Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor and optimize AccessSessionUpdater and related methods #11

Merged
merged 1 commit into from
Dec 19, 2024
+93 −85
Merged

Refactor and optimize AccessSessionUpdater and related methods #11

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
176 changes: 92 additions & 84 deletions BeyondTrustConnector/AccessSessionUpdater.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,111 +3,119 @@
using System.Xml.Linq;
using BeyondTrustConnector.Model;
using BeyondTrustConnector.Service;
using Microsoft.AspNetCore.Mvc.ModelBinding.Validation;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Extensions.Logging;

namespace BeyondTrustConnector
namespace BeyondTrustConnector;

public class AccessSessionUpdater(BeyondTrustService beyondTrustService, IngestionService ingestionService, QueryService queryService, ILogger<AccessSessionUpdater> logger)
{
public class AccessSessionUpdater(BeyondTrustService beyondTrustService, IngestionService ingestionService, QueryService queryService, ILogger<AccessSessionUpdater> logger)
[Function(nameof(AccessSessionUpdater))]
public async Task Run([TimerTrigger("0 */15 * * * *", RunOnStartup = false)] TimerInfo myTimer)
{
[Function(nameof(AccessSessionUpdater))]
public async Task Run([TimerTrigger("0 */15 * * * *", RunOnStartup = false)] TimerInfo myTimer)
{
DateTime? lastEventTime = await GetLastUpdatedTime();
lastEventTime ??= DateTime.Now.AddDays(-5);
DateTime? lastEventTime = await GetLastUpdatedTime();
lastEventTime ??= DateTime.Now.AddDays(-5);

var ns = "http://www.beyondtrust.com/sra/namespaces/API/reporting";
var report = await beyondTrustService.GetAccessSessionReport(lastEventTime.Value);
var sessions = report.Root!.Descendants(XName.Get("session", ns));

var accessSessions = new List<BeyondTrustAccessSession>();
foreach (var session in sessions)
var ns = "http://www.beyondtrust.com/sra/namespaces/API/reporting";
var report = await beyondTrustService.GetAccessSessionReport(lastEventTime.Value);
var sessions = report.Root!.Descendants(XName.Get("session", ns));
var sessionIds = sessions.Select(s => s.Attribute("lsid")!.Value).Aggregate(string.Empty, (current, next) => current += $"'{next}',").TrimEnd(',');
var existingSessionResult = await queryService.QueryWorkspace($"BeyondTrustAccessSession_CL | where SessionId in ({sessionIds}) | project SessionId");
var existingSessions = existingSessionResult?.Table.Rows.Select(r => r[0].ToString()).ToList() ?? [];
var accessSessions = new List<BeyondTrustAccessSession>();
foreach (var session in sessions)
{
if (session is null) continue;
var sessionId = session.Attribute("lsid")!.Value;
if (existingSessions.Contains(sessionId))
{
if (session is null) continue;
var startTime = DateTimeOffset.Parse(session.Element(XName.Get("start_time", ns))!.Value);
DateTimeOffset? endTime = null;
var endTimeValue = session.Element(XName.Get("end_time", ns));
if (!string.IsNullOrEmpty(endTimeValue?.Value))
{
endTime = DateTimeOffset.Parse(endTimeValue!.Value);
}
logger.LogInformation("Session {SessionId} already exists in the workspace", sessionId);
continue;
}
var startTime = DateTimeOffset.Parse(session.Element(XName.Get("start_time", ns))!.Value);
DateTimeOffset? endTime = null;
var endTimeValue = session.Element(XName.Get("end_time", ns));
if (!string.IsNullOrEmpty(endTimeValue?.Value))
{
endTime = DateTimeOffset.Parse(endTimeValue!.Value);
}

var jumpPoint = session.Element(XName.Get("jumpoint", ns))!.Value;
var jumpItem = session.Element(XName.Get("primary_customer", ns));
var jumpItemValue = jumpItem!.Value;
var jumpItemId = jumpItem!.Attribute("gsnumber")!.Value;
var jumpGroup = session.Element(XName.Get("jump_group", ns))!.Value;
var sessionType = session.Element(XName.Get("session_type", ns))!.Value;
var sessionId = session.Attribute("lsid")!.Value;
var jumpPoint = session.Element(XName.Get("jumpoint", ns))!.Value;
var jumpItem = session.Element(XName.Get("primary_customer", ns));
var jumpItemValue = jumpItem!.Value;
var jumpItemId = jumpItem!.Attribute("gsnumber")!.Value;
var jumpGroup = session.Element(XName.Get("jump_group", ns))!.Value;
var sessionType = session.Element(XName.Get("session_type", ns))!.Value;

var sessionData = new BeyondTrustAccessSession
{
StartTime = startTime.UtcDateTime,
EndTime = endTime?.UtcDateTime,
SessionId = sessionId,
Jumpoint = jumpPoint,
JumpItemAddress = jumpItemValue,
JumpItemId = int.Parse(jumpItemId),
JumpGroup = jumpGroup,
SessionType = sessionType
};
var sessionData = new BeyondTrustAccessSession
{
StartTime = startTime.UtcDateTime,
EndTime = endTime?.UtcDateTime,
SessionId = sessionId,
Jumpoint = jumpPoint,
JumpItemAddress = jumpItemValue,
JumpItemId = int.Parse(jumpItemId),
JumpGroup = jumpGroup,
SessionType = sessionType
};

try
{
var userDetails = GetUserDetails(session, ns);
sessionData.UserDetails = userDetails;
}
catch (Exception ex)
{
logger.LogError("Error getting user details: {ErrorMessage}", ex.Message);
}
accessSessions.Add(sessionData);
try
{
var userDetails = GetUserDetails(session, ns);
sessionData.UserDetails = userDetails;
}

await ingestionService.IngestAccessSessions(accessSessions);
catch (Exception ex)
{
logger.LogError("Error getting user details: {ErrorMessage}", ex.Message);
}
accessSessions.Add(sessionData);
}
if (accessSessions.Count != 0)
await ingestionService.IngestAccessSessions(accessSessions);
}

private static List<Dictionary<string, object>> GetUserDetails(XElement session, string ns)
{
var users = new List<Dictionary<string, object>>();
var userList = session.Element(XName.Get("rep_list", ns));
if (userList is null) return users;
private static List<Dictionary<string, object>> GetUserDetails(XElement session, string ns)
{
var users = new List<Dictionary<string, object>>();
var userList = session.Element(XName.Get("rep_list", ns));
if (userList is null) return users;

foreach (var userElement in userList.Elements(XName.Get("representative", ns)))
foreach (var userElement in userList.Elements(XName.Get("representative", ns)))
{
var userDetails = new Dictionary<string, object>();
if (userElement is not null)
{
var userDetails = new Dictionary<string, object>();
if (userElement is not null)
userDetails.Add("Username", userElement.Element(XName.Get("username", ns))?.Value ?? "Unknown");
userDetails.Add("PublicIP", userElement.Element(XName.Get("public_ip", ns))?.Value ?? "Unknown");
userDetails.Add("PrivateIP", userElement.Element(XName.Get("private_ip", ns))?.Value ?? "Unknown");
userDetails.Add("Hostname", userElement.Element(XName.Get("hostname", ns))?.Value ?? "Unknown");
userDetails.Add("OS", userElement.Element(XName.Get("os", ns))?.Value ?? "Unknown");
var sessionOwnerData = userElement.Element(XName.Get("session_owner", ns))?.Value;
if (!string.IsNullOrEmpty(sessionOwnerData))
{
userDetails.Add("Username", userElement.Element(XName.Get("username", ns))?.Value ?? "Unknown");
userDetails.Add("PublicIP", userElement.Element(XName.Get("public_ip", ns))?.Value ?? "Unknown");
userDetails.Add("PrivateIP", userElement.Element(XName.Get("private_ip", ns))?.Value ?? "Unknown");
userDetails.Add("Hostname", userElement.Element(XName.Get("hostname", ns))?.Value ?? "Unknown");
userDetails.Add("OS", userElement.Element(XName.Get("os", ns))?.Value ?? "Unknown");
var sessionOwnerData = userElement.Element(XName.Get("session_owner", ns))?.Value;
if (!string.IsNullOrEmpty(sessionOwnerData))
{
userDetails.Add("SessionOwner", sessionOwnerData == "1");
}
userDetails.Add("SessionOwner", sessionOwnerData == "1");
}
users.Add(userDetails);
}
return users;
users.Add(userDetails);
}
return users;
}

private async Task<DateTime?> GetLastUpdatedTime()
private async Task<DateTime?> GetLastUpdatedTime(int offsetSeconds = 1)
{
var result = await queryService.QueryWorkspace("BeyondTrustAccessSession_CL | summarize arg_max(TimeGenerated,*) | project TimeGenerated");
DateTime? lastEventTime = null;
if (result?.Table.Rows.Count == 1 && result?.Table.Rows[0][0] is not null)
{
var result = await queryService.QueryWorkspace("BeyondTrustAccessSession_CL | summarize arg_max(TimeGenerated,*) | project TimeGenerated");
DateTime? lastEventTime = null;
if (result?.Table.Rows.Count == 1 && result?.Table.Rows[0][0] is not null)
{
lastEventTime = ((DateTimeOffset)result.Table.Rows[0][0]).UtcDateTime;
}
if (lastEventTime is null)
logger.LogWarning("No last updated timestamp found");
else
logger.LogInformation("Last event time: {LastEventTime}", lastEventTime?.ToString("yyyy-MM-dd HH:mm:ss", CultureInfo.InvariantCulture));

return lastEventTime;
lastEventTime = ((DateTimeOffset)result.Table.Rows[0][0]).UtcDateTime;
lastEventTime = lastEventTime.Value.AddSeconds(offsetSeconds);
}
if (lastEventTime is null)
logger.LogWarning("No last updated timestamp found");
else
logger.LogInformation("Last event time: {LastEventTime}", lastEventTime?.ToString("yyyy-MM-dd HH:mm:ss", CultureInfo.InvariantCulture));

return lastEventTime;
}
}
2 changes: 1 addition & 1 deletion BeyondTrustConnector/Service/BeyondTrustService.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ public class BeyondTrustService(IHttpClientFactory httpClientFactory, ILogger<Be
public async Task<XDocument> GetAccessSessionReport(DateTime start, int reportPeriod = 0)
{
var client = httpClientFactory.CreateClient(nameof(BeyondTrustConnector));
var unixTime = ((DateTimeOffset)start).ToUnixTimeSeconds() + 1;
var unixTime = ((DateTimeOffset)start).ToUnixTimeSeconds();
string requestUri = $"/api/reporting?generate_report=AccessSession&start_date={start:yyyy-MM-dd}&duration={reportPeriod}&start_time={unixTime}";
var response = await client.GetAsync(requestUri);
if (!response.IsSuccessStatusCode)
Expand Down
Loading