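function Disable-AzSentinelAlertRule {
    <#
    .SYNOPSIS
    Disable Azure Sentinel Alert Rules
    .DESCRIPTION
    With this function you can disable Azure Sentinel Alert rules. Each requested rule is
    fetched with Get-AzSentinelAlertRule; rules that are already disabled are reported and
    left untouched, every other rule has its 'enabled' flag set to $false and is written
    back with a PUT to the SecurityInsights alertRules endpoint.
    Disabling a rule silences a detection, so the PUT is guarded by ShouldProcess and
    honours -WhatIf and -Confirm.
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER RuleName
    Enter the name(s) of the Alert rule; also accepted from the pipeline
    .EXAMPLE
    Disable-AzSentinelAlertRule -WorkspaceName "" -RuleName "",""
    In this example you can disable multiple alert rules at once
    .OUTPUTS
    System.String
    One status line per processed rule.
    #>
    [cmdletbinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [ValidateNotNullOrEmpty()]
        [string] $SubscriptionId,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$WorkspaceName,

        [Parameter(Mandatory = $false,
            ValueFromPipeline)]
        [ValidateNotNullOrEmpty()]
        [string[]]$RuleName
    )

    begin {
        # precheck is defined elsewhere in the module; $script:baseUri and $script:authHeader
        # used below are presumably populated by it - verify against the module's precheck.
        precheck
    }

    process {
        # Only forward -SubscriptionId when the caller bound the "Sub" parameter set.
        $arguments = @{
            WorkspaceName = $WorkspaceName
        }
        if ($PsCmdlet.ParameterSetName -eq 'Sub') {
            $arguments.SubscriptionId = $SubscriptionId
        }

        $rules = Get-AzSentinelAlertRule @arguments -RuleName $RuleName
        foreach ($rule in $rules) {
            if ($rule.enabled -eq $false) {
                Write-Output "'$($rule.DisplayName)' already has status '$($rule.enabled)'"
                continue
            }

            # SupportsShouldProcess is declared on the cmdlet, so -WhatIf/-Confirm must be
            # consulted before a detection is switched off; without this call they are ignored.
            if (-not $PSCmdlet.ShouldProcess($rule.DisplayName, 'Disable alert rule')) {
                continue
            }

            $rule.enabled = $false
            $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($rule.name)?api-version=2019-01-01-preview"

            # Split the fetched rule into the envelope fields and the properties payload
            # that the [AlertRule]/[AlertProp] classes (defined elsewhere) serialise.
            $bodyAlertProp = [AlertProp]::new(
                ($rule | Select-Object * -ExcludeProperty lastModifiedUtc, etag, id)
            )
            $body = [AlertRule]::new(
                ($rule | Select-Object lastModifiedUtc, etag, id, name),
                $bodyAlertProp
            )

            try {
                $result = Invoke-WebRequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
                Write-Verbose $result
                Write-Output "Status of '$($rule.DisplayName)' changed to '$($rule.enabled)'"
            }
            catch {
                # Surface the full error record (not just the message) so the caller can
                # inspect which request failed and why.
                Write-Error -ErrorRecord $_
            }
        }
    }
}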