Deploy Release version 0.6.14 (#137)
* Release '0.6.2' (#31)

* updating get alert and hunting rule function

* updated error handling

* Create Get-PlayBook.ps1

* cleaning up

* Release Update Incident function (#37)

* init release update incident function

* cleaning up

* updating

* updating incident function

* code cleanup

* Cleaning up and ready for release

* updating final docs folder

* Release Feature playbook configuration (#33)

* updating get alert and hunting rule function

* updated error handling

* Create Get-PlayBook.ps1

* init release for playbook

* cleaning up

* finishing playbook

* adding get alert rule action function

* releasing get logic app function

* release new- az sen alert action and some code update

* init release playbook function

* updated gitignore

* init release remove azsentinel action rule

* fixed compare issue

* Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook

* updating pester test result

* updating readme

* updating readme

* updated docs and pester test results

* restoring version

* Fix/smallconflicts (#40)

* updating docs

* updating examples

* updating pipeline

* fixing Subscription parameter for playbook (#43)

* fixing Subscription parameter for playbook (#45)

* Fix - Get-AzSentinelHuntingRule - Cannot validate argument on parameter "Property" (#50)

* fix hunting rule

* fixing hunting rule issue

* Fix - new-azsentinelalertrule playbook property (#49)

* fixing the if statement

* fixing the if statement

* Feature - get all incidents (#51)

* updating get incident

* updating get incident function and docs

* updating powershell-yaml

* updating importmodule error

* workaround

* removing powershell-yaml dependency

* fixing logicapp sas token (#52)

* Add support for day time periods (#61)

* Add missing dot to yml file extension (#59)

The Import-AZSentinelAlertRule function is not able to import yml files due to a missing dot in the file extension.

* adding support for resource provider in set-azsentinel (#69)

* New function for enabling and disabling Alert rules (#71)

* init release enable and disable function

* adding empty test files

* updating return message

* New feature change the displayName of an alert (#68)

* Release Rename Alert rule function

* updating rename function

* Handle nextLink for Playbooks (#78)

When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents.

* adding support for alert aggregation (#65)

* adding support for alert aggregation, classes created

* updating classes

* updated the class and created first rule with no error

* update class and made import function backwards compatible

* small changes

* tested with import method

* updating new function

* checking working code, starting cleanup

* updating documentation

* updating docs and cleaning up

* updating build errors

* change pester version

* updating pester version

* Update groupingConfiguration.ps1 (#87)

* Fix bug that causes loss of certain incident properties, add option to set incident description (#91)

* Feature - Adding support for all alert rule types (#90)

* init release

* updating docs

Co-authored-by: Khabazi <rob5614@robeco.nl>

* New Functionality to get alert rule templates provided by Microsoft (#94)

Co-authored-by: Antonio Ramirez <ramireza@ryanair.com>

* Update/get az sentinel alert rule templates (#95)

* updating Get-AzSentinelAlertRuleTemplates

* updated

Co-authored-by: Khabazi <rob5614@robeco.nl>

* Feature/add az sentinel incident comment (#96)

* updating Get-AzSentinelAlertRuleTemplates

* updated

* fixing playbook issue

* Add-AzSentinelIncidentComment

* release

Co-authored-by: Khabazi <rob5614@robeco.nl>

* fixing class error (#99)

* updating example files, including multi rule yaml file (#104)

* Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102)

* fixing return issue

* fixing playbook issue

* init release Get-AzSentinelDataConnector function (#103)

* Fix - get-azsentinelhuntingrule updated get and remove function (#106)

* fixing hunting rule get and remove issue

* cleaning up

* updating filters

* Add filtering by lastModified (#107)

* updating AggregationKind class and enum (#111)

* Release of Import-AzSentinelDataConnector function (#116)

* extra check for Import-AzSentinelDataConnector

* fixing class issue (#118)

* New function: Export-AzSentinel (#121)

* init code

* Release Export-AzSentinel and some small fixes/updates

* fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122)

* updating Get-AzSentinelAlertRule function and docs (#125)

* modified token expiration logic (#135)

Co-authored-by: John Crouch <john.crouch@summit7.us>

* fixing small issues (#136)

Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com>
Co-authored-by: NVolcz <niklas.volcz@gmail.com>
Co-authored-by: stehod <34159548+stehod@users.noreply.github.com>
Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com>
Co-authored-by: Jonathan Holtmann <holtmann@usc.edu>
Co-authored-by: Khabazi <rob5614@robeco.nl>
Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com>
Co-authored-by: Antonio Ramirez <ramireza@ryanair.com>
Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com>
Co-authored-by: John Crouch <john.crouch@summit7.us>
11 people committed Nov 10, 2020
1 parent 851193d commit 53cfd7d
Showing 22 changed files with 242 additions and 87 deletions.
2 changes: 1 addition & 1 deletion AzSentinel/Classes/groupingConfiguration.ps1
Expand Up @@ -36,7 +36,7 @@ class GroupingConfiguration {
}

groupingConfiguration ($Enabled, $reopenClosedIncident, $lookbackDuration, $entitiesMatchingMethod, $groupByEntities) {
$this.enabled = if ($null -ne $Enabled ) { $Enabled } else { $true }
$this.enabled = if ($null -ne $Enabled ) { $Enabled } else { $false }
$this.reopenClosedIncident = if ($null -ne $reopenClosedIncident) { $reopenClosedIncident } else { $false }
$this.lookbackDuration = if ($lookbackDuration) { [groupingConfiguration]::TimeString($lookbackDuration) } else { "PT5H" }
$this.entitiesMatchingMethod = if ($entitiesMatchingMethod) { $entitiesMatchingMethod } else { "All" }
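Review bot: the default for `enabled` in the `groupingConfiguration` constructor flips from `$true` to `$false` (the `$this.enabled = if ($null -ne $Enabled ) { $Enabled } else { $false }` line), which changes behaviour for every caller that omits the parameter, yet the commit message only says "Update groupingConfiguration.ps1 (#87)". State the new default in the class comment and the release notes, and check the example rule files used with Import-AzSentinelAlertRule so rules that relied on grouping being on by default still group their incidents after this release.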
Expand Down
12 changes: 9 additions & 3 deletions AzSentinel/Private/Get-LogAnalyticWorkspace.ps1
Expand Up @@ -55,8 +55,14 @@ function Get-LogAnalyticWorkspace {
Write-Error "No SubscriptionID provided" -ErrorAction Stop
}

$workspaces = Invoke-webrequest -Uri $uri -Method get -Headers $script:authHeader
$workspaceObject = ($workspaces.Content | ConvertFrom-Json).value | Where-Object { $_.name -eq $WorkspaceName }
try {
$workspaces = Invoke-webrequest -Uri $uri -Method get -Headers $script:authHeader -ErrorAction Stop
$workspaceObject = ($workspaces.Content | ConvertFrom-Json).value | Where-Object { $_.name -eq $WorkspaceName }
}
catch {
Write-Error $_.Exception.Message
break
}

if ($workspaceObject) {
$Script:workspace = ($workspaceObject.id).trim()
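Review bot: `break` in the new `catch` block is not a safe way to leave a function. PowerShell's `break` unwinds until it finds an enclosing loop, so when Get-LogAnalyticWorkspace fails while a caller is inside a `foreach` (Remove-AzSentinelAlertRule iterates `$RuleName` in this same commit) the caller's loop is silently terminated, and when there is no loop at all the whole script stops. Replace `Write-Error $_.Exception.Message` followed by `break` with `throw` (or `Write-Error ... -ErrorAction Stop`) so the caller's own try/catch receives a terminating error; the same applies to every other `break`-in-catch added in this commit.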
Expand All @@ -70,7 +76,7 @@ function Get-LogAnalyticWorkspace {
Write-Verbose "Found Workspace $WorkspaceName in RG $($workspaceObject.id.Split('/')[4])"
}
else {
Write-Error "Unable to find workspace $WorkspaceName under Subscription Id: $($script:subscriptionId)" -ErrorAction Stop
Write-Error "Unable to find workspace $WorkspaceName under Subscription Id: $($script:subscriptionId)"
}
}
}
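Review bot: dropping `-ErrorAction Stop` from the `Write-Error "Unable to find workspace ..."` line turns a terminating failure into a non-terminating one. A caller that runs `Get-LogAnalyticWorkspace @arguments` without its own `-ErrorAction Stop` now continues past an unresolved workspace, and `$Script:workspace` keeps whatever an earlier call in the same session assigned, so a following write or delete can be sent to the wrong workspace. Keep this error terminating, or at least clear `$Script:workspace` in the `else` branch.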
27 changes: 14 additions & 13 deletions AzSentinel/Private/precheck.ps1
Expand Up @@ -2,27 +2,28 @@
#requires -version 6.2

function precheck {
<#
.SYNOPSIS
PreCheck
.DESCRIPTION
This function is used as a precheck step by all the functions to test all the required authentication and properties.
.EXAMPLE
precheck
Run the test
.NOTES
NAME: precheck
#>
<#
.SYNOPSIS
PreCheck
.DESCRIPTION
This function is used as a precheck step by all the functions to test all the required authentication and properties.
.EXAMPLE
precheck
Run the test
.NOTES
NAME: precheck
#>

if ($null -eq $script:accessToken) {
Get-AuthToken
} elseif ([datetime]::UtcNow.AddMinutes(5) -lt $script:accessToken.ExpiresOn.DateTime ) {
}
elseif ($script:accessToken.ExpiresOn.DateTime - [datetime]::UtcNow.AddMinutes(-5) -le 0) {
# if token expires within 5 minutes, request a new one
Get-AuthToken
}

$script:authHeader = @{
'Content-Type' = 'application/json'
Authorization = 'Bearer ' + $script:accessToken.AccessToken
Authorization = 'Bearer ' + $script:accessToken.AccessToken
}
}
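Review bot: the new `elseif` condition refreshes the token at the wrong moment. `$script:accessToken.ExpiresOn.DateTime - [datetime]::UtcNow.AddMinutes(-5) -le 0` is only true once the expiry lies five minutes or more in the past, so from five minutes before expiry until five minutes after it every call goes out with an expired bearer token, the opposite of what `# if token expires within 5 minutes, request a new one` says. Use `AddMinutes(5)`, i.e. `$script:accessToken.ExpiresOn.UtcDateTime -le [datetime]::UtcNow.AddMinutes(5)`; if `ExpiresOn` is a DateTimeOffset, as the `.DateTime` access suggests, `.UtcDateTime` also avoids comparing an offset-local clock value against `UtcNow`.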
10 changes: 7 additions & 3 deletions AzSentinel/Public/Disable-AzSentinelAlertRule.ps1
Expand Up @@ -50,7 +50,13 @@ function Disable-AzSentinelAlertRule {
}
}

$rules = Get-AzSentinelAlertRule @arguments -RuleName $RuleName
try {
$rules = Get-AzSentinelAlertRule @arguments -RuleName $RuleName -ErrorAction Stop
}
catch {
$return = $_.Exception.Message
Write-Error $return
}

foreach ($rule in $rules) {
if ($rule.enabled -eq $false) {
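Review bot: after `Write-Error $return` in the new catch, execution falls through to `foreach ($rule in $rules)`. Because `$rules` is only assigned inside the `try`, a failed lookup leaves it unset, the loop is skipped and the function ends as if it had nothing to do; add `return` after the `Write-Error` (or rethrow) so the intent is explicit. Naming the error message `$return` is also confusing, since `$return` is the output accumulator elsewhere in the module (`$return += $_.properties` in Get-AzSentinelAlertRule).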
Expand Down Expand Up @@ -94,12 +100,10 @@ function Disable-AzSentinelAlertRule {

$body = [AlertRule]::new( $rule.name, $rule.etag, $bodyAlertProp, $rule.Id, 'Scheduled')


try {
$result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
Write-Verbose $result
Write-Output "Status of '$($rule.DisplayName)' changed to '$($rule.enabled)'"

}
catch {
Write-Error $_.Exception.Message
Expand Down
8 changes: 7 additions & 1 deletion AzSentinel/Public/Enable-AzSentinelAlertRule.ps1
Expand Up @@ -50,7 +50,13 @@ function Enable-AzSentinelAlertRule {
}
}

$rules = Get-AzSentinelAlertRule @arguments -RuleName $RuleName -ErrorAction Stop
try {
$rules = Get-AzSentinelAlertRule @arguments -RuleName $RuleName -ErrorAction Stop
}
catch {
$return = $_.Exception.Message
Write-Error $return
}

foreach ($rule in $rules) {
if ($rule.enabled -eq $true) {
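Review bot: the replaced line `$rules = Get-AzSentinelAlertRule @arguments -RuleName $RuleName -ErrorAction Stop` already terminated the function on failure; wrapping it in a try/catch that only does `Write-Error $return` and carries on makes the failure softer, not stricter. As in Disable-AzSentinelAlertRule, `return` or rethrow inside the catch, otherwise `foreach ($rule in $rules)` iterates an unset `$rules` and the caller sees an error record but no indication that no rule was enabled.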
Expand Down
34 changes: 29 additions & 5 deletions AzSentinel/Public/Export-AzSentinel.ps1
Expand Up @@ -91,7 +91,14 @@ function Export-AzSentinel {
#>
if (($Kind -like 'Alert') -or ($Kind -like 'All')) {

$rules = Get-AzSentinelAlertRule @arguments
try {
$rules = Get-AzSentinelAlertRule @arguments -ErrorAction Stop
}
catch {
$return = $_.Exception.Message
Write-Error $return
}

if ($rules) {
$output = @{
Scheduled = @(
Expand Down Expand Up @@ -126,8 +133,13 @@ function Export-AzSentinel {
Export Hunting rules section
#>
if (($Kind -like 'Hunting') -or ($Kind -like 'All')) {
$rules = Get-AzSentinelHuntingRule @arguments

try {
$rules = Get-AzSentinelHuntingRule @arguments -ErrorAction Stop
}
catch {
$return = $_.Exception.Message
Write-Error $return
}
if ($rules) {
$output = @{
Hunting = @()
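Review bot: `$rules` is shared between the Alert and Hunting sections (assigned from `Get-AzSentinelAlertRule` above and from `Get-AzSentinelHuntingRule` here). With `-Kind All`, if the hunting lookup throws, the catch writes the error but `$rules` still holds the alert rules from the previous section, `if ($rules)` is true, and those alert rules are exported under the `Hunting` key. Set `$rules = $null` before the `try`, or use a distinct variable per section.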
Expand All @@ -153,10 +165,22 @@ function Export-AzSentinel {
if (($Kind -like 'Templates') -or ($Kind -like 'All')) {

if ($TemplatesKind) {
$templates = Get-AzSentinelAlertRuleTemplates @arguments -Kind $TemplatesKind
try {
$templates = Get-AzSentinelAlertRuleTemplates @arguments -Kind $TemplatesKind
}
catch {
$return = $_.Exception.Message
Write-Error $return
}
}
else {
$templates = Get-AzSentinelAlertRuleTemplates @arguments
try {
$templates = Get-AzSentinelAlertRuleTemplates @arguments
}
catch {
$return = $_.Exception.Message
Write-Error $return
}
}

if ($templates) {
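Review bot: both new `try` blocks call `Get-AzSentinelAlertRuleTemplates` without `-ErrorAction Stop`, unlike the Alert and Hunting sections above, so a non-terminating error from that function (its workspace lookup reports failures via `Write-Error`) is never caught and the `catch` is dead code. Add `-ErrorAction Stop`, and collapse the two branches into one call by adding `Kind = $TemplatesKind` to `$arguments` when it is set.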
Expand Down
9 changes: 7 additions & 2 deletions AzSentinel/Public/Get-AzSentinelAlertRule.ps1
Expand Up @@ -77,7 +77,13 @@ function Get-AzSentinelAlertRule {
}
}
}
Get-LogAnalyticWorkspace @arguments
try {
Get-LogAnalyticWorkspace @arguments -ErrorAction Stop
}
catch {
Write-Error $_.Exception.Message
break
}

$uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules?api-version=2020-01-01"
Write-Verbose -Message "Using URI: $($uri)"
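Review bot: this try/catch around `Get-LogAnalyticWorkspace @arguments -ErrorAction Stop` is repeated verbatim in Get-AzSentinelAlertRuleTemplates, Get-AzSentinelDataConnector, Get-AzSentinelHuntingRule, Get-AzSentinelIncident and Import-AzSentinelDataConnector in this same commit, and Get-LogAnalyticWorkspace now has its own catch that reports and `break`s. Let Get-LogAnalyticWorkspace `throw` on failure and call it once from `precheck` instead, so the error policy lives in one place; six copies of `Write-Error $_.Exception.Message` plus `break` are six places where the `break`-outside-a-loop problem has to be fixed.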
Expand Down Expand Up @@ -121,7 +127,6 @@ function Get-AzSentinelAlertRule {
$_.properties | Add-Member -NotePropertyName playbookName -NotePropertyValue $playbookName -Force
}


$return += $_.properties
}
}
Expand Down
8 changes: 7 additions & 1 deletion AzSentinel/Public/Get-AzSentinelAlertRuleAction.ps1
Expand Up @@ -60,7 +60,13 @@ function Get-AzSentinelAlertRuleAction {
}

if ($RuleName) {
$alertId = (Get-AzSentinelAlertRule @arguments -RuleName $RuleName).name
try {
$alertId = (Get-AzSentinelAlertRule @arguments -RuleName $RuleName -ErrorAction Stop).name
}
catch {
Write-Error $_.Exception.Message
break
}
}
elseif ($RuleId) {
$alertId = $RuleId
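Review bot: `$alertId` stays `$null` not only when the lookup throws (and the `break` unwinds) but also when `Get-AzSentinelAlertRule` finds no rule with that name and returns nothing, which is a warning, not an exception. Add an explicit `if (-not $alertId)` guard after the `if/elseif` so the rest of the function never continues with an empty rule id.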
Expand Down
9 changes: 8 additions & 1 deletion AzSentinel/Public/Get-AzSentinelAlertRuleTemplates.ps1
Expand Up @@ -54,7 +54,14 @@ function Get-AzSentinelAlertRuleTemplates {
}
}
}
Get-LogAnalyticWorkspace @arguments

try {
Get-LogAnalyticWorkspace @arguments -ErrorAction Stop
}
catch {
Write-Error $_.Exception.Message
break
}

$uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2019-01-01-preview"

Expand Down
9 changes: 8 additions & 1 deletion AzSentinel/Public/Get-AzSentinelDataConnector.ps1
Expand Up @@ -60,7 +60,14 @@ function Get-AzSentinelDataConnector {
}
}
}
Get-LogAnalyticWorkspace @arguments

try {
Get-LogAnalyticWorkspace @arguments -ErrorAction Stop
}
catch {
Write-Error $_.Exception.Message
break
}

if ($DataConnectorName) {
$dataConnectors = @()
Expand Down
9 changes: 8 additions & 1 deletion AzSentinel/Public/Get-AzSentinelHuntingRule.ps1
Expand Up @@ -63,7 +63,14 @@ function Get-AzSentinelHuntingRule {
}
}
}
Get-LogAnalyticWorkspace @arguments

try {
Get-LogAnalyticWorkspace @arguments -ErrorAction Stop
}
catch {
Write-Error $_.Exception.Message
break
}

$uri = "$script:baseUri/savedSearches?api-version=2017-04-26-preview"

Expand Down
9 changes: 8 additions & 1 deletion AzSentinel/Public/Get-AzSentinelIncident.ps1
Expand Up @@ -76,7 +76,14 @@ function Get-AzSentinelIncident {
}
}
}
Get-LogAnalyticWorkspace @arguments

try {
Get-LogAnalyticWorkspace @arguments -ErrorAction Stop
}
catch {
Write-Error $_.Exception.Message
break
}

$uri = "$script:baseUri/providers/Microsoft.SecurityInsights/Cases?api-version=2019-01-01-preview"
Write-Verbose -Message "Using URI: $($uri)"
Expand Down
9 changes: 7 additions & 2 deletions AzSentinel/Public/Import-AzSentinelAlertRule.ps1
Expand Up @@ -114,8 +114,13 @@ function Import-AzSentinelAlertRule {
Test All rules first
#>
$allRules = $rules.analytics + $rules.Scheduled + $rules.fusion + $rules.MLBehaviorAnalytics + $rules.MicrosoftSecurityIncidentCreation | Select-Object displayName
$allRulesContent = Get-AzSentinelAlertRule @arguments -RuleName $($allRules.displayName)

try {
$allRulesContent = Get-AzSentinelAlertRule @arguments -RuleName $($allRules.displayName) -ErrorAction Stop
}
catch {
Write-Error $_.Exception.Message
break
}
<#
analytics rule
#>
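Review bot: `break` in this catch does not stop Import-AzSentinelAlertRule; it propagates to whatever loop or script invoked the import, which for a deployment pipeline means the calling script ends outright without the step being able to react. Use `return` or `throw` here, and `-RuleName $allRules.displayName` needs no `$()` wrapper.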
Expand Down
9 changes: 8 additions & 1 deletion AzSentinel/Public/Import-AzSentinelDataConnector.ps1
Expand Up @@ -52,7 +52,14 @@ function Import-AzSentinelDataConnector {
}
}
}
Get-LogAnalyticWorkspace @arguments

try {
Get-LogAnalyticWorkspace @arguments -ErrorAction Stop
}
catch {
Write-Error $_.Exception.Message
break
}

if ($SettingsFile.Extension -eq '.json') {
try {
Expand Down
12 changes: 10 additions & 2 deletions AzSentinel/Public/Import-AzSentinelHuntingRule.ps1
Expand Up @@ -59,7 +59,6 @@ function Import-AzSentinelHuntingRule {
}
}
}
Get-LogAnalyticWorkspace @arguments

$item = @{ }
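Review bot: removing `Get-LogAnalyticWorkspace @arguments` here means the workspace is now resolved only as a side effect of the `Get-AzSentinelHuntingRule` call added further down in this file. That works as long as that call always runs before any request is built; leave a one-line comment at this point saying so, otherwise a later refactor that moves or conditionalises that lookup will have the import silently target whatever `$script:workspace` a previous call left behind.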

Expand Down Expand Up @@ -92,12 +91,21 @@ function Import-AzSentinelHuntingRule {
}
}

try {
$allRulesContent = Get-AzSentinelHuntingRule @arguments -RuleName $($hunting.displayName) -WarningAction SilentlyContinue -ErrorAction Stop
}
catch {
Write-Error $_.Exception.Message
break
}

foreach ($item in $hunting) {
Write-Output "Started with Hunting rule: $($item.displayName)"

try {
Write-Verbose -Message "Get rule $($item.description)"
$content = Get-AzSentinelHuntingRule @arguments -RuleName $($item.displayName) -WarningAction SilentlyContinue

$content = $allRulesContent | Where-Object displayName -eq $item.displayName

if ($content) {
Write-Verbose -Message "Hunting rule $($item.displayName) exists in Azure Sentinel"
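Review bot: fetching every hunting rule once before the loop and filtering with `$content = $allRulesContent | Where-Object displayName -eq $item.displayName` is the right change (one API call instead of one per rule), but the comparison can match more than one rule when display names repeat, in which case `$content` becomes an array and `if ($content)` treats it as a single existing rule. Warn on multiple matches or pick one explicitly with `Select-Object -First 1`, and note that `break` in the new outer catch exits through the caller rather than this function.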
Expand Down
10 changes: 8 additions & 2 deletions AzSentinel/Public/New-AzSentinelAlertRule.ps1
Expand Up @@ -188,8 +188,14 @@ function New-AzSentinelAlertRule {

Write-Verbose -Message "Creating new rule: $($DisplayName)"

$content = Get-AzSentinelAlertRule @arguments -RuleName $DisplayName

try {
$content = Get-AzSentinelAlertRule @arguments -RuleName $DisplayName -ErrorAction Stop
}
catch {
Write-Error $_.Exception.Message
break
}

if ($content) {
Write-Verbose -Message "Rule $($DisplayName) exists in Azure Sentinel"

Expand Down
2 changes: 1 addition & 1 deletion AzSentinel/Public/New-AzSentinelHuntingRule.ps1
Expand Up @@ -69,7 +69,7 @@ function New-AzSentinelHuntingRule {
}
}
}
Get-LogAnalyticWorkspace @arguments


$item = @{ }
$content = $null
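Review bot: the `Get-LogAnalyticWorkspace @arguments` call is removed here, but unlike Import-AzSentinelHuntingRule this hunk shows no replacement that resolves the workspace. Confirm that a later `Get-AzSentinelHuntingRule` call in this function always runs before any URI built from `$script:workspace` is used, otherwise a stale value from a previous call in the same session is reused and the new hunting rule lands in the wrong workspace; also drop one of the two blank lines left behind.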
Expand Down
11 changes: 9 additions & 2 deletions AzSentinel/Public/Remove-AzSentinelAlertRule.ps1
Expand Up @@ -59,12 +59,19 @@ function Remove-AzSentinelAlertRule {
}
}
}
Get-LogAnalyticWorkspace @arguments

if ($RuleName) {
# remove defined rules
foreach ($rule in $RuleName) {
$item = Get-AzSentinelAlertRule @arguments -RuleName $rule -WarningAction SilentlyContinue

try {
$item = Get-AzSentinelAlertRule @arguments -RuleName $rule -WarningAction SilentlyContinue -ErrorAction Stop
}
catch {
$return = $_.Exception.Message
Write-Error $return
}

if ($item) {
$uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($item.name)?api-version=2019-01-01-preview"

Expand Down
