Bug fixes - version 0.6.1 (#24)

Release version 0.6.1
wortell · Oct 15, 2019 · a9f791f · a9f791f
1 parent 3fd82a7
commit a9f791f
Show file tree

Hide file tree

Showing 20 changed files with 152 additions and 119 deletions.
diff --git a/AzSentinel/AzSentinel.psd1 b/AzSentinel/AzSentinel.psd1
@@ -1,7 +1,7 @@
 #
 # Module manifest for module 'AzSentinel'
 #
-# Generated by: PouyanKhabazi
+# Generated by: Pouyan Khabazi
 #
 # Generated on: 29/07/2019
 #
@@ -12,7 +12,7 @@
     RootModule           = 'AzSentinel.psm1'
 
     # Version number of this module.
-    ModuleVersion        = '0.6.0'
+    ModuleVersion        = '0.6.1'
 
     # Supported PSEditions
     CompatiblePSEditions = 'Core', 'Desktop'
@@ -115,7 +115,6 @@
         PSData = @{
             # Tags applied to this module. These help with module discovery in online galleries.
             Tags       = @(
-                'Azure Sentinel',
                 'Sentinel',
                 'Azure'
             )
@@ -130,7 +129,12 @@
             # IconUri = ''
 
             # ReleaseNotes of this module
-            # ReleaseNotes = ''
+            ReleaseNotes = ' Fixes and new features:
+            * Added Feature Request - Incidents #13
+            * Added support for hunting rules #12
+            * Fixed error handling #16
+            * Fixed error in enum #20
+            * Fixed issue in Remove-AzSentinelRule #21'
 
         } # End of PSData hashtable
 

diff --git a/AzSentinel/Private/Compare-Policy.ps1 b/AzSentinel/Private/Compare-Policy.ps1
@@ -1,3 +1,5 @@
+#requires -version 6.2
+
 function Compare-Policy {
     <#
     .SYNOPSIS

diff --git a/AzSentinel/Private/Get-LogAnalyticWorkspace.ps1 b/AzSentinel/Private/Get-LogAnalyticWorkspace.ps1
@@ -1,3 +1,5 @@
+#requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'}
+#requires -version 6.2
 function Get-LogAnalyticWorkspace {
     <#
     .SYNOPSIS

diff --git a/AzSentinel/Private/precheck.ps1 b/AzSentinel/Private/precheck.ps1
@@ -1,3 +1,6 @@
+#requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'}
+#requires -version 6.2
+
 function precheck {
     if ($null -eq $script:accessToken) {
         Get-AuthToken

diff --git a/AzSentinel/Public/Get-AzSentinelAlertRule.ps1 b/AzSentinel/Public/Get-AzSentinelAlertRule.ps1
@@ -1,8 +1,5 @@
 #requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'}
-#requires -module @{ModuleNAme = 'powershell-yaml'; ModuleVersion = '0.4.0'}
-#requires -version 6.0
-
-using module Az.Accounts
+#requires -version 6.2
 
 function Get-AzSentinelAlertRule {
     <#

diff --git a/AzSentinel/Public/Get-AzSentinelHuntingRule.ps1 b/AzSentinel/Public/Get-AzSentinelHuntingRule.ps1
@@ -1,8 +1,5 @@
 #requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'}
-#requires -module @{ModuleNAme = 'powershell-yaml'; ModuleVersion = '0.4.0'}
-#requires -version 6.0
-
-using module Az.Accounts
+#requires -version 6.2
 
 function Get-AzSentinelHuntingRule {
     <#

diff --git a/AzSentinel/Public/Get-AzSentinelIncident.ps1 b/AzSentinel/Public/Get-AzSentinelIncident.ps1
@@ -1,8 +1,5 @@
 #requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'}
-#requires -module @{ModuleNAme = 'powershell-yaml'; ModuleVersion = '0.4.0'}
-#requires -version 6.0
-
-using module Az.Accounts
+#requires -version 6.2
 
 function Get-AzSentinelIncident {
     <#

diff --git a/AzSentinel/Public/Import-AzSentinelAlertRule.ps1 b/AzSentinel/Public/Import-AzSentinelAlertRule.ps1
@@ -139,7 +139,7 @@ function Import-AzSentinelAlertRule {
                 $body = [AlertRule]::new( $item.name, $item.etag, $bodyAlertProp, $item.Id)
             }
             catch {
-                Write-Error "Unable to initiate class with error: $($_.Exception.Message)" -ErrorAction Stop
+                Write-Error "Unable to initiate class with error: $($_.Exception.Message)" -ErrorAction Continue
             }
 
             if ($content) {
@@ -150,15 +150,15 @@ function Import-AzSentinelAlertRule {
 
                     if ($PSCmdlet.ShouldProcess("Do you want to update profile: $($body.Properties.DisplayName)")) {
                         try {
-                            $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json)
+                            $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -EnumsAsStrings)
                             Write-Output "Successfully updated rule: $($item.displayName) with status: $($result.StatusDescription)"
                             Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                         }
                         catch {
                             $errorReturn = $_
                             $errorResult = ($errorReturn | ConvertFrom-Json ).error
                             Write-Verbose $_.Exception.Message
-                            Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Stop
+                            Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Continue
                         }
                     }
                     else {
@@ -174,15 +174,15 @@ function Import-AzSentinelAlertRule {
                 Write-Verbose "Creating new rule: $($item.displayName)"
 
                 try {
-                    $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json)
+                    $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -EnumsAsStrings)
                     Write-Output "Successfully created rule: $($item.displayName) with status: $($result.StatusDescription)"
                     Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                 }
                 catch {
                     $errorReturn = $_
                     $errorResult = ($errorReturn | ConvertFrom-Json ).error
                     Write-Verbose $_.Exception.Message
-                    Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Stop
+                    Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Continue
                 }
             }
         }

diff --git a/AzSentinel/Public/Import-AzSentinelHuntingRule.ps1 b/AzSentinel/Public/Import-AzSentinelHuntingRule.ps1
@@ -162,15 +162,15 @@ function Import-AzSentinelHuntingRule {
 
                     if ($PSCmdlet.ShouldProcess("Do you want to update hunting rule: $($body.Properties.DisplayName)")) {
                         try {
-                            $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10)
+                            $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
                             Write-Output "Successfully updated hunting rule: $($item.displayName) with status: $($result.StatusDescription)"
                             Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                         }
                         catch {
                             $errorReturn = $_
                             $errorResult = ($errorReturn | ConvertFrom-Json ).error
                             Write-Verbose $_.Exception.Message
-                            Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Stop
+                            Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Continue
                         }
                     }
                     else {
@@ -186,15 +186,15 @@ function Import-AzSentinelHuntingRule {
                 Write-Verbose "Creating new rule: $($item.displayName)"
 
                 try {
-                    $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10)
+                    $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
                     Write-Output "Successfully created hunting rule: $($item.displayName) with status: $($result.StatusDescription)"
                     Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                 }
                 catch {
                     $errorReturn = $_
                     $errorResult = ($errorReturn | ConvertFrom-Json ).error
                     Write-Verbose $_.Exception.Message
-                    Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Stop
+                    Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Continue
                 }
             }
         }

diff --git a/AzSentinel/Public/New-AzSentinelAlertRule.ps1 b/AzSentinel/Public/New-AzSentinelAlertRule.ps1
@@ -1,5 +1,4 @@
 #requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'}
-#requires -module @{ModuleNAme = 'powershell-yaml'; ModuleVersion = '0.4.0'}
 #requires -version 6.2
 
 function New-AzSentinelAlertRule {
@@ -37,7 +36,7 @@ function New-AzSentinelAlertRule {
     .PARAMETER Tactics
     Enter the Tactics, valid values: "InitialAccess", "Persistence", "Execution", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "LateralMovement", "Discovery", "Collection", "Exfiltration", "CommandAndControl", "Impact"
     .EXAMPLE
-    New-AzSentinelAlertRule -WorkspaceName "" -DisplayName "" -Description "" -Severity "" -Enabled  -Query '' -QueryFrequency ""  -QueryPeriod "" -TriggerOperator "" -TriggerThreshold  -SuppressionDuration "" -SuppressionEnabled $false -Tactics @("","")
+    New-AzSentinelAlertRule -WorkspaceName "" -DisplayName "" -Description "" -Severity -Enabled $true -Query '' -QueryFrequency "" -QueryPeriod "" -TriggerOperator -TriggerThreshold  -SuppressionDuration "" -SuppressionEnabled $false -Tactics @("","")
     In this example you create a new Alert rule by defining the rule properties from CMDLET
     #>
 
@@ -123,7 +122,7 @@ function New-AzSentinelAlertRule {
         Write-Verbose -Message "Creating new rule: $($DisplayName)"
         try {
             Write-Verbose -Message "Get rule $DisplayName"
-            $content = Get-AzSentinelAlertRule @arguments -RuleName $DisplayName -WarningAction SilentlyContinue
+            $content = Get-AzSentinelAlertRule @arguments -RuleName $DisplayName -ErrorAction SilentlyContinue
 
             if ($content) {
                 Write-Verbose -Message "Rule $($DisplayName) exists in Azure Sentinel"
@@ -183,7 +182,7 @@ function New-AzSentinelAlertRule {
 
                 if ($PSCmdlet.ShouldProcess("Do you want to update profile: $($body.Properties.DisplayName)")) {
                     try {
-                        $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json)
+                        $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -EnumsAsStrings)
                         Write-Output "Successfully updated rule: $($DisplayName) with status: $($result.StatusDescription)"
                         Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                     }
@@ -207,7 +206,7 @@ function New-AzSentinelAlertRule {
             Write-Verbose "Creating new rule: $($DisplayName)"
 
             try {
-                $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json)
+                $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -EnumsAsStrings)
                 Write-Output "Successfully created rule: $($DisplayName) with status: $($result.StatusDescription)"
                 Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
             }

diff --git a/AzSentinel/Public/New-AzSentinelHuntingRule.ps1 b/AzSentinel/Public/New-AzSentinelHuntingRule.ps1
@@ -1,5 +1,4 @@
 #requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'}
-#requires -module @{ModuleNAme = 'powershell-yaml'; ModuleVersion = '0.4.0'}
 #requires -version 6.2
 
 function New-AzSentinelHuntingRule {
@@ -157,7 +156,7 @@ function New-AzSentinelHuntingRule {
                     try {
                         Write-Output ($body.properties | Format-Table)
 
-                        $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10)
+                        $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
                         Write-Output "Successfully updated hunting rule: $($DisplayName) with status: $($result.StatusDescription)"
                     }
                     catch {
@@ -181,7 +180,7 @@ function New-AzSentinelHuntingRule {
 
             try {
 
-                $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10)
+                $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
                 Write-Output "Successfully created hunting rule: $($DisplayName) with status: $($result.StatusDescription)"
                 Write-Output ($body.properties | Format-Table)
             }

diff --git a/AzSentinel/Public/Remove-AzSentinelAlertRule.ps1 b/AzSentinel/Public/Remove-AzSentinelAlertRule.ps1
@@ -1,8 +1,5 @@
 #requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'}
-#requires -module @{ModuleNAme = 'powershell-yaml'; ModuleVersion = '0.4.0'}
-#requires -version 6.0
-
-using module Az.Accounts
+#requires -version 6.2
 
 function Remove-AzSentinelAlertRule {
     <#
@@ -67,9 +64,9 @@ function Remove-AzSentinelAlertRule {
         if ($RuleName) {
             # remove defined rules
             foreach ($rule in $RuleName) {
-                $item = Get-AzSentinelHuntingRule @arguments -RuleName $rule -WarningAction SilentlyContinue
+                $item = Get-AzSentinelAlertRule @arguments -RuleName $rule -WarningAction SilentlyContinue
                 if ($item) {
-                    $uri = "$script:baseUri/savedSearches/$($item.name)?api-version=2017-04-26-preview"
+                    $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($item.name)?api-version=2019-01-01-preview"
 
                     if ($PSCmdlet.ShouldProcess("Do you want to remove: $rule")) {
                         Write-Output $item
@@ -87,8 +84,9 @@ function Remove-AzSentinelAlertRule {
         }
         else {
             Write-Warning "No Rule selected, All rules will be removed one by one!"
-            Get-AzSentinelHuntingRule @arguments | ForEach-Object {
-                $uri = "$script:baseUri/savedSearches/$($_.name)?api-version=2017-04-26-preview"
+            Get-AzSentinelAlertRule @arguments | ForEach-Object {
+                $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($_.name)?api-version=2019-01-01-preview"
+
                 if ($PSCmdlet.ShouldProcess("Do you want to remove: $($_.displayName)")) {
                     $result = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader
                     Write-Output "Successfully removed rule: $($_.displayName) with status: $($result.StatusDescription)"

diff --git a/AzSentinel/Public/Remove-AzSentinelHuntingRule.ps1 b/AzSentinel/Public/Remove-AzSentinelHuntingRule.ps1
@@ -1,8 +1,5 @@
 #requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'}
-#requires -module @{ModuleNAme = 'powershell-yaml'; ModuleVersion = '0.4.0'}
-#requires -version 6.0
-
-using module Az.Accounts
+#requires -version 6.2
 
 function Remove-AzSentinelHuntingRule {
     <#

diff --git a/AzSentinel/enums/Severity.ps1 b/AzSentinel/enums/Severity.ps1
@@ -1,9 +1,6 @@
-Add-Type -TypeDefinition @"
-    public enum Severity
-    {
-        Medium,
-        High,
-        Low,
-        Informational
-    }
-"@
+enum Severity {
+    Medium
+    High
+    Low
+    Informational
+}
diff --git a/AzSentinel/enums/Tactics.ps1 b/AzSentinel/enums/Tactics.ps1
@@ -1,17 +1,14 @@
-Add-Type -TypeDefinition @"
-    public enum Tactics
-    {
-        InitialAccess,
-        Persistence,
-        Execution,
-        PrivilegeEscalation,
-        DefenseEvasion,
-        CredentialAccess,
-        LateralMovement,
-        Discovery,
-        Collection,
-        Exfiltration,
-        CommandAndControl,
-        Impact
-    }
-"@
+enum Tactics {
+    InitialAccess
+    Persistence
+    Execution
+    PrivilegeEscalation
+    DefenseEvasion
+    CredentialAccess
+    LateralMovement
+    Discovery
+    Collection
+    Exfiltration
+    CommandAndControl
+    Impact
+}
diff --git a/AzSentinel/enums/TriggerOperator.ps1 b/AzSentinel/enums/TriggerOperator.ps1
@@ -1,9 +1,6 @@
-Add-Type -TypeDefinition @"
-   public enum TriggerOperator
-   {
-        GreaterThan,
-        FewerThan,
-        EqualTo,
-        NotEqualTo
-    }
-"@
+enum TriggerOperator {
+    GreaterThan
+    FewerThan
+    EqualTo
+    NotEqualTo
+}