Deploy Release Version 0.6.12 (#126)
* Release '0.6.2' (#31)

* updating get alert and hunting rule function

* updated error handling

* Create Get-PlayBook.ps1

* cleaning up

* Release Update Incident function (#37)

* init release update incident function

* cleaning up

* updating

* updating incident function

* code cleanup

* Cleaning up and ready for release

* updating final docs folder

* Release Feature playbook configuration (#33)

* updating get alert and hunting rule function

* updated error handling

* Create Get-PlayBook.ps1

* init release for playbook

* cleaning up

* finishing playbook

* adding get alert rule action function

* releasing get logic app function

* release new- az sen alert action and some code update

* init release playbook function

* updated gitignore

* init release remove azsentinel action rule

* fixed compare issue

* Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook

* updating pester test result

* updating readme

* updating readme

* updated docs and pester test results

* restoring version

* Fix/smallconflicts (#40)

* updating docs

* updating examples

* updating pipeline

* fixing Subscription parameter for playbook (#43)

* fixing Subscription parameter for playbook (#45)

* Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50)

* fix hunting rule

* fixing hunting rule issue

* Fix - new-azsentinelalertrule playbook property  (#49)

* fixing the if statement

* fixing the if statement

* Feature - get all incidents (#51)

* updating get incident

* updating get incident function and docs

* updating  powershell-yaml

* updating importmodule error

* workaround

* removing powershell-yaml dependency

* fixing logicapp sas token (#52)

* Add support for day time periods (#61)

* Add missing dot to yml file extension (#59)

The Import-AZSentinelAlertRule function is not able to import yml files due
to missing dot in the file extension.

* adding support for resource provider in set-azsentinel (#69)

* New function for enabling and disabling Alert rules (#71)

* init release enable and disable function

* adding empty test files

* updating return message

* New feature change the displayName of an alert (#68)

* Release Rename Alert rule function

* updating rename function

* Handle nextLink for Playbooks (#78)

When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents.

* adding support for alert aggregation (#65)

* adding support for alert aggregation, classes created

* updating classes

* updated the class and created first rule with no error

* update class and made import function backwards compatible

* small changes

* tested with import method

* updating new function

* checking working code, starting cleanup

* updating documentation

* updating docs and cleaning up

* updating build errors

* change pester version

* updating pester version

* Update groupingConfiguration.ps1 (#87)

* Fix bug that causes loss of certain incident properties, add option to set incident description (#91)

* Feature - Adding support for all alert rule types (#90)

* init release

* updating docs

Co-authored-by: Khabazi <rob5614@robeco.nl>

* New Functionality to get alert rule templates provided by Microsoft (#94)

Co-authored-by: Antonio Ramirez <ramireza@ryanair.com>

* Update/get az sentinel alert rule templates (#95)

* updating Get-AzSentinelAlertRuleTemplates

* updated

Co-authored-by: Khabazi <rob5614@robeco.nl>

* Feature/add az sentinel incident comment (#96)

* updating Get-AzSentinelAlertRuleTemplates

* updated

* fixing playbook issue

* Add-AzSentinelIncidentComment

* release

Co-authored-by: Khabazi <rob5614@robeco.nl>

* fixing class error (#99)

* updating example files, including multi rule yaml file (#104)

* Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102)

* fixing return issue

* fixing playbook issue

* init release Get-AzSentinelDataConnector function (#103)

* Fix - get-azsentinelhuntingrule updated get and remove function (#106)

* fixing hunting rule get and remove issue

* cleaning up

* updating filters

* Add filtering by lastModified (#107)

* updating AggregationKind class and enum (#111)

* Release of Import-AzSentinelDataConnector function (#116)

* extra check for Import-AzSentinelDataConnector

* fixing class issue (#118)

* New function: Export-AzSentinel (#121)

* init code

* Release Export-AzSentinel and some small fixes/updates

* fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122)

* updating Get-AzSentinelAlertRule function and docs (#125)

Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com>
Co-authored-by: NVolcz <niklas.volcz@gmail.com>
Co-authored-by: stehod <34159548+stehod@users.noreply.github.com>
Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com>
Co-authored-by: Jonathan Holtmann <holtmann@usc.edu>
Co-authored-by: Khabazi <rob5614@robeco.nl>
Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com>
Co-authored-by: Antonio Ramirez <ramireza@ryanair.com>
9 people committed Oct 21, 2020
1 parent b4672df commit dc83405
Showing 14 changed files with 573 additions and 65 deletions.
1 change: 1 addition & 0 deletions AzSentinel/AzSentinel.psd1
@@ -96,6 +96,7 @@
'Get-AzSentinelAlertRuleTemplates',
'Add-AzSentinelIncidentComment',
'Get-AzSentinelDataConnector',
'Export-AzSentinel'
'Import-AzSentinelDataConnector'
)

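Review bot: the new entry `'Export-AzSentinel'` is missing the trailing comma that every other element in this list carries, so `'Export-AzSentinel'` and `'Import-AzSentinelDataConnector'` now sit on consecutive lines with no separator. Whether that still parses depends on the opener that is outside this hunk: inside `@( ... )` newline-separated elements are collected into the array, but inside a plain `( ... )` it is a parse error and the module fails to import. Add the comma (`'Export-AzSentinel',`), and consider running `Test-ModuleManifest .\AzSentinel\AzSentinel.psd1` in the pipeline so a broken manifest is caught before a release is published.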
182 changes: 182 additions & 0 deletions AzSentinel/Public/Export-AzSentinel.ps1
@@ -0,0 +1,182 @@
function Export-AzSentinel {
<#
.SYNOPSIS
Export Azure Sentinel
.DESCRIPTION
With this function you can export Azure Sentinel configuration
.PARAMETER SubscriptionId
Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
.PARAMETER WorkspaceName
Enter the Workspace name
.PARAMETER Kind
Select what you want to export: Alert, Hunting, Templates or All
.PARAMETER OutputFolder
The Path where you want to export the JSON files
.PARAMETER TemplatesKind
Select which Kind of templates you want to export, if empy all Templates will be exported
.EXAMPLE
Export-AzSentinel -WorkspaceName '' -Path C:\Temp\ -Kind All
In this example you export Alert, Hunting and Template rules
.EXAMPLE
Export-AzSentinel -WorkspaceName '' -Path C:\Temp\ -Kind Templates
In this example you export only the Templates
.EXAMPLE
Export-AzSentinel -WorkspaceName '' -Path C:\Temp\ -Kind Alert
In this example you export only the Scheduled Alert rules
#>

param (
[Parameter(Mandatory = $false,
ParameterSetName = "Sub")]
[ValidateNotNullOrEmpty()]
[string] $SubscriptionId,

[Parameter(Mandatory)]
[ValidateNotNullOrEmpty()]
[string]$WorkspaceName,

[Parameter(Mandatory)]
[System.IO.FileInfo]$OutputFolder,

[Parameter(Mandatory,
ValueFromPipeline)]
[ExportType[]]$Kind,

[Parameter(Mandatory = $false)]
[ValidateNotNullOrEmpty()]
[Kind[]]$TemplatesKind
)

begin {
precheck
}

process {
switch ($PsCmdlet.ParameterSetName) {
Sub {
$arguments = @{
WorkspaceName = $WorkspaceName
SubscriptionId = $SubscriptionId
}
}
default {
$arguments = @{
WorkspaceName = $WorkspaceName
}
}
}

$date = Get-Date -Format HHmmss_ddMMyyyy

<#
Test export path
#>
if (Test-Path $OutputFolder) {
Write-Verbose "Path Exists"
}
else {
try {
$null = New-Item -Path $OutputFolder -Force -ItemType Directory -ErrorAction Stop
}
catch {
$ErrorMessage = $_.Exception.Message
Write-Error $ErrorMessage
Write-Verbose $_
Break
}
}

<#
Export Alert rules section
#>
if (($Kind -like 'Alert') -or ($Kind -like 'All')) {

$rules = Get-AzSentinelAlertRule @arguments
if ($rules) {
$output = @{
Scheduled = @()
Fusion = @()
MLBehaviorAnalytics = @()
MicrosoftSecurityIncidentCreation = @()
}
$rules.Kind | ForEach-Object {
$output.$_ += $rules | Where-Object kind -eq $_
}

try {
$fullPath = "$($OutputFolder)AlertRules_$date.json"
$output | ConvertTo-Json -EnumsAsStrings -Depth 15 | Out-File $fullPath -ErrorAction Stop
Write-Output "Alert rules exported to: $fullPath"
}
catch {
$ErrorMessage = $_.Exception.Message
Write-Error $ErrorMessage
Write-Verbose $_
Break
}
}
}

<#
Export Hunting rules section
#>
if (($Kind -like 'Hunting') -or ($Kind -like 'All')) {
$rules = Get-AzSentinelHuntingRule @arguments

if ($rules) {
$output = @{
Hunting = @()
}
$output.Hunting += $rules
try {
$fullPath = "$($OutputFolder)HuntingRules_$date.json"
$output | ConvertTo-Json -EnumsAsStrings -Depth 15 | Out-File $fullPath -ErrorAction Stop
Write-Output "Hunting rules exported to: $fullPath"
}
catch {
$ErrorMessage = $_.Exception.Message
Write-Error $ErrorMessage
Write-Verbose $_
Break
}
}
}

<#
Export Templates section
#>
if (($Kind -like 'Templates') -or ($Kind -like 'All')) {

if ($TemplatesKind) {
$templates = Get-AzSentinelAlertRuleTemplates @arguments -Kind $TemplatesKind
}
else {
$templates = Get-AzSentinelAlertRuleTemplates @arguments
}

if ($templates) {
$output = @{
Scheduled = @()
Fusion = @()
MLBehaviorAnalytics = @()
MicrosoftSecurityIncidentCreation = @()
}
$templates.Kind | ForEach-Object {
$output.$_ += $templates | Where-Object kind -eq $_
}

try {
$fullPath = "$($OutputFolder)Templates_$date.json"
$output | ConvertTo-Json -EnumsAsStrings -Depth 15 | Out-File $fullPath -ErrorAction Stop
Write-Output "Templates xported to: $fullPath"
}
catch {
$ErrorMessage = $_.Exception.Message
Write-Error $ErrorMessage
Write-Verbose $_
Break
}
}
}
}
}
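Review bot: the grouping loop `$rules.Kind | ForEach-Object { $output.$_ += $rules | Where-Object kind -eq $_ }` (and the identical one over `$templates`) runs once per rule rather than once per distinct kind, so with N Scheduled rules the Scheduled bucket receives all N of them N times and the exported JSON is full of duplicates; iterate over `$rules.Kind | Select-Object -Unique` or use `Group-Object Kind` instead. Further points in this file: `$fullPath = "$($OutputFolder)AlertRules_$date.json"` has no path separator, so `-OutputFolder C:\Temp` writes `C:\TempAlertRules_<date>.json` (use `Join-Path`, and type the parameter as `[string]` or `[System.IO.DirectoryInfo]`, since `[System.IO.FileInfo]` describes a file, not a folder); all three `.EXAMPLE` blocks pass `-Path`, which is not a parameter of this function (it is `-OutputFolder`); `Break` inside a `catch` that is not in a loop terminates the caller's pipeline rather than just this function, so `return` or `throw` is the safer exit; `ConvertTo-Json -EnumsAsStrings` does not exist in Windows PowerShell 5.1, so either the manifest must require PowerShell 6+ or the enums need to be stringified before serialisation; and the templates branch prints `Templates xported to:`. Note also that `Get-AzSentinelAlertRule` is called without the new `-SkipPlaybook`, so an export still costs one action lookup per alert rule.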
106 changes: 57 additions & 49 deletions AzSentinel/Public/Get-AzSentinelAlertRule.ps1
Expand Up @@ -17,11 +17,13 @@ function Get-AzSentinelAlertRule {
The alert rule kind
.PARAMETER LastModified
Filter for rules modified after this date/time
.PARAMETER SkipPlaybook
Use SkipPlaybook switch to only return the rule properties, this skips the Playbook resolve step.
.EXAMPLE
Get-AzSentinelAlertRule -WorkspaceName "" -RuleName "",""
In this example you can get configuration of multiple alert rules in once
.EXAMPLE
Get-LogAnalyticWorkspace -SubscriptionId "" -WorkspaceName "" -LastModified 2020-09-21
Get-AzSentinelAlertRule -SubscriptionId "" -WorkspaceName "" -LastModified 2020-09-21
In this example you can get configuration of multiple alert rules only if modified after the 21st September 2020. The datetime must be in ISO8601 format.
#>
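Review bot: the `.PARAMETER SkipPlaybook` text should state what the switch actually saves: in the process block every matched rule otherwise triggers a `Get-AzSentinelAlertRuleAction` call, so `-SkipPlaybook` trades the `playbookName` property for one fewer API round trip per rule, which is the reason a caller would choose it. The corrected second example now names the right cmdlet; while here, "in once" in the first example should read "at once".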

@@ -49,7 +51,12 @@ function Get-AzSentinelAlertRule {
[Parameter(Mandatory = $false,
ValueFromPipeline)]
[ValidateNotNullOrEmpty()]
[DateTime]$LastModified
[DateTime]$LastModified,

[Parameter(Mandatory = $false,
ValueFromPipeline)]
[ValidateNotNullOrEmpty()]
[switch]$SkipPlaybook
)

begin {
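Review bot: `[ValidateNotNullOrEmpty()]` and `ValueFromPipeline` do nothing useful on a `[switch]`: a switch is never null or empty, and binding it from the pipeline is not how a caller would ever set it, so the attributes only invite confusion about how `$SkipPlaybook` can become true. Declare it as a plain `[Parameter(Mandatory = $false)] [switch]$SkipPlaybook`, matching how other switches in the module are declared.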
@@ -93,84 +100,85 @@ function Get-AzSentinelAlertRule {

if ($RuleName.Count -ge 1) {
foreach ($rule in $RuleName) {
[PSCustomObject]$temp = $alertRules.value | Where-Object { $_.properties.displayName -eq $rule }
if ($null -ne $temp) {
$alertRules.value | Where-Object { $_.properties.displayName -eq $rule } | ForEach-Object {

$playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId $temp.name
$_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force
$_.properties | Add-Member -NotePropertyName etag -NotePropertyValue $_.etag -Force
$_.properties | Add-Member -NotePropertyName id -NotePropertyValue $_.id -Force
$_.properties | Add-Member -NotePropertyName kind -NotePropertyValue $_.kind -Force

if ($playbook) {
$playbookName = ($playbook.properties.logicAppResourceId).Split('/')[-1]
}
else {
$playbookName = ""
}
if (! $SkipPlaybook) {

$playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId $_.name

$temp.properties | Add-Member -NotePropertyName name -NotePropertyValue $temp.name -Force
$temp.properties | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force
$temp.properties | Add-Member -NotePropertyName id -NotePropertyValue $temp.id -Force
$temp.properties | Add-Member -NotePropertyName kind -NotePropertyValue $temp.kind -Force
if ($playbook) {
$playbookName = ($playbook.properties.logicAppResourceId).Split('/')[-1]
}
else {
$playbookName = ""
}

if ($temp.kind -eq "Scheduled") {
$temp.properties | Add-Member -NotePropertyName playbookName -NotePropertyValue $playbookName -Force
$_.properties | Add-Member -NotePropertyName playbookName -NotePropertyValue $playbookName -Force
}

$return += $temp.properties
}
else {
Write-Verbose "Unable to find Rule: $rule"

$return += $_.properties
}
}
return $return
}
elseif ($Kind.Count -ge 1) {
foreach ($rule in $Kind) {
[PSCustomObject]$temp = $alertRules.value | Where-Object { $_.Kind -eq $rule }
if ($null -ne $temp) {
$alertRules.value | Where-Object { $_.Kind -eq $rule } | ForEach-Object {

$playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId ($temp.name)[0]
$_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force
$_.properties | Add-Member -NotePropertyName etag -NotePropertyValue $_.etag -Force
$_.properties | Add-Member -NotePropertyName id -NotePropertyValue $_.id -Force
$_.properties | Add-Member -NotePropertyName kind -NotePropertyValue $_.kind -Force

if ($playbook) {
$playbookName = ($playbook.properties.logicAppResourceId).Split('/')[-1]
}
else {
$playbookName = ""
}
if (! $SkipPlaybook) {

$playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId $_.name

if ($playbook) {
$playbookName = ($playbook.properties.logicAppResourceId).Split('/')[-1]
}
else {
$playbookName = ""
}

$temp.properties | Add-Member -NotePropertyName name -NotePropertyValue $temp.name -Force
$temp.properties | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force
$temp.properties | Add-Member -NotePropertyName id -NotePropertyValue $temp.id -Force
$temp.properties | Add-Member -NotePropertyName kind -NotePropertyValue $temp.kind -Force
if ($temp.kind -eq "Scheduled") {
$temp.properties | Add-Member -NotePropertyName playbookName -NotePropertyValue $playbookName -Force
$_.properties | Add-Member -NotePropertyName playbookName -NotePropertyValue $playbookName -Force
}

$return += $temp.properties
}
else {
Write-Verbose "Unable to find Rule: $rule"
$return += $_.properties
}
}
return $return
}
else {
$alertRules.value | ForEach-Object {
$playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId $_.name

if ($playbook) {
$playbookName = ($playbook.properties.logicAppResourceId).Split('/')[-1]
}
else {
$playbookName = ""
}
$_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force
$_.properties | Add-Member -NotePropertyName id -NotePropertyValue $_.id -Force
$_.properties | Add-Member -NotePropertyName kind -NotePropertyValue $_.kind -Force
if ($_.kind -eq "Scheduled") {

if (! $SkipPlaybook) {

$playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId $_.name

if ($playbook) {
$playbookName = ($playbook.properties.logicAppResourceId).Split('/')[-1]
}
else {
$playbookName = ""
}

$_.properties | Add-Member -NotePropertyName playbookName -NotePropertyValue $playbookName -Force
}

return $_.properties
$return += $_.properties
}
return $return
}
}
else {
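Review bot: the rewrite drops the `Write-Verbose "Unable to find Rule: $rule"` branch from both the `-RuleName` and `-Kind` paths, so a misspelled rule name now returns nothing with no diagnostic at all; count the matches per `$rule` and emit the verbose message when the count is zero. The default branch (`$alertRules.value | ForEach-Object { ...`) also still omits the `etag` NoteProperty that the other two branches add, so the returned objects differ in shape depending on how the rule was selected, which bites any caller that passes the etag back on an update. The `-Kind` path is genuinely fixed here: it used to resolve the playbook only for `($temp.name)[0]` and stamp that name on every rule of the kind, whereas it now resolves per rule. Since the Add-Member / playbook block is now repeated three times, one small inner function taking a rule object and `$SkipPlaybook` would keep the three paths from drifting again. Finally, with `-SkipPlaybook` the `playbookName` property is absent rather than empty, which should be mentioned in the help text for callers that test for the property's existence.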
22 changes: 17 additions & 5 deletions AzSentinel/Public/Get-AzSentinelAlertRuleTemplates.ps1
@@ -61,7 +61,7 @@ function Get-AzSentinelAlertRuleTemplates {
Write-Verbose -Message "Using URI: $($uri)"

try {
$alertRulesTemplates = Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader
$alertRulesTemplates = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader).value
}
catch {
Write-Verbose $_
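Review bot: taking `.value` straight off the response discards the rest of the envelope, including any `nextLink`; if this endpoint pages its results the way the playbook and incident endpoints did (see the "Handle nextLink" entries earlier in this release), only the first page of templates is returned. Either keep the full response and follow `nextLink` as those fixes do, or state in the help that only the first page is read. Also, if `Invoke-RestMethod` throws, `$alertRulesTemplates` is never assigned and the `if ($alertRulesTemplates)` check below quietly returns an empty array; the visible part of the `catch` only does `Write-Verbose $_`, so make sure the error actually reaches the caller.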
@@ -70,16 +70,28 @@ function Get-AzSentinelAlertRuleTemplates {

$return = @()

if ($alertRulesTemplates.value) {
Write-Verbose "Found $($alertRulesTemplates.value.count) Alert rules templates"
if ($alertRulesTemplates) {
Write-Verbose "Found $($alertRulesTemplates.count) Alert rules templates"

if ($Kind) {
foreach ($item in $Kind) {
$return += $alertRulesTemplates.value | Where-Object Kind -eq $item
$alertRulesTemplates | Where-Object Kind -eq $item | ForEach-Object {
$_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force
$_.properties | Add-Member -NotePropertyName id -NotePropertyValue $_.id -Force
$_.properties | Add-Member -NotePropertyName kind -NotePropertyValue $_.kind -Force

$return += $_.properties
}
}
}
else {
$return += $alertRulesTemplates.value
$alertRulesTemplates | ForEach-Object {
$_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force
$_.properties | Add-Member -NotePropertyName id -NotePropertyValue $_.id -Force
$_.properties | Add-Member -NotePropertyName kind -NotePropertyValue $_.kind -Force

$return += $_.properties
}
}

return $return
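Review bot: the three `Add-Member` calls plus `$return += $_.properties` are duplicated verbatim in the `if ($Kind)` and `else` branches; filter first and loop once, e.g. `$selected = if ($Kind) { $alertRulesTemplates | Where-Object Kind -in $Kind } else { $alertRulesTemplates }` followed by a single `ForEach-Object`, so the flattening cannot diverge between branches. Note too that the output shape changes here from the raw template objects to their `.properties` with name/id/kind folded in, which breaks any caller that still reads `$template.properties.displayName`; the commit message should call that out as a breaking change.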