Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
!Deploy Release Version 0.6.12 (#126)
* Release '0.6.2' (#31) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * cleaning up * Release Update Incident function (#37) * init release update incident function * cleaning up * updating * updating incident function * code cleanup * Cleaning up and ready for release * updating final docs folder * Release Feature playbook configuration (#33) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * init release for playbook * cleaning up * finishing playbook * adding get alert rule action function * releasing get logic app function * release new- az sen alert action and some codue update * init release playbook function * uppdated gitignore * init release remove azsentinel action rule * fixed compare issue * Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook * updating pester test result * updating readme * updating readme * updated docs and pester test results * restoring version * Fix/smallconflicts (#40) * updating docs * updating examples * updating pipeline * fixing Subscribtion parameter for playbook (#43) * fixing Subscribtion parameter for playbook (#45) * Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50) * fix huntng rule * fixing hunting rule issue * Fix - new-azsentinelalertrule playbook property (#49) * fixing the if statement * fixing the if statement * Feature - get all incidents (#51) * updating get incident * updating get incident function and docs * updating powershell-yaml * updating importmodule error * workaround * removing powershell-yaml depending * fixing logicapp sas token (#52) * Add support for day time periods (#61) * Add missing dot to yml file extension (#59) The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension. * adding support for resource provider in set-azsentinel (#69) * New function for enabling and disabling Alert rules (#71) * init release enable and disable function * adding empty test files * updating return message * New feature change the displayName of an alert (#68) * Release Rename Alert rule function * updating rename function * Handle nextLink for Playbooks (#78) When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents. * adding support for alert aggregation (#65) * adding support for alert aggregation, classes created * updaing classes * updated the class and created first rule wih no error * update class and made import function backwards compatible * small changes * tested with import method * updating new function * checking working code, starting cleanup * updating documentation * updating docs and cleaning up * updating build errors * change pester version * updating pester version * Update groupingConfiguration.ps1 (#87) * Fix bug that causes loss of certain incident properties, add option to set incident description (#91) * Feature - Adding support for all alert rule types (#90) * init release * updating docs Co-authored-by: Khabazi <rob5614@robeco.nl> * New Functionality to get alert rule templates provided by Microsoft (#94) Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> * Update/get az sentinel alert rule templates (#95) * udating Get-AzSentinelAlertRuleTemplates * updated Co-authored-by: Khabazi <rob5614@robeco.nl> * Feature/add az sentinel incident comment (#96) * udating Get-AzSentinelAlertRuleTemplates * updated * fixing playbook issue * Add-AzSentinelIncidentComment * release Co-authored-by: Khabazi <rob5614@robeco.nl> * fixing class error (#99) * updating example files, ncluding multi rule yaml file (#104) * Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102) * fixing return issue * fixing playbook issue * init release Get-AzSentinelDataConnector function (#103) * Fix - get-azsentinelhuntingrule updated get and remove function (#106) * fixing hunitng rule get and remove issue * cleaning up * updating filters * Add filtering by lastModified (#107) * updating AggregationKind class and enum (#111) * Release of Import-AzSentinelDataConnector function (#116) * extra check for Import-AzSentinelDataConnector * fixing class issue (#118) * New function: Export-AzSentinel (#121) * init code * Release Export-AzSentinel and some small fixes/updates * fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122) * updating Get-AzSentinelAlertRule function and docs (#125) Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com>
- Loading branch information
1 parent
b4672df
commit dc83405
Showing
14 changed files
with
573 additions
and
65 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,182 @@ | ||
function Export-AzSentinel { | ||
<# | ||
.SYNOPSIS | ||
Export Azure Sentinel | ||
.DESCRIPTION | ||
With this function you can export Azure Sentinel configuration | ||
.PARAMETER SubscriptionId | ||
Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used | ||
.PARAMETER WorkspaceName | ||
Enter the Workspace name | ||
.PARAMETER Kind | ||
Select what you want to export: Alert, Hunting, Templates or All | ||
.PARAMETER OutputFolder | ||
The Path where you want to export the JSON files | ||
.PARAMETER TemplatesKind | ||
Select which Kind of templates you want to export, if empy all Templates will be exported | ||
.EXAMPLE | ||
Export-AzSentinel -WorkspaceName '' -Path C:\Temp\ -Kind All | ||
In this example you export Alert, Hunting and Template rules | ||
.EXAMPLE | ||
Export-AzSentinel -WorkspaceName '' -Path C:\Temp\ -Kind Templates | ||
In this example you export only the Templates | ||
.EXAMPLE | ||
Export-AzSentinel -WorkspaceName '' -Path C:\Temp\ -Kind Alert | ||
In this example you export only the Scheduled Alert rules | ||
#> | ||
|
||
param ( | ||
[Parameter(Mandatory = $false, | ||
ParameterSetName = "Sub")] | ||
[ValidateNotNullOrEmpty()] | ||
[string] $SubscriptionId, | ||
|
||
[Parameter(Mandatory)] | ||
[ValidateNotNullOrEmpty()] | ||
[string]$WorkspaceName, | ||
|
||
[Parameter(Mandatory)] | ||
[System.IO.FileInfo]$OutputFolder, | ||
|
||
[Parameter(Mandatory, | ||
ValueFromPipeline)] | ||
[ExportType[]]$Kind, | ||
|
||
[Parameter(Mandatory = $false)] | ||
[ValidateNotNullOrEmpty()] | ||
[Kind[]]$TemplatesKind | ||
) | ||
|
||
begin { | ||
precheck | ||
} | ||
|
||
process { | ||
switch ($PsCmdlet.ParameterSetName) { | ||
Sub { | ||
$arguments = @{ | ||
WorkspaceName = $WorkspaceName | ||
SubscriptionId = $SubscriptionId | ||
} | ||
} | ||
default { | ||
$arguments = @{ | ||
WorkspaceName = $WorkspaceName | ||
} | ||
} | ||
} | ||
|
||
$date = Get-Date -Format HHmmss_ddMMyyyy | ||
|
||
<# | ||
Test export path | ||
#> | ||
if (Test-Path $OutputFolder) { | ||
Write-Verbose "Path Exists" | ||
} | ||
else { | ||
try { | ||
$null = New-Item -Path $OutputFolder -Force -ItemType Directory -ErrorAction Stop | ||
} | ||
catch { | ||
$ErrorMessage = $_.Exception.Message | ||
Write-Error $ErrorMessage | ||
Write-Verbose $_ | ||
Break | ||
} | ||
} | ||
|
||
<# | ||
Export Alert rules section | ||
#> | ||
if (($Kind -like 'Alert') -or ($Kind -like 'All')) { | ||
|
||
$rules = Get-AzSentinelAlertRule @arguments | ||
if ($rules) { | ||
$output = @{ | ||
Scheduled = @() | ||
Fusion = @() | ||
MLBehaviorAnalytics = @() | ||
MicrosoftSecurityIncidentCreation = @() | ||
} | ||
$rules.Kind | ForEach-Object { | ||
$output.$_ += $rules | Where-Object kind -eq $_ | ||
} | ||
|
||
try { | ||
$fullPath = "$($OutputFolder)AlertRules_$date.json" | ||
$output | ConvertTo-Json -EnumsAsStrings -Depth 15 | Out-File $fullPath -ErrorAction Stop | ||
Write-Output "Alert rules exported to: $fullPath" | ||
} | ||
catch { | ||
$ErrorMessage = $_.Exception.Message | ||
Write-Error $ErrorMessage | ||
Write-Verbose $_ | ||
Break | ||
} | ||
} | ||
} | ||
|
||
<# | ||
Export Hunting rules section | ||
#> | ||
if (($Kind -like 'Hunting') -or ($Kind -like 'All')) { | ||
$rules = Get-AzSentinelHuntingRule @arguments | ||
|
||
if ($rules) { | ||
$output = @{ | ||
Hunting = @() | ||
} | ||
$output.Hunting += $rules | ||
try { | ||
$fullPath = "$($OutputFolder)HuntingRules_$date.json" | ||
$output | ConvertTo-Json -EnumsAsStrings -Depth 15 | Out-File $fullPath -ErrorAction Stop | ||
Write-Output "Hunting rules exported to: $fullPath" | ||
} | ||
catch { | ||
$ErrorMessage = $_.Exception.Message | ||
Write-Error $ErrorMessage | ||
Write-Verbose $_ | ||
Break | ||
} | ||
} | ||
} | ||
|
||
<# | ||
Export Templates section | ||
#> | ||
if (($Kind -like 'Templates') -or ($Kind -like 'All')) { | ||
|
||
if ($TemplatesKind) { | ||
$templates = Get-AzSentinelAlertRuleTemplates @arguments -Kind $TemplatesKind | ||
} | ||
else { | ||
$templates = Get-AzSentinelAlertRuleTemplates @arguments | ||
} | ||
|
||
if ($templates) { | ||
$output = @{ | ||
Scheduled = @() | ||
Fusion = @() | ||
MLBehaviorAnalytics = @() | ||
MicrosoftSecurityIncidentCreation = @() | ||
} | ||
$templates.Kind | ForEach-Object { | ||
$output.$_ += $templates | Where-Object kind -eq $_ | ||
} | ||
|
||
try { | ||
$fullPath = "$($OutputFolder)Templates_$date.json" | ||
$output | ConvertTo-Json -EnumsAsStrings -Depth 15 | Out-File $fullPath -ErrorAction Stop | ||
Write-Output "Templates xported to: $fullPath" | ||
} | ||
catch { | ||
$ErrorMessage = $_.Exception.Message | ||
Write-Error $ErrorMessage | ||
Write-Verbose $_ | ||
Break | ||
} | ||
} | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.