Update module to v0.5.0 and introduce new functions
Showing
24 changed files
with
1,898 additions
and
289 deletions.
@@ -0,0 +1,70 @@ | ||
function Get-LogAnalyticWorkspace { | ||
<# | ||
.SYNOPSIS | ||
Get log analytic workspace | ||
.DESCRIPTION | ||
This function is used by other function for getting the workspace infiormation and seting the right values for $script:workspace and $script:baseUri | ||
.PARAMETER SubscriptionId | ||
Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used | ||
.PARAMETER workspace | ||
Enter the Workspace name | ||
.PARAMETER FullObject | ||
If you want to return the full object data | ||
.EXAMPLE | ||
Get-LogAnalyticWorkspace -WorkspaceName "pkm02" | ||
This example will get the Workspace and set workspace and baseuri param on Script scope level | ||
.EXAMPLE | ||
Get-LogAnalyticWorkspace -WorkspaceName "" -FullObject | ||
This example will get the Workspace ands return the full data object | ||
.EXAMPLE | ||
Get-LogAnalyticWorkspace -SubscriptionId "" -WorkspaceName "" | ||
This example will get the workspace info from another subscrion than your "Azcontext" subscription | ||
.NOTES | ||
NAME: Get-LogAnalyticWorkspace | ||
#> | ||
param ( | ||
[Parameter(Mandatory = $false)] | ||
[ValidateNotNullOrEmpty()] | ||
[string] $SubscriptionId, | ||
|
||
[Parameter(Mandatory)] | ||
[ValidateNotNullOrEmpty()] | ||
[string]$WorkspaceName, | ||
|
||
[Parameter(Mandatory = $false)] | ||
[ValidateNotNullOrEmpty()] | ||
[Switch]$FullObject | ||
) | ||
|
||
begin { | ||
precheck | ||
} | ||
|
||
process { | ||
if ($SubscriptionId) { | ||
Write-Verbose "Getting Worspace from Subscription $($subscriptionId)" | ||
$uri = "https://management.azure.com/subscriptions/$($subscriptionId)/providers/Microsoft.OperationalInsights/workspaces?api-version=2015-11-01-preview" | ||
} | ||
elseif ($script:subscriptionId) { | ||
Write-Verbose "Getting Worspace from Subscription $($script:subscriptionId)" | ||
$uri = "https://management.azure.com/subscriptions/$($script:subscriptionId)/providers/Microsoft.OperationalInsights/workspaces?api-version=2015-11-01-preview" | ||
} | ||
else { | ||
Write-Error "No SubscriptionID provided" -ErrorAction Stop | ||
} | ||
|
||
$workspaces = Invoke-webrequest -Uri $uri -Method get -Headers $script:authHeader | ||
$workspaceObject = ($workspaces.Content | ConvertFrom-Json).value | Where-Object { $_.name -eq $WorkspaceName } | ||
|
||
if ($workspaceObject) { | ||
$Script:workspace = ($workspaceObject.id).trim() | ||
$script:baseUri = "https://management.azure.com$($Script:workspace)" | ||
if ($FullObject) { return $workspaceObject } | ||
Write-Verbose ($workspaceObject | Format-List | Format-Table | Out-String) | ||
Write-Verbose "Found Workspace $WorkspaceName in RG $($workspaceObject.id.Split('/')[4])" | ||
} | ||
else { | ||
Write-Error "Unable to find worrkspace $WorkspaceName under Subscription Id: $($script:subscriptionId)" -ErrorAction Stop | ||
} | ||
} | ||
} |
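Review bot: The failure message in the final `else` of `process` always prints `$script:subscriptionId`, so when the caller passed `-SubscriptionId` (the first branch of the `if`) the message names a different or empty subscription than the one actually queried. Capturing the chosen id once — `$subId = if ($SubscriptionId) { $SubscriptionId } else { $script:subscriptionId }` — and using `$subId` in both the URI and `Write-Error "Unable to find workspace $WorkspaceName under Subscription Id: $subId"` keeps them in step. The `.PARAMETER workspace` help entry does not match the actual parameter name `WorkspaceName`, so Get-Help will not attach it to the parameter. The `Format-List | Format-Table | Out-String` chain in the verbose output is contradictory; a single formatter is enough. The list call reads only the first page of the response; if the API returns a `nextLink` for subscriptions with many workspaces the target may be missed, which is worth confirming for the API version used here.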
@@ -0,0 +1,95 @@ | ||
#requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'} | ||
#requires -module @{ModuleNAme = 'powershell-yaml'; ModuleVersion = '0.4.0'} | ||
#requires -version 6.0 | ||
|
||
using module Az.Accounts | ||
|
||
function Get-AzSentinelAlertRule { | ||
<# | ||
.SYNOPSIS | ||
Manage Azure Sentinal Alert Rules | ||
.DESCRIPTION | ||
With this function you can get the configuration of the Azure Sentinel Alert rule from Azure Sentinel | ||
.PARAMETER SubscriptionId | ||
Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used | ||
.PARAMETER WorkspaceName | ||
Enter the Workspace name | ||
.PARAMETER RuleName | ||
Enter the name of the Alert rule | ||
.EXAMPLE | ||
Get-AzSentinelAlertRule -WorkspaceName "" -RuleName "","" | ||
In this example you can get configuration of multiple alert rules in once | ||
#> | ||
|
||
[cmdletbinding(SupportsShouldProcess)] | ||
param ( | ||
[Parameter(Mandatory = $false, | ||
ParameterSetName = "Sub")] | ||
[ValidateNotNullOrEmpty()] | ||
[string] $SubscriptionId, | ||
|
||
[Parameter(Mandatory)] | ||
[ValidateNotNullOrEmpty()] | ||
[string]$WorkspaceName, | ||
|
||
[Parameter(Mandatory = $false, | ||
ValueFromPipeline)] | ||
[ValidateNotNullOrEmpty()] | ||
[string[]]$RuleName | ||
) | ||
|
||
begin { | ||
precheck | ||
} | ||
|
||
process { | ||
switch ($PsCmdlet.ParameterSetName) { | ||
Sub { | ||
$arguments = @{ | ||
WorkspaceName = $WorkspaceName | ||
SubscriptionId = $SubscriptionId | ||
} | ||
} | ||
default { | ||
$arguments = @{ | ||
WorkspaceName = $WorkspaceName | ||
} | ||
} | ||
} | ||
Get-LogAnalyticWorkspace @arguments | ||
|
||
$uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules?api-version=2019-01-01-preview" | ||
Write-Verbose -Message "Using URI: $($uri)" | ||
$alertRules = Invoke-webrequest -Uri $uri -Method get -Headers $script:authHeader | ||
Write-Verbose "Found $((($alertRules.Content | ConvertFrom-Json).value).count) Alert rules" | ||
$return = @() | ||
|
||
if ($alertRules) { | ||
if ($RuleName.Count -ge 1) { | ||
foreach ($rule in $RuleName) { | ||
[PSCustomObject]$temp = ($alertRules.Content | ConvertFrom-Json).value | Where-Object { $_.properties.displayName -eq $rule } | ||
if ($null -ne $temp) { | ||
$temp.properties | Add-Member -NotePropertyName name -NotePropertyValue $temp.name -Force | ||
$temp.properties | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force | ||
$temp.properties | Add-Member -NotePropertyName id -NotePropertyValue $temp.id -Force | ||
|
||
$return += $temp.properties | ||
} | ||
else { | ||
Write-Error "Unable to find Rule: $rule" | ||
} | ||
} | ||
return $return | ||
} | ||
else { | ||
($alertRules.Content | ConvertFrom-Json).value | ForEach-Object { | ||
$_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force | ||
return $_.properties | ||
} | ||
} | ||
} | ||
else { | ||
Write-Warning "No rules found on $($WorkspaceName)" | ||
} | ||
} | ||
} |
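Review bot: The `else` branch that warns `No rules found` is unreachable for an empty rule set, because `$alertRules` is the `Invoke-WebRequest` response object and is truthy on any 2xx reply; an empty `value` array silently yields nothing instead. Testing the parsed list (`$rules = ($alertRules.Content | ConvertFrom-Json).value`, then `if ($rules)`) fixes that and also removes the three repeated `ConvertFrom-Json` parses of the same body. The unfiltered branch adds only `name` to each `properties` object while the `-RuleName` branch also adds `etag` and `id`, so callers get a different shape depending on whether they filtered; the rewrite below aligns the two. `[cmdletbinding(SupportsShouldProcess)]` is declared but `$PSCmdlet.ShouldProcess` is never called, so `-WhatIf` is accepted and ignored on a read-only cmdlet; dropping `SupportsShouldProcess` is clearer.
```powershell
$alertRules = Invoke-webrequest -Uri $uri -Method get -Headers $script:authHeader
# Parse once; the response object is truthy on any 2xx, so test the parsed list instead.
$rules = ($alertRules.Content | ConvertFrom-Json).value
Write-Verbose "Found $($rules.count) Alert rules"
$return = @()

if ($rules) {
    if ($RuleName.Count -ge 1) {
        foreach ($rule in $RuleName) {
            [PSCustomObject]$temp = $rules | Where-Object { $_.properties.displayName -eq $rule }
            # … unchanged: Add-Member name/etag/id, $return += $temp.properties, Write-Error …
        }
        return $return
    }
    else {
        $rules | ForEach-Object {
            $_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force
            $_.properties | Add-Member -NotePropertyName etag -NotePropertyValue $_.etag -Force
            $_.properties | Add-Member -NotePropertyName id -NotePropertyValue $_.id -Force
            $_.properties
        }
    }
}
# … unchanged: else { Write-Warning "No rules found on $($WorkspaceName)" } …
```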