wortell · pkhabazi · Sep 8, 2019 · Sep 8, 2019
diff --git a/AzSentinel/AzSentinel.psd1 b/AzSentinel/AzSentinel.psd1
@@ -12,7 +12,7 @@
     RootModule = 'AzSentinel.psm1'
 
     # Version number of this module.
-    ModuleVersion = '0.1.0'
+    ModuleVersion = '0.5.0'
 
     # Supported PSEditions
     CompatiblePSEditions = 'Core', 'Desktop'
@@ -79,8 +79,8 @@
 
     # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
     FunctionsToExport = @(
-        'New-AzSentinelAlertRule', 'Set-AzSentinel'
-    )
+        'New-AzSentinelAlertRule', 'Set-AzSentinel', 'Get-AzSentinelAlertRule','Import-AzSentinelAlertRule', 'Remove-AzSentinelAlertRule'
+     )
 
     # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
     CmdletsToExport = @()

diff --git a/AzSentinel/Classes/AlertRule.ps1 b/AzSentinel/Classes/AlertRule.ps1
@@ -13,7 +13,7 @@ class AlertProp {
 
     [Parameter(Mandatory)]
     [ValidateNotNullOrEmpty()]
-    [ValidateSet("Medium" , "High", "Low" , "Informational")]
+    [ValidateSet("Medium", "High", "Low", "Informational")]
     [string] $Severity
 
     [Parameter(Mandatory)]

diff --git a/AzSentinel/Private/Compare-Policy.ps1 b/AzSentinel/Private/Compare-Policy.ps1
@@ -1,16 +1,15 @@
 function Compare-Policy {
     <#
     .SYNOPSIS
-        coming soon
+    Compare PS Objects
     .DESCRIPTION
-        coming soon
+    This function is used for  comparison to see if a rule needs to be updated
     .PARAMETER ReferenceTemplate
-        Coming soon
+    Reference template is the data of the AlertRule as active on Azure
     .PARAMETER DifferenceTemplate
-    Coming soon
+    Difference template is data that is generated and will be uploaded to Azure
     .EXAMPLE
-    Compare-Policy -ReferenceTemplate $ref -DifferenceTemplate $diff
-
+    Compare-Policy -ReferenceTemplate  -DifferenceTemplate
     .NOTES
     NAME: Compare-Policy
     #>

diff --git a/AzSentinel/Private/Get-AuthToken.ps1 b/AzSentinel/Private/Get-AuthToken.ps1
@@ -25,6 +25,8 @@ function Get-AuthToken {
             $azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
             $profileClient = [Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient]::new($azProfile)
             $script:accessToken = $profileClient.AcquireAccessToken($azContext.Subscription.TenantId)
+            $script:subscriptionId = $azContext.Subscription.Id
+            $script:tenantId = $azContext.Tenant.Id
         } else {
             throw 'No subscription available, Please use Connect-AzAccount to login and select the right subscription'
         }

diff --git a/AzSentinel/Private/Get-LogAnalyticWorkspace.ps1 b/AzSentinel/Private/Get-LogAnalyticWorkspace.ps1
@@ -0,0 +1,70 @@
+function Get-LogAnalyticWorkspace {
+    <#
+    .SYNOPSIS
+    Get log analytic workspace
+    .DESCRIPTION
+    This function is used by other function for getting the workspace infiormation and seting the right values for $script:workspace and $script:baseUri
+    .PARAMETER SubscriptionId
+    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
+    .PARAMETER workspace
+    Enter the Workspace name
+    .PARAMETER FullObject
+    If you want to return the full object data
+    .EXAMPLE
+    Get-LogAnalyticWorkspace -WorkspaceName "pkm02"
+    This example will get the Workspace and set workspace and baseuri param on Script scope level
+    .EXAMPLE
+    Get-LogAnalyticWorkspace -WorkspaceName "" -FullObject
+    This example will get the Workspace ands return the full data object
+    .EXAMPLE
+    Get-LogAnalyticWorkspace -SubscriptionId "" -WorkspaceName ""
+    This example will get the workspace info from another subscrion than your "Azcontext" subscription
+    .NOTES
+    NAME: Get-LogAnalyticWorkspace
+    #>
+    param (
+        [Parameter(Mandatory = $false)]
+        [ValidateNotNullOrEmpty()]
+        [string] $SubscriptionId,
+
+        [Parameter(Mandatory)]
+        [ValidateNotNullOrEmpty()]
+        [string]$WorkspaceName,
+
+        [Parameter(Mandatory = $false)]
+        [ValidateNotNullOrEmpty()]
+        [Switch]$FullObject
+    )
+
+    begin {
+        precheck
+    }
+
+    process {
+        if ($SubscriptionId) {
+            Write-Verbose "Getting Worspace from Subscription $($subscriptionId)"
+            $uri = "https://management.azure.com/subscriptions/$($subscriptionId)/providers/Microsoft.OperationalInsights/workspaces?api-version=2015-11-01-preview"
+        }
+        elseif ($script:subscriptionId) {
+            Write-Verbose "Getting Worspace from Subscription $($script:subscriptionId)"
+            $uri = "https://management.azure.com/subscriptions/$($script:subscriptionId)/providers/Microsoft.OperationalInsights/workspaces?api-version=2015-11-01-preview"
+        }
+        else {
+            Write-Error "No SubscriptionID provided" -ErrorAction Stop
+        }
+
+        $workspaces = Invoke-webrequest -Uri $uri -Method get -Headers $script:authHeader
+        $workspaceObject = ($workspaces.Content | ConvertFrom-Json).value | Where-Object { $_.name -eq $WorkspaceName }
+
+        if ($workspaceObject) {
+            $Script:workspace = ($workspaceObject.id).trim()
+            $script:baseUri = "https://management.azure.com$($Script:workspace)"
+            if ($FullObject) { return $workspaceObject }
+            Write-Verbose ($workspaceObject | Format-List | Format-Table | Out-String)
+            Write-Verbose "Found Workspace $WorkspaceName in RG $($workspaceObject.id.Split('/')[4])"
+        }
+        else {
+            Write-Error "Unable to find worrkspace $WorkspaceName under Subscription Id: $($script:subscriptionId)" -ErrorAction Stop
+        }
+    }
+}
diff --git a/AzSentinel/Private/precheck.ps1 b/AzSentinel/Private/precheck.ps1
@@ -1,7 +1,7 @@
 function precheck {
     if ($null -eq $script:accessToken) {
         Get-AuthToken
-    } elseif ([datetime]::UtcNow.AddMinutes(5) -lt $script.accessToken.ExpiresOn.DateTime ) {
+    } elseif ([datetime]::UtcNow.AddMinutes(5) -lt $script:accessToken.ExpiresOn.DateTime ) {
         # if token expires within 5 minutes, request a new one
         Get-AuthToken
     }

diff --git a/AzSentinel/Public/Get-AzSentinelAlertRule.ps1 b/AzSentinel/Public/Get-AzSentinelAlertRule.ps1
@@ -0,0 +1,95 @@
+#requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'}
+#requires -module @{ModuleNAme = 'powershell-yaml'; ModuleVersion = '0.4.0'}
+#requires -version 6.0
+
+using module Az.Accounts
+
+function Get-AzSentinelAlertRule {
+    <#
+    .SYNOPSIS
+    Manage Azure Sentinal Alert Rules
+    .DESCRIPTION
+    With this function you can get the configuration of the Azure Sentinel Alert rule from Azure Sentinel
+    .PARAMETER SubscriptionId
+    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
+    .PARAMETER WorkspaceName
+    Enter the Workspace name
+    .PARAMETER RuleName
+    Enter the name of the Alert rule
+    .EXAMPLE
+    Get-AzSentinelAlertRule -WorkspaceName "" -RuleName "",""
+    In this example you can get configuration of multiple alert rules in once
+    #>
+
+    [cmdletbinding(SupportsShouldProcess)]
+    param (
+        [Parameter(Mandatory = $false,
+            ParameterSetName = "Sub")]
+        [ValidateNotNullOrEmpty()]
+        [string] $SubscriptionId,
+
+        [Parameter(Mandatory)]
+        [ValidateNotNullOrEmpty()]
+        [string]$WorkspaceName,
+
+        [Parameter(Mandatory = $false,
+            ValueFromPipeline)]
+        [ValidateNotNullOrEmpty()]
+        [string[]]$RuleName
+    )
+
+    begin {
+        precheck
+    }
+
+    process {
+        switch ($PsCmdlet.ParameterSetName) {
+            Sub {
+                $arguments = @{
+                    WorkspaceName  = $WorkspaceName
+                    SubscriptionId = $SubscriptionId
+                }
+            }
+            default {
+                $arguments = @{
+                    WorkspaceName = $WorkspaceName
+                }
+            }
+        }
+        Get-LogAnalyticWorkspace @arguments
+
+        $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules?api-version=2019-01-01-preview"
+        Write-Verbose -Message "Using URI: $($uri)"
+        $alertRules = Invoke-webrequest -Uri $uri -Method get -Headers $script:authHeader
+        Write-Verbose "Found $((($alertRules.Content | ConvertFrom-Json).value).count) Alert rules"
+        $return = @()
+
+        if ($alertRules) {
+            if ($RuleName.Count -ge 1) {
+                foreach ($rule in $RuleName) {
+                    [PSCustomObject]$temp = ($alertRules.Content | ConvertFrom-Json).value | Where-Object { $_.properties.displayName -eq $rule }
+                    if ($null -ne $temp) {
+                        $temp.properties | Add-Member -NotePropertyName name -NotePropertyValue $temp.name -Force
+                        $temp.properties | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force
+                        $temp.properties | Add-Member -NotePropertyName id -NotePropertyValue $temp.id -Force
+
+                        $return += $temp.properties
+                    }
+                    else {
+                        Write-Error "Unable to find Rule: $rule"
+                    }
+                }
+                return $return
+            }
+            else {
+                ($alertRules.Content | ConvertFrom-Json).value | ForEach-Object {
+                    $_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force
+                    return $_.properties
+                }
+            }
+        }
+        else {
+            Write-Warning "No rules found on $($WorkspaceName)"
+        }
+    }
+}