Advanced-Threat-Analytics.psm1

# Implement your module commands in this script.
#ATA PowerShell Module
#Required Version ATA 1.8+
#Author: Mike Kassis
#Disclaimer: This is an open source community project and is not part of the ATA product.

#region Global Variables
#If localhost does not resolve to the ATA Center, you will need to change this variable to your ATA Center URL.
#Example: $ATACenter = "atacenter.mydomain.com"
$ATACenter = "localhost"
#endregion

#region Use this for Self-Signed Certs

#Credit to railroadmanuk for this code. https://virtualbrakeman.wordpress.com/2016/03/20/powershell-could-not-create-ssltls-secure-channel/
function Resolve-ATASelfSignedCert {
    try {
        Add-Type -TypeDefinition @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy
{
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem)
{
return true;
}
}
"@

    }
    catch {
        Write-Error $_
    }
    [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
}
Resolve-ATASelfSignedCert
#endregion

#region ----CMDLETS----
#region Get-ATASuspiciousActivity
<#
.Synopsis
    Get-ATASuspiciousActivity is used to retrieve suspicious activities triggered in ATA.
.DESCRIPTION
    Running just Get-ATASuspiciousActivity will return a full listing of all SA's. You may also pass in a unique SA ID to fetch information around a single SA. The 'Profile' switch may be used to get more information around the context of the attack.
.EXAMPLE
    Get-ATASuspiciousActivity


    WindowsEventId : 2007
    ExclusionUniqueEntityId : computer 10.1.2.7
    SourceComputerId : computer 10.1.2.7
    DestinationComputerIds : {ff336d33-81f4-458c-b70b-33f0070ffb20}
    RelatedUniqueEntityIds : {computer 10.1.2.7, ff336d33-81f4-458c-b70b-33f0070ffb20}
    IsAdditionalDataAvailable : False
    SystemCreationTime : 2017-04-17T23:16:49.6943463Z
    SystemUpdateTime : 2017-05-18T16:22:08.9346648Z
    ReasonKey : DnsReconnaissanceSuspiciousActivityReason
    EvidenceKeys : {}
    HasDetails : True
    RelatedActivityCount : 1
    SourceIpAddresses : {10.1.2.7}
    Id : 58f54ce12aaea50ff89b38a7
    StartTime : 2017-04-17T23:16:33.4600665Z
    EndTime : 2017-04-17T23:16:33.4600665Z
    Severity : Medium
    Status : Open
    StatusUpdateTime : 2017-05-18T16:22:08.9346648Z
    TitleKey : DnsReconnaissanceSuspiciousActivityTitle
    DescriptionFormatKey : DnsReconnaissanceSuspiciousActivityDescription
    DescriptionDetailFormatKeys : {}
    Type : DnsReconnaissanceSuspiciousActivity

    The above command retrieves a listing of all Suspicious Activities.

.EXAMPLE
    Get-ATASuspiciousActivity -Id 58f54ce12aaea50ff89b38a7 -Details


    Query : contoso.com
    RecordType : Axfr
    ResponseCode : ConnectionRefused
    AttemptCount : 1
    DestinationComputerIds : {ff336d33-81f4-458c-b70b-33f0070ffb20}
    StartTime : 2017-04-17T23:16:33.4600665Z
    EndTime : 2017-04-17T23:16:33.4600665Z

    The above example retrieves the details around a specified suspicious activity.

.EXAMPLE
    Get-ATASuspiciousActivity -Id 58f54ce12aaea50ff89b38a7 -Export C:\Temp

    The above example downloads the Excel file for the specified suspicious activity to the C:\Temp folder.
#>

function Get-ATASuspiciousActivity {
    [CmdletBinding()]
    Param
    (
        # Unique Id of Suspicious Activity.
        [Parameter(Mandatory = $false,
            ValueFromPipelineByPropertyName = $true,
            ParameterSetName = 'Fetch')]
        [ValidatePattern('^[a-f0-9]{24}$')]
        [string]$Id,

        # Retrieves more details for the suspicious activity, such as time, query, attempts, result, response, etc.
        [Parameter(Mandatory = $false,
            ParameterSetName = 'Fetch')]
        [switch]$Details,

        # Downloads the suspicious activity Excel export to the specified folder path. Example: 'C:\temp'
        [Parameter(Mandatory = $false,
            ParameterSetName = 'Fetch')]
        [string]$Export
    )
    begin {
        if ($Details -and $Excel) {Write-Error "You may not select both 'Excel' and 'Details' switch parameters."}
    }
    Process {
        if ($PSCmdlet.ParameterSetName -eq 'Fetch' -and !$Details -and !$Export) {
            $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/suspiciousActivities/$id" -Method Get -UseDefaultCredentials
            $result
        }
        if ($PSCmdlet.ParameterSetName -eq 'Fetch' -and $Details) {
            $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/suspiciousActivities/$id/details" -Method Get -UseDefaultCredentials
            $result.DetailsRecords
        }
        if ($Details -and !$Id) {
            Write-Error "You must specify a suspicious activity ID when using the 'details' switch."
        }
        if ($PSCmdlet.ParameterSetName -eq 'Fetch' -and $Export) {
            try {
                $ExcelFilePath = $Export + "/SA_$Id" + '.xlsx'
                $ExcelLocale = 'excel?localeId=en-us'
                $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/suspiciousActivities/$Id/$ExcelLocale" -OutFile $ExcelFilePath -Method Get -UseDefaultCredentials
                $result
            }
            catch {
                $_
            }
        }
        if ($PSCmdlet.ParameterSetName -ne 'Fetch') {
            $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/suspiciousActivities" -Method Get -UseDefaultCredentials
            $result
        }
    }
    end {
    }
}
#endregion
#region Set-ATASuspiciousActivity
<#
.Synopsis
    Set-ATASuspiciousActivity is used to update the status of a suspcious activity.
.DESCRIPTION
    This cmdlet requires a suspicious activity ID and a status. Available status types are Open, Closed, and Suppressed.
.EXAMPLE
    Set-ATASuspiciousActivity -Id 58f54ce12aaea50ff89b38a7 -Status Closed; Get-ATASuspiciousActivity | select Id, Status | ft

    Id Status
    -- ------
    58f54ce12aaea50ff89b38a7 Closed

    The above command sets the specified Suspicious Activity to a Closed state, then displays the current status for the SA.
#>

function Set-ATASuspiciousActivity {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    Param
    (
        # Unique Id of the Suspicious Activity
        [Parameter(Mandatory = $true,
            ValueFromPipelineByPropertyName = $true,
            ParameterSetName = 'Fetch')]
        [ValidatePattern('^[a-f0-9]{24}$')]
        [string]$Id,

        # The specified status to update the Suspicious Activity. (Open, Closed, Suppressed)
        [Parameter(Mandatory = $false,
            ValueFromPipelineByPropertyName = $true,
            ParameterSetName = 'Fetch')]
        [ValidateSet('Open', 'Closed', 'CloseAndExclude', 'Suppressed', 'Delete', 'DeleteSameType')]
        [string]$Status,

        # Suppress 'Confirm' dialogue
        [Parameter(Mandatory = $false,
            ValueFromPipelineByPropertyName = $false)]
        [switch]$Force
    )
    Process {
        if ($PSCmdlet.ParameterSetName -eq 'Fetch' -and $Status -ne 'Delete' -and $Status -ne 'DeleteSameType') {
            if ($Force -or $PSCmdlet.ShouldProcess($Id, "Changing status to $Status")) {
                $body = @{}
                if ($Status) {$body += @{Status = $Status}
                }
                if ($Status -eq 'Closed') {$body += @{ShouldExclude = $false}
                }
                if ($Status -eq 'CloseAndExclude') {$body += @{ShouldExclude = $true}
                }
                $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/suspiciousActivities/$id" -Method Post -Body $body -UseDefaultCredentials
            }
        }

        if ($PSCmdlet.ParameterSetName -eq 'Fetch' -and $Status -eq 'Delete') {
            if ($Force -or $PSCmdlet.ShouldProcess($Id, "Changing status to $Status")) {
                $ShouldDelete = '?shouldDeleteSameType=false'
                $body = @{}
                $body += @{shouldDeleteSametype = $false}
                $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/suspiciousActivities/$id$ShouldDelete" -Method Delete -UseDefaultCredentials
            }
        }

        if ($PSCmdlet.ParameterSetName -eq 'Fetch' -and $Status -eq 'DeleteSameType' -and $PSCmdlet.ShouldProcess($Id, "Changing status to $Status")) {
            if ($Force -or $PSCmdlet.ShouldProcess($Id, "Changing status to $Status")) {
                $ShouldDelete = '?shouldDeleteSameType=true'
                $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/suspiciousActivities/$id$ShouldDelete" -Method Delete -UseDefaultCredentials
            }
        }
    }
    end {
        $result
    }
}
#endregion
#region Get-ATAStatus
<#
.Synopsis
    Get-ATAStatus retrieves status information for ATA.
.DESCRIPTION
    This cmdlet displays a wide range of information around your current ATA Center components, such as the Center, Gateways, and License.
.EXAMPLE
    Get-ATAStatus -Center | Select -ExpandProperty Configuration

    AbnormalBehaviorDetectorConfiguration : @{BuildModelsConfiguration=; CreateSuspiciousActivitiesConfiguration=;
                                                                                     MinActiveAccountCount=50; SuspiciousActivityCreationDataMaxCount=1000;
                                                                                     BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    AbnormalKerberosDetectorConfiguration : @{ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[];
                                                                                     BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    AbnormalSensitiveGroupMembershipChangeDetectorConfiguration : @{LearningPeriod=70.00:00:00; ExcludedSourceAccountIds=System.Object[];
                                                                                     BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    AbnormalSmbDetectorConfiguration : @{OperationRetentionPeriod=00:03:00; RemoveOldOperationsConfiguration=;
                                                                                     ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[];
                                                                                     BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    AbnormalVpnDetectorConfiguration : @{ProfileCommonGeolocationsAndCarriesAsyncConfiguration=; BlockConfiguration=;
                                                                                     IsEnabled=True; UpsertProfileConfiguration=}
    AccountEnumerationDetectorConfiguration : @{ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[];
                                                                                     BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    ActivityProcessorConfiguration : @{ActivityBlockConfiguration=; ActivityPostponeBlockConfiguration=;
                                                                                     PostponedActivityBlockConfiguration=}
    ActivitySimulatorConfiguration : @{DatabaseServerEndpoint=; DelayInterval=00:00:15; SimulationState=Disabled}
    AppDomainManagerConfiguration : @{GcCollectConfiguration=; UpdateExceptionStatisticsConfiguration=}
    BruteForceDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    CenterTelemetryManagerConfiguration : @{IsEnabled=True; ServiceUrl=https://dc.applicationinsights.microsoft.com/v2/track;
                                                                                     ClientInstrumentationKey=fd3f5bd1-3d71-44a3-9209-d94633544903; ClientBufferMaxSize=450;
                                                                                     ClientSendInterval=00:10:00; UnsentTelemetrySampleInterval=01:00:00;
                                                                                     UnsentTelemetryRetentionPeriod=7.00:00:00; SendSystemTelemetryConfiguration=;
                                                                                     SendPerformanceCounterTelemetryConfiguration=; SendAlertTelemetryConfiguration=;
                                                                                     SendExceptionStatisticsTelemetryConfiguration=; SendUnsentTelemetriesConfiguration=;
                                                                                     UnsentTelemetryBatchSize=20}
    CenterWebApplicationConfiguration : @{ServiceListeningIpEndpoint=; CommunicationCookieExpiration=00:20:00}
    CenterWebClientConfiguration : @{RetryDelay=00:00:01; ServiceEndpoints=System.Object[];
                                                                                     ServiceCertificateThumbprints=System.Object[]}
    ComputerPreauthenticationFailedDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    ConfigurationManagerConfiguration : @{UpdateConfigurationConfiguration=}
    DatabaseConfiguration : @{ServerEndpoint=; ClientConnectTimeout=00:00:30; ClientServerSelectionTimeout=00:00:30;
                                                                                     ConnectionPoolMaxSize=100; WaitQueueSize=1000; ActivityBlockConfiguration=;
                                                                                     BackupSystemProfileMaxCount=10; CappedActivityCollectionHighActivityMaxCount=50000000;
                                                                                     CappedActivityCollectionLowActivityMaxCount=1000000;
                                                                                     CappedActivityCollectionUpdateCurrentCollectionActivityCountConfiguration=;
                                                                                     DataDriveFreeSpaceCriticalPercentage=0.05; DataDriveFreeSpaceCriticalSize=50 GB;
                                                                                     DataDriveFreeSpaceLowPercentage=0.2; DataDriveFreeSpaceLowSize=200 GB;
                                                                                     WorkingSetPercentage=0.25; LogFileMaxSize=50 MB; LogFileMaxCount=10;
                                                                                     BackupSystemProfileConfiguration=; DeleteOldCappedCollectionsConfiguration=;
                                                                                     MonitorDatabaseConfiguration=}
    DetectionConfiguration : @{AlertConfiguration=; NotificationVerbosity=Low}
    DirectoryServicesReplicationDetectorConfiguration : @{OperationRetentionPeriod=00:03:00; RemoveOldOperationsConfiguration=;
                                                                                     ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[];
                                                                                     BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    DnsReconnaissanceDetectorConfiguration : @{ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[];
                                                                                     BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    EncryptedTimestampEncryptionDowngradeDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    EntityProfilerConfiguration : @{UpdateDetectionProfileConfiguration=;
                                                                                     UpdateDirectoryServicesTrafficSystemProfileConfiguration=;
                                                                                     EventActivityBlockConfiguration=; NetworkActivityBlockConfiguration=}
    EntityReceiverConfiguration : @{ActivitiesDroppingEnabled=False; EntityBatchBlockConfiguration=;
                                                                                     EntityBatchBlockSizeAccumulationQueueConfiguration=; GatewayInactivityTimeout=00:15:00}
    EnumerateSessionsDetectorConfiguration : @{OperationRetentionPeriod=00:03:00; RemoveOldOperationsConfiguration=;
                                                                                     ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[];
                                                                                     BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    ExternalIpAddressResolverConfiguration : @{CacheConfiguration=; FailedResolutionsAccumulationQueueConfiguration=}
    ForgedPacDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    GoldenTicketDetectorConfiguration : @{KerberosTicketLifetime=10:00:00; ExcludedSourceAccountIds=System.Object[];
                                                                                     BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    HoneytokenActivityDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    HttpClientConfiguration : @{BufferMaxSize=128 MB; Timeout=00:10:00}
    IntelligenceProxyConfiguration : @{ConnectionLimit=50; WebClientConfiguration=}
    LdapBruteForceDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    LdapCleartextPasswordDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    LoadSimulatorRecorderConfiguration : @{IsEnabled=False; UniqueEntityBatchBlockConfiguration=; EntityBatchBlockConfiguration=;
                                                                                     FileSegmentSize=5 MB}
    LocalizerConfiguration : @{LocaleId=en-us}
    MailClientConfiguration : @{IsEnabled=False; From=; ServerEndpoint=; ServerSslEnabled=False;
                                                                                     ServerSslAcceptAnyServerCertificate=False; AuthenticationEnabled=False;
                                                                                     AuthenticationAccountName=; AuthenticationAccountPasswordEncrypted=}
    MassiveObjectDeletionDetectorConfiguration : @{DetectMassiveObjectDeletionConfiguration=; BlockConfiguration=; IsEnabled=True;
                                                                                     UpsertProfileConfiguration=}
    MemoryStreamPoolConfiguration : @{BlockSize=128 KB; LargeBlockMultipleSize=1 MB; BufferMaxSize=128 MB}
    MonitoringClientConfiguration : @{AlertConfiguration=; MonitoringAlertTypeNameToIsEnabledMapping=;
                                                                                     RenotificationInterval=7.00:00:00}
    MonitoringEngineConfiguration : @{CenterNotReceivingTrafficTimeout=01:00:00; GatewayInactivityTimeout=00:05:00;
                                                                                     GatewayStartFailureTimeout=00:30:00; MonitoringAlertExpiration=30.00:00:00;
                                                                                     DeleteOldMonitoringAlertsConfiguration=; MonitoringCycleConfiguration=}
    NetworkActivityProcessorConfiguration : @{ParentKerberosResponseTicketHashKeyToParentKerberosDataMappingConfiguration=;
                                                                                     SaveParentKerberosBloomFiltersConfiguration=}
    NotificationEngineConfiguration : @{NotificationCycleConfiguration=}
    PassTheHashDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    PassTheTicketDetectorConfiguration : @{HandleInvisibleSuspiciousActivitiesConfiguration=;
                                                                                     ValidateInvisibleSuspiciousActivitiesTimeout=02:00:00;
                                                                                     ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[];
                                                                                     BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    RemoteExecutionDetectorConfiguration : @{OperationRetentionPeriod=00:03:00; RemoveOldOperationsConfiguration=;
                                                                                     ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[];
                                                                                     BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    ReporterConfiguration : @{ReportTypeToConfigurationMapping=; SendPeriodicReportsConfiguration=}
    RetrieveDataProtectionBackupKeyDetectorConfiguration : @{OperationRetentionPeriod=00:03:00; RemoveOldOperationsConfiguration=;
                                                                                     ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[];
                                                                                     BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    SamrReconnaissanceDetectorConfiguration : @{HandleInvisibleSuspiciousActivitiesConfiguration=; OperationRetentionPeriod=00:03:00;
                                                                                     RemoveOldOperationsConfiguration=; ExcludedSourceComputerIds=System.Object[];
                                                                                     ExcludedSubnets=System.Object[]; BlockConfiguration=; IsEnabled=True;
                                                                                     UpsertProfileConfiguration=}
    SecretManagerConfiguration : @{CertificateThumbprint=217562C96ECAF3A574303629848640F556A253FB}
    ServiceSystemProfileConfiguration : @{Id=58f53fded8c26706b8ebb122}
    SoftwareUpdaterConfiguration : @{IsEnabled=True; IsGatewayAutomaticSoftwareUpdateEnabled=True;
                                                                                     IsLightweightGatewayAutomaticRestartEnabled=False;
                                                                                     MicrosoftUpdateCategoryId=6ac905a5-286b-43eb-97e2-e23b3848c87d;
                                                                                     CheckSoftwareUpdatesConfiguration=}
    SourceAccountSupportedEncryptionTypesEncryptionDowngradeDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    SourceComputerSupportedEncryptionTypesEncryptionDowngradeDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    SyncManagerConfiguration : @{UpdateClientsConfiguration=}
    SyslogClientConfiguration : @{IsEnabled=False; ServerEndpoint=; ServerTransport=Udp;
                                                                                     ServerTransportTimeout=00:00:10; Serializer=Rfc5424}
    TgtEncryptionDowngradeDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=}
    UniqueEntityCacheConfiguration : @{CacheConfiguration=}
    UniqueEntityProcessorConfiguration : @{HoneytokenAccountIds=System.Object[]; UniqueEntityBlockParallelismDegree=100;
                                                                                     UpdateSecurityPrincipalsSensitivityConfiguration=;
                                                                                     GetHighFunctionalityDomainControlerIdsConfiguration=;
                                                                                     GetHoneytokenAccountIdsConfiguration=}
    UniqueEntityProfileCacheConfiguration : @{CacheConfiguration=; UniqueEntityProfileBlockConfiguration=;
                                                                                     StoreUniqueEntityProfilesConfiguration=}
    UserAccountClusterDetectorConfiguration : @{ClusterUserAccountsConfiguration=}
    WindowsEventLogClientConfiguration : @{IsEnabled=True}

    The above command retrieves the current configuration for the ATA Center.

.EXAMPLE
    Get-ATAStatus -Gateway | Select ServiceStatus, Status, Version, NetBiosName | fl

    ServiceStatus : Stopped
    Status : StartFailure
    Version : 1.8.6229.4854
    NetbiosName : 2012R2-DC1

    The above example retrieves a list of information for all gateways and displays the ServiceStatus, Status, Version, and NetBiosName of the server.
#>

function Get-ATAStatus {
    [CmdletBinding()]
    Param
    (
        # Retrieves ATA Center status information.
        [Parameter(Mandatory = $false,
            ValueFromPipelineByPropertyName = $true,
            ParameterSetName = 'Center')]
        [switch]$Center,
        # Retrieves ATA Gateway status information.
        [Parameter(Mandatory = $false,
            ValueFromPipelineByPropertyName = $true,
            ParameterSetName = 'Gateway')]
        [switch]$Gateway,
        # Retrieves information around the current ATA License.
        [Parameter(Mandatory = $false,
            ValueFromPipelineByPropertyName = $true,
            ParameterSetName = 'License')]
        [switch]$License
    )
    Process {
        if ($Center) {$foo = "center"}
        if ($Gateway) {$foo = "gateways"}
        if ($License) {$foo = "license"}

        $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/systemProfiles/$foo" -Method Get -UseDefaultCredentials
    }
    end {
        $result
    }
}
#endregion
#region Get-ATAMonitoringAlert
<#
.Synopsis
    Get-ATAMonitoringAlert retrieves all health alerts in ATA.
.DESCRIPTION
    This cmdlet is used to retrieve a list of all health alerts in ATA. Filtering of these alerts can be done post-query.
.EXAMPLE
    Get-ATAMonitoringAlert -Status Open | select Id, TitleKey, Severity, Status, StartTime

    Id : 59046d2bb5487a052cd5381e
    TitleKey : GatewayDirectoryServicesClientAccountPasswordExpiryMonitoringAlertTitleNearExpiry
    Severity : Medium
    Status : Open
    StartTime : 2017-04-29T10:38:35.9741496Z

    Id : 5911f086b5487a052c205f69
    TitleKey : GatewayStartFailureMonitoringAlertTitle
    Severity : Medium
    Status : Open
    StartTime : 2017-05-09T16:38:30.5274492Z

    The above example retrieves a list of Open monitoring alerts and displays the Id, TitleKey, Severity, Status, and StartTime for the alerts.
#>

function Get-ATAMonitoringAlert {
    [CmdletBinding()]
    Param
    (
        # Status to update the monitoring alert. (Open, Closed, Suppressed)
        [Parameter(Mandatory = $false,
            ValueFromPipelineByPropertyName = $true,
            ParameterSetName = 'Fetch')]
        [ValidateSet('Open', 'Closed', 'Suppressed')]
        [string]$Status
    )
    Process {
        $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/monitoringAlerts" -Method Get -UseDefaultCredentials
    }
    end {
        if ($Status) {
            $result | Where-Objecthere-Objecthere-Object {$_.status -eq $Status}
        }

        if (!$Status) {
            $result
        }
    }
}
#endregion
#region Set-ATAMonitoringAlert
<#
.Synopsis
    Set-ATAMonitoringAlert is used to update the status for an alert.
.DESCRIPTION
    Updates a Monitoring Alert's status.
.EXAMPLE
    Set-ATAMonitoringAlert -id 5911f086b5487a052c205f69 -Status Closed

    The above example sets a specific Monitoring Alert to Closed
.EXAMPLE
    Get-ATAMonitoringAlert -Status Open | Set-ATAMonitoringAlert -Status Closed}

    The above example gets all Open Monitoring Alerts and sets them as Closed.
#>

function Set-ATAMonitoringAlert {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    Param
    (
        # Unique Id of the Monitoring Alert
        [Parameter(Mandatory = $true,
            ValueFromPipelineByPropertyName = $true,
            ParameterSetName = 'Fetch')]
        [ValidatePattern('^[a-f0-9]{24}$')]
        [string]$Id,

        # Status to update the monitoring alert. (Open, Closed, Suppressed)
        [Parameter(Mandatory = $false,
            ValueFromPipelineByPropertyName = $true,
            ParameterSetName = 'Fetch')]
        [ValidateSet('Open', 'Closed', 'Suppressed')]
        [string]$Status,

        # Suppress 'Confirm' dialogue
        [Parameter(Mandatory = $false,
            ValueFromPipelineByPropertyName = $false)]
        [switch]$Force
    )
    Process {
        if ($PSCmdlet.ParameterSetName -eq 'Fetch') {
            if ($Force -or $PSCmdlet.ShouldProcess($Id, "Changing status to $Status")) {
                $body = @{}
                if ($Status) {$body += @{Status = $Status}
                }
                $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/monitoringAlerts/$id" -Method Post -Body $body -UseDefaultCredentials
            }
        }
    }
    end {
        $result
    }
}
#endregion
#region Get-ATAUniqueEntity
<#
.Synopsis
    Get-ATAUniqueEntity is used to retrieve information around unique entities in ATA.
.DESCRIPTION
    This cmdlet retrieves detialed information around users and computers. The 'Profile' flag can be used to see more detailed information built by ATA.
.EXAMPLE
    Get-ATAUniqueEntity -Id ff336d33-81f4-458c-b70b-33f0070ffb20

    DnsName : 2012R2-DC1.contoso.com
    DomainController : @{IsGlobalCatalog=True; IsPrimary=True; IsReadOnly=False}
    IpAddress :
    IsDomainController : True
    IsServer : True
    OperatingSystemDisplayName : Windows Server 2012 R2 Datacenter, 6.3 (9600)
    SystemDisplayName : 2012R2-DC1
    BadPasswordTime :
    ConstrainedDelegationSpns : {}
    ExpiryTime :
    IsDisabled : False
    IsExpired : False
    IsHoneytoken : False
    IsLocked : False
    IsPasswordExpired : False
    IsPasswordFarExpiry : False
    IsPasswordNeverExpires : False
    IsPasswordNotRequired : False
    IsSmartcardRequired : False
    PasswordExpiryTime :
    PasswordUpdateTime : 2017-04-17T17:59:57.0826645Z
    Spns : {Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/2012R2-DC1.contoso.com, ldap/2012R2-DC1.contoso.com/ForestDnsZones.contoso.com,
                                 ldap/2012R2-DC1.contoso.com/DomainDnsZones.contoso.com, TERMSRV/2012R2-DC1...}
    UpnName :
    Description :
    IsSensitive : True
    SamName : 2012R2-DC1$
    DomainId : 7c915dca-0591-4abe-84c6-2522466bed4d
    CanonicalName : contoso.com/Domain Controllers/2012R2-DC1
    CreationTime : 2017-04-17T17:59:40Z
    DistinguishedName : CN=2012R2-DC1,OU=Domain Controllers,DC=contoso,DC=com
    IsDeleted : False
    IsNew : False
    Sid : S-1-5-21-3599243929-1086515894-1402892407-1001
    SystemSubDisplayName :
    Id : ff336d33-81f4-458c-b70b-33f0070ffb20
    IsPartial : False
    Type : Computer

    The above example retrieves information about the specified unique entity.

.EXAMPLE
    Get-ATAUniqueEntity -Id ff336d33-81f4-458c-b70b-33f0070ffb20 -ParentGroupId | foreach {Get-ATAUniqueEntity -Id $_}

    GroupType : {Global, Security}
    SystemDisplayName : Domain Controllers
    SystemSubDisplayName : All domain controllers in the domain
    Description : All domain controllers in the domain
    IsSensitive : True
    SamName : Domain Controllers
    DomainId : 7c915dca-0591-4abe-84c6-2522466bed4d
    CanonicalName : contoso.com/Users/Domain Controllers
    CreationTime : 2017-04-17T17:59:41Z
    DistinguishedName : CN=Domain Controllers,CN=Users,DC=contoso,DC=com
    IsDeleted : False
    IsNew : False
    Sid : S-1-5-21-3599243929-1086515894-1402892407-516
    Id : 9c7c6002-d192-48e8-99c2-1205cbd5f2c9
    IsPartial : False
    Type : Group

    The above example extracts the parentgroupid from the unique entity and passes it back into Get-ATAUniqueEntity to see the group's information.

.EXAMPLE
    Get-ATASuspiciousActivity | select SourceComputerId | Get-ATAUniqueEntity

    The above example pipes the SourceComputerId property directly into Get-ATAUniqueEntity to retrieve the entity information for the source computer.
#>

function Get-ATAUniqueEntity {
    [CmdletBinding()]
    Param
    (
        # Unique Id of Unique Entity
        [Parameter(Mandatory = $true,
            ValueFromPipelineByPropertyName = $true,
            ParameterSetName = 'Fetch')]
        [Alias('SourceComputerId', 'ExclusionUniqueEntityId')]
        [string]$Id,

        # Retrieves the profile for the unique entity.
        [Parameter(Mandatory = $false,
            ParameterSetName = 'Fetch')]
        [switch]$Profile,

        # Retrieves the parent group Id for the unique entity.
        [Parameter(Mandatory = $false,
            ParameterSetName = 'Fetch')]
        [switch]$ParentGroupId

    )
    begin {
        if ($Profile -and $ParentGroupId) { Write-Error "You may not set both Profile and ParentGroupId."}
    }
    Process {
        if ($Id -and !$Profile -and !$ParentGroupId) {
            $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/uniqueEntities/$Id" -Method Get -UseDefaultCredentials

            $result
        }
        if ($Id -and $Profile) {
            $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/uniqueEntities/$Id/profile" -Method Get -UseDefaultCredentials

            $result
        }
        if ($Id -and $ParentGroupId) {
            $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/uniqueEntities/$Id/parentGroupIds" -Method Get -UseDefaultCredentials

            $result
        }
        if (!$Id -and $Profile) {
            Write-Error "You must specify a unique entity ID when using the 'Profile' switch."
        }
    }
    end {
    }
}
#endregion
#endregion

# Export only the functions using PowerShell standard verb-noun naming.
# Be sure to list each exported functions in the FunctionsToExport field of the module manifest file.
# This improves performance of command discovery in PowerShell.
Export-ModuleMember -Function *-ATA*