Framework/Core/AzureMonitoring/OMSMonitoring.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
Set-StrictMode -Version Latest 

class OMSMonitoring: CommandBase
{
    [string] $OMSSampleViewTemplateFilepath;
    [string] $OMSSearchesTemplateFilepath;
    [string] $OMSAlertsTemplateFilepath;
    [string] $OMSGenericTemplateFilepath;
    
    [string] $OMSLocation;
    [string] $OMSResourceGroup;
    [string] $OMSWorkspaceName;
    [string] $OMSWorkspaceId;
    [string] $ApplicationSubscriptionName

    OMSMonitoring([string] $_omsSubscriptionId,[string] $_omsResourceGroup,[string] $_omsWorkspaceId, [InvocationInfo] $invocationContext): 
        Base([string] $_omsSubscriptionId, $invocationContext) 
    {     
        
            
                    $this.OMSResourceGroup = $_omsResourceGroup
                    $this.OMSWorkspaceId = $_omsWorkspaceId
                    $omsWorkSpaceInstance = Get-AzureRmOperationalInsightsWorkspace | Where-Object {$_.CustomerId -eq "$_omsWorkspaceId" -and $_.ResourceGroupName -eq  "$($this.OMSResourceGroup)"}
                    if($null -eq $omsWorkSpaceInstance)
                    {
                        throw [SuppressedException] "Invalid OMS Workspace."
                    }
                    $this.OMSWorkspaceName = $omsWorkSpaceInstance.Name;
                    $locationInstance = Get-AzureRmLocation | Where-Object { $_.DisplayName -eq $omsWorkSpaceInstance.Location -or  $_.Location -eq $omsWorkSpaceInstance.Location } 
                    $this.OMSLocation = $locationInstance.Location
                
        
    }

    [void] ConfigureOMS([string] $_viewName, [bool] $_validateOnly)    
    {        
        $this.PublishCustomMessage("WARNING: This command will overwrite the existing AzSK Security View that you may have installed using previous versions of AzSK, Please take a backup using 'Export' option available on the OMS portal.`n", [MessageType]::Warning);
        $input = Read-Host "Enter 'Y' to continue and 'N' to skip installation (Y/N)"
        while ($input -ne "y" -and $input -ne "n")
        {
        if (-not [string]::IsNullOrEmpty($input)) {
            $this.PublishCustomMessage(("Please select an appropriate option.`n" + [Constants]::DoubleDashLine), [MessageType]::Warning)
                  
        }
        $input = Read-Host "Enter 'Y' to continue and 'N' to skip installation (Y/N)"
        $input = $input.Trim()
                
        }
        if ($input -eq "y") 
        {
            $this.PublishCustomMessage([Constants]::DoubleDashLine + "`r`nStarted setting up AzSK OMS solution pack`r`n"+[Constants]::DoubleDashLine);
        
            $OptionalParameters = New-Object -TypeName Hashtable

            $OMSLogPath = [Constants]::AzSKTempFolderPath + "\OMS";
            if(-not (Test-Path -Path $OMSLogPath))
            {
                mkdir -Path $OMSLogPath -Force | Out-Null
            }
                    
            $genericViewTemplateFilepath = [ConfigurationManager]::LoadServerConfigFile("AZSK.AM.OMS.GenericView.V2.omsview");                 
            $this.OMSGenericTemplateFilepath = $OMSLogPath+"\AZSK.AM.OMS.GenericView.V2.omsview";
            $genericViewTemplateFilepath | ConvertTo-Json -Depth 100 | Out-File $this.OMSGenericTemplateFilepath
            $this.PublishCustomMessage("`r`nSetting up OMS AzSK generic view.");
            $this.ConfigureGenericView($_viewName, $_validateOnly);            
            $this.PublishCustomMessage([Constants]::SingleDashLine + "`r`nThe OMS view installed contains a basic set of queries over DevOps Kit scan events. Please feel free to customize them once you get familiar with the queries.`r`nWe also periodically publish updated/richer queries at: https://aka.ms/devopskit/omsqueries. `r`n",[MessageType]::Warning);
            $this.PublishCustomMessage([Constants]::SingleDashLine + "`r`nCompleted setting up AzSK OMS solution pack.`r`n"+[Constants]::DoubleDashLine);
        }
        if ($input -eq "n")
        {
            $this.PublishCustomMessage("Skipping installation of AzSK OMS solution pack...`n" , [MessageType]::Info)
            return;
        }
    }

    [void] ConfigureGenericView([string] $_viewName, [bool] $_validateOnly)
    {
        $OptionalParameters = New-Object -TypeName Hashtable

        $OptionalParameters = $this.GetOMSGenericViewParameters($_viewName);
        $this.PublishCustomMessage([MessageData]::new("Starting template deployment for OMS generic view. Detailed logs are shown below."));
        $ErrorMessages = @()
        if ($_validateOnly) {
            $ErrorMessages =@()
                Test-AzureRmResourceGroupDeployment -ResourceGroupName $this.OMSResourceGroup `
                                                    -TemplateFile $this.OMSGenericTemplateFilepath `
                                                    -TemplateParameterObject $OptionalParameters -Verbose
        }
        else {

            $ErrorMessages =@()
            $SubErrorMessages = @()
            New-AzureRmResourceGroupDeployment -Name ((Get-ChildItem $this.OMSGenericTemplateFilepath).BaseName + '-' + ((Get-Date).ToUniversalTime()).ToString('MMdd-HHmm')) `
                                        -ResourceGroupName $this.OMSResourceGroup `
                                        -TemplateFile $this.OMSGenericTemplateFilepath  `
                                        -TemplateParameterObject $OptionalParameters `
                                        -Verbose -Force -ErrorVariable SubErrorMessages
            $SubErrorMessages = $SubErrorMessages | ForEach-Object { $_.Exception.Message.TrimEnd("`r`n") }
            $ErrorMessages += $SubErrorMessages
           
        }
        if ($ErrorMessages)
        {
            "", ("{0} returned the following errors:" -f ("Template deployment", "Validation")[[bool]$_validateOnly]), @($ErrorMessages) | ForEach-Object { $this.PublishCustomMessage([MessageData]::new($_));}
        }
        else
        {
            $this.PublishCustomMessage([MessageData]::new("Completed template deployment for OMS generic view."));            
        }
    }

    [Hashtable] GetOMSGenericViewParameters([string] $_applicationName)
    {
        [Hashtable] $omsParams = $this.GetOMSBaseParameters();
        $omsParams.Add("viewName",$_applicationName);
        return $omsParams;
    }

    [Hashtable] GetOMSBaseParameters()
    {
        [Hashtable] $omsParams = @{};
        $omsParams.Add("omsWorkspaceLocation",$this.OMSLocation);
        $omsParams.Add("omsResourcegroup",$this.OMSResourceGroup);
        $omsParams.Add("omsSubscriptionId",$this.SubscriptionContext.SubscriptionId);
        $omsParams.Add("omsWorkspaceName",$this.OMSWorkspaceName);
        return $omsParams;
    }
    
}