AzSentinel.psm1
|
#requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'} #requires -version 6.2 enum AggregationKind { SingleAlert AlertPerRow } enum CloseReason { TruePositive FalsePositive } enum GroupByEntities { Account Ip Host Url } enum MatchingMethod { All None Custom } enum Severity { Medium High Low Informational } enum Status { New InProgress Closed } enum Tactics { InitialAccess Persistence Execution PrivilegeEscalation DefenseEvasion CredentialAccess LateralMovement Discovery Collection Exfiltration CommandAndControl Impact } enum TriggerOperator { GreaterThan LessThan Equal NotEqual gt lt eq ne } class GroupingConfiguration { [bool]$Enabled [bool]$reopenClosedIncident [string]$lookbackDuration [MatchingMethod]$entitiesMatchingMethod [GroupByEntities[]]$groupByEntities # Convert string to ISO_8601 format PdDThHmMsS static [string] TimeString([string]$value) { $value = $value.ToUpper() # Return values already in ISO 8601 format if ($value -match "PT.*|P.*D") { return $value } # Format day time periods if ($value -like "*D") { return "P$value" } # Format hour and minute time periods if ($value -match ".*[HM]") { return "PT$value" } return $value } groupingConfiguration ($properties) { $this.enabled = $properties.enabled $this.reopenClosedIncident = $properties.reopenClosedIncident $this.lookbackDuration = $properties.lookbackDuration $this.entitiesMatchingMethod = $properties.entitiesMatchingMethod $this.groupByEntities = $properties.groupByEntities } groupingConfiguration ($Enabled, $reopenClosedIncident, $lookbackDuration, $entitiesMatchingMethod, $groupByEntities) { $this.enabled = if ($Enabled) { $null -ne $Enabled } else { $true } $this.reopenClosedIncident = if ($null -ne $reopenClosedIncident) { $reopenClosedIncident } else { $false } $this.lookbackDuration = if ($lookbackDuration) { [groupingConfiguration]::TimeString($lookbackDuration) } else { "PT5H" } $this.entitiesMatchingMethod = if ($entitiesMatchingMethod) { $entitiesMatchingMethod } else { "All" } $this.groupByEntities = if ($groupByEntities) { $groupByEntities } else { @( "Account", "Ip", "Host", "Url" ) } } } class IncidentConfiguration { [bool] $CreateIncident [GroupingConfiguration]$GroupingConfiguration IncidentConfiguration ($CreateIncident, $GroupingConfiguration) { $this.createIncident = if ($null -ne $createIncident) { $createIncident } else { $true } $this.groupingConfiguration = $GroupingConfiguration } } class ScheduledAlertProp { [guid] $Name [string] $DisplayName [string] $Description [Severity] $Severity [bool] $Enabled [string] $Query [string] $QueryFrequency [string] $QueryPeriod [TriggerOperator]$TriggerOperator [Int] $TriggerThreshold [string] $SuppressionDuration [bool] $SuppressionEnabled [Tactics[]] $Tactics [string] $PlaybookName [IncidentConfiguration]$IncidentConfiguration $queryResultsAggregationSettings hidden [AggregationKind]$aggregationKind static [string] TriggerOperatorSwitch([string]$value) { switch ($value) { "gt" { $value = "GreaterThan" } "lt" { $value = "LessThan" } "eq" { $value = "Equal" } "ne" { $value = "NotEqual" } default { $value } } return $value } # Convert string to ISO_8601 format PdDThHmMsS static [string] TimeString([string]$value) { $value = $value.ToUpper() # Return values already in ISO 8601 format if ($value -match "PT.*|P.*D") { return $value } # Format day time periods if ($value -like "*D") { return "P$value" } # Format hour and minute time periods if ($value -match ".*[HM]") { return "PT$value" } return $value } ScheduledAlertProp (){ } ScheduledAlertProp ($Name, $DisplayName, $Description, $Severity, $Enabled, $Query, $QueryFrequency, ` $QueryPeriod, $TriggerOperator, $TriggerThreshold, $suppressionDuration, ` $suppressionEnabled, $Tactics, $PlaybookName, $IncidentConfiguration, $aggregationKind) { $this.name = $Name $this.DisplayName = $DisplayName $this.Description = $Description $this.Severity = $Severity $this.Enabled = $Enabled $this.Query = $Query $this.QueryFrequency = [ScheduledAlertProp]::TimeString($QueryFrequency) $this.QueryPeriod = [ScheduledAlertProp]::TimeString($QueryPeriod) $this.TriggerOperator = [ScheduledAlertProp]::TriggerOperatorSwitch($TriggerOperator) $this.TriggerThreshold = $TriggerThreshold $this.SuppressionDuration = if (($null -eq $suppressionDuration) -or ( $false -eq $suppressionEnabled)) { "PT1H" } else { if ( [ScheduledAlertProp]::TimeString($suppressionDuration) -ge [ScheduledAlertProp]::TimeString($QueryFrequency) ) { [ScheduledAlertProp]::TimeString($suppressionDuration) } else { Write-Error "Invalid Properties for Scheduled alert rule: 'suppressionDuration' should be greater than or equal to 'queryFrequency'" -ErrorAction Stop } } $this.SuppressionEnabled = if ($suppressionEnabled) { $suppressionEnabled } else { $false } $this.Tactics = $Tactics $this.PlaybookName = $PlaybookName $this.IncidentConfiguration = $IncidentConfiguration $this.queryResultsAggregationSettings = @{ aggregationKind = if ($aggregationKind) { $aggregationKind } else { "SingleAlert" } } } } class AlertRule { [guid] $Name [string] $Etag [string]$type [string]$kind [pscustomobject]$Properties [string]$Id AlertRule ($Name, $Etag, $Properties, $Id) { $this.id = $Id $this.type = 'Microsoft.SecurityInsights/alertRules' $this.kind = 'Scheduled' $this.Name = $Name $this.Etag = $Etag $this.Properties = $Properties } } function Compare-Policy { <# .SYNOPSIS Compare PS Objects .DESCRIPTION This function is used for comparison to see if a rule needs to be updated .PARAMETER ReferenceTemplate Reference template is the data of the AlertRule as active on Azure .PARAMETER DifferenceTemplate Difference template is data that is generated and will be uploaded to Azure .EXAMPLE Compare-Policy -ReferenceTemplate -DifferenceTemplate .NOTES NAME: Compare-Policy #> [CmdletBinding()] param ( # Reference value is the Online available [Parameter(Mandatory)] [psobject]$ReferenceTemplate, # Difference template is the template that will be uploaded [Parameter(Mandatory)] [psobject]$DifferenceTemplate ) process { $objprops = $ReferenceTemplate | Get-Member -MemberType Property, NoteProperty | ForEach-Object Name $objprops += $DifferenceTemplate | Get-Member -MemberType Property, NoteProperty | ForEach-Object Name $objprops = $objprops | Sort-Object -Unique | Select-Object $diffs = @() foreach ($objprop in $objprops) { $diff = Compare-Object $ReferenceTemplate $DifferenceTemplate -Property $objprop if ($diff) { $diffprops = @{ PropertyName = $objprop RefValue = ($diff | Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object $($objprop)) DiffValue = ($diff | Where-Object { $_.SideIndicator -eq '=>' } | ForEach-Object $($objprop)) } $diffs += New-Object PSObject -Property $diffprops } } if ($diffs) { return ($diffs | Select-Object PropertyName, RefValue, DiffValue) } } } function Get-AuthToken { <# .SYNOPSIS Get Authorization Token .DESCRIPTION This function is used to generate the Authtoken for API Calls .EXAMPLE Get-AuthToken #> [CmdletBinding()] param ( ) try { $azContext = Get-AzContext if ($null -ne $azContext) { Write-Verbose -Message "Using Subscription: $($azContext.Subscription.Name) from tenant $($azContext.Tenant.Id)" $azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile $profileClient = [Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient]::new($azProfile) $script:accessToken = $profileClient.AcquireAccessToken($azContext.Subscription.TenantId) $script:subscriptionId = $azContext.Subscription.Id $script:tenantId = $azContext.Tenant.Id } else { throw 'No subscription available, Please use Connect-AzAccount to login and select the right subscription' } } catch { $PSCmdlet.ThrowTerminatingError($_) } } function Get-AzSentinelPlayBook { <# .SYNOPSIS Get Logic App Playbook .DESCRIPTION This function is used for resolving the Logic App and testing the compability with Azure Sentinel .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER Name Enter the Logic App name .EXAMPLE Get-AzSentinelPlayBook -Name "" This example will get search for the Logic app within the current subscripbtio and test to see if it's compatible for Sentinel .NOTES NAME: Get-AzSentinelPlayBook #> param ( [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string]$Name ) begin { precheck } process { $triggerName = 'When_a_response_to_an_Azure_Sentinel_alert_is_triggered' if ($SubscriptionId) { Write-Verbose "Getting LogicApp from Subscription $($subscriptionId)" $uri = "https://management.azure.com/subscriptions/$($subscriptionId)/providers/Microsoft.Logic/workflows?api-version=2016-06-01" } elseif ($script:subscriptionId) { Write-Verbose "Getting LogicApp from Subscription $($script:subscriptionId)" $uri = "https://management.azure.com/subscriptions/$($script:subscriptionId)/providers/Microsoft.Logic/workflows?api-version=2016-06-01" } else { $return = "No SubscriptionID provided" return $return } try { $logicappRaw = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader) $logicapp = $logicappRaw.value while ($logicappRaw.nextLink) { $logicappRaw = (Invoke-RestMethod -Uri $($logicappRaw.nextLink) -Headers $script:authHeader -Method Get) $logicapp += $logicappRaw.value } $playBook = $logicapp | Where-Object { $_.name -eq $Name } if ($playBook){ $uri1 = "https://management.azure.com$($playBook.id)/triggers/$($triggerName)/listCallbackUrl?api-version=2016-06-01" try { $playbookTrigger = (Invoke-RestMethod -Uri $uri1 -Method Post -Headers $script:authHeader) $playbookTrigger | Add-Member -NotePropertyName ResourceId -NotePropertyValue $playBook.id -Force return $playbookTrigger } catch { $return = "Playbook $($Name) doesn't start with 'When_a_response_to_an_Azure_Sentinel_alert_is_triggered' step! Error message: $($_.Exception.Message)" Write-Error $return } } else { Write-Warning "Unable to find LogicApp $Name under Subscription Id: $($script:subscriptionId)" } } catch { $return = $_.Exception.Message Write-Error $return } } } function Get-AzSentinelResourceProvider { <# .SYNOPSIS Get AzSentinelResourceProvider .DESCRIPTION This function is used to get status of the required resource providers .PARAMETER NameSpace Enter the name of the namespace without 'Microsoft.' .EXAMPLE Get-AzSentinelResourceProvider -NameSpace 'OperationsManagement' #> param ( [string]$NameSpace ) $uri = "https://management.azure.com/subscriptions/$($script:subscriptionId)/providers/Microsoft.$($NameSpace)?api-version=2019-10-01" try { $invokeReturn = Invoke-RestMethod -Method Get -Uri $uri -Headers $script:authHeader return $invokeReturn } catch { $return = $_.Exception.Message Write-Error $return return $return } } function Get-LogAnalyticWorkspace { <# .SYNOPSIS Get log analytic workspace .DESCRIPTION This function is used by other function for getting the workspace infiormation and seting the right values for $script:workspace and $script:baseUri .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER FullObject If you want to return the full object data .EXAMPLE Get-LogAnalyticWorkspace -WorkspaceName "" This example will get the Workspace and set workspace and baseuri param on Script scope level .EXAMPLE Get-LogAnalyticWorkspace -WorkspaceName "" -FullObject This example will get the Workspace ands return the full data object .EXAMPLE Get-LogAnalyticWorkspace -SubscriptionId "" -WorkspaceName "" This example will get the workspace info from another subscrion than your "Azcontext" subscription .NOTES NAME: Get-LogAnalyticWorkspace #> param ( [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string]$WorkspaceName, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [Switch]$FullObject ) begin { precheck } process { if ($SubscriptionId) { Write-Verbose "Getting Worspace from Subscription $($subscriptionId)" $uri = "https://management.azure.com/subscriptions/$($subscriptionId)/providers/Microsoft.OperationalInsights/workspaces?api-version=2015-11-01-preview" } elseif ($script:subscriptionId) { Write-Verbose "Getting Worspace from Subscription $($script:subscriptionId)" $uri = "https://management.azure.com/subscriptions/$($script:subscriptionId)/providers/Microsoft.OperationalInsights/workspaces?api-version=2015-11-01-preview" } else { Write-Error "No SubscriptionID provided" -ErrorAction Stop } $workspaces = Invoke-webrequest -Uri $uri -Method get -Headers $script:authHeader $workspaceObject = ($workspaces.Content | ConvertFrom-Json).value | Where-Object { $_.name -eq $WorkspaceName } if ($workspaceObject) { $Script:workspace = ($workspaceObject.id).trim() Write-Verbose "Workspace is: $($Script:workspace)" $script:baseUri = "https://management.azure.com$($Script:workspace)" if ($FullObject) { return $workspaceObject } Write-Verbose ($workspaceObject | Format-List | Format-Table | Out-String) Write-Verbose "Found Workspace $WorkspaceName in RG $($workspaceObject.id.Split('/')[4])" } else { Write-Error "Unable to find workspace $WorkspaceName under Subscription Id: $($script:subscriptionId)" -ErrorAction Stop } } } function precheck { <# .SYNOPSIS PreCheck .DESCRIPTION This function is used as a precheck step by all the functions to test all the required authentication and properties. .EXAMPLE precheck Run the test .NOTES NAME: precheck #> if ($null -eq $script:accessToken) { Get-AuthToken } elseif ([datetime]::UtcNow.AddMinutes(5) -lt $script:accessToken.ExpiresOn.DateTime ) { # if token expires within 5 minutes, request a new one Get-AuthToken } $script:authHeader = @{ 'Content-Type' = 'application/json' Authorization = 'Bearer ' + $script:accessToken.AccessToken } } function Set-AzSentinelResourceProvider { <# .SYNOPSIS Set AzSentinelResourceProvider .DESCRIPTION This function is enables the required Resource providers .PARAMETER NameSpace Enter the name of the namespace without 'Microsoft.' .EXAMPLE Set-AzSentinelResourceProvider -NameSpace 'OperationsManagementOperationsManagement' #> [OutputType([String])] param ( [string]$NameSpace ) $uri = "https://management.azure.com/subscriptions/$($script:subscriptionId)/providers/Microsoft.$($NameSpace)/register?api-version=2019-10-01" try { $invokeReturn = Invoke-RestMethod -Method Post -Uri $uri -Headers $script:authHeader Write-Verbose $invokeReturn do { $resourceProviderStatus = Get-AzSentinelResourceProvider -NameSpace $NameSpace } until ($resourceProviderStatus.registrationState -eq 'Registered') $return = "Successfully enabled Microsoft.$($NameSpace) on subscription $($script:subscriptionId). Status:$($resourceProviderStatus.registrationState)" return $return } catch { $return = $_.Exception.Message Write-Error $return return $return } } function Disable-AzSentinelAlertRule { <# .SYNOPSIS Disable Azure Sentinel Alert Rules .DESCRIPTION With this function you can disbale Azure Sentinel Alert rule .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER RuleName Enter the name of the Alert rule .EXAMPLE Disable-AzSentinelAlertRule -WorkspaceName "" -RuleName "","" In this example you can get configuration of multiple alert rules in once #> [cmdletbinding(SupportsShouldProcess)] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string]$WorkspaceName, [Parameter(Mandatory = $false, ValueFromPipeline)] [ValidateNotNullOrEmpty()] [string[]]$RuleName ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } $rules = Get-AzSentinelAlertRule @arguments -RuleName $RuleName foreach ($rule in $rules) { if ($rule.enabled -eq $false) { Write-Output "'$($rule.DisplayName)' already has status '$($rule.enabled)'" } else { $rule.enabled = $false $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($rule.name)?api-version=2019-01-01-preview" $bodyAlertProp = [AlertProp]::new( ($rule | Select-Object * -ExcludeProperty lastModifiedUtc, etag, id) ) $body = [AlertRule]::new( ($rule | Select-Object lastModifiedUtc, etag, id, name), $bodyAlertProp ) try { $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings) Write-Verbose $result Write-Output "Status of '$($rule.DisplayName)' changed to '$($rule.enabled)'" } catch { Write-Error $_.Exception.Message } } } } } function Rename-AzSentinelAlertRule { <# .SYNOPSIS Rename Azure Sentinel Alert Rule .DESCRIPTION With this function you can rename Azure Sentinel Alert rule .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER CurrentRuleName Enter the current name of the Alert rule .PARAMETER NewRuleName Enter the new name of the Alert rule .EXAMPLE Rename-AzSentinelAlertRule -WorkspaceName "" -CurrentRuleName "" -NewRuleName "" In this example you can rename the alert rule #> [cmdletbinding(SupportsShouldProcess)] [OutputType([String])] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string]$WorkspaceName, [Parameter(Mandatory = $true, ValueFromPipeline)] [ValidateNotNullOrEmpty()] [string]$CurrentRuleName, [Parameter(Mandatory = $true, ValueFromPipeline)] [ValidateNotNullOrEmpty()] [string]$NewRuleName ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } try { $rule = Get-AzSentinelAlertRule @arguments -RuleName $CurrentRuleName -ErrorAction Stop $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($currentRule.name)?api-version=2019-01-01-preview" $rule.displayName = $NewRuleName $bodyAlertProp = [AlertProp]::new( ($rule | Select-Object * -ExcludeProperty lastModifiedUtc, etag, id) ) $body = [AlertRule]::new( ($rule | Select-Object lastModifiedUtc, etag, id, name), $bodyAlertProp ) try { $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -EnumsAsStrings) $return = "Successfully renamed rule $($CurrentRuleName) to $($NewRuleName) with status: $($result.StatusDescription)" return $return } catch { $return = $_.Exception.Message Write-Error "Rename failed with error $return" } } catch { $return = $_.Exception.Message Write-Error $return } } } function Remove-AzSentinelHuntingRule { <# .SYNOPSIS Remove Azure Sentinal Hunting Rules .DESCRIPTION With this function you can remove Azure Sentinal hunting rules from Powershell, if you don't provide andy Hunting rule name all rules will be removed .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER RuleName Enter the name of the rule that you wnat to remove .EXAMPLE Remove-AzSentinelHuntingRule -WorkspaceName "" -RuleName "" In this example the defined hunting rule will be removed from Azure Sentinel .EXAMPLE Remove-AzSentinelHuntingRule -WorkspaceName "" -RuleName "","", "" In this example you can define multiple hunting rules that will be removed .EXAMPLE Remove-AzSentinelHuntingRule -WorkspaceName "" In this example no hunting rule is specified, all hunting rules will be removed one by one. For each rule you need to confirm the action #> [cmdletbinding(SupportsShouldProcess, ConfirmImpact = 'High')] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string]$WorkspaceName, [Parameter(Mandatory = $false, ValueFromPipeline)] [ValidateNotNullOrEmpty()] [string[]]$RuleName ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } Get-LogAnalyticWorkspace @arguments if ($RuleName) { # remove defined rules foreach ($rule in $RuleName) { $item = Get-AzSentinelHuntingRule @arguments -Filter 'HuntingQueries' -RuleName $rule if ($item) { $uri = "$script:baseUri/savedSearches/$($item.name)?api-version=2017-04-26-preview" if ($PSCmdlet.ShouldProcess("Do you want to remove: $rule")) { Write-Output $item try { $result = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader Write-Output "Successfully removed hunting rule: $($rule) with status: $($result.StatusDescription)" } catch { Write-Verbose $_ Write-Error "Unable to remove rule: $($rule) with error message: $($_.Exception.Message)" -ErrorAction Continue } } else { Write-Output "No change have been made for hunting rule: $rule" } } else { Write-Warning "Hunting rule $rule not found in $WorkspaceName" } } } else { Write-Warning "No hunting rule selected, All hunting rules will be removed one by one!" Get-AzSentinelHuntingRule @arguments -Filter 'HuntingQueries' | ForEach-Object { $uri = "$script:baseUri/savedSearches/$($_.name)?api-version=2017-04-26-preview" if ($PSCmdlet.ShouldProcess("Do you want to remove: $($_.displayName)")) { try { $result = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader Write-Output "Successfully removed hunting rule: $($_.displayName) with status: $($result.StatusDescription)" } catch { Write-Verbose $_ Write-Error "Unable to remove rule: $($_.displayName) with error message: $($_.Exception.Message)" -ErrorAction Continue } } else { Write-Output "No change have been made for hunting rule: $($_.displayName)" } } } } } function Remove-AzSentinelAlertRuleAction { <# .SYNOPSIS Remove Azure Sentinel Alert rule Action .DESCRIPTION This function can be used to see if an action is attached to the alert rule, if so then the configuration will be returned .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER RuleName Enter the name of the Alert rule .PARAMETER RuleId Enter the Alert Rule ID that you want to configure .EXAMPLE Remove-AzSentinelAlertRuleAction -WorkspaceName "" -RuleName "AlertRule01" This example will get the Workspace ands return the full data object .NOTES NAME: Remove-AzSentinelAlertRuleAction #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $WorkspaceName, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string]$RuleName, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string]$RuleId ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } if ($RuleName) { $result = Get-AzSentinelAlertRuleAction @arguments -RuleName $RuleName } elseif ($RuleId) { $result = Get-AzSentinelAlertRuleAction @arguments -RuleId $RuleId } else { Write-Error "No Alert Name or ID is provided" } if ($result) { $uri = "$($Script:baseUri)/providers/Microsoft.SecurityInsights/alertRules/$($result.id.split('asicustomalertsv3_')[-1])?api-version=2019-01-01-preview" Write-Verbose $uri if ($PSCmdlet.ShouldProcess("Do you want to remove Alert Rule action for rule: $($RuleName)")) { try { $return = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader Write-Verbose $return Write-Output "Rule action $($result.properties.logicAppResourceId.Split('/')[-1]) removed for rule $($RuleName) with status: $($return.StatusCode)" return $return.StatusCode } catch { Write-Verbose $_ return $_.Exception.Message } } } else { Write-Output "No Alert Action found for Rule: $($RuleName)" } } } function Remove-AzSentinelAlertRule { <# .SYNOPSIS Remove Azure Sentinal Alert Rules .DESCRIPTION With this function you can remove Azure Sentinal Alert rules from Powershell, if you don't provide andy Rule name all rules will be removed .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER RuleName Enter the name of the rule that you wnat to remove .EXAMPLE Remove-AzSentinelAlertRule -WorkspaceName "" -RuleName "" In this example the defined rule will be removed from Azure Sentinel .EXAMPLE Remove-AzSentinelAlertRule -WorkspaceName "" -RuleName "","", "" In this example you can define multiple rules that will be removed .EXAMPLE Remove-AzSentinelAlertRule -WorkspaceName "" In this example no rule is specified, all rules will be removed one by one. For each rule you need to confirm the action #> [cmdletbinding(SupportsShouldProcess, ConfirmImpact = 'High')] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string]$WorkspaceName, [Parameter(Mandatory = $false, ValueFromPipeline)] [ValidateNotNullOrEmpty()] [string[]]$RuleName ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } Get-LogAnalyticWorkspace @arguments if ($RuleName) { # remove defined rules foreach ($rule in $RuleName) { $item = Get-AzSentinelAlertRule @arguments -RuleName $rule -WarningAction SilentlyContinue if ($item) { $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($item.name)?api-version=2019-01-01-preview" if ($PSCmdlet.ShouldProcess("Do you want to remove: $rule")) { Write-Output $item try { $result = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader Write-Output "Successfully removed rule: $($rule) with status: $($result.StatusDescription)" } catch { Write-Verbose $_ Write-Error "Unable to remove rule: $($rule) with error message: $($_.Exception.Message)" -ErrorAction Continue } } else { Write-Output "No change have been made for rule: $rule" } } else { Write-Warning "$rule not found in $WorkspaceName" } } } else { Write-Warning "No Rule selected, All rules will be removed one by one!" Get-AzSentinelAlertRule @arguments | ForEach-Object { $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($_.name)?api-version=2019-01-01-preview" if ($PSCmdlet.ShouldProcess("Do you want to remove: $($_.displayName)")) { try { $result = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader Write-Output "Successfully removed rule: $($_.displayName) with status: $($result.StatusDescription)" } catch { Write-Verbose $_ Write-Error "Unable to remove rule: $($_.displayName) with error message: $($_.Exception.Message)" -ErrorAction Continue } } else { Write-Output "No change have been made for rule: $($_.displayName)" } } } } } function New-AzSentinelHuntingRule { <# .SYNOPSIS Create Azure Sentinal Hunting Rule .DESCRIPTION Use this function to creates Azure Sentinal Hunting rule .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER DisplayName Enter the Display name for the hunting rule .PARAMETER Description Enter the Description for the hunting rule .PARAMETER Tactics Enter the Tactics, valid values: "InitialAccess", "Persistence", "Execution", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "LateralMovement", "Discovery", "Collection", "Exfiltration", "CommandAndControl", "Impact" .PARAMETER Query Enter the querry in KQL format .EXAMPLE New-AzSentinelHuntingRule -WorkspaceName "" -DisplayName "" -Description "" -Tactics "","" -Query '' In this example you create a new hunting rule by defining the rule properties from CMDLET #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $WorkspaceName, [Parameter(Mandatory)] [string] $DisplayName, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $Query, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $Description, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [Tactics[]] $Tactics ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } Get-LogAnalyticWorkspace @arguments $item = @{ } $content = $null $body = @{ } $compareResult1 = $null $compareResult2 = $null $compareResult = $null Write-Verbose -Message "Creating new Hunting rule: $($DisplayName)" try { Write-Verbose -Message "Get hunting rule $DisplayName" $content = Get-AzSentinelHuntingRule @arguments -RuleName $DisplayName -WarningAction SilentlyContinue if ($content) { Write-Verbose -Message "Hunting rule $($DisplayName) exists in Azure Sentinel" $item | Add-Member -NotePropertyName name -NotePropertyValue $content.name -Force $item | Add-Member -NotePropertyName etag -NotePropertyValue $content.eTag -Force $item | Add-Member -NotePropertyName Id -NotePropertyValue $content.id -Force $uri = "$script:baseUri/savedSearches/$($content.name)?api-version=2017-04-26-preview" } else { Write-Verbose -Message "Hunting rule $($DisplayName) doesn't exists in Azure Sentinel" $guid = (New-Guid).Guid $item | Add-Member -NotePropertyName name -NotePropertyValue $guid -Force $item | Add-Member -NotePropertyName etag -NotePropertyValue $null -Force $item | Add-Member -NotePropertyName Id -NotePropertyValue "$script:Workspace/savedSearches/$guid" -Force $uri = "$script:baseUri/savedSearches/$($guid)?api-version=2017-04-26-preview" } } catch { Write-Verbose $_ Write-Error "Unable to connect to APi to get Analytic rules with message: $($_.Exception.Message)" -ErrorAction Stop } [PSCustomObject]$body = @{ "name" = $item.name "eTag" = $item.etag "id" = $item.id "properties" = @{ 'Category' = 'Hunting Queries' 'DisplayName' = $DisplayName 'Query' = $Query [pscustomobject]'Tags' = @( @{ 'Name' = "description" 'Value' = $Description }, @{ "Name" = "tactics" "Value" = $Tactics -join ',' }, @{ "Name" = "createdBy" "Value" = "" }, @{ "Name" = "createdTimeUtc" "Value" = "" } ) } } #return $content if ($content) { $compareResult1 = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id, Tags, Version) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name, Tags, Version) $compareResult2 = Compare-Policy -ReferenceTemplate ($content.Tags | Where-Object { $_.name -eq "tactics" }) -DifferenceTemplate ($body.Properties.Tags | Where-Object { $_.name -eq "tactics" }) $compareResult = [PSCustomObject]$compareResult1 + [PSCustomObject]$compareResult2 if ($compareResult) { Write-Output "Found Differences for hunting rule: $($DisplayName)" Write-Output ($compareResult | Format-Table | Out-String) if ($PSCmdlet.ShouldProcess("Do you want to update hunting rule: $($DisplayName)")) { try { Write-Output ($body.properties | Format-Table) $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings) Write-Output "Successfully updated hunting rule: $($DisplayName) with status: $($result.StatusDescription)" } catch { Write-Verbose $_ Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Stop } } else { Write-Output "No change have been made for rule $($DisplayName), deployment aborted" } } else { Write-Output "Hunting rule $($DisplayName) is compliance, nothing to do" Write-Output ($body.properties | Format-Table) } } else { Write-Verbose "Creating new hunting rule: $($DisplayName)" try { $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings) Write-Output "Successfully created hunting rule: $($DisplayName) with status: $($result.StatusDescription)" Write-Output ($body.properties | Format-Table) } catch { Write-Verbose $_ Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Stop } } } } function New-AzSentinelAlertRuleAction { <# .SYNOPSIS Create Azure Sentinal Alert Rule Action .DESCRIPTION Use this function to creates Azure Sentinal Alert rule action .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER PlayBookName Enter the Playbook name that you want to assign to the alert rule .PARAMETER RuleName Enter the Alert Rule name that you want to configure .PARAMETER RuleId Enter the Alert Rule ID that you want to configure .EXAMPLE New-AzSentinelAlertRuleAction -WorkspaceName "" -PlayBookName "Playbook01" -RuleName "AlertRule01" New-AzSentinelAlertRuleAction -WorkspaceName "" -PlayBookName "Playbook01" -RuleId 'b6103d42-d2fb-4f35-xxx-c76a7f31ee4e' In this example you you assign the playbook to the Alert rule #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $WorkspaceName, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $PlayBookName, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string]$RuleName, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string]$RuleId ) process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } if ($RuleName) { $alertId = (Get-AzSentinelAlertRule @arguments -RuleName $RuleName -ErrorAction SilentlyContinue).name } elseif ($RuleId) { $alertId = $RuleId } else { Write-Error "No Alert Name or ID is provided" } $action = $null if ($SubscriptionId) { $playBook = Get-AzSentinelPlayBook -SubscriptionId $SubscriptionId -Name $PlayBookName } else { $playBook = Get-AzSentinelPlayBook -Name $PlayBookName } $action = Get-AzSentinelAlertRuleAction @arguments -RuleId $alertId -ErrorAction SilentlyContinue if ($null -eq $action) { $guid = New-Guid $body = @{ "id" = "$($Script:baseUri)/providers/Microsoft.SecurityInsights/alertRules/$($alertId)/actions/$guid" "name" = $guid "type" = "Microsoft.SecurityInsights/alertRules/actions" "properties" = @{ "ruleId" = $alertId "triggerUri" = $playBook.value "logicAppResourceId" = $playBook.ResourceId } } $uri = "$($Script:baseUri)/providers/Microsoft.SecurityInsights/alertRules/$($alertId)/actions/$($guid)?api-version=2019-01-01-preview" try { $return = Invoke-WebRequest -Method Put -Uri $uri -Headers $Script:authHeader -Body ($body | ConvertTo-Json -Depth 10) Write-Output "Successfully created Action for Rule: $($RuleName) with Playbook $($PlayBookName) Status: $($return.StatusDescription)" return $return.StatusDescription } catch { Write-Error "Unable to create Action for Rule: $($RuleName) with Playbook $($PlayBookName) Error: $($_.Exception.Message)" return $_.Exception.Message Write-Verbose $_. } } elseif ((($action.properties.logicAppResourceId).Split('/')[-1]) -eq $PlayBookName) { Write-Output "Alert Rule: $($alertId) has already playbook assigned: $(($action.properties.logicAppResourceId).Split('/')[-1])" } elseif ((($action.properties.logicAppResourceId).Split('/')[-1]) -ne $PlayBookName) { Write-Output "Alert rule $($RuleName) assigned to a different playbook with name $(($action.properties.logicAppResourceId).Split('/')[-1])" } else { #nothing? } } } function Set-AzSentinel { <# .SYNOPSIS Enable Azure Sentinel .DESCRIPTION This function enables Azure Sentinel on a existing Workspace .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .EXAMPLE Set-AzSentinel -WorkspaceName "" This example will enable Azure Sentinel for the provided workspace #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string]$WorkspaceName ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } $workspaceResult = Get-LogAnalyticWorkspace @arguments -FullObject # Variables $errorResult = '' if ($workspaceResult.properties.provisioningState -eq 'Succeeded') { <# Testing to see if OperationsManagement resource provider is enabled on subscription #> $operationsManagementProvider = Get-AzSentinelResourceProvider -NameSpace "OperationsManagement" if ($operationsManagementProvider.registrationState -ne 'Registered') { Write-Warning "Resource provider 'Microsoft.OperationsManagement' is not registered" if ($PSCmdlet.ShouldProcess("Do you want to enable 'Microsoft.OperationsManagement' on subscription $($script:subscriptionId)")) { Set-AzSentinelResourceProvider -NameSpace 'OperationsManagement' } else { Write-Output "No change have been." break } } <# Testing to see if SecurityInsights resource provider is enabled on subscription #> $securityInsightsProvider = Get-AzSentinelResourceProvider -NameSpace 'SecurityInsights' if ($securityInsightsProvider.registrationState -ne 'Registered') { Write-Warning "Resource provider 'Microsoft.SecurityInsights' is not registered" if ($PSCmdlet.ShouldProcess("Do you want to enable 'Microsoft.SecurityInsights' on subscription $($script:subscriptionId)")) { Set-AzSentinelResourceProvider -NameSpace 'SecurityInsights' } else { Write-Output "No change have been." break } } $body = @{ 'id' = '' 'etag' = '' 'name' = '' 'type' = '' 'location' = $workspaceResult.location 'properties' = @{ 'workspaceResourceId' = $workspaceResult.id } 'plan' = @{ 'name' = 'SecurityInsights($workspace)' 'publisher' = 'Microsoft' 'product' = 'OMSGallery/SecurityInsights' 'promotionCode' = '' } } $uri = "$(($Script:baseUri).Split('microsoft.operationalinsights')[0])Microsoft.OperationsManagement/solutions/SecurityInsights($WorkspaceName)?api-version=2015-11-01-preview" try { $solutionResult = Invoke-webrequest -Uri $uri -Method Get -Headers $script:authHeader Write-Output "Azure Sentinel is already enabled on $WorkspaceName and status is: $($solutionResult.StatusDescription)" } catch { $errorReturn = $_ $errorResult = ($errorReturn | ConvertFrom-Json ).error if ($errorResult.Code -eq 'ResourceNotFound') { Write-Output "Azure Sentinetal is not enabled on workspace: $($WorkspaceName)" try { if ($PSCmdlet.ShouldProcess("Do you want to enable Sentinel for Workspace: $workspace")) { $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json) Write-Output "Successfully enabled Sentinel on workspae: $WorkspaceName with result code $($result.StatusDescription)" } else { Write-Output "No change have been made for $WorkspaceName, deployment aborted" break } } catch { Write-Verbose $_ Write-Error "Unable to enable Sentinel on $WorkspaceName with error message: $($_.Exception.Message)" } } else { Write-Verbose $_ Write-Error "Unable to Azure Sentinel with error message: $($_.Exception.Message)" -ErrorAction Stop } } } else { Write-Error "Workspace $WorkspaceName is currently in $($workspaceResult.properties.provisioningState) status, setup canceled" } } } function New-AzSentinelAlertRule { <# .SYNOPSIS Create Azure Sentinal Alert Rules .DESCRIPTION Use this function creates Azure Sentinal Alert rules from provided CMDLET .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER DisplayName Enter the Display name for the Alert rule .PARAMETER Description Enter the Description for the Alert rule .PARAMETER Severity Enter the Severity, valid values: Medium", "High", "Low", "Informational" .PARAMETER Enabled Set $true to enable the Alert Rule or $false to disable Alert Rule .PARAMETER Query Enter the Query that you want to use .PARAMETER QueryFrequency Enter the query frequency, example: 5H, 5M, 5D (H stands for Hour, M stands for Minute and D stands for Day) .PARAMETER QueryPeriod Enter the query period, exmaple: 5H, 5M, 5D (H stands for Hour, M stands for Minute and D stands for Day) .PARAMETER TriggerOperator Select the triggert Operator, valid values are: "GreaterThan", "FewerThan", "EqualTo", "NotEqualTo" .PARAMETER TriggerThreshold Enter the trigger treshold .PARAMETER SuppressionDuration Enter the suppression duration, example: 5H, 5M, 5D (H stands for Hour, M stands for Minute and D stands for Day) .PARAMETER SuppressionEnabled Set $true to enable Suppression or $false to disable Suppression .PARAMETER Tactics Enter the Tactics, valid values: "InitialAccess", "Persistence", "Execution", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "LateralMovement", "Discovery", "Collection", "Exfiltration", "CommandAndControl", "Impact" .PARAMETER PlaybookName Enter the Logic App name that you want to configure as playbook trigger .PARAMETER CreateIncident Create incidents from alerts triggered by this analytics rule .PARAMETER GroupingConfigurationEnabled Group related alerts, triggered by this analytics rule, into incidents .PARAMETER ReopenClosedIncident Re-open closed matching incidents .PARAMETER LookbackDuration Limit the group to alerts created within the selected time frame .PARAMETER EntitiesMatchingMethod Group alerts triggered by this analytics rule into a single incident by .PARAMETER GroupByEntities Grouping alerts into a single incident if the selected entities match: .PARAMETER AggregationKind Configure how rule query results are grouped into alerts .EXAMPLE New-AzSentinelAlertRule -WorkspaceName "" -DisplayName "" -Description "" -Severity -Enabled $true -Query '' -QueryFrequency "" -QueryPeriod "" -TriggerOperator -TriggerThreshold -SuppressionDuration "" -SuppressionEnabled $false -Tactics @("","") -PlaybookName "" In this example you create a new Alert rule by defining the rule properties from CMDLET #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $WorkspaceName, [Parameter(Mandatory)] [string] $DisplayName, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $Description, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [Severity] $Severity, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [bool] $Enabled, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $Query, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $QueryFrequency, [ValidateNotNullOrEmpty()] [string] $QueryPeriod, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [TriggerOperator] $TriggerOperator, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [Int] $TriggerThreshold, [Parameter(Mandatory)] [AllowEmptyString()] [string] $SuppressionDuration, [Parameter(Mandatory)] [bool] $SuppressionEnabled, [Parameter(Mandatory)] [AllowEmptyCollection()] #[Tactics[]] $Tactics, [string[]] $Tactics, [Parameter(Mandatory = $false)] [AllowEmptyString()] [string] $PlaybookName = $null, [Parameter(Mandatory = $false)] [AllowEmptyString()] [bool]$CreateIncident, [Parameter(Mandatory = $false)] [AllowEmptyString()] [bool]$GroupingConfigurationEnabled, [Parameter(Mandatory = $false)] [AllowEmptyString()] [bool]$ReopenClosedIncident, [Parameter(Mandatory = $false)] [AllowEmptyString()] [string]$LookbackDuration, [Parameter(Mandatory = $false)] [AllowEmptyString()] [MatchingMethod]$EntitiesMatchingMethod, [Parameter(Mandatory = $false)] [AllowEmptyString()] #[groupByEntities[]]$GroupByEntities, [string[]]$GroupByEntities, [Parameter(Mandatory = $false)] [AllowEmptyString()] [string]$AggregationKind ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } $item = @{ } Write-Verbose -Message "Creating new rule: $($DisplayName)" try { Write-Verbose -Message "Get rule $DisplayName" $content = Get-AzSentinelAlertRule @arguments -RuleName $DisplayName -ErrorAction SilentlyContinue if ($content) { Write-Verbose -Message "Rule $($DisplayName) exists in Azure Sentinel" $item | Add-Member -NotePropertyName name -NotePropertyValue $content.name -Force $item | Add-Member -NotePropertyName etag -NotePropertyValue $content.eTag -Force $item | Add-Member -NotePropertyName Id -NotePropertyValue $content.id -Force $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($content.name)?api-version=2019-01-01-preview" } else { Write-Verbose -Message "Rule $($DisplayName) doesn't exists in Azure Sentinel" $guid = (New-Guid).Guid $item | Add-Member -NotePropertyName name -NotePropertyValue $guid -Force $item | Add-Member -NotePropertyName etag -NotePropertyValue $null -Force $item | Add-Member -NotePropertyName Id -NotePropertyValue "$script:Workspace/providers/Microsoft.SecurityInsights/alertRules/$guid" -Force $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($guid)?api-version=2019-01-01-preview" } } catch { Write-Verbose $_ Write-Error "Unable to connect to APi to get Analytic rules with message: $($_.Exception.Message)" -ErrorAction Stop } try { $groupingConfiguration = [GroupingConfiguration]::new( $GroupingConfigurationEnabled, $ReopenClosedIncident, $LookbackDuration, $EntitiesMatchingMethod, $GroupByEntities ) $incidentConfiguration = [IncidentConfiguration]::new( $CreateIncident, $groupingConfiguration ) $bodyAlertProp = [ScheduledAlertProp]::new( $item.name, $DisplayName, $Description, $Severity, $Enabled, $Query, $QueryFrequency, $QueryPeriod, $TriggerOperator, $TriggerThreshold, $SuppressionDuration, $SuppressionEnabled, $Tactics, $PlaybookName, $incidentConfiguration, $AggregationKind ) $body = [AlertRule]::new( $item.name, $item.etag, $bodyAlertProp, $item.Id) } catch { Write-Error "Unable to initiate class with error: $($_.Exception.Message)" -ErrorAction Stop } if ($content) { if ($PlaybookName -or $content.playbookName) { $compareResult = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name) } else { $compareResult = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id, PlaybookName) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name, PlaybookName) } try { $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings) if (($compareResult | Where-Object PropertyName -eq "playbookName").DiffValue) { New-AzSentinelAlertRuleAction @arguments -PlayBookName ($body.Properties.playbookName) -RuleId $($body.Name) } elseif (($compareResult | Where-Object PropertyName -eq "playbookName").RefValue) { Remove-AzSentinelAlertRuleAction @arguments -RuleId $($body.Name) -Confirm:$false } else { #nothing } $body.Properties | Add-Member -NotePropertyName status -NotePropertyValue $($result.StatusDescription) -Force $return += $body.Properties return $return } catch { $body.Properties | Add-Member -NotePropertyName status -NotePropertyValue "failed" -Force $return += $body.Properties return $return Write-Verbose $_ Write-Error "Unable to invoke webrequest for rule $($item.displayName) with error message: $($_.Exception.Message)" -ErrorAction Continue } } else { Write-Verbose "Creating new rule: $($DisplayName)" try { $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings) if (($body.Properties.PlaybookName)) { New-AzSentinelAlertRuleAction @arguments -PlayBookName ($body.Properties.PlaybookName) -RuleId $($body.Properties.Name) -confirm:$false } $body.Properties | Add-Member -NotePropertyName status -NotePropertyValue $($result.StatusDescription) -Force $return += $body.Properties return $return } catch { $body.Properties | Add-Member -NotePropertyName status -NotePropertyValue "failed" -Force $return += $body.Properties return $return Write-Verbose $_ Write-Error "Unable to invoke webrequest for rule $($item.displayName) with error message: $($_.Exception.Message)" -ErrorAction Continue } } } } function Import-AzSentinelAlertRule { <# .SYNOPSIS Import Azure Sentinal Alert rule .DESCRIPTION This function imports Azure Sentinal Alert rules from JSON and YAML config files. This way you can manage your Alert rules dynamic from JSON or multiple YAML files .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER SettingsFile Path to the JSON or YAML file for the AlertRules .EXAMPLE Import-AzSentinelAlertRule -WorkspaceName "" -SettingsFile ".\examples\AlertRules.json" In this example all the rules configured in the JSON file will be created or updated Performing the operation "Import-AzSentinelAlertRule" on target "Do you want to update profile: AlertRule01". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Yes"): Successfully created Action for Rule: with Playbook pkmsentinel Status: Created Created Successfully updated rule: AlertRule01 with status: OK Name : b6103d42-xxx-4f35-xxx-c76a7f31ee4e DisplayName : AlertRule01 Description : Severity : Medium Enabled : True Query : SecurityEvent | where EventID == "4688" | where CommandLine contains "-noni -ep bypass $" QueryFrequency : PT5H QueryPeriod : PT6H TriggerOperator : GreaterThan TriggerThreshold : 5 SuppressionDuration : PT6H SuppressionEnabled : False Tactics : {Persistence, LateralMovement, Collection} PlaybookName : Playbook01 .EXAMPLE Import-AzSentinelAlertRule -WorkspaceName "" -SettingsFile ".\examples\SuspectApplicationConsent.yaml" In this example all the rules configured in the YAML file will be created or updated .EXAMPLE Get-Item .\examples\*.json | Import-AzSentinelAlertRule -WorkspaceName "" In this example you can select multiple JSON files and Pipeline it to the SettingsFile parameter #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $WorkspaceName, [Parameter(Mandatory, ValueFromPipeline)] [ValidateScript( { (Test-Path -Path $_) -and ($_.Extension -in '.json', '.yaml', '.yml') })] [System.IO.FileInfo] $SettingsFile ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } if ($SettingsFile.Extension -eq '.json') { try { $analytics = (Get-Content $SettingsFile -Raw | ConvertFrom-Json -ErrorAction Stop).analytics Write-Verbose -Message "Found $($analytics.count) rules" } catch { Write-Verbose $_ Write-Error -Message 'Unable to convert JSON file' -ErrorAction Stop } } elseif ($SettingsFile.Extension -in '.yaml', '.yml') { try { $analytics = [pscustomobject](Get-Content $SettingsFile -Raw | ConvertFrom-Yaml -ErrorAction Stop) $analytics | Add-Member -MemberType NoteProperty -Name DisplayName -Value $analytics.name Write-Verbose -Message 'Found compatibel yaml file' } catch { Write-Verbose $_ Write-Error -Message 'Unable to convert yaml file' -ErrorAction Stop } } else { Write-Error -Message 'Unsupported extension for SettingsFile' -ErrorAction Stop } $return = @() foreach ($item in $analytics) { Write-Verbose -Message "Started with rule: $($item.displayName)" $guid = (New-Guid).Guid try { Write-Verbose -Message "Get rule $($item.description)" $content = Get-AzSentinelAlertRule @arguments -RuleName $($item.displayName) -ErrorAction SilentlyContinue if ($content) { Write-Verbose "Rule $($item.displayName) exists in Azure Sentinel" $item | Add-Member -NotePropertyName name -NotePropertyValue $content.name -Force $item | Add-Member -NotePropertyName etag -NotePropertyValue $content.etag -Force $item | Add-Member -NotePropertyName Id -NotePropertyValue $content.id -Force $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($content.name)?api-version=2019-01-01-preview" } else { Write-Verbose -Message "Rule $($item.displayName) doesn't exist in Azure Sentinel" $item | Add-Member -NotePropertyName name -NotePropertyValue $guid -Force $item | Add-Member -NotePropertyName etag -NotePropertyValue $null -Force $item | Add-Member -NotePropertyName Id -NotePropertyValue "$script:Workspace/providers/Microsoft.SecurityInsights/alertRules/$guid" -Force $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($guid)?api-version=2019-01-01-preview" } } catch { Write-Verbose $_ Write-Error "Unable to connect to APi to get Analytic rules with message: $($_.Exception.Message)" -ErrorAction Stop } try { $groupingConfiguration = [GroupingConfiguration]::new( $item.groupingConfiguration.enabled, $item.groupingConfiguration.reopenClosedIncident, $item.groupingConfiguration.lookbackDuration, $item.groupingConfiguration.entitiesMatchingMethod, $item.groupingConfiguration.groupByEntities ) $IncidentConfiguration = [IncidentConfiguration]::new( $item.createIncident, $groupingConfiguration ) $bodyAlertProp = [ScheduledAlertProp]::new( $item.name, $item.displayName, $item.description, $item.severity, $item.enabled, $item.query, $item.queryFrequency, $item.queryPeriod, $item.triggerOperator, $item.triggerThreshold, $item.suppressionDuration, $item.suppressionEnabled, $item.Tactics, $item.playbookName, $IncidentConfiguration, $item.aggregationKind ) $body = [AlertRule]::new( $item.name, $item.etag, $bodyAlertProp, $item.Id) } catch { Write-Error "Unable to initiate class with error: $($_.Exception.Message)" -ErrorAction Stop } if ($content) { if ($item.playbookName -or $content.playbookName) { $compareResult = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id,incidentConfiguration, queryResultsAggregationSettings) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id,incidentConfiguration, queryResultsAggregationSettings) } else { $compareResult = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id, PlaybookName, incidentConfiguration, queryResultsAggregationSettings) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name, PlaybookName, incidentConfiguration, queryResultsAggregationSettings) } try { $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | Select-Object * -ExcludeProperty Properties.PlaybookName | ConvertTo-Json -Depth 10 -EnumsAsStrings) if (($compareResult | Where-Object PropertyName -eq "playbookName").DiffValue) { New-AzSentinelAlertRuleAction @arguments -PlayBookName ($body.Properties.playbookName) -RuleId $($body.Name) } elseif (($compareResult | Where-Object PropertyName -eq "playbookName").RefValue) { Remove-AzSentinelAlertRuleAction @arguments -RuleId $($body.Name) -Confirm:$false } else { #nothing } $body.Properties | Add-Member -NotePropertyName status -NotePropertyValue $($result.StatusDescription) -Force $return += $body.Properties } catch { $body.Properties | Add-Member -NotePropertyName status -NotePropertyValue "failed" -Force $return += $body.Properties Write-Verbose $_ Write-Error "Unable to invoke webrequest for rule $($item.displayName) with error message: $($_.Exception.Message)" -ErrorAction Continue } } else { Write-Verbose "Creating new rule: $($item.displayName)" try { $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | Select-Object * -ExcludeProperty Properties.PlaybookName | ConvertTo-Json -Depth 10 -EnumsAsStrings) if ($body.Properties.playbookName) { New-AzSentinelAlertRuleAction @arguments -PlayBookName $($body.Properties.playbookName) -RuleId $($body.Properties.Name) -confirm:$false } $body.Properties | Add-Member -NotePropertyName status -NotePropertyValue $($result.StatusDescription) -Force $return += $body.Properties } catch { $body.Properties | Add-Member -NotePropertyName status -NotePropertyValue "failed" -Force $return += $body.Properties Write-Verbose $_ Write-Error "Unable to invoke webrequest for rule $($item.displayName) with error message: $($_.Exception.Message)" -ErrorAction Continue } } } return $return } } function Get-AzSentinelIncident { <# .SYNOPSIS Get Azure Sentinel Incident .DESCRIPTION With this function you can get a list of open incidents from Azure Sentinel. You can can also filter to Incident with speciefiek case namber or Case name .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER IncidentName Enter incident name, this is the same name as the alert rule that triggered the incident .PARAMETER CaseNumber Enter the case number to get specfiek details of a open case .PARAMETER All Use -All switch to get a list of all the incidents .EXAMPLE Get-AzSentinelIncident -WorkspaceName "" Get a list of the last 200 Incidents .EXAMPLE Get-AzSentinelIncident -WorkspaceName "" -All Get a list of all Incidents .EXAMPLE Get-AzSentinelIncident -WorkspaceName "" -CaseNumber Get information of a specifiek incident with providing the casenumber .EXAMPLE Get-AzSentinelIncident -WorkspaceName "" -IncidentName "", "" Get information of one or more incidents with providing a incident name, this is the name of the alert rule that triggered the incident #> [cmdletbinding(SupportsShouldProcess)] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string]$WorkspaceName, [Parameter(Mandatory = $false, ValueFromPipeline)] [ValidateNotNullOrEmpty()] [string[]]$IncidentName, [Parameter(Mandatory = $false, ValueFromPipeline)] [ValidateNotNullOrEmpty()] [int[]]$CaseNumber, [Parameter(Mandatory = $false, ValueFromPipeline)] [Switch]$All ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } Get-LogAnalyticWorkspace @arguments $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/Cases?api-version=2019-01-01-preview" Write-Verbose -Message "Using URI: $($uri)" try { $incidentRaw = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader) $incident += $incidentRaw.value if ($All){ while ($incidentRaw.nextLink) { $incidentRaw = (Invoke-RestMethod -Uri $($incidentRaw.nextLink) -Headers $script:authHeader -Method Get) $incident += $incidentRaw.value } } } catch { Write-Verbose $_ Write-Error "Unable to get incidents with error code: $($_.Exception.Message)" -ErrorAction Stop } $return = @() if ($incident) { Write-Verbose "Found $($incident.count) incidents" if ($IncidentName.Count -ge 1) { foreach ($rule in $IncidentName) { [PSCustomObject]$temp = $incident | Where-Object { $_.properties.title -eq $rule } if ($null -ne $temp) { $temp.properties | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force $temp.properties | Add-Member -NotePropertyName name -NotePropertyValue $temp.name -Force $return += $temp.properties } else { Write-Error "Unable to find incident: $rule" } } return $return } elseif ($CaseNumber.Count -ge 1) { foreach ($rule in $CaseNumber) { [PSCustomObject]$temp = $incident | Where-Object { $_.properties.caseNumber -eq $rule } if ($null -ne $temp) { $temp.properties | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force $temp.properties | Add-Member -NotePropertyName name -NotePropertyValue $temp.name -Force $return += $temp.properties } else { Write-Error "Unable to find incident: $rule" } } return $return } else { $incident | ForEach-Object { $_.properties | Add-Member -NotePropertyName etag -NotePropertyValue $_.etag -Force $_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force } return $incident.properties } } else { Write-Warning "No incident found on $($WorkspaceName)" } } } function Get-AzSentinelHuntingRule { <# .SYNOPSIS Get Azure Sentinel Hunting rule .DESCRIPTION With this function you can get the configuration of the Azure Sentinel Hunting rule from Azure Sentinel .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER RuleName Enter the name of the Hunting rule name .PARAMETER Filter Select which type of Hunting rules you want to see. Option: HuntingQueries, GeneralExploration, LogManagement .EXAMPLE Get-AzSentinelHuntingRule -WorkspaceName "" -RuleName "","" In this example you can get configuration of multiple Hunting rules .EXAMPLE Get-AzSentinelHuntingRule -WorkspaceName "" In this example you can get a list of all the Hunting rules in once #> [cmdletbinding(SupportsShouldProcess)] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string]$WorkspaceName, [Parameter(Mandatory = $false, ValueFromPipeline)] [ValidateNotNullOrEmpty()] [string[]]$RuleName, [Parameter(Mandatory = $false, ValueFromPipeline)] [ValidateNotNullOrEmpty()] [string]$Filter ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } Get-LogAnalyticWorkspace @arguments $uri = "$script:baseUri/savedSearches?api-version=2017-04-26-preview" Write-Verbose -Message "Using URI: $($uri)" try { if ($Filter) { $huntingRules = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader) | Where-Object $_.Category -eq $Filter } else { $huntingRules = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader) } } catch { Write-Verbose $_ Write-Error "Unable to get hunting rules with error code: $($_.Exception.Message)" -ErrorAction Stop } $return = @() if ($huntingRules.value) { Write-Verbose "Found $($huntingRules.value.count) hunting rules" if ($RuleName.Count -ge 1) { foreach ($rule in $RuleName) { [PSCustomObject]$temp = $huntingRules.value | Where-Object { $_.displayName -eq $rule } if ($null -ne $temp) { $temp.properties | Add-Member -NotePropertyName name -NotePropertyValue $temp.name -Force $temp.properties | Add-Member -NotePropertyName id -NotePropertyValue $temp.id -Force $temp.properties | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force $return += $temp.Properties } else { Write-Warning "Unable to find hunting rule: $rule" } } return $return } else { $huntingRules.value | ForEach-Object { $_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force $_.properties | Add-Member -NotePropertyName id -NotePropertyValue $_.id -Force $_.properties | Add-Member -NotePropertyName etag -NotePropertyValue $_.etag -Force return $_.properties } } } else { Write-Warning "No hunting rules found on $($WorkspaceName)" } } } function Get-AzSentinelAlertRuleAction { <# .SYNOPSIS Get Azure Sentinel Alert rule Action .DESCRIPTION This function can be used to see if an action is attached to the alert rule, if so then the configuration will be returned .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER RuleName Enter the name of the Alert rule .PARAMETER RuleId Enter the Rule Id to skip Get-AzSentinelAlertRule step .EXAMPLE Get-AzSentinelAlertRuleAction -WorkspaceName "" -RuleName "testrule01" This example will get the Workspace ands return the full data object .NOTES NAME: Get-AzSentinelAlertRuleAction #> param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $WorkspaceName, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string]$RuleName, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string]$RuleId ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } if ($RuleName) { $alertId = (Get-AzSentinelAlertRule @arguments -RuleName $RuleName).name } elseif ($RuleId) { $alertId = $RuleId } else { Write-Error "No Alert Name or ID is provided" } if ($alertId) { $uri = "$($Script:baseUri)/providers/Microsoft.SecurityInsights/alertRules/$($alertId)/actions?api-version=2019-01-01-preview" try { $return = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader).value return $return } catch { $return = $_.Exception.Message return $return } } else { $return = "No Alert found with provided: $($alertId)" return $return } } } function Get-AzSentinelAlertRule { <# .SYNOPSIS Get Azure Sentinel Alert Rules .DESCRIPTION With this function you can get the configuration of the Azure Sentinel Alert rule from Azure Sentinel .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER RuleName Enter the name of the Alert rule .EXAMPLE Get-AzSentinelAlertRule -WorkspaceName "" -RuleName "","" In this example you can get configuration of multiple alert rules in once #> [cmdletbinding(SupportsShouldProcess)] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string]$WorkspaceName, [Parameter(Mandatory = $false, ValueFromPipeline)] [ValidateNotNullOrEmpty()] [string[]]$RuleName ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } Get-LogAnalyticWorkspace @arguments $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules?api-version=2019-01-01-preview" Write-Verbose -Message "Using URI: $($uri)" try { $alertRules = Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader } catch { Write-Verbose $_ Write-Error "Unable to get alert rules with error code: $($_.Exception.Message)" -ErrorAction Stop } $return = @() if ($alertRules.value) { Write-Verbose "Found $($alertRules.value.count) Alert rules" if ($RuleName.Count -ge 1) { foreach ($rule in $RuleName) { [PSCustomObject]$temp = $alertRules.value | Where-Object { $_.properties.displayName -eq $rule } if ($null -ne $temp) { $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId ($temp.name) if ($playbook) { $playbookName = ($playbook.properties.logicAppResourceId).Split('/')[-1] } else { $playbookName = "" } $temp.properties | Add-Member -NotePropertyName name -NotePropertyValue $temp.name -Force $temp.properties | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force $temp.properties | Add-Member -NotePropertyName id -NotePropertyValue $temp.id -Force $temp.properties | Add-Member -NotePropertyName playbookName -NotePropertyValue $playbookName -Force $return += $temp.properties } else { Write-Error "Unable to find Rule: $rule" } } return $return } else { $alertRules.value | ForEach-Object { $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId ($_.name) if ($playbook) { $playbookName = ($playbook.properties.logicAppResourceId).Split('/')[-1] } else { $playbookName = "" } $_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force $_.properties | Add-Member -NotePropertyName playbookName -NotePropertyValue $playbookName -Force return $_.properties } } } else { Write-Warning "No rules found on $($WorkspaceName)" } } } function Enable-AzSentinelAlertRule { <# .SYNOPSIS Enable Azure Sentinel Alert Rules .DESCRIPTION With this function you can enable Azure Sentinel Alert rule .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER RuleName Enter the name of the Alert rule .EXAMPLE Enable-AzSentinelAlertRule -WorkspaceName "" -RuleName "","" In this example you can get configuration of multiple alert rules in once #> [cmdletbinding(SupportsShouldProcess)] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string]$WorkspaceName, [Parameter(Mandatory = $false, ValueFromPipeline)] [ValidateNotNullOrEmpty()] [string[]]$RuleName ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } $rules = Get-AzSentinelAlertRule @arguments -RuleName $RuleName -ErrorAction Stop foreach ($rule in $rules) { if ($rule.enabled -eq $true) { Write-Output "'$($rule.DisplayName)' already has status '$($rule.enabled)'" } else { $rule.enabled = $true $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($rule.name)?api-version=2019-01-01-preview" $bodyAlertProp = [AlertProp]::new( ($rule | Select-Object * -ExcludeProperty lastModifiedUtc, etag, id) ) $body = [AlertRule]::new( ($rule | Select-Object lastModifiedUtc, etag, id, name), $bodyAlertProp ) try { $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings) Write-Verbose $result Write-Output "Status of '$($rule.DisplayName)' changed to '$($rule.enabled)'" } catch { Write-Error $_.Exception.Message } } } } } function Import-AzSentinelHuntingRule { <# .SYNOPSIS Import Azure Sentinal Hunting rule .DESCRIPTION This function imports Azure Sentinal Hunnting rules from JSON and YAML config files. This way you can manage your Hunting rules dynamic from JSON or multiple YAML files .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER SettingsFile Path to the JSON or YAML file for the Hunting rules .EXAMPLE Import-AzSentinelHuntingRule -WorkspaceName "infr-weu-oms-t-7qodryzoj6agu" -SettingsFile ".\examples\HuntingRules.json" In this example all the rules configured in the JSON file will be created or updated .EXAMPLE Import-AzSentinelHuntingRule -WorkspaceName "" -SettingsFile ".\examples\HuntingRules.yaml" In this example all the rules configured in the YAML file will be created or updated .EXAMPLE Get-Item .\examples\HuntingRules*.json | Import-AzSentinelHuntingRule -WorkspaceName "" In this example you can select multiple JSON files and Pipeline it to the SettingsFile parameter #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $WorkspaceName, [Parameter(Mandatory, ValueFromPipeline)] [ValidateScript( { (Test-Path -Path $_) -and ($_.Extension -in '.json', '.yaml', '.yml') })] [System.IO.FileInfo] $SettingsFile ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } Get-LogAnalyticWorkspace @arguments $item = @{ } if ($SettingsFile.Extension -eq '.json') { try { $analytics = (Get-Content $SettingsFile -Raw | ConvertFrom-Json -ErrorAction Stop).analytics Write-Verbose -Message "Found $($analytics.count) rules" } catch { Write-Verbose $_ Write-Error -Message 'Unable to convert JSON file' -ErrorAction Stop } } elseif ($SettingsFile.Extension -in '.yaml', 'yml') { try { $analytics = [pscustomobject](Get-Content $SettingsFile -Raw | ConvertFrom-Yaml -ErrorAction Stop) $analytics | Add-Member -MemberType NoteProperty -Name DisplayName -Value $analytics.name Write-Verbose -Message 'Found compatibel yaml file' } catch { Write-Verbose $_ Write-Error -Message 'Unable to convert yaml file' -ErrorAction Stop } } foreach ($item in $analytics) { Write-Output "Started with Hunting rule: $($item.displayName)" try { Write-Verbose -Message "Get rule $($item.description)" $content = Get-AzSentinelHuntingRule @arguments -RuleName $($item.displayName) -WarningAction SilentlyContinue if ($content) { Write-Verbose -Message "Hunting rule $($item.displayName) exists in Azure Sentinel" $item | Add-Member -NotePropertyName name -NotePropertyValue $content.name -Force $item | Add-Member -NotePropertyName etag -NotePropertyValue $content.etag -Force $item | Add-Member -NotePropertyName Id -NotePropertyValue $content.id -Force $uri = "$script:baseUri/savedSearches/$($content.name)?api-version=2017-04-26-preview" } else { Write-Verbose -Message "Hunting rule $($item.displayName) doesn't exists in Azure Sentinel" $guid = (New-Guid).Guid $item | Add-Member -NotePropertyName name -NotePropertyValue $guid -Force $item | Add-Member -NotePropertyName etag -NotePropertyValue $null -Force $item | Add-Member -NotePropertyName Id -NotePropertyValue "$script:Workspace/savedSearches/$guid" -Force $uri = "$script:baseUri/savedSearches/$($guid)?api-version=2017-04-26-preview" } } catch { Write-Verbose $_ Write-Error "Unable to connect to APi to get Analytic rules with message: $($_.Exception.Message)" -ErrorAction Stop } [PSCustomObject]$body = @{ "name" = $item.name "eTag" = $item.etag "id" = $item.id "properties" = @{ 'Category' = 'Hunting Queries' 'DisplayName' = [string]$item.displayName 'Query' = [string]$item.query [pscustomobject]'Tags' = @( @{ 'Name' = "description" 'Value' = [string]$item.description }, @{ "Name" = "tactics" "Value" = [Tactics[]] $item.tactics -join ',' }, @{ "Name" = "createdBy" "Value" = "" }, @{ "Name" = "createdTimeUtc" "Value" = "" } ) } } if ($content) { $compareResult1 = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id, Tags, Version) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name, Tags, Version) $compareResult2 = Compare-Policy -ReferenceTemplate ($content.Tags | Where-Object { $_.name -eq "tactics" }) -DifferenceTemplate ($body.Properties.Tags | Where-Object { $_.name -eq "tactics" }) $compareResult = [PSCustomObject]$compareResult1 + [PSCustomObject]$compareResult2 if ($compareResult) { Write-Output "Found Differences for hunting rule: $($item.displayName)" Write-Output ($compareResult | Format-Table | Out-String) if ($PSCmdlet.ShouldProcess("Do you want to update hunting rule: $($body.Properties.DisplayName)")) { try { $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings) Write-Output "Successfully updated hunting rule: $($item.displayName) with status: $($result.StatusDescription)" Write-Output ($body.Properties | Format-List | Format-Table | Out-String) } catch { Write-Verbose $_ Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Continue } } else { Write-Output "No change have been made for hunting rule $($item.displayName), deployment aborted" } } else { Write-Output "Hunting rule $($item.displayName) is compliance, nothing to do" Write-Output ($body.Properties | Format-List | Format-Table | Out-String) } } else { Write-Verbose "Creating new rule: $($item.displayName)" try { $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings) Write-Output "Successfully created hunting rule: $($item.displayName) with status: $($result.StatusDescription)" Write-Output ($body.Properties | Format-List | Format-Table | Out-String) } catch { Write-Verbose $_ Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Continue } } } } } function Update-AzSentinelIncident { <# .SYNOPSIS Update Azure Sentinel Incident .DESCRIPTION With this function you can update existing Azure Sentinel Incident. .PARAMETER SubscriptionId Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used .PARAMETER WorkspaceName Enter the Workspace name .PARAMETER CaseNumber Enter the case number to get specfiek details of a open case .PARAMETER Severity Enter the Severity, you can choose from Medium, High, Low and Informational .PARAMETER Status Enter the Status of the incident, you can choose from New, InProgress and Closed .PARAMETER Comment Enter Comment tekst to add comment to the incident .PARAMETER Labels Add Lebels to the incident, current configured Labels will be added to the existing Labels .PARAMETER CloseReason When Status is equil to Closed, CloseReason is required. You can select from: TruePositive, FalsePositive .PARAMETER ClosedReasonText When Status is equil to Closed, ClosedReasonText is required to be filled in. .EXAMPLE Update-AzSentinelIncident -WorkspaceName "" Get a list of all open Incidents .EXAMPLE Update-AzSentinelIncident -WorkspaceName '' -CaseNumber 42291 -Labels "NewLabel" Add a new Label to list of Labels for a Incident .EXAMPLE Update-AzSentinelIncident -WorkspaceName '' -CaseNumber 42293 -Status Closed -CloseReason FalsePositive -ClosedReasonText "Your input" Close the Incidnet using status Closed, when status closed is selected then CloseReason and ClosedReasonText prperty are required to be filled in #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] param ( [Parameter(Mandatory = $false, ParameterSetName = "Sub")] [ValidateNotNullOrEmpty()] [string] $SubscriptionId, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string]$WorkspaceName, [Parameter(Mandatory, ValueFromPipeline)] [ValidateNotNullOrEmpty()] [int]$CaseNumber, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string]$Severity, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [Status]$Status, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string]$Comment, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string[]]$Labels, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [CloseReason]$CloseReason, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string]$ClosedReasonText ) begin { precheck } process { switch ($PsCmdlet.ParameterSetName) { Sub { $arguments = @{ WorkspaceName = $WorkspaceName SubscriptionId = $SubscriptionId } } default { $arguments = @{ WorkspaceName = $WorkspaceName } } } Write-Verbose -Message "Using URI: $($uri)" $incident = Get-AzSentinelIncident @arguments -CaseNumber $CaseNumber if ($incident) { if ($Comment) { $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/Cases/$($incident.name)/comments/$(New-Guid)?api-version=2019-01-01-preview" $body = @{ "properties" = @{ "message" = $Comment } } } else { $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/Cases/$($incident.name)?api-version=2019-01-01-preview" $LabelsUnique = $incident.labels + $Labels | Select-Object -Unique $body = @{ "etag" = $($incident.etag) "properties" = @{ "caseNumber" = $CaseNumber "createdTimeUtc" = $($incident.incidentcreatedTimeUtc) "endTimeUtc" = $($incident.endTimeUtc) "lastUpdatedTimeUtc" = $($incident.lastUpdatedTimeUtc) "lastComment" = "" "totalComments" = 0 "metrics" = @{ } [pscustomobject]"relatedAlertIds" = @( ) [pscustomobject]"relatedAlertProductNames" = @( ) "severity" = if ($Severity) { $Severity } else { $incident.severity } "startTimeUtc" = $($incident.startTimeUtc) "status" = if ($Status) { $Status } else { $incident.status } "closeReason" = if ($Status -eq 'Closed') { if ($null -ne [CloseReason]$CloseReason) { $CloseReason } else { Write-Error "No Close Reasen provided" -ErrorAction Stop } } else { $null } "closedReasonText" = if ($Status -eq 'Closed') { if ($ClosedReasonText) { $ClosedReasonText } else { Write-Error 'No closed comment provided' } } else { $null } [pscustomobject]"labels" = @( $LabelsUnique) "title" = $($incident.title) "description" = "" "firstAlertTimeGenerated" = "" "lastAlertTimeGenerated" = "" "owner" = @{ "name" = $null "email" = $null "objectId" = $null } } } } Write-Output "Found incident with case number: $($incident.caseNumber)" if ($PSCmdlet.ShouldProcess("Do you want to update Incident: $($body.Properties.DisplayName)")) { try { $return = Invoke-WebRequest -Uri $uri -Method Put -Body ($body | ConvertTo-Json -Depth 99 -EnumsAsStrings) -Headers $script:authHeader return ($return.Content | ConvertFrom-Json).properties } catch { $return = $_.Exception.Message Write-Verbose $_ Write-Error "Unable to update Incident $($incident.caseNumber) with error message $return" return $return } } else { Write-Output "No change have been made for Incident $($incident.caseNumber), update aborted" } } } } |