CarbonBlackPS

1.0

Public/Get-CbAlert.ps1

                                <#

    .SYNOPSIS

    Search alerts within Carbon Black. 

    Official Carbon Black documentation: https://developer.carbonblack.com/reference/carbon-black-cloud/platform/latest/alerts-api/#alert-search

    .PARAMETER Search

    Query in lucene syntax and/or including value searches

    .PARAMETER Rows

    Maximum number of rows to return

    .PARAMETER Start

    Row to begin returning results from

    .PARAMETER SortField

    Field to sort results on. Must be used in conjunction with -SortOrder parameter

    .PARAMETER SortOrder

    Specifies ascending or descending order for sorting

    .PARAMETER ComputerName

    Search criteria for name of machine. 

    .PARAMETER OperatingSystem

    Search criteria for operating system

    .PARAMETER OperationgSystemVersion

    Search criteria for version of operating system

    .PARAMETER GroupResults

    Specify whether to group results or not

    .PARAMETER AlertID

    Search criteria for alert ID

    .PARAMETER LegacyAlertID

    Search criteria for legacy alert ID

    .PARAMETER MinimumSeverity

    Search criteria for minimum severity

    .PARAMETER SensorID

    Search criteria for sensor ID

    .PARAMETER PolicyID

    Search criteria for policy ID

    .PARAMETER ThreatID

    Search criteria for threat ID

    .PARAMETER PolicyName

    Search criteria for policy name

    .PARAMETER ProcessName

    Search criteria for process name

    .PARAMETER FileHash

    Search criteria for SHA-256 file hash

    .PARAMETER Reputation

    Search criteria for reputation

    .PARAMETER Tag

    Search criteria for tag

    .PARAMETER TargetValue

    Search criteria for target value

    .PARAMETER Username

    Search criteria for device username

    .PARAMETER Type

    Search criteria for type

    .PARAMETER Workflow

    Search criteria for workflow

    .PARAMETER Category

    Search criteria for category

    .EXAMPLE

    Get-CbAlert -Search "Query"

    .EXAMPLE

    Get-CbAlert -OperatingSystem "Linux" -MinimumSeverity 3 -SortField "last_event_time" -SortOrder "asc" -PolicyID 12345

    Returns results for all alerts for Linux machines in a given policy with a minimum severity of 3, sorted in ascending order by last event time.

#>

function Get-CbAlert {

    param (

        [string]$Search,

        [int]$Rows,

        [int]$Start,

        [ValidateSet("first_event_time", "last_event_time", "create_time", "last_update_time", "severity", "target_value")]

        [string]$SortField,

        [ValidateSet("ASC", "DESC")]

        [string]$SortOrder,

        [string]$ComputerName,

        [ValidateSet("WINDOWS", "MAC", "LINUX", "OTHER")]

        [string]$OperatingSystem,

        [string]$OperatingSystemVersion,

        [switch]$GroupResults,

        [string]$AlertID,

        [string]$LegacyAlertID,

        [int]$MinimumSeverity,

        [int]$SensorID,

        [int]$PolicyID,

        [string]$ThreatID,

        [string]$PolicyName,

        [string]$ProcessName,

        [string]$FileHash,

        [ValidateSet("KNOWN_MALWARE", "SUSPECT_MALWARE", "PUP", "NOT_LISTED", "ADAPTIVE_WHITE_LIST", "COMMON_WHITE_LIST", "TRUSTED_WHITE_LIST", "COMPANY_BLACK_LIST")]

        [string]$Reputation,

        [string]$Tag,

        [ValidateSet("LOW", "MEDIUM", "HIGH", "MISSION_CRITICAL")]

        [string]$TargetValue,

        [string]$Username,

        [string]$Type,

        [string]$Workflow,

        [ValidateSet("THREAT", "MONITORED")]

        [string]$Category

    )

    $jsonBody = "{

    }"

    $psObjBody = $jsonBody |  ConvertFrom-Json    

    if ($Search) {$psObjBody | Add-Member -Name "query" -Value $Search -MemberType NoteProperty}

    if ($Rows) {$psObjBody | Add-Member -Name "rows" -Value $Rows -MemberType NoteProperty}

    if ($Start) {$psObjBody | Add-Member -Name "start" -Value $Start -MemberType NoteProperty}

    if ($SortField -or $SortOrder) {

        $psObjBody | Add-Member -Name "sort" -Value @([PSCustomObject]@{}) -MemberType NoteProperty

        if ($SortOrder) {$psObjBody.sort | Add-Member -Name "order" -Value $SortOrder -MemberType NoteProperty}

        if ($SortField) {$psObjBody.sort | Add-Member -Name "field" -Value $SortField -MemberType NoteProperty}

    }

    if ($ComputerName -or $OperatingSystem -or $OperatingSystemVersion -or $GroupResults -or $AlertID -or $LegacyAlertID -or $MinimumSeverity -or $SensorID -or $PolicyID -or $ThreatID -or $PolicyName -or $ProcessName -or $FileHash -or $Reputation -or $Tag -or $TargetValue -or $Username -or $Type -or $Workflow) {

        $psObjBody | Add-Member -Name "criteria" -Value ([PSCustomObject]@{}) -MemberType NoteProperty

        if ($ComputerName) {

            try {

                $device = Get-CbDevice -Search $ComputerName

                $psObjBody.criteria | Add-Member -Name "device_name" -Value @($device.name) -MemberType NoteProperty    

            }

            catch {

                throw "ERROR: No device found with that name."

                break

            }

        }

        if ($OperatingSystem) {$psObjBody.criteria | Add-Member -Name "device_os" -Value @($OperatingSystem) -MemberType NoteProperty}

        if ($OperatingSystemVersion) {$psObjBody.criteria | Add-Member -Name "device_os_version" -Value @($OperatingSystemVersion) -MemberType NoteProperty}

        if ($GroupResults) {

            $psObjBody.criteria | Add-Member -Name "group_results" -Value $true -MemberType NoteProperty

        } else {

            $psObjBody.criteria | Add-Member -Name "group_results" -Value $false -MemberType NoteProperty

        }

        if ($AlertID) {$psObjBody.criteria | Add-Member -Name "id" -Value @($AlertID) -MemberType NoteProperty}

        if ($LegacyAlertID) {$psObjBody.criteria | Add-Member -Name "legacy_alert_id" -Value @($LegacyAlertID) -MemberType NoteProperty}

        if ($MinimumSeverity) {$psObjBody.criteria | Add-Member -Name "minimum_severity" -Value $MinimumSeverity -MemberType NoteProperty}

        if ($SensorID) {$psObjBody.criteria | Add-Member -Name "device_id" -Value @($SensorID) -MemberType NoteProperty}

        if ($PolicyID) {$psObjBody.criteria | Add-Member -Name "policy_id" -Value @($PolicyID) -MemberType NoteProperty}

        if ($ThreatID) {$psObjBody.criteria | Add-Member -Name "threat_id" -Value @($ThreatID) -MemberType NoteProperty}

        if ($PolicyName) {$psObjBody.criteria | Add-Member -Name "policy_name" -Value @($PolicyName) -MemberType NoteProperty}

        if ($ProcessName) {$psObjBody.criteria | Add-Member -Name "process_name" -Value @($ProcessName) -MemberType NoteProperty}

        if ($FileHash) {$psObjBody.criteria | Add-Member -Name "process_sha256" -Value @($FileHash) -MemberType NoteProperty}

        if ($Reputation) {$psObjBody.criteria | Add-Member -Name "reputation" -Value @($Reputation) -MemberType NoteProperty}

        if ($Tag) {$psObjBody.criteria | Add-Member -Name "tag" -Value @($Tag) -MemberType NoteProperty}

        if ($TargetValue) {$psObjBody.criteria | Add-Member -Name "target_value" -Value @($TargetValue) -MemberType NoteProperty}

        if ($Username) {$psObjBody.criteria | Add-Member -Name "device_username" -Value @($Username) -MemberType NoteProperty}

        if ($Type) {$psObjBody.criteria | Add-Member -Name "type" -Value @($Type) -MemberType NoteProperty}

        if ($Workflow) {$psObjBody.criteria | Add-Member -Name "workflow" -Value @($Workflow) -MemberType NoteProperty}

        if ($Category) {$psObjBody.criteria | Add-Member -Name "category" -Value @($Category) -MemberType NoteProperty}

    }

    $jsonBody = $psObjBody | ConvertTo-Json

    $Parameters = @{

        UriPreOrgKey  = "/appservices/v6/orgs/"

        UriPostOrgKey = "/alerts/_search"

        Method     = "Post"

        Body       = $jsonBody

    }

    $result = Invoke-CbMethod @Parameters

    $result.results

}