CarbonBlackPS

1.0

Public/Set-CbAlertBulk.ps1

                                <#

    .SYNOPSIS

    Bulk update alerts by search definition.

    Official Carbon Black documentation: https://developer.carbonblack.com/reference/carbon-black-cloud/platform/latest/alerts-api/#bulk-create-workflows

    .PARAMETER Search

    Query in lucene syntax and/or including value searches

    .PARAMETER State

    Workflow state to set. Options are "DISMISSED" or "OPEN"    

    .PARAMETER RemediationState

    Description or justification for the change  

    .PARAMETER Comment

    Comment to include with the operation

    .PARAMETER Category

    Search criteria for category  

    .PARAMETER SensorID

    Search criteria for sensor ID

    .PARAMETER ComputerName

    Search criteria for name of machine. 

    .PARAMETER OperatingSystem

    Search criteria for operating system

    .PARAMETER OperationgSystemVersion

    Search criteria for version of operating system

    .PARAMETER GroupResults

    Specify whether to group results or not

    .PARAMETER AlertID

    Search criteria for alert ID

    .PARAMETER LegacyAlertID

    Search criteria for legacy alert ID

    .PARAMETER MinimumSeverity

    Search criteria for minimum severity

    .PARAMETER PolicyName

    Search criteria for policy name

    .PARAMETER ProcessName

    Search criteria for process name

    .PARAMETER FileHash

    Search criteria for SHA-256 file hash

    .PARAMETER Reputation

    Search criteria for reputation

    .PARAMETER Tag

    Search criteria for tag

    .PARAMETER TargetValue

    Search criteria for target value

    .PARAMETER Username

    Search criteria for device username

    .PARAMETER Type

    Search criteria for type

    .PARAMETER Workflow

    Search criteria for workflow

    .PARAMETER PolicyID

    Search criteria for policy ID

    .PARAMETER ThreatID

    Search criteria for threat ID

    .EXAMPLE

    Set-CbAlertBulk -AlertID $alertID -State DISMISSED -RemediationState "Remediated" -Comment "Validated by Tim"

#>

function Set-CbAlertBulk {

    param (

        [Parameter(Mandatory=$true)]

        [ValidateSet("DISMISSED", "OPEN")]

        [string]$State,

        [string]$RemediationState,

        [string]$Comment,

        [ValidateSet("THREAT", "MONITORED")]

        [string]$Category,

        [int]$SensorID,

        [string]$ComputerName,

        [ValidateSet("WINDOWS", "MAC", "LINUX", "OTHER")]

        [string]$OperatingSystem,

        [string]$OperatingSystemVersion,

        [switch]$GroupResults,

        [string]$AlertID,

        [string]$LegacyAlertID,

        [int]$MinimumSeverity,

        [string]$PolicyName,

        [string]$ProcessName,

        [string]$FileHash,

        [ValidateSet("KNOWN_MALWARE", "SUSPECT_MALWARE", "PUP", "NOT_LISTED", "ADAPTIVE_WHITE_LIST", "COMMON_WHITE_LIST", "TRUSTED_WHITE_LIST", "COMPANY_BLACK_LIST")]

        [string]$Reputation,

        [string]$Tag,

        [ValidateSet("LOW", "MEDIUM", "HIGH", "MISSION_CRITICAL")]

        [string]$TargetValue,

        [string]$Username,

        [string]$Type,

        [string]$Workflow,

        [int]$PolicyID,

        [string]$ThreatID

    )

    $jsonBody = "{

    ""state"": ""$State""

}"

    $psObjBody = $jsonBody | ConvertFrom-Json    

    if ($RemediationState) {$psObjBody | Add-Member -Name "remediation_state" -Value $RemediationState -MemberType NoteProperty}

    if ($Comment) {$psObjBody | Add-Member -Name "comment" -Value $Comment -MemberType NoteProperty}

    if ($Search) {$psObjBody | Add-Member -Name "query" -Value $Search -MemberType NoteProperty}

    if ($ComputerName -or $Category -or $SensorID -or $OperatingSystem -or $OperatingSystemVersion -or $GroupResults -or $AlertID -or $LegacyAlertID -or $MinimumSeverity -or $PolicyName -or $ProcessName -or $FileHash -or $Reputation -or $Tag -or $TargetValue -or $Username -or $Type -or $Workflow -or $PolicyID -or $ThreatID) {

        $psObjBody | Add-Member -Name "criteria" -Value ([PSCustomObject]@{}) -MemberType NoteProperty

        if ($ComputerName) {

            try {

                $device = Get-CbDevice -Search $ComputerName

                $psObjBody.criteria | Add-Member -Name "device_name" -Value @($device.name) -MemberType NoteProperty    

            }

            catch {

                throw "ERROR: No device found with that name."

                break

            }

        }

        if ($Category) {$psObjBody.criteria | Add-Member -Name "category" -Value @($Category) -MemberType NoteProperty}

        if ($SensorID) {$psObjBody.criteria | Add-Member -Name "device_id" -Value @($SensorID) -MemberType NoteProperty}

        if ($OperatingSystem) {$psObjBody.criteria | Add-Member -Name "device_os" -Value @($OperatingSystem) -MemberType NoteProperty}

        if ($OperatingSystemVersion) {$psObjBody.criteria | Add-Member -Name "device_os_version" -Value @($OperatingSystemVersion) -MemberType NoteProperty}

        if ($GroupResults) {

            $psObjBody.criteria | Add-Member -Name "group_results" -Value $true -MemberType NoteProperty

        } else {

            $psObjBody.criteria | Add-Member -Name "group_results" -Value $false -MemberType NoteProperty

        }

        if ($AlertID) {$psObjBody.criteria | Add-Member -Name "id" -Value @($AlertID) -MemberType NoteProperty}

        if ($LegacyAlertID) {$psObjBody.criteria | Add-Member -Name "legacy_alert_id" -Value @($LegacyAlertID) -MemberType NoteProperty}

        if ($MinimumSeverity) {$psObjBody.criteria | Add-Member -Name "minimum_severity" -Value $MinimumSeverity -MemberType NoteProperty}

        if ($PolicyName) {$psObjBody.criteria | Add-Member -Name "policy_name" -Value @($PolicyName) -MemberType NoteProperty}

        if ($ProcessName) {$psObjBody.criteria | Add-Member -Name "process_name" -Value @($ProcessName) -MemberType NoteProperty}

        if ($FileHash) {$psObjBody.criteria | Add-Member -Name "process_sha256" -Value @($FileHash) -MemberType NoteProperty}

        if ($Reputation) {$psObjBody.criteria | Add-Member -Name "reputation" -Value @($Reputation) -MemberType NoteProperty}

        if ($Tag) {$psObjBody.criteria | Add-Member -Name "tag" -Value @($Tag) -MemberType NoteProperty}

        if ($TargetValue) {$psObjBody.criteria | Add-Member -Name "target_value" -Value @($TargetValue) -MemberType NoteProperty}

        if ($Username) {$psObjBody.criteria | Add-Member -Name "device_username" -Value @($Username) -MemberType NoteProperty}

        if ($Type) {$psObjBody.criteria | Add-Member -Name "type" -Value @($Type) -MemberType NoteProperty}

        if ($Workflow) {$psObjBody.criteria | Add-Member -Name "workflow" -Value @($Workflow) -MemberType NoteProperty}

        if ($PolicyID) {$psObjBody.criteria | Add-Member -Name "policy_id" -Value @($PolicyID) -MemberType NoteProperty}

        if ($ThreatID) {$psObjBody.criteria | Add-Member -Name "threat_id" -Value @($ThreatID) -MemberType NoteProperty}

    }

    $jsonBody = $psObjBody | ConvertTo-Json

    $Parameters = @{

        UriPreOrgKey  = "/appservices/v6/orgs/"

        UriPostOrgKey = "/alerts/workflow/_criteria"

        Method     = "Post"

        Body       = $jsonBody

    }

    $result = Invoke-CbMethod @Parameters

    $result

}