Private/Get-SocOptimization.ps1
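function Get-SocOptimization {
    <#
    .SYNOPSIS
        Fetches SOC optimization recommendations from the Sentinel REST API.

    .DESCRIPTION
        Calls the Microsoft.SecurityInsights "recommendations" endpoint under
        $Context.ResourceId and flattens each recommendation (and its nested
        suggestions) into a PSCustomObject.

        The call is best-effort. The endpoint is a *preview* API
        (api-version 2024-01-01-preview) that may be unavailable in some
        clouds/tenants, and the caller may lack the required RBAC. Any failure
        is reported on the warning stream (not as a terminating error) and the
        function emits nothing - so callers must not read "no output" as
        "no recommendations" without also checking for warnings.

    .PARAMETER Context
        Object that must carry:
          - ArmToken   : bearer token for https://management.azure.com, sent
                         verbatim in the Authorization header. Expected to be a
                         plain string (a SecureString would be stringified to
                         its type name) - confirm with the caller that builds it.
          - ResourceId : ARM resource ID (leading slash included) that the
                         SecurityInsights provider path is appended to; in
                         practice this is the Sentinel-enabled workspace - verify
                         against the caller.

    .OUTPUTS
        PSCustomObject, one per recommendation. Nothing is emitted when the
        API call fails or returns no recommendations.

    .NOTES
        Never log $headers or the interpolated Authorization value: it carries
        the bearer token. Only $uri and the error record are safe to log.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [PSCustomObject]$Context
    )

    # Fail fast with a clear message rather than sending a malformed request
    # ("Bearer " with no token, or a URI with no resource path) that would only
    # come back as an opaque 401/404 from the service.
    if ([string]::IsNullOrWhiteSpace($Context.ArmToken) -or
        [string]::IsNullOrWhiteSpace($Context.ResourceId)) {
        Write-Warning "Get-SocOptimization: Context is missing ArmToken or ResourceId; skipping SOC optimization lookup."
        return @()
    }

    # The token lives only in this header; do not write $headers to any stream.
    $headers = @{ Authorization = "Bearer $($Context.ArmToken)" }

    # Preview API: route and payload shape may change without notice. Pinning
    # the version makes a breaking change show up as an explicit failure.
    $apiVersion = '2024-01-01-preview'
    $uri = "https://management.azure.com$($Context.ResourceId)" +
           "/providers/Microsoft.SecurityInsights/recommendations?api-version=$apiVersion"

    try {
        $response = Invoke-AzRestWithRetry -Uri $uri -Headers $headers

        # A null/missing .value iterates zero times here (unlike @($null)).
        foreach ($rec in $response.value) {
            $props = $rec.properties

            # Nested, actionable suggestions (e.g. tables to enable, rules to
            # create). Always materialised as an array so consumers - including
            # JSON serialisation - get a consistent shape for 0, 1 or N items.
            $suggestions = @()
            if ($props.suggestions) {
                $suggestions = @($props.suggestions | ForEach-Object {
                    [PSCustomObject]@{
                        Title       = $_.title
                        Description = $_.description
                        Action      = $_.action
                        TypeId      = $_.suggestionTypeId
                        Properties  = $_.additionalProperties
                    }
                })
            }

            [PSCustomObject]@{
                Id                   = $rec.id
                Title                = $props.title
                Description          = $props.description
                Category             = $props.category
                Priority             = $props.priority
                State                = $props.state
                RecommendationTypeId = $props.recommendationTypeId
                Suggestions          = $suggestions
                AdditionalProperties = $props.additionalProperties
                Actions              = $props.actions
            }
        }
    }
    catch {
        # Best-effort: a failure here must not abort the wider assessment, but it
        # must be *visible*. A verbose-only message made an expired token,
        # throttling, or missing RBAC indistinguishable from "zero
        # recommendations". Surface the HTTP status when the exception has one;
        # the shape of what Invoke-AzRestWithRetry throws is not visible here,
        # so the lookup is guarded.
        $status = $null
        try { $status = $_.Exception.Response.StatusCode } catch { }
        $detail = if ($status) { "HTTP status $status" } else { $_.Exception.Message }

        Write-Warning "SOC optimization recommendations unavailable (preview API not supported here, or insufficient permissions): $detail"
        # Full error record for troubleshooting; it does not include $headers.
        Write-Verbose "Get-SocOptimization failure detail: $_"

        # An empty array unrolls to no pipeline output, so callers see zero objects.
        @()
    }
}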