public/Convert-SentinelARArmToYaml.ps1

<#
.SYNOPSIS
Converts an Azure Sentinel Analytics Rule ARM template to YAML
 
.DESCRIPTION
Converts an Azure Sentinel Analytics Rule ARM template to YAML.
The ARM template can be provided as a file or as a string.
The YAML file can be saved to the same directory as the ARM template file.
 
.PARAMETER Filename
The path to the ARM template file
 
.PARAMETER Data
The ARM template content, as a single string or as an array of lines (for example the output of Get-Content); accepted from the pipeline
 
.PARAMETER OutFile
The path to the output YAML file
 
.PARAMETER UseOriginalFilename
If set, the output file will be saved with the same name as the ARM template file, but with a .yaml extension
 
.EXAMPLE
Convert-SentinelARArmToYaml -Filename "C:\Temp\MyRule.json" -OutFile "C:\Temp\MyRule.yaml"
 
.NOTES
  Author: Fabian Bader (https://cloudbrothers.info/)
#>


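function Convert-SentinelARArmToYaml {
    # Converts a single Microsoft Sentinel analytics rule exported as an ARM
    # template into the YAML layout used by the Sentinel detection repository.
    #
    # Input is either a file (-Filename) or the template text from the pipeline
    # (-Data). Output is the YAML text, or nothing when it was written to a file.
    #
    # Throws:
    #   "File not found"                               when -Filename is not an existing file
    #   "ARM template must contain exactly one resource" when resources is empty or has several entries
    #   "ARM template resource has no 'properties' element"
    #
    # NOTE: ConvertTo-Yaml is not a built-in cmdlet; a YAML module providing it
    # must be loaded before this function is called.
    [CmdletBinding(DefaultParameterSetName = 'Pipeline')]
    param (
        [Parameter(Mandatory = $true,
            ParameterSetName = 'Path')]
        [Parameter(Mandatory = $true,
            ParameterSetName = 'UseOriginalFilename')]
        [string]$Filename,

        [Alias('Yaml')]
        [Parameter(Mandatory = $true,
            ValueFromPipeline = $true,
            ParameterSetName = 'Pipeline',
            Position = 0)]
        [array]$Data,

        [Parameter(Mandatory = $false,
            ParameterSetName = 'Path')]
        [Parameter(Mandatory = $false,
            ParameterSetName = 'Pipeline')]
        [string]$OutFile,

        [Parameter(Mandatory = $true,
            ParameterSetName = 'UseOriginalFilename')]
        [switch]$UseOriginalFilename
    )


    begin {
        # Accumulator for pipeline input. Initialised here so that the `+=` in
        # process {} also works when Set-StrictMode is active.
        $FullARM = @()

        if ($PsCmdlet.ParameterSetName -in ("Path", "UseOriginalFilename") ) {
            # -LiteralPath: a filename containing [, ] or * must not be expanded as a wildcard.
            # -PathType Leaf: a directory is "not found" here instead of failing later in Get-Content.
            if (-not (Test-Path -LiteralPath $Filename -PathType Leaf) ) {
                throw "File not found"
            }
            if ($UseOriginalFilename) {
                $FileObject = Get-Item -LiteralPath $Filename
                # BaseName already has the extension stripped. Using `-replace` with the
                # extension as the pattern would treat it as a regex, replace every occurrence
                # in the name, and insert ".yaml" between every character when the file has
                # no extension at all.
                $OutFile = Join-Path $FileObject.DirectoryName ($FileObject.BaseName + ".yaml")
            }
        }
    }

    process {
        # Use pipeline data and create a variable containing all parsed strings
        if ($PsCmdlet.ParameterSetName -eq "Pipeline") {
            $FullARM += $Data
        }
    }

    end {
        # Mapping of Arm property names to YAML when different
        $ValueNameMappingArm2Yaml = [ordered]@{
            "displayName"           = "name"
            "alertRuleTemplateName" = "id"
            "templateVersion"       = "version"
            "techniques"            = "relevantTechniques"
        }

        # Mapping of Arm operator names to YAML when different
        $CompareOperatorArm2Yaml = @{
            "Equals"             = "eq"
            "GreaterThan"        = "gt"
            "GreaterThanOrEqual" = "ge"
            "LessThan"           = "lt"
            "LessThanOrEqual"    = "le"
        }

        # List of values to always remove
        $RemoveArmValues = @(
            "enabled"
        )

        # Properties listed here come first, in this order; everything else follows.
        $DefaultSortOrderInYAML = @(
            "id",
            "name",
            "version",
            "kind",
            "description",
            "severity",
            "requiredDataConnectors",
            "queryFrequency",
            "queryPeriod",
            "triggerOperator",
            "triggerThreshold",
            "tactics",
            "relevantTechniques",
            "query"
        )

        # Use parsed pipeline data if no file was specified (default)
        if ($PsCmdlet.ParameterSetName -eq "Pipeline") {
            $AnalyticsRuleTemplate = $FullARM | ConvertFrom-Json
        } else {
            Write-Verbose "Read file `"$Filename`""
            $AnalyticsRuleTemplate = Get-Content -LiteralPath $Filename -Raw | ConvertFrom-Json
        }

        # @() so a missing "resources" element counts as 0 instead of failing on .Count;
        # the Where-Object drops the $null that @($null) would otherwise count as one entry.
        $Resources = @($AnalyticsRuleTemplate.resources | Where-Object { $null -ne $_ })
        if ($Resources.Count -ne 1) {
            throw "ARM template must contain exactly one resource"
        }
        $Resource = $Resources[0]

        # Get the id of the analytic rule. Prefer the GUID that follows "alertRules/" so a
        # GUID earlier in the resource id (e.g. a hard-coded subscription) is not picked up;
        # fall back to the first GUID anywhere, and finally to a freshly generated one.
        $GuidPattern = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
        $ResourceId = [string]$Resource.id
        if ($ResourceId -match "alertRules/($GuidPattern)") {
            $Id = $Matches[1]
        } elseif ($ResourceId -match $GuidPattern) {
            $Id = $Matches[0]
        } else {
            Write-Verbose "Error reading current Id. Generating new Id."
            $Id = (New-Guid).Guid
        }

        # Get the properties of the analytic rule
        $AnalyticsRule = $Resource.properties
        if ($null -eq $AnalyticsRule) {
            throw "ARM template resource has no 'properties' element"
        }
        # Add the id and kind from the ARM template
        $AnalyticsRule = $AnalyticsRule | Add-Member -MemberType NoteProperty -Name "id" -Value $Id -PassThru -Force
        $AnalyticsRule = $AnalyticsRule | Add-Member -MemberType NoteProperty -Name "kind" -Value $Resource.kind -PassThru -Force
        # Remove values that are not needed
        foreach ($RemoveArmValue in $RemoveArmValues) {
            $AnalyticsRule.PSObject.Properties.Remove($RemoveArmValue) | Out-Null
        }

        # Shorten ISO 8601 durations ("PT5M" -> "5m", "PT1H" -> "1h", "P1D" -> "1d") at any
        # nesting depth. The patterns include the surrounding quotes, so only whole string
        # values are touched, never property names or text inside a longer string.
        $JSON = $AnalyticsRule | ConvertTo-Json -Depth 100
        $JSON = $JSON -replace '"PT([0-9]+)M"', '"$1m"' -replace '"PT([0-9]+)H"', '"$1h"' -replace '"P([0-9]+)D"', '"$1d"'
        $AnalyticsRule = $JSON | ConvertFrom-Json

        # Rename top-level properties to the names used in the YAML. This is done on the
        # object, not with a regex over the serialised JSON: a text replace would also
        # rewrite any occurrence of e.g. "techniques" or "displayName" inside the query or
        # description, silently changing the detection logic.
        foreach ($ArmName in $ValueNameMappingArm2Yaml.Keys) {
            $ArmProperty = $AnalyticsRule.PSObject.Properties[$ArmName]
            if ($null -ne $ArmProperty) {
                $YamlName = $ValueNameMappingArm2Yaml[$ArmName]
                $PropertyValue = $ArmProperty.Value
                $AnalyticsRule.PSObject.Properties.Remove($ArmName) | Out-Null
                $AnalyticsRule | Add-Member -MemberType NoteProperty -Name $YamlName -Value $PropertyValue -Force
            }
        }

        # Map the trigger operator value only (same reasoning as above: "Equals" or
        # "GreaterThan" may legitimately appear inside a query). A lookup also avoids the
        # order-dependent problem of replacing "GreaterThan" before "GreaterThanOrEqual".
        $OperatorProperty = $AnalyticsRule.PSObject.Properties['triggerOperator']
        if ($null -ne $OperatorProperty -and $null -ne $OperatorProperty.Value) {
            $ArmOperator = [string]$OperatorProperty.Value
            if ($CompareOperatorArm2Yaml.ContainsKey($ArmOperator)) {
                $OperatorProperty.Value = $CompareOperatorArm2Yaml[$ArmOperator]
            }
        }

        # Use custom sort order of YAML: known names by their position in the list,
        # unknown names after them (index 100).
        $AnalyticsRuleKeys = @($AnalyticsRule.PSObject.Properties.Name) | Sort-Object {
            $Position = [array]::IndexOf($DefaultSortOrderInYAML, $_)
            if ($Position -eq -1) { 100 } else { $Position }
        }

        # Create ordered hashtable, dropping empty values. A non-empty array is always
        # kept; everything else is kept when its string form is not blank.
        $AnalyticsRuleCleaned = [ordered]@{}
        foreach ($PropertyName in $AnalyticsRuleKeys) {
            $PropertyValue = $AnalyticsRule.$PropertyName
            $IsNonEmptyArray = ($PropertyValue -is [array]) -and ($PropertyValue.Count -gt 0)
            if ($IsNonEmptyArray -or -not [string]::IsNullOrWhiteSpace($PropertyValue)) {
                $AnalyticsRuleCleaned.Add($PropertyName, $PropertyValue)
            }
        }

        # Convert the PowerShell object to YAML
        $AnalyticsRuleYAML = $AnalyticsRuleCleaned | ConvertTo-Yaml

        # Write the YAML to a file or return the YAML
        if ($OutFile -or $UseOriginalFilename) {
            $AnalyticsRuleYAML | Out-File -LiteralPath $OutFile -Force -Encoding utf8
            Write-Verbose "Output written to file: `"$OutFile`""
        } else {
            return $AnalyticsRuleYAML
        }
    }
}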

# SIG # Begin signature block
# MIIRtAYJKoZIhvcNAQcCoIIRpTCCEaECAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR
# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUgr+tE6lsTOyT5TwsvI8tvs8M
# s/Wggg4AMIIGsDCCBJigAwIBAgIQCK1AsmDSnEyfXs2pvZOu2TANBgkqhkiG9w0B
# AQwFADBiMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYD
# VQQLExB3d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVk
# IFJvb3QgRzQwHhcNMjEwNDI5MDAwMDAwWhcNMzYwNDI4MjM1OTU5WjBpMQswCQYD
# VQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lD
# ZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEg
# Q0ExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1bQvQtAorXi3XdU5
# WRuxiEL1M4zrPYGXcMW7xIUmMJ+kjmjYXPXrNCQH4UtP03hD9BfXHtr50tVnGlJP
# DqFX/IiZwZHMgQM+TXAkZLON4gh9NH1MgFcSa0OamfLFOx/y78tHWhOmTLMBICXz
# ENOLsvsI8IrgnQnAZaf6mIBJNYc9URnokCF4RS6hnyzhGMIazMXuk0lwQjKP+8bq
# HPNlaJGiTUyCEUhSaN4QvRRXXegYE2XFf7JPhSxIpFaENdb5LpyqABXRN/4aBpTC
# fMjqGzLmysL0p6MDDnSlrzm2q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaD
# G7dqZy3SvUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urO
# kfW+0/tvk2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7AD
# K5GyNnm+960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4
# R+Z1MI3sMJN2FKZbS110YU0/EpF23r9Yy3IQKUHw1cVtJnZoEUETWJrcJisB9IlN
# Wdt4z4FKPkBHX8mBUHOFECMhWWCKZFTBzCEa6DgZfGYczXg4RTCZT/9jT0y7qg0I
# U0F8WD1Hs/q27IwyCQLMbDwMVhECAwEAAaOCAVkwggFVMBIGA1UdEwEB/wQIMAYB
# Af8CAQAwHQYDVR0OBBYEFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB8GA1UdIwQYMBaA
# FOzX44LScV1kTN8uZz/nupiuHA9PMA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAK
# BggrBgEFBQcDAzB3BggrBgEFBQcBAQRrMGkwJAYIKwYBBQUHMAGGGGh0dHA6Ly9v
# Y3NwLmRpZ2ljZXJ0LmNvbTBBBggrBgEFBQcwAoY1aHR0cDovL2NhY2VydHMuZGln
# aWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5jcnQwQwYDVR0fBDwwOjA4
# oDagNIYyaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZFJv
# b3RHNC5jcmwwHAYDVR0gBBUwEzAHBgVngQwBAzAIBgZngQwBBAEwDQYJKoZIhvcN
# AQEMBQADggIBADojRD2NCHbuj7w6mdNW4AIapfhINPMstuZ0ZveUcrEAyq9sMCcT
# Ep6QRJ9L/Z6jfCbVN7w6XUhtldU/SfQnuxaBRVD9nL22heB2fjdxyyL3WqqQz/WT
# auPrINHVUHmImoqKwba9oUgYftzYgBoRGRjNYZmBVvbJ43bnxOQbX0P4PpT/djk9
# ntSZz0rdKOtfJqGVWEjVGv7XJz/9kNF2ht0csGBc8w2o7uCJob054ThO2m67Np37
# 5SFTWsPK6Wrxoj7bQ7gzyE84FJKZ9d3OVG3ZXQIUH0AzfAPilbLCIXVzUstG2MQ0
# HKKlS43Nb3Y3LIU/Gs4m6Ri+kAewQ3+ViCCCcPDMyu/9KTVcH4k4Vfc3iosJocsL
# 6TEa/y4ZXDlx4b6cpwoG1iZnt5LmTl/eeqxJzy6kdJKt2zyknIYf48FWGysj/4+1
# 6oh7cGvmoLr9Oj9FpsToFpFSi0HASIRLlk2rREDjjfAVKM7t8RhWByovEMQMCGQ8
# M4+uKIw8y4+ICw2/O/TOHnuO77Xry7fwdxPm5yg/rBKupS8ibEH5glwVZsxsDsrF
# hsP2JjMMB0ug0wcCampAMEhLNKhRILutG4UI4lkNbcoFUCvqShyepf2gpx8GdOfy
# 1lKQ/a+FSCH5Vzu0nAPthkX0tGFuv2jiJmCG6sivqf6UHedjGzqGVnhOMIIHSDCC
# BTCgAwIBAgIQCoIwkEerNiPKwx+yPazrmjANBgkqhkiG9w0BAQsFADBpMQswCQYD
# VQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lD
# ZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEg
# Q0ExMB4XDTIyMDUxODAwMDAwMFoXDTI1MDUxNzIzNTk1OVowTTELMAkGA1UEBhMC
# REUxEDAOBgNVBAcTB0hhbWJ1cmcxFTATBgNVBAoTDEZhYmlhbiBCYWRlcjEVMBMG
# A1UEAxMMRmFiaWFuIEJhZGVyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
# AgEAwSPFSbbOIFCY82i///NpwIqHv7GJCDqju+CJg7TAojDV2CDSz72qN2PYjV5a
# nfh/jeJVGtA7BrCeKWkLzVH9P4pW52juEhwRe7fbv7s+PkpThLBdwQXh/JHEXpIv
# 9jLkOGH3YxrxoIS5bdnzKfuyUr8qJ/J+U6a9SgkOkFNM6pGHFGY2TsRA8wMjTdph
# YGTKf585hH4mD7/Gq1db72IQDpooKXYPZobQ+LAuLtF/RgTVH1Ytg/61md28pV35
# QyZujAccoYJjgDWzecx7O7cdYuwAlsPfh6L+YFVOx9LyuaVFQg6w63e1DNYEguIm
# Pl6tWtAMOHmgXxd4a4w/H0tvUkqjOH5K4dU4CWmcISnkdh2sdHNwx8gjfYe3TwpW
# xlFOU1HEae6HANF6tVtIyVhQRwS7J1DNJO1KIOGZDBhKhiPklr17WMnR5eYECOdc
# ackHDT9yZJ3QHkT0GMa3KnZSR56RhObz7NH8llJRSZ/2yzDOPAhiFOrKjZPYYL8R
# 5248ZkxOxbTJWpThW53dKPM6b9NotqiJW5ru4eOVq0yjSMdtPLttQAu6HEtNKI19
# 0Aiv5XPPQYMyI1PHVLY5sV7pm36hIpY5EW23HnJs3024AiF45FN1mxHlUkm7c+CY
# sNAbnyRJlIcUyF121akFNVuGQUwbIQntmQoa/kxd/vpY2pECAwEAAaOCAgYwggIC
# MB8GA1UdIwQYMBaAFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBT1CpTC
# fZbDHlbuSkDmmKmFygIOOTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB
# BQUHAwMwgbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQu
# Y29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAy
# MUNBMS5jcmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2Vy
# dFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMD4G
# A1UdIAQ3MDUwMwYGZ4EMAQQBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGln
# aWNlcnQuY29tL0NQUzCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0
# dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2Vy
# dHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0
# MDk2U0hBMzg0MjAyMUNBMS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsF
# AAOCAgEACcHIVShggRroVDxi+SDfJOqVM2Z92T25Yv8xyWGMUm14bGEOBgnfHiIU
# JmK9Bpm0k/hnYEpV5Ill8/Rf20l+yvlwTj1m4st2Rr4c84RSGmrW83mkYxMhg5YL
# tLiZdafNCcku9+26dgZ537K7YDhGuIeWg708VchAnDEb8CliqWMYLw6J4vagQ91E
# 5emPpq7FhDs2qNMElnrjWULjQkYRGlDfw22AcpstCrEBkc+18WZl6BD2Ow1D1whM
# V6P1472ZgTco6Pcp8BKhrqooUXq2CDwYXJb/iFNwRnu7Cs78u+dlLu+sXNxsbGuP
# T9Ig+5OvC1FiHMeOa4aS8HZSpTbu4w8cclL9EdXqlgVXFC2PlDir/2W9Vj9s6tiS
# p3hdlH7dIO5FEQh8JLrdPFwKXZ8drgvP26Mf11jCvykM+QQm9jhB/VhAnwiskgUo
# dIkfox0RjJtCQkNT1oXqJVErwBql/IVQUNQCR7Q7fA8U2jU8FBTkYryUQAQaIEqx
# av3c+GqM94Th3C5FvrOu4CU28/HZuTjZZCBP7s2EW//4bRUQSnXB4maszUR+/8R+
# bX++yfH/Ou1HQL5aGo9q2L36oaVFjaM282w1pzFAEUf0jgpUkBeJOFUeFvirYWyq
# ex+oKwy8Vzgs+BKd7FOShLa7wCai1fjfYvpO7GxbpdYJqanNMmAxggMeMIIDGgIB
# ATB9MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8G
# A1UEAxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBT
# SEEzODQgMjAyMSBDQTECEAqCMJBHqzYjysMfsj2s65owCQYFKw4DAhoFAKB4MBgG
# CisGAQQBgjcCAQwxCjAIoAKAAKECgAAwGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcC
# AQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYE
# FKHM3O1yH0S6PrjTfwqhqXYSyWlkMA0GCSqGSIb3DQEBAQUABIICABmY5Ui15Ngx
# vsJUMyWwn2vLsKXcXZ1Muqu6ghwK+FkHxlK6xSYD4Ww1ua1+nRth4XQdL5kGj6Um
# oNq9ZDnbXUTHw1gpCmZuth1BCtpvlGR7+vqpwgUHKQ6LP31aQ3YpVYzHa5MWLCdi
# H9tCcKY4sboIo5FSqq/7S/tddTiJq4Ia3mmTFB2RQ9+ICjxgwibPNPq9lJUDp/Qz
# GsFFwJP89EU2AmnBITfPpILvqnWfsTFcUwWgsw+ulK2VhTWQakaZ67RSrTcGP6Uy
# Frsbx8d8GOa6f8+VAIDLb9BJHDlnnkCWBqRFKmOSgqWo/j66XQpfnxjvOrImnS4O
# OTtRkhCliFQ36n2jsHmtXy7E52k6T84xZtIo2iYBd5Hlnm4rmGKAsYpCaOfUSwzk
# kGGv7AhtFg95b8NhMz+VFlWpab99d1hwx8DfWQRjh1ZSiyrAAwvYywuNWsbAdi7k
# fFEWFGfJeKSybILUwoB/tMV9Fw6HV2sXyMBLQ9wTN8NF7ddC5dWUdIFm0sLYhdal
# tVEkalz/OrMM7wQrUVy7PeBBL9w+8Ce3/YJyD3org9tTKFe+3oiZI59KMfOF9rmE
# mjkxxwHE+rX8IzxrvTuNK9LmfKKQQ6P6TJUN+NfX20ZXOjnpYSiG6SB5f2aI1WE6
# wPK/TF7Gor3hAA3gkGORm3OoHS6dVfcE
# SIG # End signature block