Functions/EventSecurity/Add-PASPTARule.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
Function Add-PASPTARule {
    <#
    .SYNOPSIS
    Adds a new Risky Activity rule to PTA

    .DESCRIPTION
    Adds a new Risky Activity rule in the PTA server configuration.

    .PARAMETER category
    The Category of the risky activity
    Valid values: SSH, WINDOWS, SCP, KEYSTROKES or SQL

    .PARAMETER regex
    Risky activity in regex form.
    Must support all characters (including "/" and escaping characters)

    .PARAMETER score
    Activity score.
    Number must be between 1 and 100

    .PARAMETER description
    Activity description.
    The field is mandatory but can be empty

    .PARAMETER response
    Automatic response to be executed
    Valid Values: NONE, TERMINATE or SUSPEND

    .PARAMETER active
    Indicate if the rule should be active or disbaled

    .EXAMPLE
Add-PASPTARule -category KEYSTROKES -regex '(*.)risky command(.*)' -score 60 -description "Example Rule" -response NONE -active $true

    Adds a new rule to PTA

    .NOTES
    Minimum Version CyberArk 10.4
    #>

    [CmdletBinding()]
    param(
        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [ValidateSet("SSH", "WINDOWS", "SCP", "KEYSTROKES", "SQL")]
        [string]$category,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [string]$regex,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [ValidateRange(1, 100)]
        [int]$score,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [string]$description,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [ValidateSet("NONE", "TERMINATE", "SUSPEND")]
        [string]$response,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [boolean]$active

    )

    BEGIN {

        $MinimumVersion = [System.Version]"10.4"

    }#begin

    PROCESS {

        Assert-VersionRequirement -ExternalVersion $Script:ExternalVersion -RequiredVersion $MinimumVersion

        #Get all parameters that will be sent in the request
        $boundParameters = $PSBoundParameters | Get-PASParameter

        #Create URL for Request
        $URI = "$Script:BaseURI/API/pta/API/Settings/RiskyActivity/"


        #Create body of request
        $body = $boundParameters | ConvertTo-Json

        #send request to PAS web service
        $result = Invoke-PASRestMethod -Uri $URI -Method POST -Body $Body -WebSession $Script:WebSession

        if($result) {

            #Return Results
            $result | Add-ObjectDetail -typename "psPAS.CyberArk.Vault.PTA.Rule"

        }

    }#process

    END {}#end
}