Functions/EventSecurity/Set-PASPTARule.ps1

Function Set-PASPTARule {
    <#
    .SYNOPSIS
    Updates an existing Risky Activity rule in PTA

    .DESCRIPTION
    Updates an existing Risky Activity rule in the PTA server configuration.

    Every parameter is mandatory and the request is sent as a single PUT, so each
    call supplies the complete rule definition rather than a partial change.
    Read the current rule first and pass back the values that should not change.

    Changes that lower the score, set the response to NONE or set active to $false
    reduce what PTA detects or does for the matching activity, so treat them as
    security-relevant configuration changes and review them accordingly.

    .PARAMETER id
    The unique ID of the rule.

    .PARAMETER category
    The Category of the risky activity
    Valid values: SSH, WINDOWS, SCP, KEYSTROKES or SQL

    .PARAMETER regex
    Risky activity in regex form.
    Must support all characters (including "/" and escaping characters)
    This function does not validate the pattern itself; it is passed on as given.
    Test the pattern before applying it: one that is malformed or too narrow can
    leave the activity undetected, and one that is too broad can trigger the
    configured response on legitimate sessions.

    .PARAMETER score
    Activity score.
    Number must be between 1 and 100

    .PARAMETER description
    Activity description.
    The field is mandatory but can be empty

    .PARAMETER response
    Automatic response to be executed
    Valid Values: NONE, TERMINATE or SUSPEND

    .PARAMETER active
    Indicates whether the rule should be active or disabled

    .EXAMPLE
    Set-PASPTARule -id 66 -category KEYSTROKES -regex '(.*)risky cmd(.*)' -score 65 -description "Updated Rule" -response SUSPEND -active $true

    Updates rule 66 in PTA

    .NOTES
    Minimum Version CyberArk 10.4

    Supports -WhatIf and -Confirm (SupportsShouldProcess); use -WhatIf to preview
    the update before sending it.
    #>

    [CmdletBinding(SupportsShouldProcess)]
    param(
        # NOTE(review): two type constraints are stacked on $id - confirm which one is intended.
        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [string][int]$id,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [ValidateSet("SSH", "WINDOWS", "SCP", "KEYSTROKES", "SQL")]
        [string]$category,

        # Free-form string: no syntax or length validation is applied here.
        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [string]$regex,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [ValidateRange(1, 100)]
        [int]$score,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [string]$description,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [ValidateSet("NONE", "TERMINATE", "SUSPEND")]
        [string]$response,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [boolean]$active

    )

    BEGIN {

        # Lowest version this function is declared to work with (see .NOTES).
        $MinimumVersion = [System.Version]"10.4"

    }#begin

    PROCESS {

        # Compare the session's recorded version with the minimum before doing any work.
        # Assert-VersionRequirement is defined elsewhere; presumably it stops the call
        # when the requirement is not met - confirm against the helper.
        Assert-VersionRequirement -ExternalVersion $Script:ExternalVersion -RequiredVersion $MinimumVersion

        # Get all parameters that will be sent in the request.
        # Get-PASParameter is defined elsewhere; presumably it returns only the rule
        # properties and drops common parameters such as -WhatIf - confirm against the helper.
        $boundParameters = $PSBoundParameters | Get-PASParameter

        # Create URL for Request.
        # The rule id is not placed in the URL; it travels in the request body.
        $URI = "$Script:BaseURI/API/pta/API/Settings/RiskyActivity/"


        # Create body of request: the remaining parameters serialised as JSON.
        $body = $boundParameters | ConvertTo-Json

        # Nothing is sent unless ShouldProcess approves, so -WhatIf stops here.
        if($PSCmdlet.ShouldProcess($id, "Update Risky Activity Rule")) {

            # Send request to PAS web service using the module's existing web session.
            Invoke-PASRestMethod -Uri $URI -Method PUT -Body $Body -WebSession $Script:WebSession

        }

    }#process

    END {}#end
}