Functions/EventSecurity/Set-PASPTARule.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
Function Set-PASPTARule {
    <#
.SYNOPSIS
Updates an existing Risky Activity rule to PTA

.DESCRIPTION
Updates an existing Risky Activity rule in the PTA server configuration.

.PARAMETER id
The unique ID of the rule.

.PARAMETER category
The Category of the risky activity
Valid values: SSH, WINDOWS, SCP, KEYSTROKES or SQL

.PARAMETER regex
Risky activity in regex form.
Must support all characters (including "/" and escaping characters)

.PARAMETER score
Activity score.
Number must be between 1 and 100

.PARAMETER description
Activity description.
The field is mandatory but can be empty

.PARAMETER response
Automatic response to be executed
Valid Values: NONE, TERMINATE or SUSPEND

.PARAMETER active
Indicate if the rule should be active or disbaled

.EXAMPLE
Set-PASPTARule -id 66 -category KEYSTROKES -regex '(*.)risky cmd(.*)' -score 65 -description "Updated Rule" -response SUSPEND -active $true

Updates rule 66 in PTA

.NOTES
Minimum Version CyberArk 10.4

.LINK
https://pspas.pspete.dev/commands/Set-PASPTARule
#>

    [CmdletBinding(SupportsShouldProcess)]
    param(
        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [string][int]$id,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [ValidateSet("SSH", "WINDOWS", "SCP", "KEYSTROKES", "SQL")]
        [string]$category,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [string]$regex,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [ValidateRange(1, 100)]
        [int]$score,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [string]$description,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [ValidateSet("NONE", "TERMINATE", "SUSPEND")]
        [string]$response,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [boolean]$active

    )

    BEGIN {

        $MinimumVersion = [System.Version]"10.4"

    }#begin

    PROCESS {

        Assert-VersionRequirement -ExternalVersion $Script:ExternalVersion -RequiredVersion $MinimumVersion

        #Get all parameters that will be sent in the request
        $boundParameters = $PSBoundParameters | Get-PASParameter

        #Create URL for Request
        $URI = "$Script:BaseURI/API/pta/API/Settings/RiskyActivity/"


        #Create body of request
        $body = $boundParameters | ConvertTo-Json

        if ($PSCmdlet.ShouldProcess($id, "Update Risky Activity Rule")) {

            #send request to PAS web service
            Invoke-PASRestMethod -Uri $URI -Method PUT -Body $Body -WebSession $Script:WebSession

        }

    }#process

    END { }#end
}