!Deploy Release Version 0.6.21 (#171)

* Release '0.6.2' (#31) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * cleaning up * Release Update Incident function (#37) * init release update incident function * cleaning up * updating * updating incident function * code cleanup * Cleaning up and ready for release * updating final docs folder * Release Feature playbook configuration (#33) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * init release for playbook * cleaning up * finishing playbook * adding get alert rule action function * releasing get logic app function * release new- az sen alert action and some codue update * init release playbook function * uppdated gitignore * init release remove azsentinel action rule * fixed compare issue * Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook * updating pester test result * updating readme * updating readme * updated docs and pester test results * restoring version * Fix/smallconflicts (#40) * updating docs * updating examples * updating pipeline * fixing Subscribtion parameter for playbook (#43) * fixing Subscribtion parameter for playbook (#45) * Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50) * fix huntng rule * fixing hunting rule issue * Fix - new-azsentinelalertrule playbook property (#49) * fixing the if statement * fixing the if statement * Feature - get all incidents (#51) * updating get incident * updating get incident function and docs * updating powershell-yaml * updating importmodule error * workaround * removing powershell-yaml depending * fixing logicapp sas token (#52) * Add support for day time periods (#61) * Add missing dot to yml file extension (#59) The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension. * adding support for resource provider in set-azsentinel (#69) * New function for enabling and disabling Alert rules (#71) * init release enable and disable function * adding empty test files * updating return message * New feature change the displayName of an alert (#68) * Release Rename Alert rule function * updating rename function * Handle nextLink for Playbooks (#78) When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents. * adding support for alert aggregation (#65) * adding support for alert aggregation, classes created * updaing classes * updated the class and created first rule wih no error * update class and made import function backwards compatible * small changes * tested with import method * updating new function * checking working code, starting cleanup * updating documentation * updating docs and cleaning up * updating build errors * change pester version * updating pester version * Update groupingConfiguration.ps1 (#87) * Fix bug that causes loss of certain incident properties, add option to set incident description (#91) * Feature - Adding support for all alert rule types (#90) * init release * updating docs Co-authored-by: Khabazi <rob5614@robeco.nl> * New Functionality to get alert rule templates provided by Microsoft (#94) Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> * Update/get az sentinel alert rule templates (#95) * udating Get-AzSentinelAlertRuleTemplates * updated Co-authored-by: Khabazi <rob5614@robeco.nl> * Feature/add az sentinel incident comment (#96) * udating Get-AzSentinelAlertRuleTemplates * updated * fixing playbook issue * Add-AzSentinelIncidentComment * release Co-authored-by: Khabazi <rob5614@robeco.nl> * fixing class error (#99) * updating example files, ncluding multi rule yaml file (#104) * Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102) * fixing return issue * fixing playbook issue * init release Get-AzSentinelDataConnector function (#103) * Fix - get-azsentinelhuntingrule updated get and remove function (#106) * fixing hunitng rule get and remove issue * cleaning up * updating filters * Add filtering by lastModified (#107) * updating AggregationKind class and enum (#111) * Release of Import-AzSentinelDataConnector function (#116) * extra check for Import-AzSentinelDataConnector * fixing class issue (#118) * New function: Export-AzSentinel (#121) * init code * Release Export-AzSentinel and some small fixes/updates * fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122) * updating Get-AzSentinelAlertRule function and docs (#125) * modified token expiration logic (#135) Co-authored-by: John Crouch <john.crouch@summit7.us> * fixing small issues (#136) * Fixing issue when switching from subscription (#140) * !Deploy Release version 0.6.14 (#137) * Release '0.6.2' (#31) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * cleaning up * Release Update Incident function (#37) * init release update incident function * cleaning up * updating * updating incident function * code cleanup * Cleaning up and ready for release * updating final docs folder * Release Feature playbook configuration (#33) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * init release for playbook * cleaning up * finishing playbook * adding get alert rule action function * releasing get logic app function * release new- az sen alert action and some codue update * init release playbook function * uppdated gitignore * init release remove azsentinel action rule * fixed compare issue * Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook * updating pester test result * updating readme * updating readme * updated docs and pester test results * restoring version * Fix/smallconflicts (#40) * updating docs * updating examples * updating pipeline * fixing Subscribtion parameter for playbook (#43) * fixing Subscribtion parameter for playbook (#45) * Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50) * fix huntng rule * fixing hunting rule issue * Fix - new-azsentinelalertrule playbook property (#49) * fixing the if statement * fixing the if statement * Feature - get all incidents (#51) * updating get incident * updating get incident function and docs * updating powershell-yaml * updating importmodule error * workaround * removing powershell-yaml depending * fixing logicapp sas token (#52) * Add support for day time periods (#61) * Add missing dot to yml file extension (#59) The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension. * adding support for resource provider in set-azsentinel (#69) * New function for enabling and disabling Alert rules (#71) * init release enable and disable function * adding empty test files * updating return message * New feature change the displayName of an alert (#68) * Release Rename Alert rule function * updating rename function * Handle nextLink for Playbooks (#78) When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents. * adding support for alert aggregation (#65) * adding support for alert aggregation, classes created * updaing classes * updated the class and created first rule wih no error * update class and made import function backwards compatible * small changes * tested with import method * updating new function * checking working code, starting cleanup * updating documentation * updating docs and cleaning up * updating build errors * change pester version * updating pester version * Update groupingConfiguration.ps1 (#87) * Fix bug that causes loss of certain incident properties, add option to set incident description (#91) * Feature - Adding support for all alert rule types (#90) * init release * updating docs Co-authored-by: Khabazi <rob5614@robeco.nl> * New Functionality to get alert rule templates provided by Microsoft (#94) Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> * Update/get az sentinel alert rule templates (#95) * udating Get-AzSentinelAlertRuleTemplates * updated Co-authored-by: Khabazi <rob5614@robeco.nl> * Feature/add az sentinel incident comment (#96) * udating Get-AzSentinelAlertRuleTemplates * updated * fixing playbook issue * Add-AzSentinelIncidentComment * release Co-authored-by: Khabazi <rob5614@robeco.nl> * fixing class error (#99) * updating example files, ncluding multi rule yaml file (#104) * Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102) * fixing return issue * fixing playbook issue * init release Get-AzSentinelDataConnector function (#103) * Fix - get-azsentinelhuntingrule updated get and remove function (#106) * fixing hunitng rule get and remove issue * cleaning up * updating filters * Add filtering by lastModified (#107) * updating AggregationKind class and enum (#111) * Release of Import-AzSentinelDataConnector function (#116) * extra check for Import-AzSentinelDataConnector * fixing class issue (#118) * New function: Export-AzSentinel (#121) * init code * Release Export-AzSentinel and some small fixes/updates * fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122) * updating Get-AzSentinelAlertRule function and docs (#125) * modified token expiration logic (#135) Co-authored-by: John Crouch <john.crouch@summit7.us> * fixing small issues (#136) Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us> * fixing issue when switching from subscription * fixing subscription precheck issue * restore Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us> * Fixing issue with Fusion rules (#143) * MSSP Playbook (#142) * !Deploy Release version 0.6.14 (#137) * Release '0.6.2' (#31) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * cleaning up * Release Update Incident function (#37) * init release update incident function * cleaning up * updating * updating incident function * code cleanup * Cleaning up and ready for release * updating final docs folder * Release Feature playbook configuration (#33) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * init release for playbook * cleaning up * finishing playbook * adding get alert rule action function * releasing get logic app function * release new- az sen alert action and some codue update * init release playbook function * uppdated gitignore * init release remove azsentinel action rule * fixed compare issue * Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook * updating pester test result * updating readme * updating readme * updated docs and pester test results * restoring version * Fix/smallconflicts (#40) * updating docs * updating examples * updating pipeline * fixing Subscribtion parameter for playbook (#43) * fixing Subscribtion parameter for playbook (#45) * Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50) * fix huntng rule * fixing hunting rule issue * Fix - new-azsentinelalertrule playbook property (#49) * fixing the if statement * fixing the if statement * Feature - get all incidents (#51) * updating get incident * updating get incident function and docs * updating powershell-yaml * updating importmodule error * workaround * removing powershell-yaml depending * fixing logicapp sas token (#52) * Add support for day time periods (#61) * Add missing dot to yml file extension (#59) The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension. * adding support for resource provider in set-azsentinel (#69) * New function for enabling and disabling Alert rules (#71) * init release enable and disable function * adding empty test files * updating return message * New feature change the displayName of an alert (#68) * Release Rename Alert rule function * updating rename function * Handle nextLink for Playbooks (#78) When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents. * adding support for alert aggregation (#65) * adding support for alert aggregation, classes created * updaing classes * updated the class and created first rule wih no error * update class and made import function backwards compatible * small changes * tested with import method * updating new function * checking working code, starting cleanup * updating documentation * updating docs and cleaning up * updating build errors * change pester version * updating pester version * Update groupingConfiguration.ps1 (#87) * Fix bug that causes loss of certain incident properties, add option to set incident description (#91) * Feature - Adding support for all alert rule types (#90) * init release * updating docs Co-authored-by: Khabazi <rob5614@robeco.nl> * New Functionality to get alert rule templates provided by Microsoft (#94) Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> * Update/get az sentinel alert rule templates (#95) * udating Get-AzSentinelAlertRuleTemplates * updated Co-authored-by: Khabazi <rob5614@robeco.nl> * Feature/add az sentinel incident comment (#96) * udating Get-AzSentinelAlertRuleTemplates * updated * fixing playbook issue * Add-AzSentinelIncidentComment * release Co-authored-by: Khabazi <rob5614@robeco.nl> * fixing class error (#99) * updating example files, ncluding multi rule yaml file (#104) * Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102) * fixing return issue * fixing playbook issue * init release Get-AzSentinelDataConnector function (#103) * Fix - get-azsentinelhuntingrule updated get and remove function (#106) * fixing hunitng rule get and remove issue * cleaning up * updating filters * Add filtering by lastModified (#107) * updating AggregationKind class and enum (#111) * Release of Import-AzSentinelDataConnector function (#116) * extra check for Import-AzSentinelDataConnector * fixing class issue (#118) * New function: Export-AzSentinel (#121) * init code * Release Export-AzSentinel and some small fixes/updates * fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122) * updating Get-AzSentinelAlertRule function and docs (#125) * modified token expiration logic (#135) Co-authored-by: John Crouch <john.crouch@summit7.us> * fixing small issues (#136) Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us> * init test * ready for release Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us> * Prevent null reference of non-required argument; fixes #148 (#149) * !Deploy Release Version 0.6.16 (#146) * Release '0.6.2' (#31) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * cleaning up * Release Update Incident function (#37) * init release update incident function * cleaning up * updating * updating incident function * code cleanup * Cleaning up and ready for release * updating final docs folder * Release Feature playbook configuration (#33) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * init release for playbook * cleaning up * finishing playbook * adding get alert rule action function * releasing get logic app function * release new- az sen alert action and some codue update * init release playbook function * uppdated gitignore * init release remove azsentinel action rule * fixed compare issue * Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook * updating pester test result * updating readme * updating readme * updated docs and pester test results * restoring version * Fix/smallconflicts (#40) * updating docs * updating examples * updating pipeline * fixing Subscribtion parameter for playbook (#43) * fixing Subscribtion parameter for playbook (#45) * Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50) * fix huntng rule * fixing hunting rule issue * Fix - new-azsentinelalertrule playbook property (#49) * fixing the if statement * fixing the if statement * Feature - get all incidents (#51) * updating get incident * updating get incident function and docs * updating powershell-yaml * updating importmodule error * workaround * removing powershell-yaml depending * fixing logicapp sas token (#52) * Add support for day time periods (#61) * Add missing dot to yml file extension (#59) The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension. * adding support for resource provider in set-azsentinel (#69) * New function for enabling and disabling Alert rules (#71) * init release enable and disable function * adding empty test files * updating return message * New feature change the displayName of an alert (#68) * Release Rename Alert rule function * updating rename function * Handle nextLink for Playbooks (#78) When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents. * adding support for alert aggregation (#65) * adding support for alert aggregation, classes created * updaing classes * updated the class and created first rule wih no error * update class and made import function backwards compatible * small changes * tested with import method * updating new function * checking working code, starting cleanup * updating documentation * updating docs and cleaning up * updating build errors * change pester version * updating pester version * Update groupingConfiguration.ps1 (#87) * Fix bug that causes loss of certain incident properties, add option to set incident description (#91) * Feature - Adding support for all alert rule types (#90) * init release * updating docs Co-authored-by: Khabazi <rob5614@robeco.nl> * New Functionality to get alert rule templates provided by Microsoft (#94) Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> * Update/get az sentinel alert rule templates (#95) * udating Get-AzSentinelAlertRuleTemplates * updated Co-authored-by: Khabazi <rob5614@robeco.nl> * Feature/add az sentinel incident comment (#96) * udating Get-AzSentinelAlertRuleTemplates * updated * fixing playbook issue * Add-AzSentinelIncidentComment * release Co-authored-by: Khabazi <rob5614@robeco.nl> * fixing class error (#99) * updating example files, ncluding multi rule yaml file (#104) * Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102) * fixing return issue * fixing playbook issue * init release Get-AzSentinelDataConnector function (#103) * Fix - get-azsentinelhuntingrule updated get and remove function (#106) * fixing hunitng rule get and remove issue * cleaning up * updating filters * Add filtering by lastModified (#107) * updating AggregationKind class and enum (#111) * Release of Import-AzSentinelDataConnector function (#116) * extra check for Import-AzSentinelDataConnector * fixing class issue (#118) * New function: Export-AzSentinel (#121) * init code * Release Export-AzSentinel and some small fixes/updates * fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122) * updating Get-AzSentinelAlertRule function and docs (#125) * modified token expiration logic (#135) Co-authored-by: John Crouch <john.crouch@summit7.us> * fixing small issues (#136) * Fixing issue when switching from subscription (#140) * !Deploy Release version 0.6.14 (#137) * Release '0.6.2' (#31) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * cleaning up * Release Update Incident function (#37) * init release update incident function * cleaning up * updating * updating incident function * code cleanup * Cleaning up and ready for release * updating final docs folder * Release Feature playbook configuration (#33) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * init release for playbook * cleaning up * finishing playbook * adding get alert rule action function * releasing get logic app function * release new- az sen alert action and some codue update * init release playbook function * uppdated gitignore * init release remove azsentinel action rule * fixed compare issue * Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook * updating pester test result * updating readme * updating readme * updated docs and pester test results * restoring version * Fix/smallconflicts (#40) * updating docs * updating examples * updating pipeline * fixing Subscribtion parameter for playbook (#43) * fixing Subscribtion parameter for playbook (#45) * Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50) * fix huntng rule * fixing hunting rule issue * Fix - new-azsentinelalertrule playbook property (#49) * fixing the if statement * fixing the if statement * Feature - get all incidents (#51) * updating get incident * updating get incident function and docs * updating powershell-yaml * updating importmodule error * workaround * removing powershell-yaml depending * fixing logicapp sas token (#52) * Add support for day time periods (#61) * Add missing dot to yml file extension (#59) The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension. * adding support for resource provider in set-azsentinel (#69) * New function for enabling and disabling Alert rules (#71) * init release enable and disable function * adding empty test files * updating return message * New feature change the displayName of an alert (#68) * Release Rename Alert rule function * updating rename function * Handle nextLink for Playbooks (#78) When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents. * adding support for alert aggregation (#65) * adding support for alert aggregation, classes created * updaing classes * updated the class and created first rule wih no error * update class and made import function backwards compatible * small changes * tested with import method * updating new function * checking working code, starting cleanup * updating documentation * updating docs and cleaning up * updating build errors * change pester version * updating pester version * Update groupingConfiguration.ps1 (#87) * Fix bug that causes loss of certain incident properties, add option to set incident description (#91) * Feature - Adding support for all alert rule types (#90) * init release * updating docs Co-authored-by: Khabazi <rob5614@robeco.nl> * New Functionality to get alert rule templates provided by Microsoft (#94) Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> * Update/get az sentinel alert rule templates (#95) * udating Get-AzSentinelAlertRuleTemplates * updated Co-authored-by: Khabazi <rob5614@robeco.nl> * Feature/add az sentinel incident comment (#96) * udating Get-AzSentinelAlertRuleTemplates * updated * fixing playbook issue * Add-AzSentinelIncidentComment * release Co-authored-by: Khabazi <rob5614@robeco.nl> * fixing class error (#99) * updating example files, ncluding multi rule yaml file (#104) * Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102) * fixing return issue * fixing playbook issue * init release Get-AzSentinelDataConnector function (#103) * Fix - get-azsentinelhuntingrule updated get and remove function (#106) * fixing hunitng rule get and remove issue * cleaning up * updating filters * Add filtering by lastModified (#107) * updating AggregationKind class and enum (#111) * Release of Import-AzSentinelDataConnector function (#116) * extra check for Import-AzSentinelDataConnector * fixing class issue (#118) * New function: Export-AzSentinel (#121) * init code * Release Export-AzSentinel and some small fixes/updates * fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122) * updating Get-AzSentinelAlertRule function and docs (#125) * modified token expiration logic (#135) Co-authored-by: John Crouch <john.crouch@summit7.us> * fixing small issues (#136) Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us> * fixing issue when switching from subscription * fixing subscription precheck issue * restore Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us> * Fixing issue with Fusion rules (#143) * MSSP Playbook (#142) * !Deploy Release version 0.6.14 (#137) * Release '0.6.2' (#31) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * cleaning up * Release Update Incident function (#37) * init release update incident function * cleaning up * updating * updating incident function * code cleanup * Cleaning up and ready for release * updating final docs folder * Release Feature playbook configuration (#33) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * init release for playbook * cleaning up * finishing playbook * adding get alert rule action function * releasing get logic app function * release new- az sen alert action and some codue update * init release playbook function * uppdated gitignore * init release remove azsentinel action rule * fixed compare issue * Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook * updating pester test result * updating readme * updating readme * updated docs and pester test results * restoring version * Fix/smallconflicts (#40) * updating docs * updating examples * updating pipeline * fixing Subscribtion parameter for playbook (#43) * fixing Subscribtion parameter for playbook (#45) * Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50) * fix huntng rule * fixing hunting rule issue * Fix - new-azsentinelalertrule playbook property (#49) * fixing the if statement * fixing the if statement * Feature - get all incidents (#51) * updating get incident * updating get incident function and docs * updating powershell-yaml * updating importmodule error * workaround * removing powershell-yaml depending * fixing logicapp sas token (#52) * Add support for day time periods (#61) * Add missing dot to yml file extension (#59) The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension. * adding support for resource provider in set-azsentinel (#69) * New function for enabling and disabling Alert rules (#71) * init release enable and disable function * adding empty test files * updating return message * New feature change the displayName of an alert (#68) * Release Rename Alert rule function * updating rename function * Handle nextLink for Playbooks (#78) When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents. * adding support for alert aggregation (#65) * adding support for alert aggregation, classes created * updaing classes * updated the class and created first rule wih no error * update class and made import function backwards compatible * small changes * tested with import method * updating new function * checking working code, starting cleanup * updating documentation * updating docs and cleaning up * updating build errors * change pester version * updating pester version * Update groupingConfiguration.ps1 (#87) * Fix bug that causes loss of certain incident properties, add option to set incident description (#91) * Feature - Adding support for all alert rule types (#90) * init release * updating docs Co-authored-by: Khabazi <rob5614@robeco.nl> * New Functionality to get alert rule templates provided by Microsoft (#94) Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> * Update/get az sentinel alert rule templates (#95) * udating Get-AzSentinelAlertRuleTemplates * updated Co-authored-by: Khabazi <rob5614@robeco.nl> * Feature/add az sentinel incident comment (#96) * udating Get-AzSentinelAlertRuleTemplates * updated * fixing playbook issue * Add-AzSentinelIncidentComment * release Co-authored-by: Khabazi <rob5614@robeco.nl> * fixing class error (#99) * updating example files, ncluding multi rule yaml file (#104) * Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102) * fixing return issue * fixing playbook issue * init release Get-AzSentinelDataConnector function (#103) * Fix - get-azsentinelhuntingrule updated get and remove function (#106) * fixing hunitng rule get and remove issue * cleaning up * updating filters * Add filtering by lastModified (#107) * updating AggregationKind class and enum (#111) * Release of Import-AzSentinelDataConnector function (#116) * extra check for Import-AzSentinelDataConnector * fixing class issue (#118) * New function: Export-AzSentinel (#121) * init code * Release Export-AzSentinel and some small fixes/updates * fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122) * updating Get-AzSentinelAlertRule function and docs (#125) * modified token expiration logic (#135) Co-authored-by: John Crouch <john.crouch@summit7.us> * fixing small issues (#136) Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us> * init test * ready for release Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us> * fix bug 145 Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us> * Prevent null reference of non-required argument; fixes #148 Co-authored-by: Pouyan Khabazi <pkhabazi@outlook.com> Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us> * Add support for FileHash entity (#147) * update enums folder name (#156) * Updating alertrule output format (#157) * adding support for AlertRuleTemplate property (#160) * Follow official api schema (#162) * Update groupingConfiguration.ps1 * Update Import-AzSentinelAlertRule.ps1 * Support importing raw rule configuration This update makes it possible to import a rule without nesting it within "Scheduled", "analytics", "fusion", "MLBehaviorAnalytics" or "MicrosoftSecurityIncidentCreation" * Update Import-AzSentinelAlertRule.ps1 * Update Import-AzSentinelAlertRule.ps1 Added backwards compatibility support, fix for non-nested settings files (row 133), and added some verbose logging. * fixing playbook reference (#163) * Add Office 365 Data Connector (#154) * Typo xported -> exported (#169) Templates xported -> Templates exported * Hunting rules function updated (#170) * init update * update example Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us> Co-authored-by: Luke Fritz <lukefritz@gmail.com> Co-authored-by: Anton Wadström <36885853+wadstromtech@users.noreply.github.com> Co-authored-by: wez3 <wez3@users.noreply.github.com> Co-authored-by: nodauf <nodauf@users.noreply.github.com>
wortell · Feb 3, 2021 · 898246a · 898246a
1 parent f4e4f13
commit 898246a
Show file tree

Hide file tree

Showing 7 changed files with 114 additions and 146 deletions.
diff --git a/AzSentinel/Classes/Hunting.ps1 b/AzSentinel/Classes/Hunting.ps1
@@ -0,0 +1,35 @@
+class Hunting {
+    [string]$DisplayName
+    [string]$Query
+
+    [string]$Description
+    [Tactics[]]$Tactics
+
+    [string]$Category
+    [pscustomobject]$Tags
+
+    Hunting($DisplayName, $Query, $Description, $Tactics) {
+        $this.Category = 'Hunting Queries'
+        $this.DisplayName = $DisplayName
+        $this.Query = $Query
+        $this.Tags = @(
+            @{
+                'Name'  = "description"
+                'Value' = $Description
+            },
+            @{
+                "Name"  = "tactics"
+                "Value" = $Tactics -join ','
+            },
+            @{
+                "Name"  = "createdBy"
+                "Value" = ""
+            },
+            @{
+                "Name"  = "createdTimeUtc"
+                "Value" = ""
+            }
+        )
+
+    }
+}
diff --git a/AzSentinel/Classes/HuntingRule.ps1 b/AzSentinel/Classes/HuntingRule.ps1
@@ -0,0 +1,15 @@
+class HuntingRule {
+    [string]$name
+    $eTag
+    [string]$id
+
+    [pscustomobject]$properties
+
+    HuntingRule ($name, $eTag, $id, $properties ) {
+        $this.name = $name
+        $this.eTag = $eTag
+        $this.id = $id
+        $this.properties = $properties
+
+    }
+}
diff --git a/AzSentinel/Classes/classes.psd1 b/AzSentinel/Classes/classes.psd1
@@ -7,5 +7,7 @@
         ,'IncidentConfiguration'
         ,'ScheduledAlertProp'
         ,'AlertRule'
+        , 'Hunting'
+        , 'HuntingRule'
     )
 }
diff --git a/AzSentinel/Public/Export-AzSentinel.ps1 b/AzSentinel/Public/Export-AzSentinel.ps1
@@ -202,7 +202,7 @@ function Export-AzSentinel {
                 try {
                     $fullPath = "$($OutputFolder)Templates_$date.json"
                     $output | ConvertTo-Json -EnumsAsStrings -Depth 15 | Out-File $fullPath -ErrorAction Stop
-                    Write-Output "Templates xported to: $fullPath"
+                    Write-Output "Templates exported to: $fullPath"
                 }
                 catch {
                     $ErrorMessage = $_.Exception.Message

diff --git a/AzSentinel/Public/Import-AzSentinelHuntingRule.ps1 b/AzSentinel/Public/Import-AzSentinelHuntingRule.ps1
@@ -65,7 +65,7 @@ function Import-AzSentinelHuntingRule {
         if ($SettingsFile.Extension -eq '.json') {
             try {
                 $content = (Get-Content $SettingsFile -Raw | ConvertFrom-Json -ErrorAction Stop)
-                if ($content.analytics){
+                if ($content.analytics) {
                     $hunting = $content.analytics
                 }
                 else {
@@ -99,8 +99,10 @@ function Import-AzSentinelHuntingRule {
             break
         }
 
+        $return = @()
+
         foreach ($item in $hunting) {
-            Write-Output "Started with Hunting rule: $($item.displayName)"
+            Write-Verbose "Started with Hunting rule: $($item.displayName)"
 
             try {
                 Write-Verbose -Message "Get rule $($item.description)"
@@ -133,77 +135,39 @@ function Import-AzSentinelHuntingRule {
                 Write-Error "Unable to connect to APi to get Analytic rules with message: $($_.Exception.Message)" -ErrorAction Stop
             }
 
-            [PSCustomObject]$body = @{
-                "name"       = $item.name
-                "eTag"       = $item.etag
-                "id"         = $item.id
-                "properties" = @{
-                    'Category'             = 'Hunting Queries'
-                    'DisplayName'          = [string]$item.displayName
-                    'Query'                = [string]$item.query
-                    [pscustomobject]'Tags' = @(
-                        @{
-                            'Name'  = "description"
-                            'Value' = [string]$item.description
-                        },
-                        @{
-                            "Name"  = "tactics"
-                            "Value" = [Tactics[]] $item.tactics -join ','
-                        },
-                        @{
-                            "Name"  = "createdBy"
-                            "Value" = ""
-                        },
-                        @{
-                            "Name"  = "createdTimeUtc"
-                            "Value" = ""
-                        }
-                    )
-                }
+            <#
+                Build Class
+            #>
+            try {
+                $bodyProp = [Hunting]::new(
+                    $item.displayName,
+                    $item.query,
+                    $item.description,
+                    $item.tactics
+                )
+
+                $body = [HuntingRule]::new( $item.name, $item.eTag, $item.Id, $bodyProp)
+            }
+            catch {
+                Write-Error "Unable to initiate class with error: $($_.Exception.Message)" -ErrorAction Continue
             }
 
-            if ($content) {
-                $compareResult1 = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id, Tags, Version) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name, Tags, Version)
-                $compareResult2 = Compare-Policy -ReferenceTemplate ($content.Tags | Where-Object { $_.name -eq "tactics" }) -DifferenceTemplate ($body.Properties.Tags | Where-Object { $_.name -eq "tactics" })
-                $compareResult = [PSCustomObject]$compareResult1 + [PSCustomObject]$compareResult2
-
-                if ($compareResult) {
-                    Write-Output "Found Differences for hunting rule: $($item.displayName)"
-                    Write-Output ($compareResult | Format-Table | Out-String)
-
-                    if ($PSCmdlet.ShouldProcess("Do you want to update hunting rule: $($body.Properties.DisplayName)")) {
-                        try {
-                            $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
-                            Write-Output "Successfully updated hunting rule: $($item.displayName) with status: $($result.StatusDescription)"
-                            Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
-                        }
-                        catch {
-                            Write-Verbose $_
-                            Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Continue
-                        }
-                    }
-                    else {
-                        Write-Output "No change have been made for hunting rule $($item.displayName), deployment aborted"
-                    }
-                }
-                else {
-                    Write-Output "Hunting rule $($item.displayName) is compliance, nothing to do"
-                    Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
-                }
+            <#
+            Try to create or update Hunting Rule
+            #>
+            try {
+                $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
+                $body.Properties | Add-Member -NotePropertyName status -NotePropertyValue $($result.StatusDescription) -Force
+                $return += $body.Properties
+
+                Write-Verbose "Successfully updated hunting rule: $($item.displayName) with status: $($result.StatusDescription)"
             }
-            else {
-                Write-Verbose "Creating new rule: $($item.displayName)"
+            catch {
+                Write-Verbose $_
+                Write-Error "Unable to invoke webrequest for rule $($item.displayName) with error message: $($_.Exception.Message)" -ErrorAction Continue
 
-                try {
-                    $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
-                    Write-Output "Successfully created hunting rule: $($item.displayName) with status: $($result.StatusDescription)"
-                    Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
-                }
-                catch {
-                    Write-Verbose $_
-                    Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Continue
-                }
             }
         }
+        return $return
     }
 }
diff --git a/AzSentinel/Public/New-AzSentinelHuntingRule.ps1 b/AzSentinel/Public/New-AzSentinelHuntingRule.ps1
@@ -69,14 +69,8 @@ function New-AzSentinelHuntingRule {
                 }
             }
         }
-
 
         $item = @{ }
-        $content = $null
-        $body = @{ }
-        $compareResult1 = $null
-        $compareResult2 = $null
-        $compareResult = $null
 
         Write-Verbose -Message "Creating new Hunting rule: $($DisplayName)"
 
@@ -111,79 +105,37 @@ function New-AzSentinelHuntingRule {
             Write-Error "Unable to connect to APi to get Analytic rules with message: $($_.Exception.Message)" -ErrorAction Stop
         }
 
-        [PSCustomObject]$body = @{
-            "name"       = $item.name
-            "eTag"       = $item.etag
-            "id"         = $item.id
-            "properties" = @{
-                'Category'             = 'Hunting Queries'
-                'DisplayName'          = $DisplayName
-                'Query'                = $Query
-                [pscustomobject]'Tags' = @(
-                    @{
-                        'Name'  = "description"
-                        'Value' = $Description
-                    },
-                    @{
-                        "Name"  = "tactics"
-                        "Value" = $Tactics -join ','
-                    },
-                    @{
-                        "Name"  = "createdBy"
-                        "Value" = ""
-                    },
-                    @{
-                        "Name"  = "createdTimeUtc"
-                        "Value" = ""
-                    }
-                )
-            }
+        <#
+            Build Class
+        #>
+        try {
+            $bodyProp = [Hunting]::new(
+                $DisplayName,
+                $Query,
+                $Description,
+                $Tactics
+            )
+
+            $body = [HuntingRule]::new( $item.name, $item.etag, $item.Id, $bodyProp)
         }
-
-        #return $content
-        if ($content) {
-            $compareResult1 = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id, Tags, Version) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name, Tags, Version)
-            $compareResult2 = Compare-Policy -ReferenceTemplate ($content.Tags | Where-Object { $_.name -eq "tactics" }) -DifferenceTemplate ($body.Properties.Tags | Where-Object { $_.name -eq "tactics" })
-            $compareResult = [PSCustomObject]$compareResult1 + [PSCustomObject]$compareResult2
-
-            if ($compareResult) {
-                Write-Output "Found Differences for hunting rule: $($DisplayName)"
-                Write-Output ($compareResult | Format-Table | Out-String)
-
-                if ($PSCmdlet.ShouldProcess("Do you want to update hunting rule: $($DisplayName)")) {
-                    try {
-                        Write-Output ($body.properties | Format-Table)
-
-                        $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
-                        Write-Output "Successfully updated hunting rule: $($DisplayName) with status: $($result.StatusDescription)"
-                    }
-                    catch {
-                        Write-Verbose $_
-                        Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Stop
-                    }
-                }
-                else {
-                    Write-Output "No change have been made for rule $($DisplayName), deployment aborted"
-                }
-            }
-            else {
-                Write-Output "Hunting rule $($DisplayName) is compliance, nothing to do"
-                Write-Output ($body.properties | Format-Table)
-            }
+        catch {
+            Write-Error "Unable to initiate class with error: $($_.Exception.Message)" -ErrorAction Continue
         }
-        else {
-            Write-Verbose "Creating new hunting rule: $($DisplayName)"
 
-            try {
+        <#
+            Try to create or update Hunting Rule
+            #>
+        try {
+            $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
+            $body.Properties | Add-Member -NotePropertyName status -NotePropertyValue $($result.StatusDescription) -Force
+            return $body.Properties
+
+            Write-Verbose "Successfully updated hunting rule: $($item.displayName) with status: $($result.StatusDescription)"
+        }
+        catch {
+            Write-Verbose $_
+            Write-Error "Unable to invoke webrequest for rule $($item.displayName) with error message: $($_.Exception.Message)" -ErrorAction Continue
 
-                $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
-                Write-Output "Successfully created hunting rule: $($DisplayName) with status: $($result.StatusDescription)"
-                Write-Output ($body.properties | Format-Table)
-            }
-            catch {
-                Write-Verbose $_
-                Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Stop
-            }
         }
     }
 }
diff --git a/examples/HuntingRules.json b/examples/HuntingRules.json
@@ -2,7 +2,7 @@
   "Hunting": [
     {
       "displayName": "HuntingRule01",
-      "description": "test",
+      "description": "test 1",
       "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
       "tactics": [
         "Persistence",
@@ -12,7 +12,7 @@
     },
     {
       "displayName": "HuntingRule02",
-      "description": "test",
+      "description": "test2",
       "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
       "tactics": [
         "Persistence",