From 898246abaf1b7932ae6b5f0aec0afcdbf97d85b3 Mon Sep 17 00:00:00 2001
From: Pouyan Khabazi
Date: Wed, 3 Feb 2021 17:39:46 +0100
Subject: [PATCH] !Deploy Release Version 0.6.21 (#171)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Release '0.6.2' (#31)
* updating get alert and hunting rule function
* updated error handling
* Create Get-PlayBook.ps1
* cleaning up
* Release Update Incident function (#37)
* init release update incident function
* cleaning up
* updating
* updating incident function
* code cleanup
* Cleaning up and ready for release
* updating final docs folder
* Release Feature playbook configuration (#33)
* updating get alert and hunting rule function
* updated error handling
* Create Get-PlayBook.ps1
* init release for playbook
* cleaning up
* finishing playbook
* adding get alert rule action function
* releasing get logic app function
* release new- az sen alert action and some code update
* init release playbook function
* updated gitignore
* init release remove azsentinel action rule
* fixed compare issue
* Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook
* updating pester test result
* updating readme
* updating readme
* updated docs and pester test results
* restoring version
* Fix/smallconflicts (#40)
* updating docs
* updating examples
* updating pipeline
* fixing Subscription parameter for playbook (#43)
* fixing Subscription parameter for playbook (#45)
* Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50)
* fix hunting rule
* fixing hunting rule issue
* Fix - new-azsentinelalertrule playbook property (#49)
* fixing the if statement
* fixing the if statement
* Feature - get all incidents (#51)
* updating get incident
* updating get incident function and docs
* updating powershell-yaml
* updating importmodule error
* workaround
* removing powershell-yaml depending
* fixing logicapp sas token (#52)
* Add support for day time periods (#61)
* Add missing dot to yml file extension (#59)
The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension.
* adding support for resource provider in set-azsentinel (#69)
* New function for enabling and disabling Alert rules (#71)
* init release enable and disable function
* adding empty test files
* updating return message
* New feature change the displayName of an alert (#68)
* Release Rename Alert rule function
* updating rename function
* Handle nextLink for Playbooks (#78)
When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents.
* adding support for alert aggregation (#65)
* adding support for alert aggregation, classes created
* updating classes
* updated the class and created first rule with no error
* update class and made import function backwards compatible
* small changes
* tested with import method
* updating new function
* checking working code, starting cleanup
* updating documentation
* updating docs and cleaning up
* updating build errors
* change pester version
* updating pester version
* Update groupingConfiguration.ps1 (#87)
* Fix bug that causes loss of certain incident properties, add option to set incident description (#91)
* Feature - Adding support for all alert rule types (#90)
* init release
* updating docs
Co-authored-by: Khabazi
* New Functionality to get alert rule templates provided by Microsoft (#94)
Co-authored-by: Antonio Ramirez
* Update/get az sentinel alert rule templates (#95)
* updating Get-AzSentinelAlertRuleTemplates
* updated
Co-authored-by: Khabazi
* Feature/add az sentinel incident comment (#96)
* updating Get-AzSentinelAlertRuleTemplates
* updated
* fixing playbook issue
* Add-AzSentinelIncidentComment
* release
Co-authored-by: Khabazi
* fixing class error (#99)
* updating example files, including multi rule yaml file (#104)
* Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102)
* fixing return issue
* fixing playbook issue
* init release Get-AzSentinelDataConnector function (#103)
* Fix - get-azsentinelhuntingrule updated get and remove function (#106)
* fixing hunting rule get and remove issue
* cleaning up
* updating filters
* Add filtering by lastModified (#107)
* updating AggregationKind class and enum (#111)
* Release of Import-AzSentinelDataConnector function (#116)
* extra check for Import-AzSentinelDataConnector
* fixing class issue (#118)
* New function: Export-AzSentinel (#121)
* init code
* Release Export-AzSentinel and some small fixes/updates
* fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122)
* updating Get-AzSentinelAlertRule function and docs (#125)
* modified token expiration logic (#135)
Co-authored-by: John Crouch
* fixing small issues (#136)
* Fixing issue when switching from subscription (#140)
* !Deploy Release version 0.6.14 (#137)
* Release '0.6.2' (#31)
* updating get alert and hunting rule function
* updated error handling
* Create Get-PlayBook.ps1
* cleaning up
* Release Update Incident function (#37)
* init release update incident function
* cleaning up
* updating
* updating incident function
* code cleanup
* Cleaning up and ready for release
* updating final docs folder
* Release Feature playbook configuration (#33)
* updating get alert and hunting rule function
* updated error handling
* Create Get-PlayBook.ps1
* init release for playbook
* cleaning up
* finishing playbook
* adding get alert rule action function
* releasing get logic app function
* release new- az sen alert action and some code update
* init release playbook function
* updated gitignore
* init release remove azsentinel action rule
* fixed compare issue
* Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook
* updating pester test result
* updating readme
* updating readme
* updated docs and pester test results
* restoring version
* Fix/smallconflicts (#40)
* updating docs
* updating examples
* updating pipeline
* fixing Subscription parameter for playbook (#43)
* fixing Subscription parameter for playbook (#45)
* Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50)
* fix hunting rule
* fixing hunting rule issue
* Fix - new-azsentinelalertrule playbook property (#49)
* fixing the if statement
* fixing the if statement
* Feature - get all incidents (#51)
* updating get incident
* updating get incident function and docs
* updating powershell-yaml
* updating importmodule error
* workaround
* removing powershell-yaml depending
* fixing logicapp sas token (#52)
* Add support for day time periods (#61)
* Add missing dot to yml file extension (#59)
The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension.
* adding support for resource provider in set-azsentinel (#69)
* New function for enabling and disabling Alert rules (#71)
* init release enable and disable function
* adding empty test files
* updating return message
* New feature change the displayName of an alert (#68)
* Release Rename Alert rule function
* updating rename function
* Handle nextLink for Playbooks (#78)
When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents.
* adding support for alert aggregation (#65)
* adding support for alert aggregation, classes created
* updating classes
* updated the class and created first rule with no error
* update class and made import function backwards compatible
* small changes
* tested with import method
* updating new function
* checking working code, starting cleanup
* updating documentation
* updating docs and cleaning up
* updating build errors
* change pester version
* updating pester version
* Update groupingConfiguration.ps1 (#87)
* Fix bug that causes loss of certain incident properties, add option to set incident description (#91)
* Feature - Adding support for all alert rule types (#90)
* init release
* updating docs
Co-authored-by: Khabazi
* New Functionality to get alert rule templates provided by Microsoft (#94)
Co-authored-by: Antonio Ramirez
* Update/get az sentinel alert rule templates (#95)
* updating Get-AzSentinelAlertRuleTemplates
* updated
Co-authored-by: Khabazi
* Feature/add az sentinel incident comment (#96)
* updating Get-AzSentinelAlertRuleTemplates
* updated
* fixing playbook issue
* Add-AzSentinelIncidentComment
* release
Co-authored-by: Khabazi
* fixing class error (#99)
* updating example files, including multi rule yaml file (#104)
* Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102)
* fixing return issue
* fixing playbook issue
* init release Get-AzSentinelDataConnector function (#103)
* Fix - get-azsentinelhuntingrule updated get and remove function (#106)
* fixing hunting rule get and remove issue
* cleaning up
* updating filters
* Add filtering by lastModified (#107)
* updating AggregationKind class and enum (#111)
* Release of Import-AzSentinelDataConnector function (#116)
* extra check for Import-AzSentinelDataConnector
* fixing class issue (#118)
* New function: Export-AzSentinel (#121)
* init code
* Release Export-AzSentinel and some small fixes/updates
* fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122)
* updating Get-AzSentinelAlertRule function and docs (#125)
* modified token expiration logic (#135)
Co-authored-by: John Crouch
* fixing small issues (#136)
Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com>
Co-authored-by: NVolcz
Co-authored-by: stehod <34159548+stehod@users.noreply.github.com>
Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com>
Co-authored-by: Jonathan Holtmann
Co-authored-by: Khabazi
Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com>
Co-authored-by: Antonio Ramirez
Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com>
Co-authored-by: John Crouch
* fixing issue when switching from subscription
* fixing subscription precheck issue
* restore
Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com>
Co-authored-by: NVolcz
Co-authored-by: stehod <34159548+stehod@users.noreply.github.com>
Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com>
Co-authored-by: Jonathan Holtmann
Co-authored-by: Khabazi
Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com>
Co-authored-by: Antonio Ramirez
Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com>
Co-authored-by: John Crouch
* Fixing issue with Fusion rules (#143)
* MSSP Playbook (#142)
* !Deploy Release version 0.6.14 (#137)
* Release '0.6.2' (#31)
* updating get alert and hunting rule function
* updated error handling
* Create Get-PlayBook.ps1
* cleaning up
* Release Update Incident function (#37)
* init release update incident function
* cleaning up
* updating
* updating incident function
* code cleanup
* Cleaning up and ready for release
* updating final docs folder
* Release Feature playbook configuration (#33)
* updating get alert and hunting rule function
* updated error handling
* Create Get-PlayBook.ps1
* init release for playbook
* cleaning up
* finishing playbook
* adding get alert rule action function
* releasing get logic app function
* release new- az sen alert action and some code update
* init release playbook function
* updated gitignore
* init release remove azsentinel action rule
* fixed compare issue
* Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook
* updating pester test result
* updating readme
* updating readme
* updated docs and pester test results
* restoring version
* Fix/smallconflicts (#40)
* updating docs
* updating examples
* updating pipeline
* fixing Subscription parameter for playbook (#43)
* fixing Subscription parameter for playbook (#45)
* Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50)
* fix hunting rule
* fixing hunting rule issue
* Fix - new-azsentinelalertrule playbook property (#49)
* fixing the if statement
* fixing the if statement
* Feature - get all incidents (#51)
* updating get incident
* updating get incident function and docs
* updating powershell-yaml
* updating importmodule error
* workaround
* removing powershell-yaml depending
* fixing logicapp sas token (#52)
* Add support for day time periods (#61)
* Add missing dot to yml file extension (#59)
The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension.
* adding support for resource provider in set-azsentinel (#69)
* New function for enabling and disabling Alert rules (#71)
* init release enable and disable function
* adding empty test files
* updating return message
* New feature change the displayName of an alert (#68)
* Release Rename Alert rule function
* updating rename function
* Handle nextLink for Playbooks (#78)
When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents.
* adding support for alert aggregation (#65)
* adding support for alert aggregation, classes created
* updating classes
* updated the class and created first rule with no error
* update class and made import function backwards compatible
* small changes
* tested with import method
* updating new function
* checking working code, starting cleanup
* updating documentation
* updating docs and cleaning up
* updating build errors
* change pester version
* updating pester version
* Update groupingConfiguration.ps1 (#87)
* Fix bug that causes loss of certain incident properties, add option to set incident description (#91)
* Feature - Adding support for all alert rule types (#90)
* init release
* updating docs
Co-authored-by: Khabazi
* New Functionality to get alert rule templates provided by Microsoft (#94)
Co-authored-by: Antonio Ramirez
* Update/get az sentinel alert rule templates (#95)
* updating Get-AzSentinelAlertRuleTemplates
* updated
Co-authored-by: Khabazi
* Feature/add az sentinel incident comment (#96)
* updating Get-AzSentinelAlertRuleTemplates
* updated
* fixing playbook issue
* Add-AzSentinelIncidentComment
* release
Co-authored-by: Khabazi
* fixing class error (#99)
* updating example files, including multi rule yaml file (#104)
* Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102)
* fixing return issue
* fixing playbook issue
* init release Get-AzSentinelDataConnector function (#103)
* Fix - get-azsentinelhuntingrule updated get and remove function (#106)
* fixing hunting rule get and remove issue
* cleaning up
* updating filters
* Add filtering by lastModified (#107)
* updating AggregationKind class and enum (#111)
* Release of Import-AzSentinelDataConnector function (#116)
* extra check for Import-AzSentinelDataConnector
* fixing class issue (#118)
* New function: Export-AzSentinel (#121)
* init code
* Release Export-AzSentinel and some small fixes/updates
* fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122)
* updating Get-AzSentinelAlertRule function and docs (#125)
* modified token expiration logic (#135)
Co-authored-by: John Crouch
* fixing small issues (#136)
Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com>
Co-authored-by: NVolcz
Co-authored-by: stehod <34159548+stehod@users.noreply.github.com>
Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com>
Co-authored-by: Jonathan Holtmann
Co-authored-by: Khabazi
Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com>
Co-authored-by: Antonio Ramirez
Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com>
Co-authored-by: John Crouch
* init test
* ready for release
Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com>
Co-authored-by: NVolcz
Co-authored-by: stehod <34159548+stehod@users.noreply.github.com>
Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com>
Co-authored-by: Jonathan Holtmann
Co-authored-by: Khabazi
Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com>
Co-authored-by: Antonio Ramirez
Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com>
Co-authored-by: John Crouch
* Prevent null reference of non-required argument; fixes #148 (#149)
* !Deploy Release Version 0.6.16 (#146)
* Release '0.6.2' (#31)
* updating get alert and hunting rule function
* updated error handling
* Create Get-PlayBook.ps1
* cleaning up
* Release Update Incident function (#37)
* init release update incident function
* cleaning up
* updating
* updating incident function
* code cleanup
* Cleaning up and ready for release
* updating final docs folder
* Release Feature playbook configuration (#33)
* updating get alert and hunting rule function
* updated error handling
* Create Get-PlayBook.ps1
* init release for playbook
* cleaning up
* finishing playbook
* adding get alert rule action function
* releasing get logic app function
* release new- az sen alert action and some code update
* init release playbook function
* updated gitignore
* init release remove azsentinel action rule
* fixed compare issue
* Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook
* updating pester test result
* updating readme
* updating readme
* updated docs and pester test results
* restoring version
* Fix/smallconflicts (#40)
* updating docs
* updating examples
* updating pipeline
* fixing Subscription parameter for playbook (#43)
* fixing Subscription parameter for playbook (#45)
* Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50)
* fix hunting rule
* fixing hunting rule issue
* Fix - new-azsentinelalertrule playbook property (#49)
* fixing the if statement
* fixing the if statement
* Feature - get all incidents (#51)
* updating get incident
* updating get incident function and docs
* updating powershell-yaml
* updating importmodule error
* workaround
* removing powershell-yaml depending
* fixing logicapp sas token (#52)
* Add support for day time periods (#61)
* Add missing dot to yml file extension (#59)
The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension.
* adding support for resource provider in set-azsentinel (#69)
* New function for enabling and disabling Alert rules (#71)
* init release enable and disable function
* adding empty test files
* updating return message
* New feature change the displayName of an alert (#68)
* Release Rename Alert rule function
* updating rename function
* Handle nextLink for Playbooks (#78)
When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents.
* adding support for alert aggregation (#65)
* adding support for alert aggregation, classes created
* updating classes
* updated the class and created first rule with no error
* update class and made import function backwards compatible
* small changes
* tested with import method
* updating new function
* checking working code, starting cleanup
* updating documentation
* updating docs and cleaning up
* updating build errors
* change pester version
* updating pester version
* Update groupingConfiguration.ps1 (#87)
* Fix bug that causes loss of certain incident properties, add option to set incident description (#91)
* Feature - Adding support for all alert rule types (#90)
* init release
* updating docs
Co-authored-by: Khabazi
* New Functionality to get alert rule templates provided by Microsoft (#94)
Co-authored-by: Antonio Ramirez
* Update/get az sentinel alert rule templates (#95)
* updating Get-AzSentinelAlertRuleTemplates
* updated
Co-authored-by: Khabazi
* Feature/add az sentinel incident comment (#96)
* updating Get-AzSentinelAlertRuleTemplates
* updated
* fixing playbook issue
* Add-AzSentinelIncidentComment
* release
Co-authored-by: Khabazi
* fixing class error (#99)
* updating example files, including multi rule yaml file (#104)
* Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102)
* fixing return issue
* fixing playbook issue
* init release Get-AzSentinelDataConnector function (#103)
* Fix - get-azsentinelhuntingrule updated get and remove function (#106)
* fixing hunting rule get and remove issue
* cleaning up
* updating filters
* Add filtering by lastModified (#107)
* updating AggregationKind class and enum (#111)
* Release of Import-AzSentinelDataConnector function (#116)
* extra check for Import-AzSentinelDataConnector
* fixing class issue (#118)
* New function: Export-AzSentinel (#121)
* init code
* Release Export-AzSentinel and some small fixes/updates
* fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122)
* updating Get-AzSentinelAlertRule function and docs (#125)
* modified token expiration logic (#135)
Co-authored-by: John Crouch
* fixing small issues (#136)
* Fixing issue when switching from subscription (#140)
* !Deploy Release version 0.6.14 (#137)
* Release '0.6.2' (#31)
* updating get alert and hunting rule function
* updated error handling
* Create Get-PlayBook.ps1
* cleaning up
* Release Update Incident function (#37)
* init release update incident function
* cleaning up
* updating
* updating incident function
* code cleanup
* Cleaning up and ready for release
* updating final docs folder
* Release Feature playbook configuration (#33)
* updating get alert and hunting rule function
* updated error handling
* Create Get-PlayBook.ps1
* init release for playbook
* cleaning up
* finishing playbook
* adding get alert rule action function
* releasing get logic app function
* release new- az sen alert action and some code update
* init release playbook function
* updated gitignore
* init release remove azsentinel action rule
* fixed compare issue
* Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook
* updating pester test result
* updating readme
* updating readme
* updated docs and pester test results
* restoring version
* Fix/smallconflicts (#40)
* updating docs
* updating examples
* updating pipeline
* fixing Subscription parameter for playbook (#43)
* fixing Subscription parameter for playbook (#45)
* Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50)
* fix hunting rule
* fixing hunting rule issue
* Fix - new-azsentinelalertrule playbook property (#49)
* fixing the if statement
* fixing the if statement
* Feature - get all incidents (#51)
* updating get incident
* updating get incident function and docs
* updating powershell-yaml
* updating importmodule error
* workaround
* removing powershell-yaml depending
* fixing logicapp sas token (#52)
* Add support for day time periods (#61)
* Add missing dot to yml file extension (#59)
The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension.
* adding support for resource provider in set-azsentinel (#69)
* New function for enabling and disabling Alert rules (#71)
* init release enable and disable function
* adding empty test files
* updating return message
* New feature change the displayName of an alert (#68)
* Release Rename Alert rule function
* updating rename function
* Handle nextLink for Playbooks (#78)
When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents.
* adding support for alert aggregation (#65)
* adding support for alert aggregation, classes created
* updating classes
* updated the class and created first rule with no error
* update class and made import function backwards compatible
* small changes
* tested with import method
* updating new function
* checking working code, starting cleanup
* updating documentation
* updating docs and cleaning up
* updating build errors
* change pester version
* updating pester version
* Update groupingConfiguration.ps1 (#87)
* Fix bug that causes loss of certain incident properties, add option to set incident description (#91)
* Feature - Adding support for all alert rule types (#90)
* init release
* updating docs
Co-authored-by: Khabazi
* New Functionality to get alert rule templates provided by Microsoft (#94)
Co-authored-by: Antonio Ramirez
* Update/get az sentinel alert rule templates (#95)
* updating Get-AzSentinelAlertRuleTemplates
* updated
Co-authored-by: Khabazi
* Feature/add az sentinel incident comment (#96)
* updating Get-AzSentinelAlertRuleTemplates
* updated
* fixing playbook issue
* Add-AzSentinelIncidentComment
* release
Co-authored-by: Khabazi
* fixing class error (#99)
* updating example files, including multi rule yaml file (#104)
* Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102)
* fixing return issue
* fixing playbook issue
* init release Get-AzSentinelDataConnector function (#103)
* Fix - get-azsentinelhuntingrule updated get and remove function (#106)
* fixing hunting rule get and remove issue
* cleaning up
* updating filters
* Add filtering by lastModified (#107)
* updating AggregationKind class and enum (#111)
* Release of Import-AzSentinelDataConnector function (#116)
* extra check for Import-AzSentinelDataConnector
* fixing class issue (#118)
* New function: Export-AzSentinel (#121)
* init code
* Release Export-AzSentinel and some small fixes/updates
* fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122)
* updating Get-AzSentinelAlertRule function and docs (#125)
* modified token expiration logic (#135)
Co-authored-by: John Crouch
* fixing small issues (#136)
Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com>
Co-authored-by: NVolcz
Co-authored-by: stehod <34159548+stehod@users.noreply.github.com>
Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com>
Co-authored-by: Jonathan Holtmann
Co-authored-by: Khabazi
Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com>
Co-authored-by: Antonio Ramirez
Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com>
Co-authored-by: John Crouch
* fixing issue when switching from subscription
* fixing subscription precheck issue
* restore
Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com>
Co-authored-by: NVolcz
Co-authored-by: stehod <34159548+stehod@users.noreply.github.com>
Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com>
Co-authored-by: Jonathan Holtmann
Co-authored-by: Khabazi
Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com>
Co-authored-by: Antonio Ramirez
Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com>
Co-authored-by: John Crouch
* Fixing issue with Fusion rules (#143)
* MSSP Playbook (#142)
* !Deploy Release version 0.6.14 (#137)
* Release '0.6.2' (#31)
* updating get alert and hunting rule function
* updated error handling
* Create Get-PlayBook.ps1
* cleaning up
* Release Update Incident function (#37)
* init release update incident function
* cleaning up
* updating
* updating incident function
* code cleanup
* Cleaning up and ready for release
* updating final docs folder
* Release Feature playbook configuration (#33)
* updating get alert and hunting rule function
* updated error handling
* Create Get-PlayBook.ps1
* init release for playbook
* cleaning up
* finishing playbook
* adding get alert rule action function
* releasing get logic app function
* release new- az sen alert action and some code update
* init release playbook function
* updated gitignore
* init release remove azsentinel action rule
* fixed compare issue
* Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook
* updating pester test result
* updating readme
* updating readme
* updated docs and pester test results
* restoring version
* Fix/smallconflicts (#40)
* updating docs
* updating examples
* updating pipeline
* fixing Subscription parameter for playbook (#43)
* fixing Subscription parameter for playbook (#45)
* Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50)
* fix hunting rule
* fixing hunting rule issue
* Fix - new-azsentinelalertrule playbook property (#49)
* fixing the if statement
* fixing the if statement
* Feature - get all incidents (#51)
* updating get incident
* updating get incident function and docs
* updating powershell-yaml
* updating importmodule error
* workaround
* removing powershell-yaml depending
* fixing logicapp sas token (#52)
* Add support for day time periods (#61)
* Add missing dot to yml file extension (#59)
The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension.
* adding support for resource provider in set-azsentinel (#69)
* New function for enabling and disabling Alert rules (#71)
* init release enable and disable function
* adding empty test files
* updating return message
* New feature change the displayName of an alert (#68)
* Release Rename Alert rule function
* updating rename function
* Handle nextLink for Playbooks (#78)
When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents.
* adding support for alert aggregation (#65)
* adding support for alert aggregation, classes created
* updating classes
* updated the class and created first rule with no error
* update class and made import function backwards compatible
* small changes
* tested with import method
* updating new function
* checking working code, starting cleanup
* updating documentation
* updating docs and cleaning up
* updating build errors
* change pester version
* updating pester version
* Update groupingConfiguration.ps1 (#87)
* Fix bug that causes loss of certain incident properties, add option to set incident description (#91)
* Feature - Adding support for all alert rule types (#90)
* init release
* updating docs
Co-authored-by: Khabazi
* New Functionality to get alert rule templates provided by Microsoft (#94)
Co-authored-by: Antonio Ramirez
* Update/get az sentinel alert rule templates (#95)
* updating Get-AzSentinelAlertRuleTemplates
* updated
Co-authored-by: Khabazi
* Feature/add az sentinel incident comment (#96)
* updating Get-AzSentinelAlertRuleTemplates
* updated
* fixing playbook issue
* Add-AzSentinelIncidentComment
* release
Co-authored-by: Khabazi
* fixing class error (#99)
* updating example files, including multi rule yaml file (#104)
* Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102)
* fixing return issue
* fixing playbook issue
* init release Get-AzSentinelDataConnector function (#103)
* Fix - get-azsentinelhuntingrule updated get and remove function (#106)
* fixing hunting rule get and remove issue
* cleaning up
* updating filters
* Add filtering by lastModified (#107)
* updating AggregationKind class and enum (#111)
* Release of Import-AzSentinelDataConnector function (#116)
* extra check for Import-AzSentinelDataConnector
* fixing class issue (#118)
* New function: Export-AzSentinel (#121)
* init code
* Release Export-AzSentinel and some small fixes/updates
* fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122)
* updating Get-AzSentinelAlertRule function and docs (#125)
* modified token expiration logic (#135)
Co-authored-by: John Crouch
* fixing small issues (#136)
Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com>
Co-authored-by: NVolcz
Co-authored-by: stehod <34159548+stehod@users.noreply.github.com>
Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com>
Co-authored-by: Jonathan Holtmann
Co-authored-by: Khabazi
Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com>
Co-authored-by: Antonio Ramirez
Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com>
Co-authored-by: John Crouch
* init test
* ready for release
Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com>
Co-authored-by: NVolcz
Co-authored-by: stehod <34159548+stehod@users.noreply.github.com>
Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com>
Co-authored-by: Jonathan Holtmann
Co-authored-by: Khabazi
Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com>
Co-authored-by: Antonio Ramirez
Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com>
Co-authored-by: John Crouch
* fix bug 145
Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com>
Co-authored-by: NVolcz
Co-authored-by: stehod <34159548+stehod@users.noreply.github.com>
Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com>
Co-authored-by: Jonathan Holtmann
Co-authored-by: Khabazi
Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com>
Co-authored-by: Antonio Ramirez
Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com>
Co-authored-by: John Crouch
* Prevent null reference of non-required argument; fixes #148
Co-authored-by: Pouyan Khabazi
Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com>
Co-authored-by: NVolcz
Co-authored-by: stehod <34159548+stehod@users.noreply.github.com>
Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com>
Co-authored-by: Jonathan Holtmann
Co-authored-by: Khabazi
Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com>
Co-authored-by: Antonio Ramirez
Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com>
Co-authored-by: John Crouch
* Add support for FileHash entity (#147)
* update enums folder name (#156)
* Updating alertrule output format (#157)
* adding support for AlertRuleTemplate property (#160)
* Follow official api schema (#162)
* Update groupingConfiguration.ps1
* Update Import-AzSentinelAlertRule.ps1
* Support importing raw rule configuration
This update makes it possible to import a rule without nesting it within "Scheduled", "analytics", "fusion", "MLBehaviorAnalytics" or "MicrosoftSecurityIncidentCreation"
* Update Import-AzSentinelAlertRule.ps1
* Update Import-AzSentinelAlertRule.ps1
Added backwards compatibility support, fix for non-nested settings files (row 133), and added some verbose logging.
* fixing playbook reference (#163)
* Add Office 365 Data Connector (#154)
* Typo xported -> exported (#169)
Templates xported -> Templates exported
* Hunting rules function updated (#170)
* init update
* update example

Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com>
Co-authored-by: NVolcz
Co-authored-by: stehod <34159548+stehod@users.noreply.github.com>
Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com>
Co-authored-by: Jonathan Holtmann
Co-authored-by: Khabazi
Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com>
Co-authored-by: Antonio Ramirez
Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com>
Co-authored-by: John Crouch
Co-authored-by: Luke Fritz
Co-authored-by: Anton Wadström <36885853+wadstromtech@users.noreply.github.com>
Co-authored-by: wez3
Co-authored-by: nodauf
---
 AzSentinel/Classes/Hunting.ps1                |  35 ++++++
 AzSentinel/Classes/HuntingRule.ps1            |  15 +++
 AzSentinel/Classes/classes.psd1               |   2 +
 AzSentinel/Public/Export-AzSentinel.ps1       |   2 +-
 .../Public/Import-AzSentinelHuntingRule.ps1   | 100 ++++++-----------
 .../Public/New-AzSentinelHuntingRule.ps1      | 102 +++++-------------
 examples/HuntingRules.json                    |   4 +-
 7 files changed, 114 insertions(+), 146 deletions(-)
 create mode 100644 AzSentinel/Classes/Hunting.ps1
 create mode 100644 AzSentinel/Classes/HuntingRule.ps1

diff --git a/AzSentinel/Classes/Hunting.ps1 b/AzSentinel/Classes/Hunting.ps1
new file mode 100644
index 0000000..5806be4
--- /dev/null
+++ b/AzSentinel/Classes/Hunting.ps1
@@ -0,0 +1,35 @@ +class Hunting { + [string]$DisplayName + [string]$Query + + [string]$Description + [Tactics[]]$Tactics + + [string]$Category + [pscustomobject]$Tags + + Hunting($DisplayName, $Query, $Description, $Tactics) { + $this.Category = 'Hunting Queries' + $this.DisplayName = $DisplayName + $this.Query = $Query + $this.Tags = @( + @{ + 'Name' = "description" + 'Value' = $Description + }, + @{ + "Name" = "tactics" + "Value" = $Tactics -join ',' + }, + @{ + "Name" = "createdBy" + "Value" = "" + }, + @{ + "Name" = "createdTimeUtc" + "Value" = "" + } + ) + + } +} diff --git a/AzSentinel/Classes/HuntingRule.ps1 b/AzSentinel/Classes/HuntingRule.ps1 new file mode 100644 index 0000000..bcaa151 --- /dev/null +++ b/AzSentinel/Classes/HuntingRule.ps1 @@ -0,0 +1,15 @@ +class HuntingRule { + [string]$name + $eTag + [string]$id + + [pscustomobject]$properties + + HuntingRule ($name, $eTag, $id, $properties ) { + $this.name = $name + $this.eTag = $eTag + $this.id = $id + $this.properties = $properties + + } +} diff --git a/AzSentinel/Classes/classes.psd1 b/AzSentinel/Classes/classes.psd1 index 44891de..5f280e6 100644 --- a/AzSentinel/Classes/classes.psd1 +++ b/AzSentinel/Classes/classes.psd1 @@ -7,5 +7,7 @@ ,'IncidentConfiguration' ,'ScheduledAlertProp' ,'AlertRule' + , 'Hunting' + , 'HuntingRule' ) } diff --git a/AzSentinel/Public/Export-AzSentinel.ps1 b/AzSentinel/Public/Export-AzSentinel.ps1 index da24335..a0d8af2 100644 --- a/AzSentinel/Public/Export-AzSentinel.ps1 +++ b/AzSentinel/Public/Export-AzSentinel.ps1 @@ -202,7 +202,7 @@ function Export-AzSentinel { try { $fullPath = "$($OutputFolder)Templates_$date.json" $output | ConvertTo-Json -EnumsAsStrings -Depth 15 | Out-File $fullPath -ErrorAction Stop - Write-Output "Templates xported to: $fullPath" + Write-Output "Templates exported to: $fullPath" } catch { $ErrorMessage = $_.Exception.Message 
diff --git a/AzSentinel/Public/Import-AzSentinelHuntingRule.ps1 b/AzSentinel/Public/Import-AzSentinelHuntingRule.ps1 index 1b4d99f..2c945e1 100644 --- a/AzSentinel/Public/Import-AzSentinelHuntingRule.ps1 +++ b/AzSentinel/Public/Import-AzSentinelHuntingRule.ps1 @@ -65,7 +65,7 @@ function Import-AzSentinelHuntingRule { if ($SettingsFile.Extension -eq '.json') { try { $content = (Get-Content $SettingsFile -Raw | ConvertFrom-Json -ErrorAction Stop) - if ($content.analytics){ + if ($content.analytics) { $hunting = $content.analytics } else { @@ -99,8 +99,10 @@ function Import-AzSentinelHuntingRule { break } + $return = @() + foreach ($item in $hunting) { - Write-Output "Started with Hunting rule: $($item.displayName)" + Write-Verbose "Started with Hunting rule: $($item.displayName)" try { Write-Verbose -Message "Get rule $($item.description)" 
@@ -133,77 +135,39 @@ function Import-AzSentinelHuntingRule { Write-Error "Unable to connect to APi to get Analytic rules with message: $($_.Exception.Message)" -ErrorAction Stop } - [PSCustomObject]$body = @{ - "name" = $item.name - "eTag" = $item.etag - "id" = $item.id - "properties" = @{ - 'Category' = 'Hunting Queries' - 'DisplayName' = [string]$item.displayName - 'Query' = [string]$item.query - [pscustomobject]'Tags' = @( - @{ - 'Name' = "description" - 'Value' = [string]$item.description - }, - @{ - "Name" = "tactics" - "Value" = [Tactics[]] $item.tactics -join ',' - }, - @{ - "Name" = "createdBy" - "Value" = "" - }, - @{ - "Name" = "createdTimeUtc" - "Value" = "" - } - ) - } + <# + Build Class + #> + try { + $bodyProp = [Hunting]::new( + $item.displayName, + $item.query, + $item.description, + $item.tactics + ) + + $body = [HuntingRule]::new( $item.name, $item.eTag, $item.Id, $bodyProp) + } + catch { + Write-Error "Unable to initiate class with error: $($_.Exception.Message)" -ErrorAction Continue } - if ($content) { - $compareResult1 = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id, Tags, Version) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name, Tags, Version) - $compareResult2 = Compare-Policy -ReferenceTemplate ($content.Tags | Where-Object { $_.name -eq "tactics" }) -DifferenceTemplate ($body.Properties.Tags | Where-Object { $_.name -eq "tactics" }) - $compareResult = [PSCustomObject]$compareResult1 + [PSCustomObject]$compareResult2 - - if ($compareResult) { - Write-Output "Found Differences for hunting rule: $($item.displayName)" - Write-Output ($compareResult | Format-Table | Out-String) - - if ($PSCmdlet.ShouldProcess("Do you want to update hunting rule: $($body.Properties.DisplayName)")) { - try { - $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings) - 
Write-Output "Successfully updated hunting rule: $($item.displayName) with status: $($result.StatusDescription)" - Write-Output ($body.Properties | Format-List | Format-Table | Out-String) - } - catch { - Write-Verbose $_ - Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Continue - } - } - else { - Write-Output "No change have been made for hunting rule $($item.displayName), deployment aborted" - } - } - else { - Write-Output "Hunting rule $($item.displayName) is compliance, nothing to do" - Write-Output ($body.Properties | Format-List | Format-Table | Out-String) - } + <# + Try to create or update Hunting Rule + #> + try { + $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings) + $body.Properties | Add-Member -NotePropertyName status -NotePropertyValue $($result.StatusDescription) -Force + $return += $body.Properties + + Write-Verbose "Successfully updated hunting rule: $($item.displayName) with status: $($result.StatusDescription)" } - else { - Write-Verbose "Creating new rule: $($item.displayName)" + catch { + Write-Verbose $_ + Write-Error "Unable to invoke webrequest for rule $($item.displayName) with error message: $($_.Exception.Message)" -ErrorAction Continue - try { - $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings) - Write-Output "Successfully created hunting rule: $($item.displayName) with status: $($result.StatusDescription)" - Write-Output ($body.Properties | Format-List | Format-Table | Out-String) - } - catch { - Write-Verbose $_ - Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Continue - } } } + return $return } } diff --git a/AzSentinel/Public/New-AzSentinelHuntingRule.ps1 b/AzSentinel/Public/New-AzSentinelHuntingRule.ps1 index 3345286..9644167 100644 
--- a/AzSentinel/Public/New-AzSentinelHuntingRule.ps1 +++ b/AzSentinel/Public/New-AzSentinelHuntingRule.ps1 @@ -69,14 +69,8 @@ function New-AzSentinelHuntingRule { } } } - $item = @{ } - $content = $null - $body = @{ } - $compareResult1 = $null - $compareResult2 = $null - $compareResult = $null Write-Verbose -Message "Creating new Hunting rule: $($DisplayName)" 
@@ -111,79 +105,37 @@ function New-AzSentinelHuntingRule { Write-Error "Unable to connect to APi to get Analytic rules with message: $($_.Exception.Message)" -ErrorAction Stop } - [PSCustomObject]$body = @{ - "name" = $item.name - "eTag" = $item.etag - "id" = $item.id - "properties" = @{ - 'Category' = 'Hunting Queries' - 'DisplayName' = $DisplayName - 'Query' = $Query - [pscustomobject]'Tags' = @( - @{ - 'Name' = "description" - 'Value' = $Description - }, - @{ - "Name" = "tactics" - "Value" = $Tactics -join ',' - }, - @{ - "Name" = "createdBy" - "Value" = "" - }, - @{ - "Name" = "createdTimeUtc" - "Value" = "" - } - ) - } + <# + Build Class + #> + try { + $bodyProp = [Hunting]::new( + $DisplayName, + $Query, + $Description, + $Tactics + ) + + $body = [HuntingRule]::new( $item.name, $item.etag, $item.Id, $bodyProp) } - - #return $content - if ($content) { - $compareResult1 = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id, Tags, Version) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name, Tags, Version) - $compareResult2 = Compare-Policy -ReferenceTemplate ($content.Tags | Where-Object { $_.name -eq "tactics" }) -DifferenceTemplate ($body.Properties.Tags | Where-Object { $_.name -eq "tactics" }) - $compareResult = [PSCustomObject]$compareResult1 + [PSCustomObject]$compareResult2 - - if ($compareResult) { - Write-Output "Found Differences for hunting rule: $($DisplayName)" - Write-Output ($compareResult | Format-Table | Out-String) - - if ($PSCmdlet.ShouldProcess("Do you want to update hunting rule: $($DisplayName)")) { - try { - Write-Output ($body.properties | Format-Table) - - $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings) - Write-Output "Successfully updated hunting rule: $($DisplayName) with status: $($result.StatusDescription)" - } - catch { - Write-Verbose $_ - 
Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Stop - } - } - else { - Write-Output "No change have been made for rule $($DisplayName), deployment aborted" - } - } - else { - Write-Output "Hunting rule $($DisplayName) is compliance, nothing to do" - Write-Output ($body.properties | Format-Table) - } + catch { + Write-Error "Unable to initiate class with error: $($_.Exception.Message)" -ErrorAction Continue } - else { - Write-Verbose "Creating new hunting rule: $($DisplayName)" - try { + <# + Try to create or update Hunting Rule + #> + try { + $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings) + $body.Properties | Add-Member -NotePropertyName status -NotePropertyValue $($result.StatusDescription) -Force + return $body.Properties + + Write-Verbose "Successfully updated hunting rule: $($item.displayName) with status: $($result.StatusDescription)" + } + catch { + Write-Verbose $_ + Write-Error "Unable to invoke webrequest for rule $($item.displayName) with error message: $($_.Exception.Message)" -ErrorAction Continue - $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings) - Write-Output "Successfully created hunting rule: $($DisplayName) with status: $($result.StatusDescription)" - Write-Output ($body.properties | Format-Table) - } - catch { - Write-Verbose $_ - Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Stop - } } } } diff --git a/examples/HuntingRules.json b/examples/HuntingRules.json index fb37421..a697161 100644 --- a/examples/HuntingRules.json +++ b/examples/HuntingRules.json 
@@ -2,7 +2,7 @@ "Hunting": [ { "displayName": "HuntingRule01", - "description": "test", + "description": "test 1", "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"", "tactics": [ "Persistence", @@ -12,7 +12,7 @@ }, { "displayName": "HuntingRule02", - "description": "test", + "description": "test2", "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"", "tactics": [ "Persistence",
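Review bot: in the new `Hunting` class (AzSentinel/Classes/Hunting.ps1), the `$Description` and `[Tactics[]]$Tactics` properties are declared but the constructor never assigns them; it only folds both values into the `Tags` array. The object therefore serialises with `"Description": null` and `"Tactics": null` next to the populated tags, fields the old inline hashtable never sent in the PUT body. Either assign them (`$this.Description = $Description` and `$this.Tactics = $Tactics`) or drop the two properties. Also note that a `[Tactics[]]` property type is resolved when the class file is parsed, so the `Tactics` enum must already be loaded before this file is dot-sourced.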
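Review bot: in `HuntingRule` (AzSentinel/Classes/HuntingRule.ps1), `$eTag` is the only untyped property, and `$properties` is typed `[pscustomobject]` although both call sites in this patch pass a `[Hunting]` instance; typing it `[Hunting]$properties` makes the contract explicit and rejects a wrong argument at construction time. The constructor also silently accepts null `$name`, `$eTag` and `$id`, which is exactly what a not-yet-existing rule supplies; a one-line comment saying these are intentionally empty for new rules would spare the next reader a guess.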
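Review bot: in the classes.psd1 hunk the two new entries are written `, 'Hunting'` with a space after the comma while the existing entries use the `,'IncidentConfiguration'` form; align them. If this list drives the dot-sourcing order, confirm that the `Tactics` enum is loaded ahead of `'Hunting'`, since `Hunting` declares a `[Tactics[]]` property and will fail to parse otherwise.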
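Review bot: in the Export-AzSentinel.ps1 hunk the spelling fix is fine, but the message is still emitted with `Write-Output`, i.e. onto the function's data stream, whereas this same patch moves the equivalent status lines in Import-AzSentinelHuntingRule to `Write-Verbose` so that callers only receive objects; the same change here would keep the module consistent.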
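Review bot: in the Import-AzSentinelHuntingRule.ps1 hunk at `@@ -99,8 +99,10 @@`, `$return = @()` combined with `$return += $body.Properties` inside the loop copies the array on every iteration; harmless for a handful of rules, but a `[System.Collections.Generic.List[object]]` with `.Add()` is the idiomatic collector and avoids the quadratic growth for large rule files.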
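Review bot: in the Import-AzSentinelHuntingRule.ps1 hunk at `@@ -133,77 +135,39 @@`, the removed block carried both the `Compare-Policy` diff and the `$PSCmdlet.ShouldProcess(...)` gate; the new code issues the PUT unconditionally, so an existing rule is overwritten without showing what changed and `-WhatIf`/`-Confirm` no longer stop the write. Keep at least `if ($PSCmdlet.ShouldProcess(...)) { ... }` around `Invoke-WebRequest`. Second, the class-construction `catch` uses `-ErrorAction Continue`, so when `[Hunting]::new(...)` or `[HuntingRule]::new(...)` throws, `$body` is either null or stale from the previous `$item` and the code still proceeds to the PUT with it; use `-ErrorAction Stop` or `continue` to the next item. Minor: `Invoke-webrequest` should be cased `Invoke-WebRequest`.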
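Review bot: in the New-AzSentinelHuntingRule.ps1 hunk at `@@ -69,14 +69,8 @@`, removing `$item = @{ }` means the later `[HuntingRule]::new($item.name, $item.etag, $item.Id, $bodyProp)` now depends on `$item` being assigned elsewhere in the function; for a rule that does not exist yet, if the lookup leaves `$item` unset, the property access is a null dereference that `Set-StrictMode -Version 2` or later turns into an error. Either keep the initialisation or show in the diff where `$item` is guaranteed to be assigned on the new-rule path.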
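Review bot: in the New-AzSentinelHuntingRule.ps1 hunk at `@@ -111,79 +105,37 @@`, `return $body.Properties` comes before `Write-Verbose "Successfully updated hunting rule: ..."`, so that verbose line is unreachable; move the `return` after it. The verbose and error messages also interpolate `$item.displayName`, apparently carried over from the Import function, but in this cmdlet the name is the `$DisplayName` parameter (the removed lines used `$($DisplayName)`), so for a new rule the message is printed with an empty name. The `Invoke-WebRequest` failure path also changed from `-ErrorAction Stop` to `-ErrorAction Continue`; for a single-rule cmdlet that means a failed create returns nothing without a terminating error, which callers relying on `try`/`catch` will miss. As in the Import function, the `ShouldProcess` gate was dropped and should be restored.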
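Review bot: in the examples/HuntingRules.json hunk the two new descriptions are formatted inconsistently (`"test 1"` versus `"test2"`); pick one form. Both example rules also share an identical query, so nothing but the name distinguishes them; a second, different sample query would make the multi-rule example more instructive.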