!Deploy Release Version 0.6.15 (#141)

* Release '0.6.2' (#31) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * cleaning up * Release Update Incident function (#37) * init release update incident function * cleaning up * updating * updating incident function * code cleanup * Cleaning up and ready for release * updating final docs folder * Release Feature playbook configuration (#33) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * init release for playbook * cleaning up * finishing playbook * adding get alert rule action function * releasing get logic app function * release new- az sen alert action and some codue update * init release playbook function * uppdated gitignore * init release remove azsentinel action rule * fixed compare issue * Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook * updating pester test result * updating readme * updating readme * updated docs and pester test results * restoring version * Fix/smallconflicts (#40) * updating docs * updating examples * updating pipeline * fixing Subscribtion parameter for playbook (#43) * fixing Subscribtion parameter for playbook (#45) * Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50) * fix huntng rule * fixing hunting rule issue * Fix - new-azsentinelalertrule playbook property (#49) * fixing the if statement * fixing the if statement * Feature - get all incidents (#51) * updating get incident * updating get incident function and docs * updating powershell-yaml * updating importmodule error * workaround * removing powershell-yaml depending * fixing logicapp sas token (#52) * Add support for day time periods (#61) * Add missing dot to yml file extension (#59) The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension. * adding support for resource provider in set-azsentinel (#69) * New function for enabling and disabling Alert rules (#71) * init release enable and disable function * adding empty test files * updating return message * New feature change the displayName of an alert (#68) * Release Rename Alert rule function * updating rename function * Handle nextLink for Playbooks (#78) When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents. * adding support for alert aggregation (#65) * adding support for alert aggregation, classes created * updaing classes * updated the class and created first rule wih no error * update class and made import function backwards compatible * small changes * tested with import method * updating new function * checking working code, starting cleanup * updating documentation * updating docs and cleaning up * updating build errors * change pester version * updating pester version * Update groupingConfiguration.ps1 (#87) * Fix bug that causes loss of certain incident properties, add option to set incident description (#91) * Feature - Adding support for all alert rule types (#90) * init release * updating docs Co-authored-by: Khabazi <rob5614@robeco.nl> * New Functionality to get alert rule templates provided by Microsoft (#94) Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> * Update/get az sentinel alert rule templates (#95) * udating Get-AzSentinelAlertRuleTemplates * updated Co-authored-by: Khabazi <rob5614@robeco.nl> * Feature/add az sentinel incident comment (#96) * udating Get-AzSentinelAlertRuleTemplates * updated * fixing playbook issue * Add-AzSentinelIncidentComment * release Co-authored-by: Khabazi <rob5614@robeco.nl> * fixing class error (#99) * updating example files, ncluding multi rule yaml file (#104) * Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102) * fixing return issue * fixing playbook issue * init release Get-AzSentinelDataConnector function (#103) * Fix - get-azsentinelhuntingrule updated get and remove function (#106) * fixing hunitng rule get and remove issue * cleaning up * updating filters * Add filtering by lastModified (#107) * updating AggregationKind class and enum (#111) * Release of Import-AzSentinelDataConnector function (#116) * extra check for Import-AzSentinelDataConnector * fixing class issue (#118) * New function: Export-AzSentinel (#121) * init code * Release Export-AzSentinel and some small fixes/updates * fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122) * updating Get-AzSentinelAlertRule function and docs (#125) * modified token expiration logic (#135) Co-authored-by: John Crouch <john.crouch@summit7.us> * fixing small issues (#136) * Fixing issue when switching from subscription (#140) * !Deploy Release version 0.6.14 (#137) * Release '0.6.2' (#31) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * cleaning up * Release Update Incident function (#37) * init release update incident function * cleaning up * updating * updating incident function * code cleanup * Cleaning up and ready for release * updating final docs folder * Release Feature playbook configuration (#33) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * init release for playbook * cleaning up * finishing playbook * adding get alert rule action function * releasing get logic app function * release new- az sen alert action and some codue update * init release playbook function * uppdated gitignore * init release remove azsentinel action rule * fixed compare issue * Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook * updating pester test result * updating readme * updating readme * updated docs and pester test results * restoring version * Fix/smallconflicts (#40) * updating docs * updating examples * updating pipeline * fixing Subscribtion parameter for playbook (#43) * fixing Subscribtion parameter for playbook (#45) * Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50) * fix huntng rule * fixing hunting rule issue * Fix - new-azsentinelalertrule playbook property (#49) * fixing the if statement * fixing the if statement * Feature - get all incidents (#51) * updating get incident * updating get incident function and docs * updating powershell-yaml * updating importmodule error * workaround * removing powershell-yaml depending * fixing logicapp sas token (#52) * Add support for day time periods (#61) * Add missing dot to yml file extension (#59) The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension. * adding support for resource provider in set-azsentinel (#69) * New function for enabling and disabling Alert rules (#71) * init release enable and disable function * adding empty test files * updating return message * New feature change the displayName of an alert (#68) * Release Rename Alert rule function * updating rename function * Handle nextLink for Playbooks (#78) When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents. * adding support for alert aggregation (#65) * adding support for alert aggregation, classes created * updaing classes * updated the class and created first rule wih no error * update class and made import function backwards compatible * small changes * tested with import method * updating new function * checking working code, starting cleanup * updating documentation * updating docs and cleaning up * updating build errors * change pester version * updating pester version * Update groupingConfiguration.ps1 (#87) * Fix bug that causes loss of certain incident properties, add option to set incident description (#91) * Feature - Adding support for all alert rule types (#90) * init release * updating docs Co-authored-by: Khabazi <rob5614@robeco.nl> * New Functionality to get alert rule templates provided by Microsoft (#94) Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> * Update/get az sentinel alert rule templates (#95) * udating Get-AzSentinelAlertRuleTemplates * updated Co-authored-by: Khabazi <rob5614@robeco.nl> * Feature/add az sentinel incident comment (#96) * udating Get-AzSentinelAlertRuleTemplates * updated * fixing playbook issue * Add-AzSentinelIncidentComment * release Co-authored-by: Khabazi <rob5614@robeco.nl> * fixing class error (#99) * updating example files, ncluding multi rule yaml file (#104) * Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102) * fixing return issue * fixing playbook issue * init release Get-AzSentinelDataConnector function (#103) * Fix - get-azsentinelhuntingrule updated get and remove function (#106) * fixing hunitng rule get and remove issue * cleaning up * updating filters * Add filtering by lastModified (#107) * updating AggregationKind class and enum (#111) * Release of Import-AzSentinelDataConnector function (#116) * extra check for Import-AzSentinelDataConnector * fixing class issue (#118) * New function: Export-AzSentinel (#121) * init code * Release Export-AzSentinel and some small fixes/updates * fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122) * updating Get-AzSentinelAlertRule function and docs (#125) * modified token expiration logic (#135) Co-authored-by: John Crouch <john.crouch@summit7.us> * fixing small issues (#136) Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us> * fixing issue when switching from subscription * fixing subscription precheck issue * restore Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us> * Fixing issue with Fusion rules (#143) * MSSP Playbook (#142) * !Deploy Release version 0.6.14 (#137) * Release '0.6.2' (#31) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * cleaning up * Release Update Incident function (#37) * init release update incident function * cleaning up * updating * updating incident function * code cleanup * Cleaning up and ready for release * updating final docs folder * Release Feature playbook configuration (#33) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * init release for playbook * cleaning up * finishing playbook * adding get alert rule action function * releasing get logic app function * release new- az sen alert action and some codue update * init release playbook function * uppdated gitignore * init release remove azsentinel action rule * fixed compare issue * Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook * updating pester test result * updating readme * updating readme * updated docs and pester test results * restoring version * Fix/smallconflicts (#40) * updating docs * updating examples * updating pipeline * fixing Subscribtion parameter for playbook (#43) * fixing Subscribtion parameter for playbook (#45) * Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50) * fix huntng rule * fixing hunting rule issue * Fix - new-azsentinelalertrule playbook property (#49) * fixing the if statement * fixing the if statement * Feature - get all incidents (#51) * updating get incident * updating get incident function and docs * updating powershell-yaml * updating importmodule error * workaround * removing powershell-yaml depending * fixing logicapp sas token (#52) * Add support for day time periods (#61) * Add missing dot to yml file extension (#59) The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file extension. * adding support for resource provider in set-azsentinel (#69) * New function for enabling and disabling Alert rules (#71) * init release enable and disable function * adding empty test files * updating return message * New feature change the displayName of an alert (#68) * Release Rename Alert rule function * updating rename function * Handle nextLink for Playbooks (#78) When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents. * adding support for alert aggregation (#65) * adding support for alert aggregation, classes created * updaing classes * updated the class and created first rule wih no error * update class and made import function backwards compatible * small changes * tested with import method * updating new function * checking working code, starting cleanup * updating documentation * updating docs and cleaning up * updating build errors * change pester version * updating pester version * Update groupingConfiguration.ps1 (#87) * Fix bug that causes loss of certain incident properties, add option to set incident description (#91) * Feature - Adding support for all alert rule types (#90) * init release * updating docs Co-authored-by: Khabazi <rob5614@robeco.nl> * New Functionality to get alert rule templates provided by Microsoft (#94) Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> * Update/get az sentinel alert rule templates (#95) * udating Get-AzSentinelAlertRuleTemplates * updated Co-authored-by: Khabazi <rob5614@robeco.nl> * Feature/add az sentinel incident comment (#96) * udating Get-AzSentinelAlertRuleTemplates * updated * fixing playbook issue * Add-AzSentinelIncidentComment * release Co-authored-by: Khabazi <rob5614@robeco.nl> * fixing class error (#99) * updating example files, ncluding multi rule yaml file (#104) * Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102) * fixing return issue * fixing playbook issue * init release Get-AzSentinelDataConnector function (#103) * Fix - get-azsentinelhuntingrule updated get and remove function (#106) * fixing hunitng rule get and remove issue * cleaning up * updating filters * Add filtering by lastModified (#107) * updating AggregationKind class and enum (#111) * Release of Import-AzSentinelDataConnector function (#116) * extra check for Import-AzSentinelDataConnector * fixing class issue (#118) * New function: Export-AzSentinel (#121) * init code * Release Export-AzSentinel and some small fixes/updates * fixing SeveritiesFilter issue for MicrosoftSecurityIncidentCreation (#122) * updating Get-AzSentinelAlertRule function and docs (#125) * modified token expiration logic (#135) Co-authored-by: John Crouch <john.crouch@summit7.us> * fixing small issues (#136) Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us> * init test * ready for release Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us> Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz <niklas.volcz@gmail.com> Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann <holtmann@usc.edu> Co-authored-by: Khabazi <rob5614@robeco.nl> Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez <ramireza@ryanair.com> Co-authored-by: John Crouch <50185606+john-crouch@users.noreply.github.com> Co-authored-by: John Crouch <john.crouch@summit7.us>
wortell · Nov 19, 2020 · b190081 · b190081
1 parent 53cfd7d
commit b190081
Show file tree

Hide file tree

Showing 10 changed files with 89 additions and 76 deletions.
diff --git a/AzSentinel/Classes/AlertRule.ps1 b/AzSentinel/Classes/AlertRule.ps1
@@ -1,5 +1,5 @@
 class AlertRule {
-    [guid] $Name
+    [string] $Name
 
     [string] $Etag
 

diff --git a/AzSentinel/Classes/ScheduledAlertProp.ps1 b/AzSentinel/Classes/ScheduledAlertProp.ps1
@@ -92,7 +92,11 @@ class ScheduledAlertProp {
         }
         $this.SuppressionEnabled = if ($suppressionEnabled) { $suppressionEnabled } else { $false }
         $this.Tactics = $Tactics
-        $this.PlaybookName = $PlaybookName
+        $this.PlaybookName = if ($PlaybookName.Split('/').count -gt 1){
+            $PlaybookName.Split('/')[-1]
+        } else {
+            $PlaybookName
+        }
         $this.IncidentConfiguration = $IncidentConfiguration
         $this.eventGroupingSettings = @{
             aggregationKind = if ($aggregationKind) { $aggregationKind } else { "SingleAlert" }

diff --git a/AzSentinel/Private/Get-AuthToken.ps1 b/AzSentinel/Private/Get-AuthToken.ps1
@@ -13,24 +13,21 @@ function Get-AuthToken {
 
     [CmdletBinding()]
     param (
-
     )
 
-    try {
-        $azContext = Get-AzContext
-
-        if ($null -ne $azContext) {
-            Write-Verbose -Message "Using Subscription: $($azContext.Subscription.Name) from tenant $($azContext.Tenant.Id)"
-
-            $azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
-            $profileClient = [Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient]::new($azProfile)
-            $script:accessToken = $profileClient.AcquireAccessToken($azContext.Subscription.TenantId)
-            $script:subscriptionId = $azContext.Subscription.Id
-            $script:tenantId = $azContext.Tenant.Id
-        } else {
-            throw 'No subscription available, Please use Connect-AzAccount to login and select the right subscription'
-        }
-    } catch {
-        $PSCmdlet.ThrowTerminatingError($_)
+    $azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
+
+    Write-Verbose -Message "Using Subscription: $($azProfile.DefaultContext.Subscription.Name) from tenant $($azProfile.DefaultContext.Tenant.Id)"
+
+    $script:subscriptionId = $azProfile.DefaultContext.Subscription.Id
+    $script:tenantId = $azProfile.DefaultContext.Tenant.Id
+
+    $profileClient = [Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient]::new($azProfile)
+    $script:accessToken = $profileClient.AcquireAccessToken($script:tenantId)
+
+    $script:authHeader = @{
+        'Content-Type' = 'application/json'
+        Authorization  = 'Bearer ' + $script:accessToken.AccessToken
     }
+
 }
diff --git a/AzSentinel/Private/Get-AzSentinelPlayBook.ps1 b/AzSentinel/Private/Get-AzSentinelPlayBook.ps1
@@ -20,9 +20,9 @@ function Get-AzSentinelPlayBook {
     param (
         [Parameter(Mandatory = $false)]
         [ValidateNotNullOrEmpty()]
-        [string] $SubscriptionId,
+        [string]$SubscriptionId,
 
-        [Parameter(Mandatory)]
+        [Parameter(Mandatory = $false)]
         [ValidateNotNullOrEmpty()]
         [string]$Name
     )
@@ -35,7 +35,11 @@ function Get-AzSentinelPlayBook {
 
         $triggerName = 'When_a_response_to_an_Azure_Sentinel_alert_is_triggered'
 
-        if ($SubscriptionId) {
+        if ($Name.Split('/').count -gt 1) {
+            $uri = "https://management.azure.com/subscriptions/$($Name.Split('/')[2])/providers/Microsoft.Logic/workflows?api-version=2016-06-01"
+            $Name = $Name.Split('/')[-1]
+        }
+        elseif ($SubscriptionId) {
             Write-Verbose "Getting LogicApp from Subscription $($subscriptionId)"
             $uri = "https://management.azure.com/subscriptions/$($subscriptionId)/providers/Microsoft.Logic/workflows?api-version=2016-06-01"
         }
@@ -51,12 +55,15 @@ function Get-AzSentinelPlayBook {
         try {
             $logicappRaw = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader)
             $logicapp = $logicappRaw.value
+
             while ($logicappRaw.nextLink) {
                 $logicappRaw = (Invoke-RestMethod -Uri $($logicappRaw.nextLink) -Headers $script:authHeader -Method Get)
                 $logicapp += $logicappRaw.value
             }
+
             $playBook = $logicapp | Where-Object { $_.name -eq $Name }
-            if ($playBook){
+
+            if ($playBook) {
                 $uri1 = "https://management.azure.com$($playBook.id)/triggers/$($triggerName)/listCallbackUrl?api-version=2016-06-01"
                 try {
                     $playbookTrigger = (Invoke-RestMethod -Uri $uri1 -Method Post -Headers $script:authHeader)

diff --git a/AzSentinel/Private/precheck.ps1 b/AzSentinel/Private/precheck.ps1
@@ -2,7 +2,7 @@
 #requires -version 6.2
 
 function precheck {
-    <#
+  <#
   .SYNOPSIS
   PreCheck
   .DESCRIPTION
@@ -14,16 +14,22 @@ function precheck {
   NAME: precheck
   #>
 
-    if ($null -eq $script:accessToken) {
-        Get-AuthToken
-    }
-    elseif ($script:accessToken.ExpiresOn.DateTime - [datetime]::UtcNow.AddMinutes(-5) -le 0) {
-        # if token expires within 5 minutes, request a new one
-        Get-AuthToken
-    }
+    $azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
 
-    $script:authHeader = @{
-        'Content-Type' = 'application/json'
-        Authorization  = 'Bearer ' + $script:accessToken.AccessToken
+    if ($azProfile.Contexts.Count -ne 0) {
+        if ($null -eq $script:accessToken ) {
+            Get-AuthToken
+        }
+        elseif ($script:accessToken.ExpiresOn.DateTime - [datetime]::UtcNow.AddMinutes(-5) -le 0) {
+            # if token expires within 5 minutes, request a new one
+            Get-AuthToken
+        }
+
+        # Set the subscription from AzContext
+        $script:subscriptionId = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext.Subscription.Id
+    }
+    else {
+        Write-Error 'No subscription available, Please use Connect-AzAccount to login and select the right subscription'
+        break
     }
 }
diff --git a/AzSentinel/Public/Get-AzSentinelAlertRuleAction.ps1 b/AzSentinel/Public/Get-AzSentinelAlertRuleAction.ps1
@@ -25,11 +25,11 @@ function Get-AzSentinelAlertRuleAction {
         [Parameter(Mandatory = $false,
             ParameterSetName = "Sub")]
         [ValidateNotNullOrEmpty()]
-        [string] $SubscriptionId,
+        [string]$SubscriptionId,
 
         [Parameter(Mandatory)]
         [ValidateNotNullOrEmpty()]
-        [string] $WorkspaceName,
+        [string]$WorkspaceName,
 
         [Parameter(Mandatory = $false)]
         [ValidateNotNullOrEmpty()]

diff --git a/AzSentinel/Public/Import-AzSentinelAlertRule.ps1 b/AzSentinel/Public/Import-AzSentinelAlertRule.ps1
@@ -135,7 +135,7 @@ function Import-AzSentinelAlertRule {
 
             $guid = (New-Guid).Guid
 
-            $content = $allRulesContent | Where-Object displayName -eq $item.displayName
+            $content = $allRulesContent | Where-Object {$_.kind -eq 'Scheduled' -and $_.displayName -eq $item.displayName}
 
             Write-Verbose -Message "Get rule $($item.description)"
 
@@ -204,11 +204,11 @@ function Import-AzSentinelAlertRule {
                     $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | Select-Object * -ExcludeProperty Properties.PlaybookName | ConvertTo-Json -Depth 10 -EnumsAsStrings)
 
                     if (($compareResult | Where-Object PropertyName -eq "playbookName").DiffValue) {
-                        $PlaybookResult = New-AzSentinelAlertRuleAction @arguments -PlayBookName ($body.Properties.playbookName) -RuleId $($body.Name)
+                        $PlaybookResult = New-AzSentinelAlertRuleAction @arguments -PlayBookName ($item.playbookName) -RuleId $($body.Name)
                         $body.Properties | Add-Member -NotePropertyName PlaybookStatus -NotePropertyValue $PlaybookResult -Force
                     }
                     elseif (($compareResult | Where-Object PropertyName -eq "playbookName").RefValue) {
-                        $PlaybookResult = Remove-AzSentinelAlertRuleAction @arguments -RuleId $($body.Name) -Confirm:$false
+                        $PlaybookResult = Remove-AzSentinelAlertRuleAction @arguments -RuleId $body.Name -Confirm:$false
                         $body.Properties | Add-Member -NotePropertyName PlaybookStatus -NotePropertyValue $PlaybookResult -Force
                     }
                     else {
@@ -261,7 +261,7 @@ function Import-AzSentinelAlertRule {
 
             $guid = (New-Guid).Guid
 
-            $content = $allRulesContent | Where-Object displayName -eq $item.displayName
+            $content = $allRulesContent | Where-Object {$_.kind -eq 'Fusion' -and $_.displayName -eq $item.displayName}
 
             Write-Verbose -Message "Get rule $($item.description)"
 
@@ -314,7 +314,7 @@ function Import-AzSentinelAlertRule {
 
             $guid = (New-Guid).Guid
 
-            $content = $allRulesContent | Where-Object displayName -eq $item.displayName
+            $content = $allRulesContent | Where-Object {$_.kind -eq 'MLBehaviorAnalytics' -and $_.displayName -eq $item.displayName}
 
             Write-Verbose -Message "Get rule $($item.description)"
 
@@ -368,7 +368,7 @@ function Import-AzSentinelAlertRule {
 
             $guid = (New-Guid).Guid
 
-            $content = $allRulesContent | Where-Object displayName -eq $item.displayName
+            $content = $allRulesContent | Where-Object {$_.kind -eq 'MicrosoftSecurityIncidentCreation' -and $_.displayName -eq $item.displayName}
 
             Write-Verbose -Message "Get rule $($item.description)"
             $content = Get-AzSentinelAlertRule @arguments -RuleName $($item.displayName) -ErrorAction SilentlyContinue

diff --git a/AzSentinel/Public/New-AzSentinelAlertRuleAction.ps1 b/AzSentinel/Public/New-AzSentinelAlertRuleAction.ps1
@@ -28,15 +28,15 @@ function New-AzSentinelAlertRuleAction {
         [Parameter(Mandatory = $false,
             ParameterSetName = "Sub")]
         [ValidateNotNullOrEmpty()]
-        [string] $SubscriptionId,
+        [string]$SubscriptionId,
 
         [Parameter(Mandatory)]
         [ValidateNotNullOrEmpty()]
-        [string] $WorkspaceName,
+        [string]$WorkspaceName,
 
         [Parameter(Mandatory)]
         [ValidateNotNullOrEmpty()]
-        [string] $PlayBookName,
+        [string]$PlayBookName,
 
         [Parameter(Mandatory = $false)]
         [ValidateNotNullOrEmpty()]
@@ -73,6 +73,7 @@ function New-AzSentinelAlertRuleAction {
 
         $action = $null
 
+
         if ($SubscriptionId) {
             $playBook = Get-AzSentinelPlayBook -SubscriptionId $SubscriptionId -Name $PlayBookName
         }
@@ -82,8 +83,7 @@ function New-AzSentinelAlertRuleAction {
 
         $action = Get-AzSentinelAlertRuleAction @arguments -RuleId $alertId -ErrorAction SilentlyContinue
 
-
-        if ($null -eq $action) {
+        if (($null -eq $action) -or ((($action.properties.logicAppResourceId).Split('/')[-1]) -ne $PlayBookName.Split('/')[-1])) {
             $guid = New-Guid
 
             $body = @{
@@ -98,23 +98,22 @@ function New-AzSentinelAlertRuleAction {
             }
 
             $uri = "$($Script:baseUri)/providers/Microsoft.SecurityInsights/alertRules/$($alertId)/actions/$($guid)?api-version=2019-01-01-preview"
+
             try {
                 $return = Invoke-WebRequest -Method Put -Uri $uri -Headers $Script:authHeader -Body ($body | ConvertTo-Json -Depth 10)
                 Write-Verbose "Successfully created Action for Rule: $($RuleName) with Playbook $($PlayBookName) Status: $($return.StatusDescription)"
                 return $return.StatusDescription
             }
             catch {
                 Write-Error "Unable to create Action for Rule: $($RuleName) with Playbook $($PlayBookName) Error: $($_.Exception.Message)"
+                Write-Verbose $_
                 return $_.Exception.Message
-                Write-Verbose $_.
             }
         }
         elseif ((($action.properties.logicAppResourceId).Split('/')[-1]) -eq $PlayBookName) {
-            Write-Output "Alert Rule: $($alertId) has already playbook assigned: $(($action.properties.logicAppResourceId).Split('/')[-1])"
-        }
-        elseif ((($action.properties.logicAppResourceId).Split('/')[-1]) -ne $PlayBookName) {
-            Write-Output "Alert rule $($RuleName) assigned to a different playbook with name $(($action.properties.logicAppResourceId).Split('/')[-1])"
+            Write-Output "Alert Rule: $($alertId) is already assigned to playbook: $(($action.properties.logicAppResourceId).Split('/')[-1])"
         }
+
         else {
             #nothing?
         }