New function: Export-AzSentinel (#121)
* init code * Release Export-AzSentinel and some small fixes/updates
Showing
10 changed files
with
481 additions
and
11 deletions.
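--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,182 @@
+function Export-AzSentinel {
+<#
+.SYNOPSIS
+Export Azure Sentinel
+.DESCRIPTION
+With this function you can export Azure Sentinel configuration
+.PARAMETER SubscriptionId
+Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
+.PARAMETER WorkspaceName
+Enter the Workspace name
+.PARAMETER Kind
+Select what you want to export: Alert, Hunting, Templates or All
+.PARAMETER OutputFolder
+The Path where you want to export the JSON files
+.PARAMETER TemplatesKind
+Select which Kind of templates you want to export, if empy all Templates will be exported
+.EXAMPLE
+Export-AzSentinel -WorkspaceName '' -Path C:\Temp\ -Kind All
+In this example you export Alert, Hunting and Template rules
+.EXAMPLE
+Export-AzSentinel -WorkspaceName '' -Path C:\Temp\ -Kind Templates
+In this example you export only the Templates
+.EXAMPLE
+Export-AzSentinel -WorkspaceName '' -Path C:\Temp\ -Kind Alert
+In this example you export only the Scheduled Alert rules
+#>
+
+param (
+[Parameter(Mandatory = $false,
+ParameterSetName = "Sub")]
+[ValidateNotNullOrEmpty()]
+[string] $SubscriptionId,
+
+[Parameter(Mandatory)]
+[ValidateNotNullOrEmpty()]
+[string]$WorkspaceName,
+
+[Parameter(Mandatory)]
+[System.IO.FileInfo]$OutputFolder,
+
+[Parameter(Mandatory,
+ValueFromPipeline)]
+[ExportType[]]$Kind,
+
+[Parameter(Mandatory = $false)]
+[ValidateNotNullOrEmpty()]
+[Kind[]]$TemplatesKind
+)
+
+begin {
+precheck
+}
+
+process {
+switch ($PsCmdlet.ParameterSetName) {
+Sub {
+$arguments = @{
+WorkspaceName = $WorkspaceName
+SubscriptionId = $SubscriptionId
+}
+}
+default {
+$arguments = @{
+WorkspaceName = $WorkspaceName
+}
+}
+}
+
+$date = Get-Date -Format HHmmss_ddMMyyyy
+
+<#
+Test export path
+#>
+if (Test-Path $OutputFolder) {
+Write-Verbose "Path Exists"
+}
+else {
+try {
+$null = New-Item -Path $OutputFolder -Force -ItemType Directory -ErrorAction Stop
+}
+catch {
+$ErrorMessage = $_.Exception.Message
+Write-Error $ErrorMessage
+Write-Verbose $_
+Break
+}
+}
+
+<#
+Export Alert rules section
+#>
+if (($Kind -like 'Alert') -or ($Kind -like 'All')) {
+
+$rules = Get-AzSentinelAlertRule @arguments
+if ($rules) {
+$output = @{
+Scheduled = @()
+Fusion = @()
+MLBehaviorAnalytics = @()
+MicrosoftSecurityIncidentCreation = @()
+}
+$rules.Kind | ForEach-Object {
+$output.$_ += $rules | Where-Object kind -eq $_
+}
+
+try {
+$fullPath = "$($OutputFolder)AlertRules_$date.json"
+$output | ConvertTo-Json -EnumsAsStrings -Depth 15 | Out-File $fullPath -ErrorAction Stop
+Write-Output "Alert rules exported to: $fullPath"
+}
+catch {
+$ErrorMessage = $_.Exception.Message
+Write-Error $ErrorMessage
+Write-Verbose $_
+Break
+}
+}
+}
+
+<#
+Export Hunting rules section
+#>
+if (($Kind -like 'Hunting') -or ($Kind -like 'All')) {
+$rules = Get-AzSentinelHuntingRule @arguments
+
+if ($rules) {
+$output = @{
+Hunting = @()
+}
+$output.Hunting += $rules
+try {
+$fullPath = "$($OutputFolder)HuntingRules_$date.json"
+$output | ConvertTo-Json -EnumsAsStrings -Depth 15 | Out-File $fullPath -ErrorAction Stop
+Write-Output "Hunting rules exported to: $fullPath"
+}
+catch {
+$ErrorMessage = $_.Exception.Message
+Write-Error $ErrorMessage
+Write-Verbose $_
+Break
+}
+}
+}
+
+<#
+Export Templates section
+#>
+if (($Kind -like 'Templates') -or ($Kind -like 'All')) {
+
+if ($TemplatesKind) {
+$templates = Get-AzSentinelAlertRuleTemplates @arguments -Kind $TemplatesKind
+}
+else {
+$templates = Get-AzSentinelAlertRuleTemplates @arguments
+}
+
+if ($templates) {
+$output = @{
+Scheduled = @()
+Fusion = @()
+MLBehaviorAnalytics = @()
+MicrosoftSecurityIncidentCreation = @()
+}
+$templates.Kind | ForEach-Object {
+$output.$_ += $templates | Where-Object kind -eq $_
+}
+
+try {
+$fullPath = "$($OutputFolder)Templates_$date.json"
+$output | ConvertTo-Json -EnumsAsStrings -Depth 15 | Out-File $fullPath -ErrorAction Stop
+Write-Output "Templates xported to: $fullPath"
+}
+catch {
+$ErrorMessage = $_.Exception.Message
+Write-Error $ErrorMessage
+Write-Verbose $_
+Break
+}
+}
+}
+}
+}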
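Review bot: The per-kind grouping `$rules.Kind | ForEach-Object { $output.$_ += $rules | Where-Object kind -eq $_ }` in the Alert section iterates once per rule rather than once per distinct kind, so when several rules share a kind the same filtered set is appended repeatedly and the exported JSON contains duplicate rule entries; iterating `$rules.Kind | Select-Object -Unique | ForEach-Object {` fixes it, and the Templates section has the same loop. The output path is built by plain concatenation, `"$($OutputFolder)AlertRules_$date.json"`, so an `-OutputFolder` passed without a trailing separator yields a file written beside the folder instead of inside it, which the preceding `Test-Path`/`New-Item` check does not catch; `Join-Path $OutputFolder "AlertRules_$date.json"` (and likewise for HuntingRules_ and Templates_) is the robust form, and `[System.IO.DirectoryInfo]` would also describe the parameter better than `[System.IO.FileInfo]`. The `.EXAMPLE` entries use `-Path` while the declared parameter is `-OutputFolder`, and the last `Write-Output` has a typo, `"Templates xported to: $fullPath"`.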