From b4672df9b962e3c878b6037a28717a8e155d54d0 Mon Sep 17 00:00:00 2001 
From: Pouyan Khabazi Date: Fri, 16 Oct 2020 16:35:45 +0200 Subject: [PATCH] !Deploy Release Version 0.6.11 (#119) * Release '0.6.2' (#31) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * cleaning up * Release Update Incident function (#37) * init release update incident function * cleaning up * updating * updating incident function * code cleanup * Cleaning up and ready for release * updating final docs folder * Release Feature playbook configuration (#33) * updating get alert and hunting rule function * updated error handling * Create Get-PlayBook.ps1 * init release for playbook * cleaning up * finishing playbook * adding get alert rule action function * releasing get logic app function * release new- az sen alert action and some codue update * init release playbook function * uppdated gitignore * init release remove azsentinel action rule * fixed compare issue * Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook * updating pester test result * updating readme * updating readme * updated docs and pester test results * restoring version * Fix/smallconflicts (#40) * updating docs * updating examples * updating pipeline * fixing Subscribtion parameter for playbook (#43) * fixing Subscribtion parameter for playbook (#45) * Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50) * fix huntng rule * fixing hunting rule issue * Fix - new-azsentinelalertrule playbook property (#49) * fixing the if statement * fixing the if statement * Feature - get all incidents (#51) * updating get incident * updating get incident function and docs * updating powershell-yaml * updating importmodule error * workaround * removing powershell-yaml depending * fixing logicapp sas token (#52) * Add support for day time periods (#61) * Add missing dot to yml file extension (#59) The Import-AZSentinelAlertRule function is not able to import yml files due to missing dot in the file 
extension. * adding support for resource provider in set-azsentinel (#69) * New function for enabling and disabling Alert rules (#71) * init release enable and disable function * adding empty test files * updating return message * New feature change the displayName of an alert (#68) * Release Rename Alert rule function * updating rename function * Handle nextLink for Playbooks (#78) When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents. * adding support for alert aggregation (#65) * adding support for alert aggregation, classes created * updating classes * updated the class and created first rule with no error * update class and made import function backwards compatible * small changes * tested with import method * updating new function * checking working code, starting cleanup * updating documentation * updating docs and cleaning up * updating build errors * change pester version * updating pester version * Update groupingConfiguration.ps1 (#87) * Fix bug that causes loss of certain incident properties, add option to set incident description (#91) * Feature - Adding support for all alert rule types (#90) * init release * updating docs Co-authored-by: Khabazi * New Functionality to get alert rule templates provided by Microsoft (#94) Co-authored-by: Antonio Ramirez * Update/get az sentinel alert rule templates (#95) * updating Get-AzSentinelAlertRuleTemplates * updated Co-authored-by: Khabazi * Feature/add az sentinel incident comment (#96) * updating Get-AzSentinelAlertRuleTemplates * updated * fixing playbook issue * Add-AzSentinelIncidentComment * release Co-authored-by: Khabazi * fixing class error (#99) * updating example files, including multi rule yaml file (#104) * Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102) * fixing return issue * fixing playbook issue * init release Get-AzSentinelDataConnector function (#103) * Fix - get-azsentinelhuntingrule updated get and remove function (#106) * 
fixing hunitng rule get and remove issue * cleaning up * updating filters * Add filtering by lastModified (#107) * updating AggregationKind class and enum (#111) * Release of Import-AzSentinelDataConnector function (#116) * extra check for Import-AzSentinelDataConnector * fixing class issue (#118) Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com> Co-authored-by: NVolcz Co-authored-by: stehod <34159548+stehod@users.noreply.github.com> Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com> Co-authored-by: Jonathan Holtmann Co-authored-by: Khabazi Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com> Co-authored-by: Antonio Ramirez
---
 .../Public/Disable-AzSentinelAlertRule.ps1 | 36 ++++++++++++++++---
 .../Public/Enable-AzSentinelAlertRule.ps1 | 35 +++++++++++++++---
 2 files changed, 61 insertions(+), 10 deletions(-)
diff --git a/AzSentinel/Public/Disable-AzSentinelAlertRule.ps1 b/AzSentinel/Public/Disable-AzSentinelAlertRule.ps1
index 2f5fb45..33f8821 100644
--- a/AzSentinel/Public/Disable-AzSentinelAlertRule.ps1
+++ b/AzSentinel/Public/Disable-AzSentinelAlertRule.ps1
@@ -60,15 +60,41 @@ function Disable-AzSentinelAlertRule {
 $rule.enabled = $false
 $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($rule.name)?api-version=2019-01-01-preview"
- $bodyAlertProp = [AlertProp]::new(
- ($rule | Select-Object * -ExcludeProperty lastModifiedUtc, etag, id)
+ $groupingConfiguration = [GroupingConfiguration]::new(
+ $rule.incidentConfiguration.groupingConfiguration.GroupingConfigurationEnabled,
+ $rule.incidentConfiguration.groupingConfiguration.ReopenClosedIncident,
+ $rule.incidentConfiguration.groupingConfiguration.LookbackDuration,
+ $rule.incidentConfiguration.groupingConfiguration.EntitiesMatchingMethod,
+ $rule.incidentConfiguration.groupingConfiguration.GroupByEntities
 )
- $body = [AlertRule]::new(
- ($rule | Select-Object lastModifiedUtc, etag, id, name),
- $bodyAlertProp
+ $incidentConfiguration = [IncidentConfiguration]::new(
+ $rule.incidentConfiguration.CreateIncident,
+ $groupingConfiguration
 )
+ $bodyAlertProp = [ScheduledAlertProp]::new(
+ $rule.name,
+ $rule.DisplayName,
+ $rule.Description,
+ $rule.Severity,
+ $rule.Enabled,
+ $rule.Query,
+ $rule.QueryFrequency,
+ $rule.QueryPeriod,
+ $rule.TriggerOperator,
+ $rule.TriggerThreshold,
+ $rule.SuppressionDuration,
+ $rule.SuppressionEnabled,
+ $rule.Tactics,
+ $rule.PlaybookName,
+ $incidentConfiguration,
+ $rule.AggregationKind
+ )
+
+ $body = [AlertRule]::new( $rule.name, $rule.etag, $bodyAlertProp, $rule.Id, 'Scheduled')
+
+
 try {
 $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
 Write-Verbose $result
diff --git a/AzSentinel/Public/Enable-AzSentinelAlertRule.ps1 b/AzSentinel/Public/Enable-AzSentinelAlertRule.ps1
index 43826bd..3e2b7c5 100644
--- a/AzSentinel/Public/Enable-AzSentinelAlertRule.ps1
+++ b/AzSentinel/Public/Enable-AzSentinelAlertRule.ps1
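Review bot: The rebuilt request body assumes every rule is a Scheduled rule: `[ScheduledAlertProp]` is filled from `$rule.incidentConfiguration.groupingConfiguration.*` and the kind passed to `[AlertRule]::new` is the literal `'Scheduled'`, so for a rule of another kind, or one whose `incidentConfiguration` is missing, PowerShell silently yields `$null` for those members and the PUT rewrites the rule with an empty grouping configuration and possibly the wrong kind. A toggle that only flips `enabled` should not be able to alter the detection rule's definition; guard before building the body, e.g. `if ($rule.kind -ne 'Scheduled' -or -not $rule.incidentConfiguration) { Write-Error "Rule $($rule.name) is not a Scheduled rule with an incident configuration; not updated"; return }` (use `continue` instead of `return` if this sits inside a loop — the function body starts above the hunk, and I am assuming `$rule` carries the API's `kind` property). Note also that the removed `Select-Object *` carried every property the API returned into the body, whereas the new fixed argument list drops anything not enumerated here, so the change should be verified against a rule that has such properties set. The Enable-AzSentinelAlertRule hunk below has the same issue.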
@@ -60,15 +60,40 @@ function Enable-AzSentinelAlertRule {
 $rule.enabled = $true
 $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($rule.name)?api-version=2019-01-01-preview"
- $bodyAlertProp = [AlertProp]::new(
- ($rule | Select-Object * -ExcludeProperty lastModifiedUtc, etag, id)
+ $groupingConfiguration = [GroupingConfiguration]::new(
+ $rule.incidentConfiguration.groupingConfiguration.GroupingConfigurationEnabled,
+ $rule.incidentConfiguration.groupingConfiguration.ReopenClosedIncident,
+ $rule.incidentConfiguration.groupingConfiguration.LookbackDuration,
+ $rule.incidentConfiguration.groupingConfiguration.EntitiesMatchingMethod,
+ $rule.incidentConfiguration.groupingConfiguration.GroupByEntities
 )
- $body = [AlertRule]::new(
- ($rule | Select-Object lastModifiedUtc, etag, id, name),
- $bodyAlertProp
+ $incidentConfiguration = [IncidentConfiguration]::new(
+ $rule.incidentConfiguration.CreateIncident,
+ $groupingConfiguration
 )
+ $bodyAlertProp = [ScheduledAlertProp]::new(
+ $rule.name,
+ $rule.DisplayName,
+ $rule.Description,
+ $rule.Severity,
+ $rule.Enabled,
+ $rule.Query,
+ $rule.QueryFrequency,
+ $rule.QueryPeriod,
+ $rule.TriggerOperator,
+ $rule.TriggerThreshold,
+ $rule.SuppressionDuration,
+ $rule.SuppressionEnabled,
+ $rule.Tactics,
+ $rule.PlaybookName,
+ $incidentConfiguration,
+ $rule.AggregationKind
+ )
+
+ $body = [AlertRule]::new( $rule.name, $rule.etag, $bodyAlertProp, $rule.Id, 'Scheduled')
+
 try {
 $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
 Write-Verbose $result
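Review bot: The lines that assemble `$groupingConfiguration`, `$incidentConfiguration`, `$bodyAlertProp` and `$body` are identical to the Disable-AzSentinelAlertRule hunk above; after this change the two functions differ only in the `$rule.enabled` assignment. Moving the body construction into one private helper in the module (a function that takes `$rule` and returns the `[AlertRule]` object) would keep the two in step — today any correction to the argument list, such as a new `[ScheduledAlertProp]` constructor parameter, has to be applied in both files, and the copies already diverge in their trailing blank lines. The enclosing function starts above the hunk and continues below it.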