!Deploy Release version 0.6.8 (#105)

* Release '0.6.2' (#31)

* updating get alert and hunting rule function

* updated error handling

* Create Get-PlayBook.ps1

* cleaning up

* Release Update Incident function (#37)

* init release update incident function

* cleaning up

* updating

* updating incident function

* code cleanup

* Cleaning up and ready for release

* updating final docs folder

* Release Feature playbook configuration (#33)

* updating get alert and hunting rule function

* updated error handling

* Create Get-PlayBook.ps1

* init release for playbook

* cleaning up

* finishing playbook

* adding get alert rule action function

* releasing get logic app function

* release new- az sen alert action and some codue update

* init release playbook function

* uppdated gitignore

* init release remove azsentinel action rule

* fixed compare issue

* Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook

* updating pester test result

* updating readme

* updating readme

* updated docs and pester test results

* restoring version

* Fix/smallconflicts (#40)

* updating docs

* updating examples

* updating pipeline

* fixing Subscribtion parameter for playbook (#43)

* fixing Subscribtion parameter for playbook (#45)

* Fix- get-Azsentinalhuntingrule - Cannot validate argument on parameter "Property" (#50)

* fix huntng rule

* fixing hunting rule issue

* Fix - new-azsentinelalertrule playbook property  (#49)

* fixing the if statement

* fixing the if statement

* Feature - get all incidents (#51)

* updating get incident

* updating get incident function and docs

* updating  powershell-yaml

* updating importmodule error

* workaround

* removing powershell-yaml depending

* fixing logicapp sas token (#52)

* Add support for day time periods (#61)

* Add missing dot to yml file extension (#59)

The Import-AZSentinelAlertRule function is not able to import yml files due
to missing dot in the file extension.

* adding support for resource provider in set-azsentinel (#69)

* New function for enabling and disabling Alert rules (#71)

* init release enable and disable function

* adding empty test files

* updating return message

* New feature change the displayName of an alert (#68)

* Release Rename Alert rule function

* updating rename function

* Handle nextLink for Playbooks (#78)

When retrieving playbooks not all are being returned. Code copied from Issue #35 Retrieving all incidents.

* adding support for alert aggregation (#65)

* adding support for alert aggregation, classes created

* updaing classes

* updated the class and created first rule wih no error

* update class and made import function backwards compatible

* small changes

* tested with import method

* updating new function

* checking working code, starting cleanup

* updating documentation

* updating docs and cleaning up

* updating build errors

* change pester version

* updating pester version

* Update groupingConfiguration.ps1 (#87)

* Fix bug that causes loss of certain incident properties, add option to set incident description (#91)

* Feature - Adding support for all alert rule types (#90)

* init release

* updating docs

Co-authored-by: Khabazi <rob5614@robeco.nl>

* New Functionality to get alert rule templates provided by Microsoft (#94)

Co-authored-by: Antonio Ramirez <ramireza@ryanair.com>

* Update/get az sentinel alert rule templates (#95)

* udating Get-AzSentinelAlertRuleTemplates

* updated

Co-authored-by: Khabazi <rob5614@robeco.nl>

* Feature/add az sentinel incident comment (#96)

* udating Get-AzSentinelAlertRuleTemplates

* updated

* fixing playbook issue

* Add-AzSentinelIncidentComment

* release

Co-authored-by: Khabazi <rob5614@robeco.nl>

* fixing class error (#99)

* updating example files, ncluding multi rule yaml file (#104)

* Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102)

* fixing return issue

* fixing playbook issue

* init release Get-AzSentinelDataConnector function (#103)

* Fix - get-azsentinelhuntingrule updated get and remove function (#106)

* fixing hunitng rule get and remove issue

* cleaning up

* updating filters

Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com>
Co-authored-by: NVolcz <niklas.volcz@gmail.com>
Co-authored-by: stehod <34159548+stehod@users.noreply.github.com>
Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com>
Co-authored-by: Jonathan Holtmann <holtmann@usc.edu>
Co-authored-by: Khabazi <rob5614@robeco.nl>
Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com>
Co-authored-by: Antonio Ramirez <ramireza@ryanair.com>

AzSentinel/AzSentinel.psd1

@@ -94,7 +94,8 @@
  'New-AzSentinelAlertRuleAction',
  'Remove-AzSentinelAlertRuleAction',
  'Get-AzSentinelAlertRuleTemplates',
- 'Add-AzSentinelIncidentComment'
+ 'Add-AzSentinelIncidentComment',
+ 'Get-AzSentinelDataConnector'
  )
 
  # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.

AzSentinel/Public/Get-AzSentinelAlertRule.ps1

@@ -62,7 +62,7 @@ function Get-AzSentinelAlertRule {
  }
  Get-LogAnalyticWorkspace @arguments
 
- $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules?api-version=2019-01-01-preview"
+ $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules?api-version=2020-01-01"
  Write-Verbose -Message "Using URI: $($uri)"
 
  try {
@@ -82,7 +82,7 @@ function Get-AzSentinelAlertRule {
  [PSCustomObject]$temp = $alertRules.value | Where-Object { $_.properties.displayName -eq $rule }
  if ($null -ne $temp) {
 
- $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId ($temp.name)[0]
+ $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId $temp.name
 
  if ($playbook) {
  $playbookName = ($playbook.properties.logicAppResourceId).Split('/')[-1]
@@ -140,7 +140,7 @@ function Get-AzSentinelAlertRule {
  }
  else {
  $alertRules.value | ForEach-Object {
- $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId ($temp.name)[0]
+ $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId $_.name
 
  if ($playbook) {
  $playbookName = ($playbook.properties.logicAppResourceId).Split('/')[-1]

AzSentinel/Public/Get-AzSentinelDataConnector.ps1

@@ -0,0 +1,92 @@
+#requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'}
+#requires -version 6.2
+
+function Get-AzSentinelDataConnector {
+ <#
+ .SYNOPSIS
+ Get Azure Sentinel Data connector
+ .DESCRIPTION
+ With this function you can get Azure Sentinel data connectors that are enabled on the workspace
+ .PARAMETER SubscriptionId
+ Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
+ .PARAMETER WorkspaceName
+ Enter the Workspace name
+ .PARAMETER DataConnectorName
+ Enter the Connector ID
+ .EXAMPLE
+ Get-AzSentinelDataConnector -WorkspaceName ""
+ List all enabled dataconnector
+ .EXAMPLE
+ Get-AzSentinelDataConnector -WorkspaceName "" -DataConnectorName "",""
+ Get specific dataconnectors
+ #>
+
+ param (
+ [Parameter(Mandatory = $false,
+ ParameterSetName = "Sub")]
+ [ValidateNotNullOrEmpty()]
+ [string] $SubscriptionId,
+
+ [Parameter(Mandatory)]
+ [ValidateNotNullOrEmpty()]
+ [string]$WorkspaceName,
+
+ [Parameter(Mandatory = $false,
+ ValueFromPipeline)]
+ [ValidateNotNullOrEmpty()]
+ [string[]]$DataConnectorName
+ )
+
+ begin {
+ precheck
+ }
+
+ process {
+ switch ($PsCmdlet.ParameterSetName) {
+ Sub {
+ $arguments = @{
+ WorkspaceName = $WorkspaceName
+ SubscriptionId = $SubscriptionId
+ }
+ }
+ default {
+ $arguments = @{
+ WorkspaceName = $WorkspaceName
+ }
+ }
+ }
+ Get-LogAnalyticWorkspace @arguments
+
+ if ($DataConnectorName) {
+ $dataConnectors = @()
+
+ foreach ($item in $DataConnectorName){
+
+ $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/dataConnectors/$($item)?api-version=2020-01-01"
+
+ try {
+ $result = Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader
+
+ $dataConnectors += $result
+ }
+ catch {
+ Write-Verbose $_
+ Write-Error "Unable to get alert rules with error code: $($_.Exception.Message)" -ErrorAction Stop
+ }
+ }
+ return $dataConnectors
+ }
+ else {
+ $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2020-01-01"
+
+ try {
+ $result = Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader
+ }
+ catch {
+ Write-Verbose $_
+ Write-Error "Unable to get alert rules with error code: $($_.Exception.Message)" -ErrorAction Stop
+ }
+ return $result.value
+ }
+ }
+}

AzSentinel/Public/Get-AzSentinelHuntingRule.ps1

@@ -41,7 +41,7 @@ function Get-AzSentinelHuntingRule {
 
  [Parameter(Mandatory = $false,
  ValueFromPipeline)]
- [ValidateNotNullOrEmpty()]
+ [validateset("Hunting Queries", "Log Management", "General Exploration")]
  [string]$Filter
  )
 
@@ -72,11 +72,10 @@ function Get-AzSentinelHuntingRule {
 
  try {
  if ($Filter) {
- $huntingRules = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader) | Where-Object $_.Category -eq $Filter
+ $huntingRules = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader).value | Where-Object { $_.properties.Category -eq $Filter }
  }
  else {
- $huntingRules = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader)
-
+ $huntingRules = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader).value
  }
  }
  catch {
@@ -86,35 +85,37 @@ function Get-AzSentinelHuntingRule {
 
  $return = @()
 
- if ($huntingRules.value) {
- Write-Verbose "Found $($huntingRules.value.count) hunting rules"
+ if ($huntingRules) {
+ Write-Verbose "Found $($huntingRules.count) hunting rules"
  if ($RuleName.Count -ge 1) {
  foreach ($rule in $RuleName) {
- [PSCustomObject]$temp = $huntingRules.value | Where-Object { $_.displayName -eq $rule }
+ $temp = @()
+ [PSCustomObject]$temp = $huntingRules | Where-Object { ($_.properties).DisplayName -eq $rule }
+
  if ($null -ne $temp) {
  $temp.properties | Add-Member -NotePropertyName name -NotePropertyValue $temp.name -Force
  $temp.properties | Add-Member -NotePropertyName id -NotePropertyValue $temp.id -Force
  $temp.properties | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force
 
  $return += $temp.Properties
  }
- else {
- Write-Warning "Unable to find hunting rule: $rule"
- }
  }
  return $return
  }
  else {
- $huntingRules.value | ForEach-Object {
+ $huntingRules | ForEach-Object {
+
  $_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force
  $_.properties | Add-Member -NotePropertyName id -NotePropertyValue $_.id -Force
  $_.properties | Add-Member -NotePropertyName etag -NotePropertyValue $_.etag -Force
- return $_.properties
+
+ $return += $_.properties
  }
+ return $return
  }
  }
  else {
- Write-Warning "No hunting rules found on $($WorkspaceName)"
+ Write-Verbose "No hunting rules found on $($WorkspaceName)"
  }
  }
 }

AzSentinel/Public/Remove-AzSentinelHuntingRule.ps1

@@ -64,7 +64,7 @@ function Remove-AzSentinelHuntingRule {
  if ($RuleName) {
  # remove defined rules
  foreach ($rule in $RuleName) {
- $item = Get-AzSentinelHuntingRule @arguments -Filter 'HuntingQueries' -RuleName $rule
+ $item = Get-AzSentinelHuntingRule @arguments -RuleName $rule
  if ($item) {
  $uri = "$script:baseUri/savedSearches/$($item.name)?api-version=2017-04-26-preview"
 
@@ -90,7 +90,7 @@ function Remove-AzSentinelHuntingRule {
  }
  else {
  Write-Warning "No hunting rule selected, All hunting rules will be removed one by one!"
- Get-AzSentinelHuntingRule @arguments -Filter 'HuntingQueries' | ForEach-Object {
+ Get-AzSentinelHuntingRule @arguments -Filter "Hunting Queries" | ForEach-Object {
  $uri = "$script:baseUri/savedSearches/$($_.name)?api-version=2017-04-26-preview"
  if ($PSCmdlet.ShouldProcess("Do you want to remove: $($_.displayName)")) {
  try {

AzSentinel/docs/Get-AzSentinelDataConnector.md

@@ -0,0 +1,93 @@
+---
+external help file: AzSentinel-help.xml
+Module Name: AzSentinel
+online version:
+schema: 2.0.0
+---
+
+# Get-AzSentinelDataConnector
+
+## SYNOPSIS
+Get Azure Sentinel Data connector
+
+## SYNTAX
+
+```
+Get-AzSentinelDataConnector [-SubscriptionId <String>] -WorkspaceName <String> [-DataConnectorName <String[]>]
+ [<CommonParameters>]
+```
+
+## DESCRIPTION
+With this function you can get Azure Sentinel data connectors that are enabled on the workspace
+
+## EXAMPLES
+
+### EXAMPLE 1
+```
+Get-AzSentinelDataConnector -WorkspaceName ""
+List all enabled dataconnector
+```
+
+### EXAMPLE 2
+```
+Get-AzSentinelDataConnector -WorkspaceName "" -DataConnectorName "",""
+Get specific dataconnectors
+```
+
+## PARAMETERS
+
+### -SubscriptionId
+Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+Enter the Workspace name
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DataConnectorName
+Enter the Connector ID
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS

AzSentinel/docs/README.md

@@ -19,3 +19,4 @@
 17. [New-AzSentinelAlertRuleAction](New-AzSentinelAlertRuleAction.md)
 18. [Remove-AzSentinelAlertRuleAction](Remove-AzSentinelAlertRuleAction.md)
 19. [Get-AzSentinelAlertRuleTemplates](Get-AzSentinelAlertRuleTemplates.md)
+20. [Get-AzSentinelDataConnector](Get-AzSentinelDataConnector.md)