Release version 0.6.6

AzSentinel/AzSentinel.psd1

@@ -92,7 +92,9 @@
  'Update-AzSentinelIncident',
  'Get-AzSentinelAlertRuleAction',
  'New-AzSentinelAlertRuleAction',
- 'Remove-AzSentinelAlertRuleAction'
+ 'Remove-AzSentinelAlertRuleAction',
+ 'Get-AzSentinelAlertRuleTemplates',
+ 'Add-AzSentinelIncidentComment'
  )
 
  # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.

AzSentinel/Classes/AlertRule.ps1

@@ -5,17 +5,17 @@ class AlertRule {
 
  [string]$type
 
- [string]$kind
+ [Kind]$kind = 'Scheduled'
 
  [pscustomobject]$Properties
 
  [string]$Id
 
- AlertRule ($Name, $Etag, $Properties, $Id) {
+ AlertRule ($Name, $Etag, $Properties, $Id, $kind) {
 
  $this.id = $Id
  $this.type = 'Microsoft.SecurityInsights/alertRules'
- $this.kind = 'Scheduled'
+ $this.kind = $kind
  $this.Name = $Name
  $this.Etag = $Etag
  $this.Properties = $Properties

AzSentinel/Classes/Fusion.ps1

@@ -0,0 +1,9 @@
+class Fusion {
+ [bool]$Enabled
+ [string]$AlertRuleTemplateName
+
+ Fusion ($Enabled, $AlertRuleTemplateName) {
+ $this.enabled = $Enabled
+ $this.AlertRuleTemplateName = $AlertRuleTemplateName
+ }
+}

AzSentinel/Classes/MLBehaviorAnalytics.ps1

@@ -0,0 +1,9 @@
+class MLBehaviorAnalytics {
+ [bool]$Enabled
+ [string]$AlertRuleTemplateName
+
+ MLBehaviorAnalytics ($Enabled, $AlertRuleTemplateName) {
+ $this.enabled = $Enabled
+ $this.AlertRuleTemplateName = $AlertRuleTemplateName
+ }
+}

AzSentinel/Classes/MicrosoftSecurityIncidentCreation.ps1

@@ -0,0 +1,17 @@
+class MicrosoftSecurityIncidentCreation {
+ [string] $DisplayName
+ [string]$Description
+ [bool]$Enabled
+ [string]$ProductFilter
+ [Severity[]]$SeveritiesFilter
+ [string]$DisplayNamesFilter
+
+ MicrosoftSecurityIncidentCreation ($DisplayName, $Description, $Enabled, $ProductFilter, $SeveritiesFilter, $DisplayNamesFilter) {
+ $this.displayName = $DisplayName
+ $this.description = $Description
+ $this.enabled = $Enabled
+ $this.productFilter = $ProductFilter
+ $this.severitiesFilter = $SeveritiesFilter
+ $this.displayNamesFilter = $DisplayNamesFilter
+ }
+}

AzSentinel/Classes/classes.psd1

@@ -1,5 +1,8 @@
 @{
  order = @(
+ ,'MicrosoftSecurityIncidentCreation'
+ ,'Fusion'
+ ,'MLBehaviorAnalytics'
  ,'groupingConfiguration'
  ,'IncidentConfiguration'
  ,'ScheduledAlertProp'

AzSentinel/Classes/groupingConfiguration.ps1

@@ -36,7 +36,7 @@ class GroupingConfiguration {
  }
 
  groupingConfiguration ($Enabled, $reopenClosedIncident, $lookbackDuration, $entitiesMatchingMethod, $groupByEntities) {
- $this.enabled = if ($Enabled) { $null -ne $Enabled } else { $true }
+ $this.enabled = if ($null -ne $Enabled ) { $Enabled } else { $true }
  $this.reopenClosedIncident = if ($null -ne $reopenClosedIncident) { $reopenClosedIncident } else { $false }
  $this.lookbackDuration = if ($lookbackDuration) { [groupingConfiguration]::TimeString($lookbackDuration) } else { "PT5H" }
  $this.entitiesMatchingMethod = if ($entitiesMatchingMethod) { $entitiesMatchingMethod } else { "All" }

AzSentinel/Public/Add-AzSentinelIncidentComment.ps1

@@ -0,0 +1,104 @@
+#requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'}
+#requires -version 6.2
+
+function Add-AzSentinelIncidentComment {
+ <#
+ .SYNOPSIS
+ Add Azure Sentinel Incident comment
+ .DESCRIPTION
+ With this function you can add comment to existing Azure Sentinel Incident.
+ .PARAMETER SubscriptionId
+ Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
+ .PARAMETER WorkspaceName
+ Enter the Workspace name
+ .PARAMETER Name
+ Enter the name of the incidnet in GUID format
+ .PARAMETER CaseNumber
+ Enter the case number to get specfiek details of a open case
+ .PARAMETER Comment
+ Enter Comment tekst to add comment to the incident
+ .EXAMPLE
+ Add-AzSentinelIncidentComment -WorkspaceName "" CaseNumber "" -Comment
+ Add a comment to existing incidnet
+ #>
+
+ [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
+ param (
+ [Parameter(Mandatory = $false,
+ ParameterSetName = "Sub")]
+ [ValidateNotNullOrEmpty()]
+ [string] $SubscriptionId,
+
+ [Parameter(Mandatory)]
+ [ValidateNotNullOrEmpty()]
+ [string]$WorkspaceName,
+
+ [Parameter(Mandatory = $false,
+ ValueFromPipeline)]
+ [ValidateNotNullOrEmpty()]
+ [guid]$Name,
+
+ [Parameter(Mandatory = $false,
+ ValueFromPipeline)]
+ [ValidateNotNullOrEmpty()]
+ [int]$CaseNumber,
+
+ [Parameter(Mandatory)]
+ [ValidateNotNullOrEmpty()]
+ [string]$Comment
+ )
+
+ begin {
+ precheck
+ }
+
+ process {
+ switch ($PsCmdlet.ParameterSetName) {
+ Sub {
+ $arguments = @{
+ WorkspaceName = $WorkspaceName
+ SubscriptionId = $SubscriptionId
+ }
+ }
+ default {
+ $arguments = @{
+ WorkspaceName = $WorkspaceName
+ }
+ }
+ }
+
+ Write-Verbose -Message "Using URI: $($uri)"
+
+ if ($CaseNumber) {
+ $incident = Get-AzSentinelIncident @arguments -CaseNumber $CaseNumber -All
+ }
+ elseif ($Name) {
+ $incident = Get-AzSentinelIncident @arguments -Name $Name
+ }
+ else {
+ Write-Error "Both CaseNumber and Name are empty" -ErrorAction Stop
+ }
+
+ if ($incident) {
+ $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/Cases/$($incident.name)/comments/$(New-Guid)?api-version=2019-01-01-preview"
+ $body = @{
+ "properties" = @{
+ "message" = $Comment
+ }
+ }
+
+ Write-Verbose "Found incident with case number: $($incident.caseNumber)"
+
+ try {
+ $return = Invoke-WebRequest -Uri $uri -Method Put -Body ($body | ConvertTo-Json -Depth 99 -EnumsAsStrings) -Headers $script:authHeader
+ return ($return.Content | ConvertFrom-Json).properties
+ }
+ catch {
+ $return = $_.Exception.Message
+ Write-Verbose $_
+ Write-Error "Unable to update Incident $($incident.caseNumber) with error message $return"
+ return $return
+ }
+ }
+ }
+}

AzSentinel/Public/Get-AzSentinelAlertRule.ps1

@@ -13,6 +13,8 @@ function Get-AzSentinelAlertRule {
  Enter the Workspace name
  .PARAMETER RuleName
  Enter the name of the Alert rule
+ .PARAMETER Kind
+ The alert rule kind
  .EXAMPLE
  Get-AzSentinelAlertRule -WorkspaceName "" -RuleName "",""
  In this example you can get configuration of multiple alert rules in once
@@ -32,7 +34,12 @@ function Get-AzSentinelAlertRule {
  [Parameter(Mandatory = $false,
  ValueFromPipeline)]
  [ValidateNotNullOrEmpty()]
- [string[]]$RuleName
+ [string[]]$RuleName,
+
+ [Parameter(Mandatory = $false,
+ ValueFromPipeline)]
+ [ValidateNotNullOrEmpty()]
+ [Kind[]]$Kind
  )
 
  begin {
@@ -67,7 +74,6 @@ function Get-AzSentinelAlertRule {
  }
 
  $return = @()
-
  if ($alertRules.value) {
  Write-Verbose "Found $($alertRules.value.count) Alert rules"
 
@@ -76,7 +82,38 @@ function Get-AzSentinelAlertRule {
  [PSCustomObject]$temp = $alertRules.value | Where-Object { $_.properties.displayName -eq $rule }
  if ($null -ne $temp) {
 
- $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId ($temp.name)
+ $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId ($temp.name)[0]
+
+ if ($playbook) {
+ $playbookName = ($playbook.properties.logicAppResourceId).Split('/')[-1]
+ }
+ else {
+ $playbookName = ""
+ }
+
+ $temp.properties | Add-Member -NotePropertyName name -NotePropertyValue $temp.name -Force
+ $temp.properties | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force
+ $temp.properties | Add-Member -NotePropertyName id -NotePropertyValue $temp.id -Force
+ $temp.properties | Add-Member -NotePropertyName kind -NotePropertyValue $temp.kind -Force
+
+ if ($temp.kind -eq "Scheduled") {
+ $temp.properties | Add-Member -NotePropertyName playbookName -NotePropertyValue $playbookName -Force
+ }
+
+ $return += $temp.properties
+ }
+ else {
+ Write-Verbose "Unable to find Rule: $rule"
+ }
+ }
+ return $return
+ }
+ elseif ($Kind.Count -ge 1) {
+ foreach ($rule in $Kind) {
+ [PSCustomObject]$temp = $alertRules.value | Where-Object { $_.Kind -eq $rule }
+ if ($null -ne $temp) {
+
+ $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId ($temp.name)[0]
 
  if ($playbook) {
  $playbookName = ($playbook.properties.logicAppResourceId).Split('/')[-1]
@@ -88,19 +125,22 @@ function Get-AzSentinelAlertRule {
  $temp.properties | Add-Member -NotePropertyName name -NotePropertyValue $temp.name -Force
  $temp.properties | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force
  $temp.properties | Add-Member -NotePropertyName id -NotePropertyValue $temp.id -Force
- $temp.properties | Add-Member -NotePropertyName playbookName -NotePropertyValue $playbookName -Force
+ $temp.properties | Add-Member -NotePropertyName kind -NotePropertyValue $temp.kind -Force
+ if ($temp.kind -eq "Scheduled") {
+ $temp.properties | Add-Member -NotePropertyName playbookName -NotePropertyValue $playbookName -Force
+ }
 
  $return += $temp.properties
  }
  else {
- Write-Error "Unable to find Rule: $rule"
+ Write-Verbose "Unable to find Rule: $rule"
  }
  }
  return $return
  }
  else {
  $alertRules.value | ForEach-Object {
- $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId ($_.name)
+ $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId ($temp.name)[0]
 
  if ($playbook) {
  $playbookName = ($playbook.properties.logicAppResourceId).Split('/')[-1]
@@ -109,14 +149,18 @@ function Get-AzSentinelAlertRule {
  $playbookName = ""
  }
  $_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force
- $_.properties | Add-Member -NotePropertyName playbookName -NotePropertyValue $playbookName -Force
+ $_.properties | Add-Member -NotePropertyName id -NotePropertyValue $_.id -Force
+ $_.properties | Add-Member -NotePropertyName kind -NotePropertyValue $_.kind -Force
+ if ($_.kind -eq "Scheduled") {
+ $_.properties | Add-Member -NotePropertyName playbookName -NotePropertyValue $playbookName -Force
+ }
 
  return $_.properties
  }
  }
  }
  else {
- Write-Warning "No rules found on $($WorkspaceName)"
+ Write-Verbose "No rules found on $($WorkspaceName)"
  }
  }
 }