forked from javiersoriano/sentinel-all-in-one
-
Notifications
You must be signed in to change notification settings - Fork 0
/
SentinelallInOne.ps1
367 lines (317 loc) · 16.7 KB
/
SentinelallInOne.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
param(
[Parameter(Mandatory=$true)]$ResourceGroup,
[Parameter(Mandatory=$true)]$Workspace,
[Parameter(Mandatory=$true)]$Location
)
function CheckModules($module) {
$service = Get-Module -ListAvailable -Name $module
if (-Not $service) {
Install-Module -Name $module -Scope CurrentUser -Force
}
}
CheckModules("Az.Resources")
CheckModules("Az.OperationalInsights")
CheckModules("AzSentinel")
Write-Host "`r`nIf not logged in to Azure already, you will now be asked to log in to your Azure environment. `nFor this script to work correctly, you need to provide credentials of a Global Admin or Security Admin for your organization. `nThis will allow the script to enable all required connectors.`r`n" -BackgroundColor Magenta
Read-Host -Prompt "Press enter to continue or CTRL+C to quit the script"
$context = Get-AzContext
if(!$context){
Connect-AzAccount
$context = Get-AzContext
}
$SubscriptionId = $context.Subscription.Id
$ConnectorsFile = ".\connectors.json"
#Create Resource Group
Get-AzResourceGroup -Name $ResourceGroup -ErrorVariable notPresent -ErrorAction SilentlyContinue
if ($notPresent){
Write-Host "Creating resource group $ResourceGroup in region $Location..."
New-AzResourceGroup -Name $ResourceGroup -Location $Location
}
else{
Write-Host "Resource Group $ResourceGroup already exists. Skipping..."
}
#Create Log Analytics workspace
try {
$WorkspaceObject = Get-AzOperationalInsightsWorkspace -Name $Workspace -ResourceGroupName $ResourceGroup -ErrorAction Stop
$ExistingLocation = $WorkspaceObject.Location
Write-Output "Workspace named $Workspace in region $ExistingLocation already exists. Skipping..."
} catch {
Write-Output "Creating new workspace named $Workspace in region $Location..."
# Create the new workspace for the given name, region, and resource group
New-AzOperationalInsightsWorkspace -Location $Location -Name $Workspace -Sku Standard -ResourceGroupName $ResourceGroup
}
$solutions = Get-AzOperationalInsightsIntelligencePack -resourcegroupname $ResourceGroup -WorkspaceName $Workspace -WarningAction:SilentlyContinue
if (($solutions | Where-Object Name -eq 'SecurityInsights').Enabled) {
Write-Host "Azure Sentinel is already installed on workspace $($Workspace)"
}
else {
Set-AzSentinel -WorkspaceName $Workspace -Confirm:$false
}
$msTemplates = Get-AzSentinelAlertRuleTemplates -workspace $Workspace -Kind MicrosoftSecurityIncidentCreation
#Resource URL to authentincate against
$Resource = "https://management.azure.com/"
#Urls to be used for Sentinel API calls
$baseUri = "/subscriptions/${SubscriptionId}/resourceGroups/${ResourceGroup}/providers/Microsoft.OperationalInsights/workspaces/${Workspace}"
$connectedDataConnectorsUri = "$baseUri/providers/Microsoft.SecurityInsights/dataConnectors/?api-version=2020-01-01"
function Get-ConnectedDataconnectors{
try {
$allConnectedDataconnectors = (Invoke-AzRestMethod -Path $connectedDataConnectorsUri -Method GET).Content | ConvertFrom-Json
}
catch {
$errorReturn = $_
Write-Error "Unable to invoke webrequest with error message: $errorReturn" -ErrorAction Stop
}
return $allConnectedDataconnectors
}
function checkDataConnector($dataConnector){
$currentDataconnector = "" | Select-Object -Property guid,etag,isEnabled
if ($allConnectedDataconnectors.value.Length -ne 0){
foreach ($value in $allConnectedDataconnectors.value){
if ($value.kind -eq $dataConnector) {
Write-Host "Successfully queried data connector $($value.kind) - already enabled"
Write-Verbose $value
$currentDataconnector.guid = $value.name
$currentDataconnector.etag = $value.etag
$currentDataconnector.isEnabled = $true
break
}
}
if ($currentDataconnector.isEnabled -ne $true)
{
$currentDataconnector.guid = (New-Guid).Guid
$currentDataconnector.etag = $null
$currentDataconnector.isEnabled = $false
}
}
else{
$currentDataconnector.guid = (New-Guid).Guid
$currentDataconnector.etag = $null
$currentDataconnector.isEnabled = $false
}
return $currentDataconnector
}
function BuildDataconnectorPayload($dataConnector, $guid, $etag, $isEnabled){
if ($dataConnector.kind -ne "AzureSecurityCenter")
{
$connectorProperties = $dataConnector.properties
$connectorProperties | Add-Member -NotePropertyName tenantId -NotePropertyValue ${context}.Tenant.Id
}
else {
$connectorProperties = $dataConnector.properties
$connectorProperties | Add-Member -NotePropertyName subscriptionId -NotePropertyValue ${context}.Subscription.Id
}
if ($isEnabled) {
# Compose body for connector update scenario
Write-Host "Updating data connector $($dataConnector.kind)"
Write-Verbose "Name: $guid"
Write-Verbose "Etag: $etag"
$connectorBody = @{}
$connectorBody | Add-Member -NotePropertyName kind -NotePropertyValue $dataConnector.kind -Force
$connectorBody | Add-Member -NotePropertyName name -NotePropertyValue $guid -Force
$connectorBody | Add-Member -NotePropertyName etag -NotePropertyValue $etag -Force
$connectorBody | Add-Member -NotePropertyName properties -NotePropertyValue $connectorProperties
}
else {
# Compose body for connector enable scenario
Write-Host "$($dataConnector.kind) data connector is not enabled yet"
Write-Host "Enabling data connector $($dataConnector.kind)"
Write-Verbose "Name: $guid"
$connectorBody = @{}
$connectorBody | Add-Member -NotePropertyName kind -NotePropertyValue $dataConnector.kind -Force
$connectorBody | Add-Member -NotePropertyName properties -NotePropertyValue $connectorProperties
}
return $connectorBody
}
function EnableOrUpdateDataconnector($baseUri, $guid, $connectorBody, $isEnabled){
$uri = "${baseUri}/providers/Microsoft.SecurityInsights/dataConnectors/${guid}?api-version=2020-01-01"
try {
$result = Invoke-AzRestMethod -Path $uri -Method PUT -Payload ($connectorBody | ConvertTo-Json -Depth 3)
if ($result.StatusCode -eq 200) {
if ($isEnabled){
Write-Host "Successfully updated data connector: $($connector.kind)" -ForegroundColor Green
}
else {
Write-Host "Successfully enabled data connector: $($connector.kind)" -ForegroundColor Green
}
}
else {
Write-Error "Unable to enable data connector $($connector.kind) with error: $($result.Content)"
}
Write-Host ($body.Properties | Format-List | Format-Table | Out-String)
}
catch {
$errorReturn = $_
Write-Verbose $_
Write-Error "Unable to invoke webrequest with error message: $errorReturn" -ErrorAction Stop
}
}
function EnableMSAnalyticsRule($msProduct){
try {
foreach ($rule in $msTemplates){
if ($rule.productFilter -eq $msProduct) {
New-AzSentinelAlertRule -WorkspaceName $Workspace -Kind MicrosoftSecurityIncidentCreation -DisplayName $rule.displayName -Description $rule.description -Enabled $true -ProductFilter $msProduct -DisplayNamesFilter "" |Out-Null
Write-Host "Done!" -ForegroundColor Green
}
}
}
catch {
$errorReturn = $_
Write-Verbose $_
Write-Error "Unable to create analytics rule with error message: $errorReturn" -ErrorAction Stop
}
}
#Getting all rules from file
$connectors = Get-Content -Raw -Path $ConnectorsFile | ConvertFrom-Json
#Getting all connected Data connectors
$allConnectedDataconnectors = Get-ConnectedDataconnectors
foreach ($connector in $connectors.connectors) {
Write-Host "`r`nProcessing connector: " -NoNewline
Write-Host "$($connector.kind)" -ForegroundColor Blue
#AzureActivityLog connector
if ($connector.kind -eq "AzureActivityLog") {
$SubNoHyphens = $SubscriptionId -replace '-',''
$uri = "$baseUri/datasources/${SubNoHyphens}?api-version=2015-11-01-preview"
$connectorBody = ""
$activityEnabled = $false
#Check if AzureActivityLog is already connected (there is no better way yet) [assuming there is only one AzureActivityLog from same subscription connected]
try {
# AzureActivityLog is already connected, compose body with existing etag for update
$result = Invoke-AzRestMethod -Path $uri -Method GET
if ($result.StatusCode -eq 200){
Write-Host "Successfully queried data connector ${connector.kind} - already enabled"
Write-Verbose $result
Write-Host "Updating data connector $($connector.kind)"
$activityEnabled = $true
}
else {
Write-Host "$($connector.kind) data connector is not enabled yet"
Write-Host "Enabling data connector $($connector.kind)"
$activityEnabled = $false
}
}
catch {
$errorReturn = $_
Write-Error "Unable to invoke webrequest with error message: $errorReturn" -ErrorAction Stop
}
$connectorProperties = @{
linkedResourceId = "/subscriptions/${SubscriptionId}/providers/microsoft.insights/eventtypes/management"
}
$connectorBody = @{}
$connectorBody | Add-Member -NotePropertyName kind -NotePropertyValue $connector.kind -Force
$connectorBody | Add-Member -NotePropertyName properties -NotePropertyValue $connectorProperties
#Enable or Update AzureActivityLog Connector with http puth method
try {
$result = Invoke-AzRestMethod -Path $uri -Method PUT -Payload ($connectorBody | ConvertTo-Json -Depth 3)
if ($result.StatusCode -eq 200) {
if ($activityEnabled){
Write-Host "Successfully updated data connector: $($connector.kind)" -ForegroundColor Green
}
else {
Write-Host "Successfully enabled data connector: $($connector.kind)" -ForegroundColor Green
}
}
else {
Write-Host "Unable to enable data connector $($connector.kind) with error: $($result.Content)"
}
Write-Verbose ($body.Properties | Format-List | Format-Table | Out-String)
}
catch {
$errorReturn = $_
Write-Verbose $_.Exception.Message
Write-Error "Unable to invoke webrequest with error message: $errorReturn" -ErrorAction Stop
}
}
#AzureSecurityCenter connector
elseif ($connector.kind -eq "AzureSecurityCenter") {
$dataConnectorBody = ""
#query for connected Data connectors
$connectorProperties = checkDataConnector($connector.kind)
$dataConnectorBody = BuildDataconnectorPayload $connector $connectorProperties.guid $connectorProperties.etag $connectorProperties.isEnabled
EnableOrUpdateDataconnector $baseUri $connectorProperties.guid $dataConnectorBody $connectorProperties.isEnabled
Write-Host "Adding Analytics Rule for data connector Azure Security Center..." -NoNewline
EnableMSAnalyticsRule "Azure Security Center"
}
#Office365 connector
elseif ($connector.kind -eq "Office365") {
$dataConnectorBody = ""
#query for connected Data connectors
$connectorProperties = checkDataConnector($connector.kind)
$dataConnectorBody = BuildDataconnectorPayload $connector $connectorProperties.guid $connectorProperties.etag $connectorProperties.isEnabled
EnableOrUpdateDataconnector $baseUri $connectorProperties.guid $dataConnectorBody $connectorProperties.isEnabled
}
#MicrosoftCloudAppSecurity connector
elseif ($connector.kind -eq "MicrosoftCloudAppSecurity") {
$dataConnectorBody = ""
#query for connected Data connectors
$connectorProperties = checkDataConnector($connector.kind)
$dataConnectorBody = BuildDataconnectorPayload $connector $connectorProperties.guid $connectorProperties.etag $connectorProperties.isEnabled
EnableOrUpdateDataconnector $baseUri $connectorProperties.guid $dataConnectorBody $connectorProperties.isEnabled
Write-Host "Adding Analytics Rule for data connector Microsoft Cloud App Security..." -NoNewline
EnableMSAnalyticsRule "Microsoft Cloud App Security"
}
#AzureAdvancedThreatProtection connector
elseif ($connector.kind -eq "AzureAdvancedThreatProtection") {
$dataConnectorBody = ""
#query for connected Data connectors
$connectorProperties = checkDataConnector($connector.kind)
$dataConnectorBody = BuildDataconnectorPayload $connector $connectorProperties.guid $connectorProperties.etag $connectorProperties.isEnabled
EnableOrUpdateDataconnector $baseUri $connectorProperties.guid $dataConnectorBody $connectorProperties.isEnabled
Write-Host "Adding Analytics Rule for data connector Azure Advanced Threat Protection..." -NoNewline
EnableMSAnalyticsRule "Azure Advanced Threat Protection"
}
#ThreatIntelligencePlatforms connector
elseif ($connector.kind -eq "ThreatIntelligence") {
$dataConnectorBody = ""
#query for connected Data connectors
$connectorProperties = checkDataConnector($connector.kind)
$dataConnectorBody = BuildDataconnectorPayload $connector $connectorProperties.guid $connectorProperties.etag $connectorProperties.isEnabled
EnableOrUpdateDataconnector $baseUri $connectorProperties.guid $dataConnectorBody $connectorProperties.isEnabled
}
#MicrosoftDefenderAdvancedThreatProtection connector
elseif ($connector.kind -eq "MicrosoftDefenderAdvancedThreatProtection") {
$dataConnectorBody = ""
#query for connected Data connectors
$connectorProperties = checkDataConnector($connector.kind)
$dataConnectorBody = BuildDataconnectorPayload $connector $connectorProperties.guid $connectorProperties.etag $connectorProperties.isEnabled
EnableOrUpdateDataconnector $baseUri $connectorProperties.guid $dataConnectorBody $connectorProperties.isEnabled
Write-Host "Adding Analytics Rule for data connector Microsoft Defender Advanced Threat Protection..." -NoNewline
EnableMSAnalyticsRule "Microsoft Defender Advanced Threat Protection"
}
#Azure Active Directory Identity Protection connector
elseif ($connector.kind -eq "AzureActiveDirectory") {
$dataConnectorBody = ""
#query for connected Data connectors
$connectorProperties = checkDataConnector($connector.kind)
$dataConnectorBody = BuildDataconnectorPayload $connector $connectorProperties.guid $connectorProperties.etag $connectorProperties.isEnabled
EnableOrUpdateDataconnector $baseUri $connectorProperties.guid $dataConnectorBody $connectorProperties.isEnabled
Write-Host "Adding Analytics Rule for data connector Azure Active Directory Identity Protection..." -NoNewline
EnableMSAnalyticsRule "Azure Active Directory Identity Protection"
}
#AzureActiveDirectory
elseif ($connector.kind -eq "AzureActiveDirectoryDiagnostics") {
<# Azure Active Directory Audit/SignIn logs - requires special call and is therefore not connectors file
# Be aware that you executing SPN needs Owner rights on tenant scope for this operation, can be added with following CLI
# az role assignment create --role Owner --scope "/" --assignee {13ece749-d0a0-46cf-8000-b2552b520631}#>
$uri = "/providers/microsoft.aadiam/diagnosticSettings/AzureSentinel_${Workspace}?api-version=2017-04-01"
$connectorProperties = $connector.properties
$connectorProperties | Add-Member -NotePropertyName workspaceId -NotePropertyValue "/subscriptions/${SubscriptionId}/resourcegroups/${ResourceGroup}/providers/Microsoft.OperationalInsights/workspaces/${Workspace}"
$connectorBody = @{}
$connectorBody | Add-Member -NotePropertyName name -NotePropertyValue "AzureSentinel_${Workspace}"
$connectorBody.Add("properties",$connectorProperties)
try {
$result = Invoke-AzRestMethod -Path $uri -Method PUT -Payload ($connectorBody | ConvertTo-Json -Depth 3)
if ($result.StatusCode -eq 200) {
Write-Host "Successfully enabled data connector: $($connector.kind)" -ForegroundColor Green
}
else {
Write-Error "Unable to enable data connector $($connector.kind) with error: $($result.Content)"
}
Write-Verbose ($body.Properties | Format-List | Format-Table | Out-String)
}
catch {
$errorReturn = $_
Write-Verbose $_
Write-Error "Unable to invoke webrequest with error message: $errorReturn" -ErrorAction Stop
}
}
}