Add small bugfix for unreleased feature and added test

f-bader · Nov 17, 2023 · 7062d01 · 7062d01
1 parent bcc4cea
commit 7062d01
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/src/public/Convert-SentinelARYamlToArm.ps1 b/src/public/Convert-SentinelARYamlToArm.ps1
@@ -278,7 +278,7 @@ function Convert-SentinelARYamlToArm {
 
         # Remove duplicate techniques
         if ($ARMTemplate.techniques) {
-            $ARMTemplate.techniques = $ARMTemplate.techniques | Sort-Object -Unique
+            $ARMTemplate.techniques = @($ARMTemplate.techniques | Sort-Object -Unique)
         }
 
         # Remove any invalid or non-existent tactics from the tactics array
@@ -288,17 +288,19 @@ function Convert-SentinelARYamlToArm {
 
         # Remove duplicate tactics
         if ($ARMTemplate.tactics) {
-            $ARMTemplate.tactics = $ARMTemplate.tactics | Sort-Object -Unique
+            $ARMTemplate.tactics = @($ARMTemplate.tactics | Sort-Object -Unique)
         }
 
         # Add startRunningAt property if specified
-        if ($StartRunningAt) {
+        if ($StartRunningAt -and $analyticRule.kind -eq "Scheduled") {
             # Remove existing startTimeUtc property
             if ("startTimeUtc" -in $ARMTemplate.Keys) {
                 $ARMTemplate.Remove("startTimeUtc")
             }
             # Add new startTimeUtc property
             $ARMTemplate.Add("startTimeUtc", $StartRunningAt.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ"))
+        } elseif ($StartRunningAt) {
+            Write-Warning "StartRunningAt parameter is only supported for scheduled rules. Ignoring parameter."
         }
 
         # Convert hashtable to JSON

diff --git a/tests/Convert-SentinelARYamlToArm.tests.ps1 b/tests/Convert-SentinelARYamlToArm.tests.ps1
@@ -338,6 +338,10 @@ Describe "Convert-SentinelARYamlToArm" {
         It "Should not contain non-existent MITRE techniques" {
             $armTemplate.resources[0].properties.techniques | Should -Not -Contain "T9912" -Because "T9912 is not an existend technique"
         }
+
+        It "Should be of type array" {
+            $armTemplate.resources[0].properties.techniques -is [System.Array] | Should -Be $true
+        }
     }
 
     Context "Scheduled with TTP invalid tactics" -Tag Integration {
@@ -365,6 +369,10 @@ Describe "Convert-SentinelARYamlToArm" {
         It "Should not contain non-existent MITRE tactics" {
             $armTemplate.resources[0].properties.tactics | Should -Not -Contain "SneakySquirrel" -Because "Sneaky Squirrel is not an officially recognized tactic"
         }
+
+        It "Should be of type array" {
+            $armTemplate.resources[0].properties.tactics -is [System.Array] | Should -Be $true
+        }
     }
 
     AfterAll {