Added severity filter #10

Open
wants to merge 3 commits into
base: master
182 changes: 95 additions & 87 deletions ARMTemplates/Scripts/EnableRules.ps1
@@ -1,7 +1,8 @@
param(
[Parameter(Mandatory = $true)][string]$ResourceGroup,
[Parameter(Mandatory = $true)][string]$Workspace,
[Parameter(Mandatory = $true)][string[]]$Connectors
[Parameter(Mandatory = $true)][string[]]$Connectors,
[Parameter(Mandatory = $false)][string[]]$SeveritiesToInclude = @("Informational", "Low", "Medium", "High")
)

$context = Get-AzContext
Expand Down Expand Up @@ -32,102 +33,106 @@ $return = @()

if ($Connectors) {
foreach ($item in $alertRulesTemplates) {
switch ($item.kind) {
"Scheduled" {
foreach ($connector in $item.properties.requiredDataConnectors) {
if ($connector.connectorId -in $Connectors) {
#$return += $item.properties
$guid = New-Guid
$alertUriGuid = $alertUri + $guid + '?api-version=2022-12-01-preview'
#Make sure that the template's severity is one we want to include
if ($SeveritiesToInclude.Contains($item.properties.severity)) {
switch ($item.kind) {
"Scheduled" {
foreach ($connector in $item.properties.requiredDataConnectors) {
if ($connector.connectorId -in $Connectors) {
#$return += $item.properties
$guid = New-Guid
$alertUriGuid = $alertUri + $guid + '?api-version=2022-12-01-preview'

$properties = @{
displayName = $item.properties.displayName
enabled = $true
suppressionDuration = "PT5H"
suppressionEnabled = $false
alertRuleTemplateName = $item.name
description = $item.properties.description
query = $item.properties.query
queryFrequency = $item.properties.queryFrequency
queryPeriod = $item.properties.queryPeriod
severity = $item.properties.severity
tactics = $item.properties.tactics
triggerOperator = $item.properties.triggerOperator
triggerThreshold = $item.properties.triggerThreshold
techniques = $item.properties.techniques
eventGroupingSettings = $item.properties.eventGroupingSettings
templateVersion = $item.properties.version
entityMappings = $item.properties.entityMappings
}
$properties = @{
displayName = $item.properties.displayName
enabled = $true
suppressionDuration = "PT5H"
suppressionEnabled = $false
alertRuleTemplateName = $item.name
description = $item.properties.description
query = $item.properties.query
queryFrequency = $item.properties.queryFrequency
queryPeriod = $item.properties.queryPeriod
severity = $item.properties.severity
tactics = $item.properties.tactics
triggerOperator = $item.properties.triggerOperator
triggerThreshold = $item.properties.triggerThreshold
techniques = $item.properties.techniques
eventGroupingSettings = $item.properties.eventGroupingSettings
templateVersion = $item.properties.version
entityMappings = $item.properties.entityMappings
}

$alertBody = @{}
$alertBody | Add-Member -NotePropertyName kind -NotePropertyValue $item.kind -Force
$alertBody | Add-Member -NotePropertyName properties -NotePropertyValue $properties
$alertBody = @{}
$alertBody | Add-Member -NotePropertyName kind -NotePropertyValue $item.kind -Force
$alertBody | Add-Member -NotePropertyName properties -NotePropertyValue $properties

try {
Invoke-AzRestMethod -Path $alertUriGuid -Method PUT -Payload ($alertBody | ConvertTo-Json -Depth 3)
}
catch {
Write-Verbose $_
Write-Error "Unable to create alert rule with error code: $($_.Exception.Message)" -ErrorAction Stop
}
try {
Invoke-AzRestMethod -Path $alertUriGuid -Method PUT -Payload ($alertBody | ConvertTo-Json -Depth 3)
}
catch {
Write-Verbose $_
Write-Error "Unable to create alert rule with error code: $($_.Exception.Message)" -ErrorAction Stop
}

break
break
}
}
}
}
"NRT" {
foreach ($connector in $item.properties.requiredDataConnectors) {
if ($connector.connectorId -in $Connectors) {
#$return += $item.properties
$guid = New-Guid
$alertUriGuid = $alertUri + $guid + '?api-version=2022-12-01-preview'
"NRT" {
foreach ($connector in $item.properties.requiredDataConnectors) {
if ($connector.connectorId -in $Connectors) {
#$return += $item.properties
$guid = New-Guid
$alertUriGuid = $alertUri + $guid + '?api-version=2022-12-01-preview'

$properties = @{
displayName = $item.properties.displayName
enabled = $true
suppressionDuration = "PT5H"
suppressionEnabled = $false
alertRuleTemplateName = $item.name
description = $item.properties.description
query = $item.properties.query
severity = $item.properties.severity
tactics = $item.properties.tactics
techniques = $item.properties.techniques
eventGroupingSettings = $item.properties.eventGroupingSettings
templateVersion = $item.properties.version
entityMappings = $item.properties.entityMappings
}
$properties = @{
displayName = $item.properties.displayName
enabled = $true
suppressionDuration = "PT5H"
suppressionEnabled = $false
alertRuleTemplateName = $item.name
description = $item.properties.description
query = $item.properties.query
severity = $item.properties.severity
tactics = $item.properties.tactics
techniques = $item.properties.techniques
eventGroupingSettings = $item.properties.eventGroupingSettings
templateVersion = $item.properties.version
entityMappings = $item.properties.entityMappings
}

$alertBody = @{}
$alertBody | Add-Member -NotePropertyName kind -NotePropertyValue $item.kind -Force
$alertBody | Add-Member -NotePropertyName properties -NotePropertyValue $properties
$alertBody = @{}
$alertBody | Add-Member -NotePropertyName kind -NotePropertyValue $item.kind -Force
$alertBody | Add-Member -NotePropertyName properties -NotePropertyValue $properties

try {
Invoke-AzRestMethod -Path $alertUriGuid -Method PUT -Payload ($alertBody | ConvertTo-Json -Depth 3)
}
catch {
Write-Verbose $_
Write-Error "Unable to create alert rule with error code: $($_.Exception.Message)" -ErrorAction Stop
}
try {
Invoke-AzRestMethod -Path $alertUriGuid -Method PUT -Payload ($alertBody | ConvertTo-Json -Depth 3)
}
catch {
Write-Verbose $_
Write-Error "Unable to create alert rule with error code: $($_.Exception.Message)" -ErrorAction Stop
}

break
break
}
}
}
}
}

}
}

#####
#create rules from any rule templates that came from solutions
#####
#####
#create rules from any rule templates that came from solutions
#####

$solutionURL = "https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01"
$solutionURL = "https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01"

#We only care about those rule templates that were created by Microsoft Sentinel solutions so
#this query will make sure to filter out anything else as well as provide some overview data (which is not used)
$query = @"
#We only care about those rule templates that were created by Microsoft Sentinel solutions so
#this query will make sure to filter out anything else as well as provide some overview data (which is not used)
$query = @"
Resources
| where type =~ 'Microsoft.Resources/templateSpecs/versions'
| where tags['hidden-sentinelContentType'] =~ 'AnalyticsRule'
Expand All @@ -141,16 +146,18 @@ if ($Connectors) {
| project contentId, version, properties
"@

$body = @{
"subscriptions" = @($SubscriptionId)
"query" = $query
}
$body = @{
"subscriptions" = @($SubscriptionId)
"query" = $query
}

#Load all the rule templates from solutions
$results = Invoke-AzRestMethod -Path $solutionURL -Method POST -Payload ($body | ConvertTo-Json -EnumAsStrings -Depth 5)
#Load all the rule templates from solutions
$results = Invoke-AzRestMethod -Path $solutionURL -Method POST -Payload ($body | ConvertTo-Json -EnumAsStrings -Depth 5)

#Iterate through all the rule templates
foreach ($result in $results.data) {
#Iterate through all the rule templates
foreach ($result in $results.data) {
#Make sure that the template's severity is one we want to include
if ($SeveritiesToInclude.Contains($result.properties.template.resources.properties.severity)) {
#Get to the actual template data
$template = $result.properties.template.resources.properties
$kind = $result.properties.template.resources.kind
Expand Down Expand Up @@ -280,5 +287,6 @@ if ($Connectors) {
}
}
}
}

return $return
return $return
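Review bot: The new severity check `if ($SeveritiesToInclude.Contains($item.properties.severity))` (and the same `.Contains` call on `$result.properties.template.resources.properties.severity` in the solution-template loop) uses the array's .Contains(), which compares case-sensitively, so a caller passing `-SeveritiesToInclude low` silently matches nothing and no rules get enabled; the rest of the script already uses PowerShell's case-insensitive `-in` for this (`$connector.connectorId -in $Connectors`), so write `if ($item.properties.severity -in $SeveritiesToInclude) {` and `if ($result.properties.template.resources.properties.severity -in $SeveritiesToInclude) {`. A typo in the parameter value fails just as silently, leaving a detection-coverage gap with no error; adding `[ValidateSet("Informational", "Low", "Medium", "High")]` above the `$SeveritiesToInclude` parameter rejects it at invocation instead of producing an empty deployment. If `resources` can hold more than one element, the member-enumerated severity becomes an array and the `.Contains` test is always false — worth confirming against the template spec shape. The enclosing `foreach` loops and the `if ($Connectors)` block begin and end outside the shown hunks.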