-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathCreate-NewSolutionAndRulesFromList.ps1
More file actions
206 lines (182 loc) · 10.1 KB
/
Create-NewSolutionAndRulesFromList.ps1
File metadata and controls
206 lines (182 loc) · 10.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
param(
[Parameter(Mandatory = $true)][string]$ResourceGroup,
[Parameter(Mandatory = $true)][string]$Workspace,
[Parameter(Mandatory = $true)][string]$Region,
[Parameter(Mandatory = $false)][string[]]$Solutions,
[Parameter(Mandatory = $false)][string[]]$SeveritiesToInclude = @("Informational", "Low", "Medium", "High"),
[Parameter(Mandatory = $false)][bool]$enableAnalytics = $false
)
$context = Get-AzContext
if (!$context) {
Connect-AzAccount
$context = Get-AzContext
}
Write-Host "Connected to Azure with subscription: " $context.Subscription
$context = Get-AzContext
$instanceProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
$profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($instanceProfile)
$token = $profileClient.AcquireAccessToken($context.Subscription.TenantId)
$authHeader = @{
'Content-Type' = 'application/json'
'Authorization' = 'Bearer ' + $token.AccessToken
}
$SubscriptionId = $context.Subscription.Id
$baseUri = "https://management.azure.com/subscriptions/${SubscriptionId}/resourceGroups/${ResourceGroup}/providers/Microsoft.OperationalInsights/workspaces/${Workspace}"
$alertUri = "$baseUri/providers/Microsoft.SecurityInsights/alertRules/"
# Get a list of all the solutions
$url = $baseUri + "/providers/Microsoft.SecurityInsights/contentProductPackages?api-version=2023-04-01-preview"
$allSolutions = (Invoke-RestMethod -Method "Get" -Uri $url -Headers $authHeader ).value
#Deploy each single solution
#$templateParameter = @{"workspace-location" = $Region; workspace = $Workspace }
foreach ($deploySolution in $Solutions) {
$singleSolution = $allSolutions | Where-Object { $_.properties.displayName -Contains $deploySolution }
if ($null -eq $singleSolution) {
Write-Error "Unable to get find solution with name $deploySolution"
}
else {
$solutionURL = $baseUri + "/providers/Microsoft.SecurityInsights/contentProductPackages/$($singleSolution.name)?api-version=2023-04-01-preview"
$solution = (Invoke-RestMethod -Method "Get" -Uri $solutionURL -Headers $authHeader )
Write-Host "Solution name: " $solution.name
$packagedContent = $solution.properties.packagedContent
#Some of the post deployment instruction contains invalid characters and since this is not displayed anywhere
#get rid of them.
foreach ($resource in $packagedContent.resources) {
if ($null -ne $resource.properties.mainTemplate.metadata.postDeployment ) {
$resource.properties.mainTemplate.metadata.postDeployment = $null
}
}
$installBody = @{"properties" = @{
"parameters" = @{
"workspace" = @{"value" = $Workspace }
"workspace-location" = @{"value" = $Region }
}
"template" = $packagedContent
"mode" = "Incremental"
}
}
$deploymentName = ("allinone-" + $solution.name)
if ($deploymentName.Length -ge 64) {
$deploymentName = $deploymentName.Substring(0, 64)
}
$installURL = "https://management.azure.com/subscriptions/$($SubscriptionId)/resourcegroups/$($ResourceGroup)/providers/Microsoft.Resources/deployments/" + $deploymentName + "?api-version=2021-04-01"
#$templateUri = $singleSolution.plans.artifacts | Where-Object -Property "name" -EQ "DefaultTemplate"
Write-Host "Deploying solution: $deploySolution"
try {
Invoke-RestMethod -Uri $installURL -Method Put -Headers $authHeader -Body ($installBody | ConvertTo-Json -EnumsAsStrings -Depth 50 -EscapeHandling EscapeNonAscii)
Write-Host "Deployed solution: $deploySolution"
}
catch {
$errorReturn = $_
Write-Error $errorReturn
}
}
}
if ($enableAnalytics) {
#####
#create rules from any rule templates that came from solutions
#####
if (($SeveritiesToInclude -eq "None") -or ($null -eq $SeveritiesToInclude)) {
Exit
}
#Give the system time to update all the needed databases before trying to install the rules.
Start-Sleep -Seconds 60
#URL to get all the needed Analytic Rule templates
$solutionURL = $baseUri + "/providers/Microsoft.SecurityInsights/contentTemplates?api-version=2023-05-01-preview"
#Add a filter only return analytic rule templates
$solutionURL += "&%24filter=(properties%2FcontentKind%20eq%20'AnalyticsRule')"
$results = (Invoke-RestMethod -Uri $solutionURL -Method Get -Headers $authHeader).value
$BaseAlertUri = $baseUri + "/providers/Microsoft.SecurityInsights/alertRules/"
$BaseMetaURI = $baseURI + "/providers/Microsoft.SecurityInsights/metadata/analyticsrule-"
Write-Host "Severities to include..." $SeveritiesToInclude
#Iterate through all the rule templates
foreach ($result in $results ) {
#Make sure that the template's severity is one we want to include
$severity = $result.properties.mainTemplate.resources.properties[0].severity
Write-Host "Rule Template's severity is... " $severity
#Write-Host "condition is..." $SeveritiesToInclude.Contains($severity)
if ($SeveritiesToInclude.Contains($severity)) {
Write-Host "Enabling alert rule template... " $result.properties.template.resources.properties.displayName
$templateVersion = $result.properties.mainTemplate.resources.properties[1].version
$template = $result.properties.mainTemplate.resources.properties[0]
$kind = $result.properties.mainTemplate.resources.kind
$displayName = $template.displayName
$eventGroupingSettings = $template.eventGroupingSettings
if ($null -eq $eventGroupingSettings) {
$eventGroupingSettings = [ordered]@{aggregationKind = "SingleAlert" }
}
$body = ""
$properties = $result.properties.mainTemplate.resources[0].properties
$properties.enabled = $true
#Add the field to link this rule with the rule template so that the rule template will show up as used
#We had to use the "Add-Member" command since this field does not exist in the rule template that we are copying from.
$properties | Add-Member -NotePropertyName "alertRuleTemplateName" -NotePropertyValue $result.properties.mainTemplate.resources[0].name
$properties | Add-Member -NotePropertyName "templateVersion" -NotePropertyValue $result.properties.mainTemplate.resources[1].properties.version
#Depending on the type of alert we are creating, the body has different parameters
switch ($kind) {
"MicrosoftSecurityIncidentCreation" {
$body = @{
"kind" = "MicrosoftSecurityIncidentCreation"
"properties" = $properties
}
}
"NRT" {
$body = @{
"kind" = "NRT"
"properties" = $properties
}
}
"Scheduled" {
$body = @{
"kind" = "Scheduled"
"properties" = $properties
}
}
Default { }
}
#If we have created the body...
if ("" -ne $body) {
#Create the GUId for the alert and create it.
$guid = (New-Guid).Guid
#Create the URI we need to create the alert.
$alertUri = $BaseAlertUri + $guid + "?api-version=2022-12-01-preview"
try {
Write-Host "Attempting to create rule $($displayName)"
$verdict = Invoke-RestMethod -Uri $alertUri -Method Put -Headers $authHeader -Body ($body | ConvertTo-Json -EnumsAsStrings -Depth 50)
#Invoke-RestMethod -Uri $installURL -Method Put -Headers $authHeader -Body ($installBody | ConvertTo-Json -EnumsAsStrings -Depth 50)
Write-Output "Succeeded"
$solution = $allSolutions.properties | Where-Object -Property "contentId" -Contains $result.properties.packageId
$metabody = @{
"apiVersion" = "2022-01-01-preview"
"name" = "analyticsrule-" + $verdict.name
"type" = "Microsoft.OperationalInsights/workspaces/providers/metadata"
"id" = $null
"properties" = @{
"contentId" = $verdict.name
"parentId" = $verdict.id
"kind" = "AnalyticsRule"
"version" = $templateVersion
"source" = $solution.source
"author" = $solution.author
"support" = $solution.support
}
}
Write-Output " Updating metadata...."
$metaURI = $BaseMetaURI + $verdict.name + "?api-version=2022-01-01-preview"
$metaVerdict = Invoke-RestMethod -Uri $metaURI -Method Put -Headers $authHeader -Body ($metabody | ConvertTo-Json -EnumsAsStrings -Depth 5)
Write-Output "Succeeded"
}
catch {
#The most likely error is that there is a missing dataset. There is a new
#addition to the REST API to check for the existance of a dataset but
#it only checks certain ones. Hope to modify this to do the check
#before trying to create the alert.
$errorReturn = $_
Write-Error $errorReturn
}
#This pauses for 5 second so that we don't overload the workspace.
Start-Sleep -Seconds 1
}
}
}
}
return $return