Release support for watchlist #176

finish get and remove
pkhabazi committed Mar 20, 2021

commit 15538f3c5dc76cb1df191fc133c81475c3968b29
61 changes: 30 additions & 31 deletions AzSentinel/Public/Get-AzSentinelWatchlist.ps1
@@ -6,30 +6,28 @@ function Get-AzSentinelWatchlist {
.SYNOPSIS
Get Azure Sentinel Watchlist
.DESCRIPTION
With this function you can get a list of open incidents from Azure Sentinel.
You can can also filter to Incident with speciefiek case namber or Case name
With this function you can get a list of open watchLists from Azure Sentinel.
You can can also filter to watchList with speciefiek case namber or Case name
.PARAMETER SubscriptionId
Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
.PARAMETER WorkspaceName
Enter the Workspace name
.PARAMETER IncidentName
Enter incident name, this is the same name as the alert rule that triggered the incident
.PARAMETER CaseNumber
Enter the case number to get specfiek details of a open case
.PARAMETER DisplayName
Enter watchList name, this is the same name as the alert rule that triggered the watchList
.PARAMETER All
Use -All switch to get a list of all the incidents
Use -All switch to get a list of all the watchLists
.EXAMPLE
Get-AzSentinelIncident -WorkspaceName ""
Get a list of the last 200 Incidents
Get-AzSentinelwatchList -WorkspaceName ""
Get a list of the last 200 watchLists
.EXAMPLE
Get-AzSentinelIncident -WorkspaceName "" -All
Get a list of all Incidents
Get-AzSentinelwatchList -WorkspaceName "" -All
Get a list of all watchLists
.EXAMPLE
Get-AzSentinelIncident -WorkspaceName "" -CaseNumber
Get information of a specifiek incident with providing the casenumber
Get-AzSentinelwatchList -WorkspaceName "" -Name
Get information of a specifiek watchList with providing the name
.EXAMPLE
Get-AzSentinelIncident -WorkspaceName "" -IncidentName "", ""
Get information of one or more incidents with providing a incident name, this is the name of the alert rule that triggered the incident
Get-AzSentinelwatchList -WorkspaceName "" -Name "", ""
Get information of one or more watchLists with providing a watchList name, this is the name of the alert rule that triggered the watchList
#>

[cmdletbinding(SupportsShouldProcess)]
@@ -45,7 +43,7 @@ function Get-AzSentinelWatchlist {

[Parameter(Mandatory = $false)]
[ValidateNotNullOrEmpty()]
[string[]]$DisplayName
[string[]]$Name

)

@@ -80,12 +78,12 @@ function Get-AzSentinelWatchlist {
Write-Verbose -Message "Using URI: $($uri)"

try {
$incidentRaw = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader)
$incident += $incidentRaw.value
$watchListRaw = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader)
$watchList += $watchListRaw.value

while ($incidentRaw.nextLink) {
$incidentRaw = (Invoke-RestMethod -Uri $($incidentRaw.nextLink) -Headers $script:authHeader -Method Get)
$incident += $incidentRaw.value
while ($watchListRaw.nextLink) {
$watchListRaw = (Invoke-RestMethod -Uri $($watchListRaw.nextLink) -Headers $script:authHeader -Method Get)
$watchList += $watchListRaw.value
}
}
catch {
@@ -95,34 +93,35 @@ function Get-AzSentinelWatchlist {

$return = @()

if ($incident) {
Write-Verbose "Found $($incident.count) watchlists"
if ($watchList) {
Write-Verbose "Found $($watchList.count) watchlists"

if ($DisplayName.Count -ge 1) {
foreach ($rule in $IncidentName) {
[PSCustomObject]$temp = $incident | Where-Object { $_.properties.name -like $rule }
if ($Name.Count -ge 1) {
foreach ($rule in $Name) {

if ($null -ne $temp) {
[PSCustomObject]$temp = $watchList | Where-Object { $_.name -like $rule }

if ($temp) {
$temp.properties | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force
$temp.properties | Add-Member -NotePropertyName name -NotePropertyValue $temp.name -Force
$return += $temp.properties
}
else {
Write-Error "Unable to find incident: $rule"
Write-Error "WatchList ruole '$rule' could not be found"
}
}
return $return
}
else {
$incident | ForEach-Object {
$watchList | ForEach-Object {
$_.properties | Add-Member -NotePropertyName etag -NotePropertyValue $_.etag -Force
$_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force
}
return $incident.properties
return $watchList.properties
}
}
else {
Write-Verbose "No incident found on $($WorkspaceName)"
Write-Verbose "No watchList found on $($WorkspaceName)"
}
}
}
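Review bot: The help block's `.PARAMETER DisplayName` entry no longer names a parameter that exists, because the hunk at `@@ -45,7 +43,7` renames it to `[string[]]$Name`, so Get-Help shows -Name with no description; change it to `.PARAMETER Name` and replace the incident-derived text ("alert rule that triggered the watchList") with what the code does, e.g. `Enter one or more watchlist names; matching uses -like, so wildcard patterns are accepted`. Stating the wildcard semantics matters because Remove-AzSentinelWatchlist in this same PR passes its -Name straight into this `Where-Object { $_.name -like $rule }` filter. The `.EXAMPLE` lines spell the cmdlet `Get-AzSentinelwatchList` while the function is declared as `Get-AzSentinelWatchlist`; case-insensitive or not, the examples should match the declared name. The new error text `WatchList ruole '$rule' could not be found` has what looks like a typo in "ruole" — `WatchList '$rule' could not be found` reads correctly.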
32 changes: 13 additions & 19 deletions AzSentinel/Public/Remove-AzSentinelWatchlist.ps1
@@ -4,24 +4,21 @@
function Remove-AzSentinelWatchlist {
<#
.SYNOPSIS
Remove Azure Sentinal Watchlist
Remove Azure Sentinal Watchlist rule
.DESCRIPTION
With this function you can remove Azure Sentinal Alert rules from Powershell, if you don't provide andy Rule name all rules will be removed
With this function you can remove Azure Sentinal Watchlist rules
.PARAMETER SubscriptionId
Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
.PARAMETER WorkspaceName
Enter the Workspace name
.PARAMETER RuleName
Enter the name of the rule that you wnat to remove
.PARAMETER Name
Enter the name of the watchlist rule that you wnat to remove
.EXAMPLE
Remove-AzSentinelWatchlist -WorkspaceName "" -DisplayName ""
In this example the defined rule will be removed from Azure Sentinel
Remove-AzSentinelWatchlist -WorkspaceName "" -Name ""
In this example the defined watchlist rule will be removed from Azure Sentinel
.EXAMPLE
Remove-AzSentinelWatchlist -WorkspaceName "" -DisplayName "","", ""
In this example you can define multiple rules that will be removed
.EXAMPLE
Remove-AzSentinelWatchlist -WorkspaceName ""
In this example no rule is specified, all rules will be removed one by one. For each rule you need to confirm the action
Remove-AzSentinelWatchlist -WorkspaceName "" -Name "","", ""
In this example you can define multiple watchlist rules that will be removed
#>

param (
@@ -36,7 +33,7 @@ function Remove-AzSentinelWatchlist {

[Parameter(Mandatory)]
[ValidateNotNullOrEmpty()]
[string[]]$DisplayName
[string[]]$Name
)

begin {
@@ -58,9 +55,9 @@ function Remove-AzSentinelWatchlist {
}
}

foreach ($rule in $DisplayName) {
foreach ($rule in $Name) {
try {
$item = Get-AzSentinelWatchlist @arguments -DisplayName $rule -ErrorAction Stop
$item = Get-AzSentinelWatchlist @arguments -Name $rule -ErrorAction Stop
}
catch {
$return = $_.Exception.Message
@@ -72,16 +69,13 @@ function Remove-AzSentinelWatchlist {

try {
$result = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader
Write-Output "Successfully removed rule: $($rule) with status: $($result.StatusDescription)"
Write-Host "Successfully removed watchlist rule '$rule' with status: $($result.StatusDescription)" -ForegroundColor Green
}
catch {
Write-Verbose $_
Write-Error "Unable to remove rule: $($rule) with error message: $($_.Exception.Message)" -ErrorAction Continue
Write-Error "Failed to remove watchlist rule '$rule' with error message: '$($_.Exception.Message)'" -ErrorAction Continue
}
}
else {
Write-Warning "$rule not found in $WorkspaceName"
}
}
}
}
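Review bot: `$item = Get-AzSentinelWatchlist @arguments -Name $rule -ErrorAction Stop` resolves the name through the Get cmdlet's `-like` filter, so `$item` can hold several watchlists when `$rule` contains `*` or `?`, and the DELETE request that follows is built from `$item` on lines outside this hunk; for a destructive call a guard such as `if (@($item).Count -ne 1) { Write-Error "Name '$rule' matched $(@($item).Count) watchlists"; continue }` (or an exact `-eq` lookup in the Get cmdlet) would keep one name from removing more than one entry. That matching behaviour is inferred from the Get cmdlet's hunk in this PR, not from lines shown here. Separately, the success message now goes through `Write-Host ... -ForegroundColor Green` instead of `Write-Output`, so callers scripting removals can no longer capture or redirect it; `Write-Information` (or keeping `Write-Output`) preserves that while still displaying the message. The process block and the URI construction of Remove-AzSentinelWatchlist start outside these hunks.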