adding sample script to import GitHub YAML rules

2021-03-08 19:20:51 +01:00 · 2021-03-08 19:20:51 +01:00 · 1da3ac7cf9
--- a/Tools/Az.SecurityInsights-Samples/Alert
+++ b/Tools/Az.SecurityInsights-Samples/Alert
@ -66,7 +66,7 @@ if (!(Test-Path -Path $ruleExportPath))
 try {
    $rules = Get-AzSentinelAlertRule -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName | Where-Object {$_.Kind -eq "Scheduled"} 
    Write-Host ("Exporting " + $rules.count + " Scheduled rules...") -ForegroundColor Yellow
-    $rules | ConvertTo-Json -Depth 15 | Out-File ($ruleExportPath + "Scheduled.json") -Force
+    $rules | ConvertTo-Json -Depth 15 | Out-File ($ruleExportPath + "\" + "Scheduled.json") -Force
 }
 catch {
    Write-Warning "Either your Azure connection is invalid or your Azure Sentinel settings are incorrect"
@ -79,7 +79,7 @@ catch {
 try {
    $rules = Get-AzSentinelAlertRule -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName | Where-Object {$_.Kind -eq "Fusion"} 
    Write-Host ("Exporting " + $rules.count + " Fusion rules...") -ForegroundColor Yellow
-    $rules | ConvertTo-Json -Depth 15 | Out-File ($ruleExportPath + "Fusion.json") -Force
+    $rules | ConvertTo-Json -Depth 15 | Out-File ($ruleExportPath + "\" + "Fusion.json") -Force
 }
 catch {
    Write-Warning "Either your Azure connection is invalid or your Azure Sentinel settings are incorrect"
@ -91,7 +91,7 @@ catch {
 try {
    $rules = Get-AzSentinelAlertRule -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName | Where-Object {$_.Kind -eq "MicrosoftSecurityIncidentCreation"} 
    Write-Host ("Exporting " + $rules.count + " MicrosoftSecurityIncidentCreation rules...") -ForegroundColor Yellow
-    $rules | ConvertTo-Json -Depth 15 | Out-File ($ruleExportPath + "MicrosoftSecurityIncidentCreation.json") -Force
+    $rules | ConvertTo-Json -Depth 15 | Out-File ($ruleExportPath + "\" + "MicrosoftSecurityIncidentCreation.json") -Force
 }
 catch {
    Write-Warning "Either your Azure connection is invalid or your Azure Sentinel settings are incorrect"
--- a/Tools/Az.SecurityInsights-Samples/Alert
+++ b/Tools/Az.SecurityInsights-Samples/Alert
@ -0,0 +1,181 @@
+param (
+    #The subscription that holds your Azure Sentinel workspace
+    [parameter(Mandatory = $true)]
+    [string] $subscriptionId,
+    # The resource group name which holds your Azure Sentinel workspace
+    [parameter(Mandatory = $true)]
+    # The Azure Sentinel workspace name
+    [string] $resourceGroupName,
+    [parameter(Mandatory = $true)]
+    [string] $workspaceName,
+    # The import folder name where your rule files are in, for example C:\SentinelRules\Import
+    [parameter(Mandatory = $true)]
+    [string] $YAMLimportPath,
+    # The full GitHub path, for example: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Detections/ (notice the end backslash)
+    [parameter(Mandatory = $true)]
+    [string] $GitHubPath
+)
+
+$ErrorActionPreference = "Stop"
+
+#Array - containing GitHub detection rules yaml files download - please the subfolder as well
+$GitHubYAMLRulesToExport = @(
+    "W3CIISLog/HAFNIUMSuspiciousExchangeRequestPattern.yaml",
+    "MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml",
+    "SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml",
+    "SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml"
+)
+
+# Check powershell version, needs to be 5 or higher
+if ($host.Version.Major -lt 5) {
+    Write-Warning "Supported PowerShell version for this script is 5 or above"
+    Write-Warning "Aborting...."
+    break
+}
+
+#Check if the Az.SecurityInsights module is installed, if not install it
+#This will auto install the Az.Accounts module if it is not installed
+$AzSecurityInsightsModule = Get-InstalledModule -Name Az.SecurityInsights -ErrorAction SilentlyContinue
+if ($AzSecurityInsightsModule -eq $null) {
+    Write-Warning "The Az.SecurityInsights PowerShell module is not found"
+        #check for Admin Privleges
+        $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
+
+        if (-not ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))) {
+            #Not an Admin, install to current user
+            Write-Warning -Message "Can not install the Az.SecurityInsights module. You are not running as Administrator"
+            Write-Warning -Message "Installing Az.SecurityInsights module to current user Scope"
+            Install-Module Az.SecurityInsights -Scope CurrentUser -Force
+        }
+        Else {
+            #Admin, install to all users
+            Write-Warning -Message "Installing the Az.SecurityInsights module to all users"
+            Install-Module -Name Az.SecurityInsights -Force
+            Import-Module -Name Az.SecurityInsights -Force
+        }
+}
+
+#Check the Azure subscription context
+$AzAccountsModule = Get-Module -Name Az.Accounts
+if ($AzAccountsModule -eq $null) {
+    Write-Warning "Az.Accounts module has not been imported, trying to import...."
+    Import-Module -Name Az.Accounts -Force
+}
+
+$subIdContext = (Get-AzContext).Subscription.Id 
+if ($subIdContext -ne $subscriptionId) {
+    $setSub = Set-AzContext -SubscriptionName $subscriptionId -ErrorAction SilentlyContinue
+    if ($setSub -eq $Null) {
+        Write-Warning "$subscriptionId is not set, please login"
+        Login-AzAccount
+        Set-AzContext -SubscriptionName $subscriptionId -ErrorAction SilentlyContinue
+    }
+}
+
+# If not installed, import the PowerShell-YAML community module, installed from https://www.powershellgallery.com/packages/powershell-yaml/0.4.2
+$powershellYamlModule = Get-Module -Name "powershell-yaml" -ErrorAction SilentlyContinue
+if ($powershellYamlModule -eq $null) {
+    Write-Warning "The PowerShell-YAML module is not found"
+        #check for Admin Privleges
+        $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
+
+        if (-not ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))) {
+            #Not an Admin, install to current user
+            Write-Warning -Message "Can not install the PowerShell-YAML module. You are not running as Administrator"
+            Write-Warning -Message "Installing the PowerShell-YAML module to current user Scope"
+            Install-Module powershell-yaml -Scope CurrentUser -Force
+        }
+        Else {
+            #Admin, install to all users
+            Write-Warning -Message "Installing the powershell-yaml module to all users"
+            Install-Module -Name powershell-yaml -Force
+            Import-Module -Name powershell-yaml -Force
+        }
+}
+
+# Import the Az.SecurityInsights module
+Import-Module -Name Az.SecurityInsights
+
+# Create YAML import folder if it does not exist
+if (!(Test-Path -Path $YAMLimportPath))
+{
+    Write-Warning ("Folder " + $YAMLimportPath + " does not exist, creating the folder for you....")
+    New-Item -itemType Directory -Path $YAMLimportPath
+}
+
+# Save the GitHub YAML files separately to a folder as YAML files
+foreach ($GitHubRule in $GitHubYAMLRulesToExport) {
+    $GitHubRuleShortName = $GitHubRule.Substring($GitHubRule.IndexOf('/')+1)
+    $myRuleObjectYAML = (New-Object System.Net.WebClient).DownloadString($GitHubPath + $GitHubRule)
+    $myRuleObject = $myRuleObjectYAML | ConvertFrom-Yaml
+    $myRuleObjectYAML | Out-File ($YAMLimportPath + "\" + $GitHubRuleShortName) -Force -Verbose
+}
+#endregion
+
+#region Import local GitHub rules
+$myNewRules = Get-ChildItem $YAMLimportPath -Filter *.yaml
+#Stop if we don't have YAML rules found to import
+if ($myNewRules -eq $null) {
+    Write-Warning "Cannot find YAML rules to import, is your path correct?"
+    break
+}
+
+foreach ($myNewRule in $myNewRules) {
+    $myRuleObject = [pscustomobject](Get-Content $myNewRule.FullName -Raw | ConvertFrom-Yaml)
+    $myRuleObject | Add-Member -MemberType NoteProperty -Name DisplayName -Value $myRuleObject.name
+
+    #Since rules need to be created in the ISO 8601 duration format, we need to do conversion
+    #Taking the last character, which represent the day, hr or minute unit
+    $QueryFrequencyUnit = $myRuleObject.QueryFrequency.Substring($myRuleObject.QueryFrequency.Length - 1, 1)
+    
+    if ($QueryFrequencyUnit.EndsWith("d")){
+        $QueryFrequencyValue = $myRuleObject.QueryFrequency.TrimEnd($QueryFrequencyUnit)
+        #converting to minutes
+        $QueryFrequencyValue = [int]$QueryFrequencyValue
+        $QueryFrequencyValue = ($QueryFrequencyValue * 24) * 60
+
+    }
+     elseif ($QueryFrequencyUnit.EndsWith("h")) {
+        $QueryFrequencyValue = $myRuleObject.QueryFrequency.TrimEnd($QueryFrequencyUnit)
+        #converting to minutes
+        $QueryFrequencyValue = [int]$QueryFrequencyValue
+        $QueryFrequencyValue = ($QueryFrequencyValue * 60)
+
+    }
+     elseif ($QueryFrequencyUnit.EndsWith("m")) {
+        $QueryFrequencyValue = $myRuleObject.QueryFrequency.TrimEnd($QueryFrequencyUnit)
+    }
+    #creating the ISO 8601 ticks value
+    $QueryFrequencyTicks = New-TimeSpan -Minutes $QueryFrequencyValue 
+    Write-Host ("Query Frequency: " + $QueryFrequencyTicks + "For rule: " + $myRuleObject.name)
+    $QueryFrequencyTicks
+
+    #QueryPeriodUnit
+    $queryPeriodUnit = $myRuleObject.QueryPeriod.Substring($myRuleObject.queryPeriod.Length - 1, 1)
+
+    if ($queryPeriodUnit.EndsWith("d")){
+        $queryPeriodUnitValue = $myRuleObject.queryPeriod.TrimEnd($queryPeriodUnit)
+        #converting to minutes
+        $queryPeriodUnitValue = [int]$queryPeriodUnitValue
+        $queryPeriodUnitValue = ($queryPeriodUnitValue * 24) * 60
+
+    }
+     elseif ($queryPeriodUnit.EndsWith("h")) {
+        $queryPeriodUnitValue = $myRuleObject.queryPeriod.TrimEnd($queryPeriodUnit)
+        #converting to minutes
+        $queryPeriodUnitValue = [int]$queryPeriodUnitValue
+        $queryPeriodUnitValue = ($queryPeriodUnitValue * 60)
+
+    }
+     elseif ($queryPeriodUnit.EndsWith("m")) {
+        $queryPeriodUnitValue = $myRuleObject.queryPeriod.TrimEnd($queryPeriodUnit)
+    }
+    #creating the ISO 8601 ticks value
+    $QueryPeriodTicks = New-TimeSpan -Minutes $queryPeriodUnitValue 
+    Write-Host ("Query Period: " + $QueryPeriodTicks + "For rule: " + $myRuleObject.name)
+
+    New-AzSentinelAlertRule -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName `
+    -Scheduled -DisplayName $myRuleObject.DisplayName -Description $myRuleObject.Description -Query $myRuleObject.Query `
+    -QueryFrequency $QueryFrequencyTicks -QueryPeriod $QueryPeriodTicks -Severity $myRuleObject.Severity -TriggerThreshold $myRuleObject.TriggerThreshold -Enabled
+}
+#endregion
--- a/Tools/Az.SecurityInsights-Samples/Alert
+++ b/Tools/Az.SecurityInsights-Samples/Alert
@ -0,0 +1,64 @@
+# Import GitHub YAML Analytics Rules
+*Author: Tiander Turpijn - Microsoft*
+<br/><br/>
+
+**Objective:** Import GitHub YAML rules to an existing Azure Sentinel Workspace <br/>
+
+This sample script allows you to import Azure Sentinel detection rules from GitHub, which are in the format of YAML.<br/>
+The most efficient way is to clone the Azure Sentinel GitHub repo so that you have all the rules locally. You can leverage the import sections to import a whole YAML folder<br/>
+This sample however is focused on importing specific YAML type detection rules which you specify in the sample script.<br/>
+The script will download your YAML files of choice (to be defined in the script's array) and will import these in your Azure Sentinel workspace.
+
+#### Credits
+This sample script uses a community PowerShell module called [powershell-yaml](https://www.powershellgallery.com/packages/powershell-yaml/0.4.2) authored by Gabriel Adrian Samfira and Alessandro Pilotti.
+<br/><br/>
+
+#### Script Parameters
+The script will prompt you for the following parameter values:
+* *subscriptionId* - the subscription ID where your Azure Sentinel workspace resides in
+* *resourceGroupName* - the Azure resource group name where the Azure Sentinel workspace resides in
+* *workspaceName* - the name of the Azure Sentinel workspace
+* *YAMLimportPath* - the name of the folder where your YAML files will stored and imported from, for example **C:\SentinelRules\Export**
+<br/><br/>
+
+**Prerequisites:**
+The following Azure PowerShell modules are required and will be installed if missing:
+* Az.Accounts
+* Az.SecurityInsights
+* powershell-yaml
+<br/><br/>
+
+#### Sections to update in the script
+For the parameter **$YAMLimportPath**, make sure to specify the raw GitHub URL, including a "/" at the end, like this:
+```powershell
+ https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Detections/
+```
+<br/>
+
+Update the array in the script and specify the **subfolder** and **filename**, like the sample below:
+```powershell
+#Array - containing GitHub detection rules yaml files download - please the subfolder as well
+$GitHubYAMLRulesToExport = @(
+    "W3CIISLog/HAFNIUMSuspiciousExchangeRequestPattern.yaml",
+    "MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml",
+    "SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml",
+    "SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml"
+)
+```
+<br/>
+
+#### Running the script 
+After your have downloaded the sample script, you can run the script with parameters as follows:
+```powershell
+.\ImportGitHubYAMLrules.ps1 -subscriptionId "12345678-c53c-4092-8d4a-12345678900c" -resourceGroupName "myResourceGroupName" -workspaceName "mySentinelworkspaceName" `
+-YAMLimportPath "C:\Sentinel\YAMLimport" -GitHubPath "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Detections/"
+```
+
+
+
+
+
+
+
+
+
--- a/Tools/Az.SecurityInsights-Samples/Alert
+++ b/Tools/Az.SecurityInsights-Samples/Alert
@ -10,6 +10,8 @@
 [Export Analytics Rules Sample](https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Az.SecurityInsights-Samples/Alert%20Rules/Export%20Analytics%20Rules)
 <br/>
 [Import Analytics Rules Sample](https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Az.SecurityInsights-Samples/Alert%20Rules/Import%20Analytics%20Rules)
+<br/>
+Import Azure Sentinel GitHub YAML rules