Optimized some of the code.

2022-12-31 16:22:30 -07:00 · 2022-12-31 16:22:30 -07:00 · 512cdfbcb1
--- a/DataConnectors/M365Defender-VulnerabilityManagement/azureDeploy.json
+++ b/DataConnectors/M365Defender-VulnerabilityManagement/azureDeploy.json
@ -5,7 +5,7 @@
    "_generator": {
      "name": "bicep",
      "version": "0.13.1.58284",
-      "templateHash": "16170835107442725722"
+      "templateHash": "16350299991353580710"
    }
  },
  "parameters": {
@ -239,8 +239,8 @@
      "name": "[parameters('AppServicePlanName')]",
      "location": "[variables('Location')]",
      "sku": {
-        "name": "B2",
-        "tier": "Basic"
+        "name": "P1v2",
+        "tier": "PremiumV2"
      },
      "kind": "linux",
      "properties": {
--- a/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip
+++ b/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip
--- a/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage/GetMDVMData/run.ps1
+++ b/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage/GetMDVMData/run.ps1
@ -15,7 +15,7 @@ function Get-RequestHeaders {
    return @{"Authorization" = "Bearer $Token"; "Content-Type" = "application/json" }
 }

-#Function to get data via REST API.
+#Function to get data via REST API and send to Azure Monitor.
 function Import-Data {
    param ($SourceUri, $SourceToken, $Table, $DataSourceName, $JsonDepth, $RecommendationId, $AzureResources)
    $count = 1
@ -48,18 +48,20 @@ function Import-Data {
                $recommendations += $content
            }
        }
-        $configurations = New-Object System.Collections.ArrayList
+        $objectsReceived = $content.Count
+        $totalObjectsReceived += $objectsReceived
+        Write-Host "Objects received in current request:" $content.Count
        $content | Add-Member -NotePropertyName 'TimeGenerated' -NotePropertyValue $snapshotTime
-        foreach ($item in ($content)) {  
-            switch ($DataSourceName) {
-                'MDVM Recommendations' { $item | Add-Member -NotePropertyName recId -NotePropertyValue $item.Id }
-                'MDVM Recommendations Machine References' { 
-                    $item | Add-Member -NotePropertyName recordId -NotePropertyValue $item.Id
-                    $item | Add-Member -NotePropertyName recommendationId -NotePropertyValue $RecommendationId
-                }
-                'MDVM Vulnerabilities by Device' {
-                    $item | Add-Member -NotePropertyName vulnId -NotePropertyValue $item.Id
-                    $azSearch = $AzureResources | Where-Object deviceName -eq $item.deviceName.Substring(0, $item.deviceName.IndexOf('.')).ToLower()
+        switch ($DataSourceName) {
+            'MDVM Recommendations' { $content | Add-Member -MemberType AliasProperty -Name recId -Value id }
+            'MDVM Recommendations Machine References' { 
+                $content | Add-Member -MemberType AliasProperty -Name recordId -Value id
+                $content | Add-Member -NotePropertyName recommendationId -NotePropertyValue $RecommendationId
+            }
+            'MDVM Vulnerabilities by Device' {
+                $content | Add-Member -MemberType AliasProperty -Name vulnId -Value id
+                foreach ($item in $content) {
+                    $azSearch = $AzureResources.($item.deviceName.Substring(0, $item.deviceName.IndexOf('.')).ToLower())
                    if ($null -ne $azSearch) {
                        $item | Add-Member -NotePropertyName azResourceId -NotePropertyValue $azSearch.id
                    }
@ -67,36 +69,35 @@ function Import-Data {
                        $item | Add-Member -NotePropertyName azResourceId -NotePropertyValue ''
                    }
                }
-                'MDVM CVE KB' { $item | Add-Member -NotePropertyName cveId -NotePropertyValue $item.Id }
-                'NIST CVE KB' { 
-                    $item | Add-Member -NotePropertyName cveId -NotePropertyValue $item.Id
-                    if ($item | Get-Member configurations) {
-                        $configuration = New-Object psobject
-                        $configurationNumber = 0
-                        foreach ($configuration in $item.configurations) {
-                            $configurationNumber += 1
-                            $nodes = $configuration | Select-Object -ExpandProperty nodes
-                            foreach ($node in $nodes) {
-                                $cpes = $node | Select-Object -ExpandProperty cpeMatch
-                                $cpes | Add-Member -NotePropertyName configurationNumber -NotePropertyValue $configurationNumber
-                                $cpes | Add-Member -NotePropertyName configurationOperator -NotePropertyValue $configuration.operator
-                                $cpes | Add-Member -NotePropertyName configurationNegate -NotePropertyValue $configuration.negate
-                                $cpes | Add-Member -NotePropertyName nodeOperator -NotePropertyValue $node.operator
-                                $cpes | Add-Member -NotePropertyName nodeNegate -NotePropertyValue $node.negate
-                                $cpes | Add-Member -NotePropertyName cveId -NotePropertyValue $item.id
-                                $cpes | Add-Member -NotePropertyName TimeGenerated -NotePropertyValue $snapshotTime
-                                $configurations.Add($cpes) | Out-Null
-                            }
+            }
+            'MDVM CVE KB' { $content | Add-Member -NotePropertyName cveId -NotePropertyValue id }
+            'NIST CVE KB' { 
+                $content | Add-Member -MemberType AliasProperty -Name cveId -Value id
+                $configurations = New-Object System.Collections.ArrayList
+                foreach ($item in $content | Where-Object configurations -ne $null) {
+                    $configuration = New-Object psobject
+                    $configurationNumber = 0
+                    foreach ($configuration in $item.configurations) {
+                        $configurationNumber += 1
+                        $nodes = $configuration | Select-Object -ExpandProperty nodes
+                        foreach ($node in $nodes) {
+                            $cpes = $node | Select-Object -ExpandProperty cpeMatch
+                            $cpes | Add-Member -NotePropertyMembers @{
+                                configurationNumber   = $configurationNumber
+                                configurationOperator = $configuration.operator
+                                configurationNegate   = $configuration.negate
+                                nodeOperator          = $node.operator
+                                nodeNegate            = $node.negate
+                                cveId                 = $item.cveId
+                                TimeGenerated         = $snapshotTime
+                            } -PassThru | Out-Null
+                            $configurations.Add($cpes) | Out-Null
                        }
-                        $item.PSObject.Properties.Remove('configurations')
                    }
+                    $item.PSObject.Properties.Remove('configurations')
                }
            }
-            if ($null -ne $item.id) { $item.PSObject.Properties.Remove('id') }
        }
-        $objectsReceived = $content.Count
-        $totalObjectsReceived += $objectsReceived
-        Write-Host "Objects received in current request:" $content.Count
        if ($objectsReceived -eq 0) { return }
        $logIngestionClient.UploadAsync($dcrImmutableId, "Custom-$Table", ($content | ConvertTo-Json -Depth $JsonDepth -AsArray)) | Out-Null
        if ($configurations.Count -ne 0) {
@ -176,12 +177,11 @@ resources
 | extend deviceName = iif(deviceName == '', name, deviceName)
 | project id = tolower(id), deviceName = tolower(deviceName)"

-$azResources = $null
-$response = $null
 do {
    $response = Search-AzGraph -Query $azureVMsQuery -SkipToken $response.SkipToken -First 1000
    $azResources += $response
 } until ($null -eq $response.SkipToken)
+$azResources = $azResources | Group-Object -AsHashTable -Property deviceName

 #Ingest Vulnerabilities by Device.
 $defenderUri = "https://api.securitycenter.windows.com/api/machines/SoftwareVulnerabilitiesByMachine"
@ -239,8 +239,8 @@ else {
 Import-Data -SourceUri $nistUri -DataSourceName 'NIST CVE KB' -JsonDepth 8 -Table 'MDVMNISTCVEKB_CL'

 #Validate data was written to Azure Monitor.
-Write-Host "Wating 3 minutes to allow for all data to get written to Azure Monitor before checking for any mismatches..."
-Start-Sleep -Seconds 180
+Write-Host "Wating 1 minute to allow for all data to get written to Azure Monitor before checking for any mismatches..."
+Start-Sleep -Seconds 60
 $lawQuery = "union withsource=MDVMTableName MDVM*
    | where TimeGenerated == todatetime('$snapshotTime')
    | summarize Count = count() by MDVMTableName, TimeGenerated"
@ -257,4 +257,4 @@ if ($tableStats | Where-Object Mismatch -eq $true) {
 }
 else {
    Write-Host ("All data has been successfully written to Azure Monitor. Per table details are below: `n" + $report)
-}
+}
--- a/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage/host.json
+++ b/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage/host.json
@ -7,5 +7,5 @@
    "id": "Microsoft.Azure.Functions.ExtensionBundle",
    "version": "[3.*, 4.0.0)"
  },
-  "functionTimeout": "02:00:00"
+  "functionTimeout": "04:00:00"
 }
--- a/DataConnectors/M365Defender-VulnerabilityManagement/main.bicep
+++ b/DataConnectors/M365Defender-VulnerabilityManagement/main.bicep
@ -164,8 +164,8 @@ resource hostingPlan 'Microsoft.Web/serverfarms@2021-03-01' = {
  name: AppServicePlanName
  location: Location
  sku: {
-    name: 'B2'
-    tier: 'Basic'
+    name: 'P1v2'
+    tier: 'PremiumV2'
  }
  kind: 'linux'
  properties: {