src/Update-AzDataCollectionRuleResetTransformKqlDefault.ps1
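Function Update-AzDataCollectionRuleResetTransformKqlDefault {
<#
    .SYNOPSIS
    Updates the transformKql property on an existing DCR and resets it back to the default transformation.

    .DESCRIPTION
    Used to set the transformation back to default, where all data is sent in unchanged apart from the
    required TimeGenerated column ("source | extend TimeGenerated = now()").
    Only the first data flow of the DCR (properties.dataFlows[0]) is modified; if that data flow has no
    transformKql property yet, the property is added with the default value.

    .VERSION
    1.0

    .AUTHOR
    Morten Knudsen, Microsoft MVP - https://mortenknudsen.net

    .LINK
    https://github.com/KnudsenMorten/AzLogDcrIngestPS

    .PARAMETER DcrResourceId
    This is the resource id of the data collection rule

    .PARAMETER AzAppId
    This is the Azure app id of an app with Contributor permissions in LogAnalytics + Resource Group for DCRs

    .PARAMETER AzAppSecret
    This is the secret of the Azure app. It is handed to Get-AzAccessTokenManagement as a plain string,
    so avoid echoing it (e.g. via Set-PSDebug -Trace or transcripts) in the calling session.

    .PARAMETER TenantId
    This is the Azure AD tenant id

    .INPUTS
    None. You cannot pipe objects

    .OUTPUTS
    None. The body returned by the REST PUT is captured in a local variable and not emitted to the pipeline;
    a failed GET or PUT surfaces as an error from Invoke-RestMethod, and a DCR without any data flow
    terminates with an explicit error.

    .EXAMPLE
    $TableName                                       = 'InvClientComputerOSInfoTest5V2'   # must not contain _CL
    $DcrName                                         = "dcr-" + $AzDcrPrefixClient + "-" + $TableName + "_CL"

    $TenantId                                        = "xxxxx"
    $LogIngestAppId                                  = "xxxxx"
    $LogIngestAppSecret                              = "xxxxx"

    $DceName                                         = "dce-log-platform-management-client-demo1-p"
    $LogAnalyticsWorkspaceResourceId                 = "/subscriptions/xxxxxx/resourceGroups/rg-logworkspaces/providers/Microsoft.OperationalInsights/workspaces/log-platform-management-client-demo1-p"
    $AzDcrPrefixClient                               = "clt1"
    $AzDcrSetLogIngestApiAppPermissionsDcrLevel      = $false
    $AzDcrLogIngestServicePrincipalObjectId          = "xxxxxx"
    $AzLogDcrTableCreateFromReferenceMachine         = @()
    $AzLogDcrTableCreateFromAnyMachine               = $true

    # building global variable with all DCEs, which can be viewed by Log Ingestion app
    $global:AzDceDetails = Get-AzDceListAll -AzAppId $LogIngestAppId -AzAppSecret $LogIngestAppSecret -TenantId $TenantId -Verbose:$Verbose

    # building global variable with all DCRs, which can be viewed by Log Ingestion app
    $global:AzDcrDetails = Get-AzDcrListAll -AzAppId $LogIngestAppId -AzAppSecret $LogIngestAppSecret -TenantId $TenantId -Verbose:$Verbose

    Write-Output ""
    Write-Output "Collecting Defender demo data"
    $DataVariable = Get-MpComputerStatus

    #-------------------------------------------------------------------------------------------
    # Preparing data structure
    #-------------------------------------------------------------------------------------------

    # convert CIM array to PSCustomObject and remove CIM class information
    $DataVariable = Convert-CimArrayToObjectFixStructure -data $DataVariable -Verbose:$verbose

    # add CollectionTime to existing array
    $DataVariable = Add-CollectionTimeToAllEntriesInArray -Data $DataVariable -Verbose:$verbose

    # add Computer & UserLoggedOn info to existing array
    $DataVariable = Add-ColumnDataToAllEntriesInArray -Data $DataVariable -Column1Name Computer -Column1Data $Env:ComputerName -Column2Name UserLoggedOn -Column2Data $UserLoggedOn -Verbose:$verbose

    # Validating/fixing schema data structure of source data
    $DataVariable = ValidateFix-AzLogAnalyticsTableSchemaColumnNames -Data $DataVariable -Verbose:$verbose

    # Aligning data structure with schema (requirement for DCR)
    $DataVariable = Build-DataArrayToAlignWithSchema -Data $DataVariable -Verbose:$verbose

    #-------------------------------------------------------------------------------------------
    # Create/Update Schema for LogAnalytics Table & Data Collection Rule schema
    #-------------------------------------------------------------------------------------------

    CheckCreateUpdate-TableDcr-Structure -AzLogWorkspaceResourceId $LogAnalyticsWorkspaceResourceId `
                                         -AzAppId $LogIngestAppId -AzAppSecret $LogIngestAppSecret -TenantId $TenantId `
                                         -DceName $DceName -DcrName $DcrName -TableName $TableName -Data $DataVariable `
                                         -LogIngestServicePricipleObjectId $AzDcrLogIngestServicePrincipalObjectId `
                                         -AzDcrSetLogIngestApiAppPermissionsDcrLevel $AzDcrSetLogIngestApiAppPermissionsDcrLevel `
                                         -AzLogDcrTableCreateFromAnyMachine $AzLogDcrTableCreateFromAnyMachine `
                                         -AzLogDcrTableCreateFromReferenceMachine $AzLogDcrTableCreateFromReferenceMachine

    # building global variable with all DCEs, which can be viewed by Log Ingestion app
    $global:AzDceDetails = Get-AzDceListAll -AzAppId $LogIngestAppId -AzAppSecret $LogIngestAppSecret -TenantId $TenantId -Verbose:$Verbose

    # building global variable with all DCRs, which can be viewed by Log Ingestion app
    $global:AzDcrDetails = Get-AzDcrListAll -AzAppId $LogIngestAppId -AzAppSecret $LogIngestAppSecret -TenantId $TenantId -Verbose:$Verbose

    $AzDcrDceDetails = Get-AzDcrDceDetails -DcrName $DcrName `
                                           -AzAppId $LogIngestAppId -AzAppSecret $LogIngestAppSecret -TenantId $TenantId -Verbose:$Verbose

    # make a DCR Event Log collection of security events - can be done through Sentinel
    $DcrResourceId = $AzDcrDceDetails[0]

    # check the schema for a column name where we want to retrieve data from
    Get-ObjectSchemaAsArray -Data $DataVariable -Verbose:$Verbose

    # set new transformation where we are adding a column AntivirusVersion with data from AMEngineVersion
    $transformKql = "source | extend TimeGenerated = now() | extend AntivirusVersion = AMEngineVersion"

    Update-AzDataCollectionRuleTransformKql -DcrResourceId $DcrResourceId -transformKql $transformKql -Verbose:$Verbose

    #-------------------------------------------------------------------------------------------
    # Output
    #-------------------------------------------------------------------------------------------
    VERBOSE: GET with 0-byte payload
    VERBOSE: received 4735-byte response of content type application/json; charset=utf-8
      Updating transformKql for DCR
    /subscriptions/fce4f282-fcc6-43fb-94d8-bf1701b862c3/resourceGroups/rg-dcr-log-platform-management-client-demo1-p/providers/microsoft.insights/dataCollectionRules/dcr-clt1-InvClientComputerOSInfoTest6V2_CL
    VERBOSE: PUT with -1-byte payload
    VERBOSE: received 4735-byte response of content type application/json; charset=utf-8

    # force a reset of the transformation
    Update-AzDataCollectionRuleResetTransformKqlDefault -DcrResourceId $DcrResourceId -Verbose:$true

    #-------------------------------------------------------------------------------------------
    # Output
    #-------------------------------------------------------------------------------------------
    VERBOSE: GET with 0-byte payload
    VERBOSE: received 4735-byte response of content type application/json; charset=utf-8
      Resetting transformKql to default for DCR
    /subscriptions/fce4f282-fcc6-43fb-94d8-bf1701b862c3/resourceGroups/rg-dcr-log-platform-management-client-demo1-p/providers/microsoft.insights/dataCollectionRules/dcr-clt1-InvClientComputerOSInfoTest6V2_CL
    VERBOSE: PUT with -1-byte payload
    VERBOSE: received 4691-byte response of content type application/json; charset=utf-8
#>

    [CmdletBinding()]
    param(
        [Parameter(mandatory)]
            [string]$DcrResourceId,
        [Parameter()]
            [string]$AzAppId,
        [Parameter()]
            [string]$AzAppSecret,
        [Parameter()]
            [string]$TenantId
    )

    #--------------------------------------------------------------------------
    # Variables
    #--------------------------------------------------------------------------

    # Default transformation for a DCR log-ingestion custom log: pass every record
    # through unchanged and stamp the mandatory TimeGenerated column.
    $DefaultTransformKqlDcrLogIngestCustomLog = "source | extend TimeGenerated = now()"

    # The same ARM URI is used for both the GET and the PUT of the DCR definition.
    $DcrUri = "https://management.azure.com" + $DcrResourceId + "?api-version=2022-06-01"

    #--------------------------------------------------------------------------
    # Connection
    #--------------------------------------------------------------------------

    # Bearer-token headers for the ARM calls below (project helper; its exact
    # header set is not visible here).
    $Headers = Get-AzAccessTokenManagement -AzAppId $AzAppId `
                                           -AzAppSecret $AzAppSecret `
                                           -TenantId $TenantId -Verbose:$Verbose

    #--------------------------------------------------------------------------
    # get existing DCR
    #--------------------------------------------------------------------------

    $DCR = Invoke-RestMethod -Uri $DcrUri -Method GET -Headers $Headers

    # Without a data flow there is nothing to reset; fail loudly instead of
    # silently PUTting the DCR back unchanged.
    If (-not $DCR.properties.dataFlows)
        {
            Throw "DCR $DcrResourceId has no dataFlows - transformKql cannot be reset"
        }

    #--------------------------------------------------------------------------
    # update payload object
    #--------------------------------------------------------------------------

    If ($DCR.properties.dataFlows[0].transformKql)
        {
            # changing value on existing property
            $DCR.properties.dataFlows[0].transformKql = $DefaultTransformKqlDcrLogIngestCustomLog
        }
    Else
        {
            # Adding new property to object. Both branches must write the same
            # default KQL; an undefined variable here would add an empty transformation.
            $DCR.properties.dataFlows[0] | Add-Member -NotePropertyName transformKql `
                                                      -NotePropertyValue $DefaultTransformKqlDcrLogIngestCustomLog `
                                                      -Force
        }

    #--------------------------------------------------------------------------
    # update existing DCR
    #--------------------------------------------------------------------------

    Write-Host " Resetting transformKql to default for DCR"
    Write-Host $DcrResourceId

    # convert modified payload to JSON-format. The explicit -Depth is needed
    # because ConvertTo-Json's default depth truncates the nested DCR properties.
    $DcrPayload = $DCR | ConvertTo-Json -Depth 20

    # update changes to existing DCR; the returned body is kept local, not emitted
    $DCR = Invoke-RestMethod -Uri $DcrUri -Method PUT -Body $DcrPayload -Headers $Headers
}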