playbooks/AzHunter.Playbook.UAL.Exporter.ps1
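Function Start-AzHunterPlaybook {
    <#
    .SYNOPSIS
        A PowerShell function to run a hunting playbook
    .DESCRIPTION
        This playbook will export UnifiedAuditLog records to CSV files on disk.
        The export file name is chosen once per session and cached in
        $Global:AzExporterExportFileName, so repeated invocations append to the
        same file; callers that want a fresh file must clear that global first.
    .PARAMETER Records
        An array of records to apply different data transformations to.
        Each individual record needs to be of type [AzHunterBase]
    .PARAMETER PassThru
        Whether we want records returned back to the console after they have
        been written to disk.
    .OUTPUTS
        Nothing unless -PassThru is given, in which case the unmodified $Records
        are returned.
    .NOTES
        Globals read:    $Global:Logger, $Global:AzExporterExportFileName
        Globals written: $Global:AzExporterExportFileName (only when not yet set)
        Depends on the [Logger] class and New-OutputFolder, both defined
        elsewhere in the module.

        Please use this with care and for legitimate purposes. The author does
        not take responsibility on any damage performed as a result of
        employing this script.
    #>
    [CmdletBinding(SupportsShouldProcess=$False)]
    Param (
        [Parameter(
            Mandatory=$False,
            ValueFromPipeline=$False,
            ValueFromPipelineByPropertyName=$False,
            Position=0,
            HelpMessage='Azure UAL Records'
        )]
        [ValidateNotNullOrEmpty()]
        $Records,

        [Parameter(
            Mandatory=$False,
            ValueFromPipeline=$False,
            ValueFromPipelineByPropertyName=$False,
            Position=2,
            HelpMessage='Whether we want records returned back to the console'
        )]
        [ValidateNotNullOrEmpty()]
        [switch]$PassThru
    )

    BEGIN {
        # *** BEGIN: GENERAL *** #
        # *** Getting a handle to the running script path so that we can refer to it *** #
        # NOTE(review): $ScriptPath is not referenced later in this playbook; it looks
        # like shared template boilerplate and is kept unchanged for that reason.
        if ($PSScriptRoot) {
            $ScriptPath = [System.IO.DirectoryInfo]::new($PSScriptRoot)
            # When running from a "source" tree, step two levels up (regex match, not literal)
            if ($ScriptPath.FullName -match "source") {
                $ScriptPath = $ScriptPath.Parent.Parent
            }
        }
        else {
            $ScriptPath = [System.IO.DirectoryInfo]::new($pwd)
        }

        $PlaybookName = 'AzHunter.Playbook.UAL.Exporter'

        # Initialize Logger: reuse the session-wide instance when one exists,
        # otherwise create a private one for this invocation. Assigning explicitly
        # (instead of relying on dynamic scoping) makes the source of $Logger visible.
        if ($Global:Logger) {
            $Logger = $Global:Logger
        }
        else {
            $Logger = [Logger]::New()
        }
        $Logger.LogMessage("[$PlaybookName] Loading Playbook", "INFO", $null, $null)
        # *** END: GENERAL *** #

        # Configure Output File
        # Create output folder for Playbook inside default parent output folder for this session
        $PlaybookOutputFolder = New-OutputFolder -FolderName $PlaybookName

        if (!$Global:AzExporterExportFileName) {
            # UTC timestamp so exports taken on hosts in different time zones sort consistently
            $strTimeNow = (Get-Date).ToUniversalTime().ToString("yyMMdd-HHmmss")
            $exportFileName = "AzHunter.UAL.Exporter.$($env:COMPUTERNAME)-$strTimeNow.csv"
            # Join-Path instead of "$folder\$file" so the separator is correct on every
            # platform and a trailing separator in the folder name is handled.
            $Global:AzExporterExportFileName = Join-Path -Path $PlaybookOutputFolder -ChildPath $exportFileName
        }
        else {
            $Logger.LogMessage("[$PlaybookName] Found Handle to open Export File: $Global:AzExporterExportFileName", "INFO", $null, $null)
        }
    }

    PROCESS {
        $Logger.LogMessage("[$PlaybookName] Exporting records to file $Global:AzExporterExportFileName", "INFO", $null, $null)
        # -Encoding UTF8: Windows PowerShell 5.1 defaults Export-Csv to ASCII, which
        # silently replaces non-ASCII characters (UPNs, display names, user agents)
        # with '?', corrupting the exported evidence. Pinning the encoding also makes
        # the file identical across PowerShell 5.1 and 7.
        # -Append/-NoClobber: never truncate an existing export; records from
        # successive calls accumulate in the same file.
        $Records | Export-Csv -Path $Global:AzExporterExportFileName -NoTypeInformation -NoClobber -Append -Encoding UTF8
    }

    END {
        $Logger.LogMessage("[$PlaybookName] Finished running playbook", "INFO", $null, $null)
        if ($PassThru) {
            return $Records
        }
    }
}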