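<#
===========================================================================
 Created with:  SAPIEN Technologies, Inc., PowerShell Studio 2021 v5.8.196
 Created on:    10/26/2023 7:57 PM
 Created by:    John@MyPSFunctions.com
 Organization:  MyPSFunctions
 Filename:      MyPSFunctions.Az.psm1
-------------------------------------------------------------------------
 Module Name:   MyPSFunctions.Az
===========================================================================
#>

#region Basics
####################################################
############################## Basics ################
####################################################

Function Write-AzureLog {
    <#
    .SYNOPSIS
        Writes a timestamped log line to the pipeline and, optionally, appends it to a file.
    .PARAMETER Level
        Info, Warning or Error; selects the tag written after the timestamp.
    .PARAMETER LogPath
        Optional file path. When given, the same line is appended to that file.
    .PARAMETER Message
        Text to log.
    .OUTPUTS
        System.String - the formatted log line, e.g. "[2023-10-26 19:57:00] INFO: text".
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [ValidateSet('Info', 'Warning', 'Error')]
        [string]$Level,
        [Parameter(Mandatory = $false)]
        [string]$LogPath,
        [Parameter(Mandatory = $true)]
        [string]$Message
    )

    # Only the tag differs between levels; anything that is not Warning/Error
    # (i.e. Info) is written as INFO, as in the original per-level branches.
    $Tag = switch ($Level) {
        'Warning' { 'WARNING' }
        'Error'   { 'ERROR' }
        default   { 'INFO' }
    }

    # Build the line once so the file copy and the pipeline copy carry the same timestamp.
    $Line = "[$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')] ${Tag}: $Message"

    If ($LogPath) {
        $Line | Out-File -FilePath $LogPath -Append
    }
    Write-Output $Line
}

#endregion

#region Azure
####################################################
############################## Azure ################
####################################################

# NOTE(review): every function in this region logs through Write-Log (the
# original also contained a Write-CLog call), which this file does not define -
# it defines Write-AzureLog above. Confirm Write-Log is supplied by another
# file of the module; otherwise the first log call throws CommandNotFound.

Function Generate-AzDefenderReportForAllSubscriptions {
    <#
    .SYNOPSIS
        Builds an Excel report of the Microsoft Defender for Cloud plan enabled for each
        Defender service (pricing tier, plus sub-plan when one is set) in every
        subscription visible to the current Az context.
    .NOTES
        Requires Az.Accounts, Az.Security and the ImportExcel module (Export-Excel).
        Each subscription is selected with Set-AzContext in turn, so the caller's
        context is left on the last subscription processed.
        The report is written to .\Report_All_AzSubscriptions_DefenderPlan_<timestamp>.xlsx
        in the current directory.
    #>
    [CmdletBinding()]
    param ()

    # Defender service name (the Name returned by Get-AzSecurityPricing) -> report column.
    # The order of this table is the column order of the generated worksheet.
    $DefenderColumns = [Ordered]@{
        'CloudPosture'                  = 'CSPM'
        'Arm'                           = 'Resource Manager'
        'VirtualMachines'               = 'Servers'
        'KeyVaults'                     = 'Key Vault'
        'StorageAccounts'               = 'Storage'
        'Containers'                    = 'Containers'
        'ContainerRegistry'             = 'Container: Registry'
        'KubernetesService'             = 'Container: KubernetesService'
        'Dns'                           = 'Dns'
        'AppServices'                   = 'AppServices'
        'SqlServers'                    = 'Databases: Azure SQL Databases'
        'SqlServerVirtualMachines'      = 'Databases: SQL Servers on machines'
        'OpenSourceRelationalDatabases' = 'Databases: OpenSourceRelationalDatabases'
        'CosmosDbs'                     = 'Databases: Azure Cosmos DB'
        'Api'                           = 'APIs'
    }

    Try {
        Write-Log Warning -Message "The script is retreiving all the AzSubscriptions"
        $AzSubs = Get-AzSubscription
        $AzSubsCount = ($AzSubs | Measure-Object).Count
        Write-Log Info -Message "The script found $AzSubsCount AzSubscriptions"
    } Catch {
        Write-Log Error -Message "Failed to found all AzSubscriptions"
        Write-Log Error -Message "Failed to run the following CMDLet: $($_.InvocationInfo.Line)"
        Write-Log Error -Message "Failed with Error:$($_.Exception.Message)"
        # Without the subscription list there is nothing to report; the original
        # carried on and produced an empty workbook.
        return
    }

    [Int]$i = 1
    $Table = @()
    ForEach ($AzSub in $AzSubs) {
        $AzSubName = $AzSub.Name
        $AzSubID = $AzSub.Id
        # The original message interpolated $Name, which is never assigned in this function.
        Write-Log Warning -Message "The script is analyzing the Subscription: $AzSubName ….. --- $i/$AzSubsCount"
        # Out-Null keeps the PSAzureContext object out of this function's output stream.
        Set-AzContext -Subscription $AzSubID | Out-Null

        Try {
            Write-Log Warning -Message "The script is retreiving all Defender Services"
            $Pricings = Get-AzSecurityPricing   # Name, PricingTier, SubPlan
            $PricingsCount = ($Pricings | Measure-Object).Count
            Write-Log Info -Message "All Defender Services at the Subscription level are retrieved ( $PricingsCount)"
        } Catch {
            # A failed subscription still gets a (blank) row so the report stays complete.
            $Pricings = $null
            Write-Log Error -Message "Failed to retreive all Defender Services"
            Write-Log Error -Message "Failed to run the following CMDLet: $($_.InvocationInfo.Line)"
            Write-Log Error -Message "Failed with Error:$($_.Exception.Message)"
        }
        $Pricings | Format-Table Name, PricingTier, SubPlan

        $Row = [Ordered]@{ AzSubName = $AzSubName }
        ForEach ($ServiceName in $DefenderColumns.Keys) {
            $Pricing = $Pricings | Where-Object { $_.Name -eq $ServiceName }
            # Cell value is "<SubPlan>(<PricingTier>)" when a sub-plan is set, else the
            # tier alone (Free/Standard). A service missing from the answer yields $null.
            # (The original never reported the AppServices sub-plan: it stored it in one
            # variable and tested another.)
            If ($Pricing.SubPlan) {
                $Row[$DefenderColumns[$ServiceName]] = "$($Pricing.SubPlan)($($Pricing.PricingTier))"
            } Else {
                $Row[$DefenderColumns[$ServiceName]] = $Pricing.PricingTier
            }
        }
        $Table += New-Object PSObject -Property $Row
        $i++
    }

    $Table | Format-Table
    $DateFull = Get-Date -Format "ddMMyyyy_HH-mm-ss"
    $ReportFilexlsx = ".\Report_All_AzSubscriptions_DefenderPlan_" + $DateFull + ".xlsx"
    $Table | Export-Excel $ReportFilexlsx -TableName "AzSubscriptionsDefenderPlan" -Title "AzSubscriptions DefenderPlan" -TitleBold -WorksheetName "AzSubscriptionsDefenderPlan" -TableStyle Medium9 -AutoSize -AutoFilter
    Write-Log Info -Message "Generate the following Report: $ReportFilexlsx"
}

Function Switch-AzSubscription {
    <#
    .SYNOPSIS
        Lets the user pick one subscription in Out-GridView, makes it the current Az
        context and puts "<account> connected to Sub: <name>" in the console title.
    .OUTPUTS
        The PSAzureContext object emitted by Set-AzContext.
    #>
    [CmdletBinding()]
    param ()

    $AzContext = Get-AzContext
    $AzAccount = $AzContext.Account.Id
    $AzSubs = Get-AzSubscription
    # -OutputMode Single enforces the "select one" instruction in the title; the
    # original -PassThru allowed a multi-selection that Set-AzContext cannot take.
    $SelectedSub = $AzSubs | Select-Object Name, State, Id | Out-GridView -OutputMode Single -Title 'Select One Subscription, then click on OK to validate your selection'
    If (-not $SelectedSub) {
        # Cancel / empty selection: leave the current context untouched.
        Write-Log Warning -Message "No subscription selected; the current context is unchanged"
        return
    }
    $SelectedSub_Id = $SelectedSub.Id
    $SelectedSub_Name = $SelectedSub.Name
    Set-AzContext -Subscription $SelectedSub_Id
    Write-Log Warning -Message "Switch to subscription: $SelectedSub_Name ($SelectedSub_Id)"
    $Host.UI.RawUI.WindowTitle = "$AzAccount connected to Sub: $SelectedSub_Name"
}

Function Connect-Az {
    <#
    .SYNOPSIS
        Signs in to Azure with Connect-AzAccount and then selects the working
        subscription interactively (see Switch-AzSubscription).
    .PARAMETER AlternateID
        Account id to sign in with. When omitted the module/session variable
        $MyPSFunctionsAzAdmin is used.
    #>
    param (
        [Parameter(Position = 1)]
        [string]$AlternateID
    )

    If ($AlternateID) {
        $MyPSFunctionsAzAdmin = $AlternateID
    }
    # NOTE(review): $MyPSFunctionsAzAdmin is not defined in this file; it must come
    # from the module or session scope - verify, otherwise Connect-AzAccount gets $null.
    Write-Host -ForegroundColor Yellow "Please validate the Az Modules are installed"

    Try {
        Connect-AzAccount -AccountId $MyPSFunctionsAzAdmin
        # The original duplicated Switch-AzSubscription here, with a stray "-outp"
        # on Out-GridView that made the call fail; reuse the function instead.
        Switch-AzSubscription
    } Catch {
        Write-Log Error -Message "Failed to run the following CMDLet: $($_.InvocationInfo.Line)"
        Write-Log Error -Message "Failed with Error:$($_.Exception.Message)"
    }
}

Function Get-AzToken {
    <#
    .SYNOPSIS
        Requests an OAuth 2.0 access token for Azure Resource Manager using the
        client-credentials grant of a service principal.
    .PARAMETER TenantID
        Entra ID tenant id (GUID or domain) that issued the service principal.
    .PARAMETER AppID
        Application (client) id of the service principal.
    .PARAMETER AppSecret
        Client secret. It is a plain string for backward compatibility; pass it from a
        variable loaded out of a secret store rather than typing it on a command line
        that ends up in history or transcripts.
    .OUTPUTS
        System.String - the bearer token. Treat it like the secret itself: do not log it.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, Position = 1)]
        [String]$TenantID,
        [Parameter(Mandatory = $true, Position = 2)]
        [String]$AppID,
        [Parameter(Mandatory = $true, Position = 3)]
        [string]$AppSecret
    )

    # v1 token endpoint; the query string is kept from the original call.
    $URI = "https://login.microsoftonline.com/$TenantID/oauth2/token?api-version=2020-06-01"
    # Standard client-credentials form fields. Invoke-RestMethod sends a hashtable
    # body as application/x-www-form-urlencoded.
    $Body = @{
        grant_type    = "client_credentials"
        resource      = "https://management.core.windows.net/"
        client_id     = $AppID
        client_secret = $AppSecret
    }

    $Connection = Invoke-RestMethod -Uri $URI -Method POST -Body $Body
    If (-not $Connection.access_token) {
        # Fail loudly rather than hand the caller a $null bearer token.
        throw "Token request to $TenantID returned no access_token"
    }
    Return $Connection.access_token
}

Function Create-AzArcLicense {
    <#
    .SYNOPSIS
        Creates (PUT) a Microsoft.HybridCompute/licenses resource through the ARM REST
        API, authenticating with a service principal via Get-AzToken.
    .PARAMETER Subscription
        Subscription id the license resource is created in.
    .PARAMETER ResourceGroupName
        Resource group the license resource is created in.
    .PARAMETER TenantId
        Tenant of the service principal.
    .PARAMETER ApplicationId
        Application (client) id of the service principal.
    .PARAMETER Secret
        Client secret of the service principal (see Get-AzToken on handling it).
    .PARAMETER LicenseName
        Name of the license resource.
    .PARAMETER Location
        Azure region of the resource. Defaults to the previously hard-coded 'Canada Central'.
    .PARAMETER State
        licenseDetails.state; default 'Activated' (previously hard-coded).
    .PARAMETER Target
        licenseDetails.target; default 'Windows Server 2012' (previously hard-coded).
    .PARAMETER Edition
        licenseDetails.Edition; default 'Datacenter' (previously hard-coded).
    .PARAMETER LicenseType
        licenseDetails.Type; default 'vCore' (previously hard-coded).
    .PARAMETER Processors
        licenseDetails.Processors; default 8 (previously hard-coded).
    .OUTPUTS
        The deserialized response of the PUT request.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, Position = 1)]
        [string]$Subscription,
        [Parameter(Mandatory = $true, Position = 2)]
        [String]$ResourceGroupName,
        [Parameter(Mandatory = $true, Position = 3)]
        [String]$TenantId,
        [Parameter(Mandatory = $true, Position = 4)]
        [String]$ApplicationId,
        [Parameter(Mandatory = $true, Position = 5)]
        [String]$Secret,
        [Parameter(Mandatory = $true, Position = 6)]
        [String]$LicenseName,
        [Parameter(Mandatory = $false)]
        [string]$Location = "Canada Central",
        [Parameter(Mandatory = $false)]
        [string]$State = "Activated",
        [Parameter(Mandatory = $false)]
        [string]$Target = "Windows Server 2012",
        [Parameter(Mandatory = $false)]
        [string]$Edition = "Datacenter",
        [Parameter(Mandatory = $false)]
        [string]$LicenseType = "vCore",
        [Parameter(Mandatory = $false)]
        [int]$Processors = 8
    )

    $Token = Get-AzToken -TenantID $TenantId -AppID $ApplicationId -AppSecret $Secret

    $Body = @{
        "location"   = $Location
        "properties" = @{
            "licenseDetails" = @{
                "state"      = $State
                "target"     = $Target
                "Edition"    = $Edition
                "Type"       = $LicenseType
                "Processors" = $Processors
            }
        }
    }

    # The original built this URI from $SubscriptionId and $RGName, neither of which is
    # a parameter of this function, so both path segments were empty and the request
    # could never address the intended resource. Use the declared parameters.
    $URI = "https://management.azure.com/subscriptions/$Subscription/resourceGroups/$ResourceGroupName/providers/Microsoft.HybridCompute/licenses/${LicenseName}?api-version=2023-06-20-preview"

    $RequestParams = @{
        Uri         = $URI
        ContentType = "application/json"
        Method      = 'PUT'
        Headers     = @{
            authorization = "Bearer $Token"
            host          = 'management.azure.com'
        }
        # -Depth guards against ConvertTo-Json flattening the nested licenseDetails
        # object into a type name if the payload ever grows deeper.
        Body        = ($Body | ConvertTo-Json -Depth 5)
    }
    Invoke-RestMethod @RequestParams
}

Function Backup-AzFirewallPolicies {
    <#
    .SYNOPSIS
        Backs up one Azure Firewall Policy of the current subscription: the policy
        object and each rule collection group go to CliXml files, and every rule is
        flattened into a CSV and an XLSX report. All files land in the current directory.
    .NOTES
        Requires Az.Network and ImportExcel. The policy is chosen interactively in
        Out-GridView; cancelling the dialog ends the function without writing anything.
    #>
    [CmdletBinding()]
    param ()

    $DateFull = Get-Date -Format "ddMMyyyy_HH-mm-ss"
    $AzContext = Get-AzContext
    $CurrentSubscriptionName = $AzContext.Subscription.Name

    # Azure Firewall Policies of the current subscription, one to be selected.
    $AzResourcesFirewallPolicies = Get-AzResource | Where-Object { $_.ResourceType -eq "Microsoft.Network/firewallPolicies" }
    $SelectedAzFirewallPolicy = $AzResourcesFirewallPolicies | Select-Object Name, ResourceGroupName, Location | Out-GridView -OutputMode Single
    If (-not $SelectedAzFirewallPolicy) {
        Write-Log Warning -Message "No Azure Firewall Policy selected; nothing to back up"
        return
    }
    $SelectedAzFirewallPolicyName = $SelectedAzFirewallPolicy.Name
    $SelectedAzFirewallPolicyResourceGroupName = $SelectedAzFirewallPolicy.ResourceGroupName

    $AzFirewallPolicy = Get-AzFirewallPolicy -Name $SelectedAzFirewallPolicyName -ResourceGroupName $SelectedAzFirewallPolicyResourceGroupName
    $AzFirewallPolicyName = $AzFirewallPolicy.Name

    # Whole policy object to CliXml. The original piped the *file name* string into
    # Export-Clixml, so the "backup" file held nothing but that string. -Depth is
    # raised above the default of 2 so nested rule data is serialized, not stringified.
    $AzFwPolicyXMLFile = "Backup_" + $AzFirewallPolicyName + "_" + $DateFull + ".xml"
    $AzFirewallPolicy | Export-Clixml -Path $AzFwPolicyXMLFile -Depth 10

    $Table = @()
    ForEach ($RuleCollectionGroupRef in $AzFirewallPolicy.RuleCollectionGroups) {
        # The policy only references its rule collection groups by resource id;
        # the group name is the last id segment.
        $RuleCollectionGroupName = ($RuleCollectionGroupRef.Id -split '/')[-1]
        $RuleCollectionGroup = Get-AzFirewallPolicyRuleCollectionGroup -AzureFirewallPolicyName $SelectedAzFirewallPolicyName -Name $RuleCollectionGroupName -ResourceGroupName $SelectedAzFirewallPolicyResourceGroupName
        $RuleCollections = $RuleCollectionGroup.Properties.RuleCollection

        $RuleCollectionGroupXMLFile = "Backup_" + $RuleCollectionGroupName + "_" + $DateFull + ".xml"
        $RuleCollections | Export-Clixml -Path $RuleCollectionGroupXMLFile -Depth 10

        $RuleCollectionsCount = ($RuleCollections | Measure-Object).Count
        [Int]$i = 1
        ForEach ($RuleCollection in $RuleCollections) {
            $RuleCollectionName = $RuleCollection.Name
            $RuleCollectionPriority = $RuleCollection.Priority
            $Rules = $RuleCollection.Rules
            Write-Log Warning -Message "Analysing Rule Collection Group: $RuleCollectionName --- $i/$RuleCollectionsCount"

            $RulesCount = ($Rules | Measure-Object).Count
            [Int]$ii = 1
            ForEach ($Rule in $Rules) {
                $RuleName = $Rule.Name
                Write-Log Warning -Message "Analysing Rule: $RuleName --- $ii/$RulesCount"
                [string]$RuleType = $Rule.RuleType

                # Application rules carry protocol objects (Protocol/Port) - report the
                # ports joined by "-". Network rules carry plain protocol names.
                If ($RuleType -eq "ApplicationRule") {
                    [string]$Protocols = $Rule.Protocols.Port -join "-"
                } Else {
                    [string]$Protocols = $Rule.Protocols
                }

                # [string] on the list-valued properties joins elements with a space,
                # as the original casts did. Column names are kept verbatim (including
                # the misspelt "SourcesAddresses"/"DestionationPorts") so existing
                # consumers of the CSV/XLSX keep working.
                $Table += New-Object PSObject -Property ([Ordered]@{
                    AzFirewallPolicyName          = $SelectedAzFirewallPolicyName
                    ResourceGroup                 = $SelectedAzFirewallPolicyResourceGroupName
                    AzFirewallCollectionGroupName = $RuleCollectionGroupName
                    RuleCollectionGroupName       = $RuleCollectionName
                    RuleCollectionGroupPriority   = $RuleCollectionPriority
                    RuleName                      = $RuleName
                    RuleType                      = $RuleType
                    Protocols                     = $Protocols
                    SourcesAddresses              = [string]$Rule.SourceAddresses
                    SourceIPGroups                = [string]$Rule.SourceIPGroups
                    TargetFqdns                   = [string]$Rule.TargetFqdns
                    DestinationAddresses          = [string]$Rule.DestinationAddresses
                    DestinationFqdns              = [string]$Rule.DestinationFqdns
                    DestinationIPGroups           = [string]$Rule.DestinationIPGroups
                    DestionationPorts             = [string]$Rule.DestinationPorts
                })
                $ii++
            }
            $i++
        }
    }

    $ReportFile = ".\Report_AzFirewall_Policy_" + $CurrentSubscriptionName + "_" + $SelectedAzFirewallPolicyName + "_" + $DateFull + ".csv"
    $ReportFilexlsx = ".\Report_AzFirewall_Policy_" + $CurrentSubscriptionName + "_" + $SelectedAzFirewallPolicyName + "_" + $DateFull + ".xlsx"
    $Table | Export-Csv $ReportFile -NoTypeInformation -Encoding UTF8
    $Table | Export-Excel $ReportFilexlsx -TableName "AzFirewallRules" -Title "AzFirewall Rules" -TitleBold -WorksheetName "AzFirewallRules" -TableStyle Medium9 -AutoSize -AutoFilter
    Write-Log Info -Message "Generate the following Report: $ReportFile"
    Write-Log Info -Message "Generate the following Report: $ReportFilexlsx"
}

Function Generate-AzRoleAssignmentsReportForAllSubscriptions {
    <#
    .SYNOPSIS
        Builds an Excel report of every role assignment visible at subscription scope
        (Get-AzRoleAssignment without a scope filter), for every subscription the
        current Az context can see.
    .NOTES
        Requires Az.Accounts, Az.Resources and ImportExcel. The caller's context is
        left on the last subscription processed. The report is written to
        .\Report_All_AzSubscriptions_RoleAssignments_<timestamp>.xlsx.
    #>
    [CmdletBinding()]
    param ()

    Try {
        Write-Log Warning -Message "The script is retreiving all the AzSubscriptions"
        $AzSubs = Get-AzSubscription
        $AzSubsCount = ($AzSubs | Measure-Object).Count
        Write-Log Info -Message "The script found $AzSubsCount AzSubscriptions"
    } Catch {
        Write-Log Error -Message "Failed to found all AzSubscriptions"
        Write-Log Error -Message "Failed to run the following CMDLet: $($_.InvocationInfo.Line)"
        Write-Log Error -Message "Failed with Error:$($_.Exception.Message)"
        # No subscription list, no report (the original wrote an empty workbook).
        return
    }

    [Int]$i = 1
    $Table = @()
    ForEach ($AzSub in $AzSubs) {
        $AzSubName = $AzSub.Name
        $AzSubID = $AzSub.Id
        # The original message interpolated $Name, which is never assigned here.
        Write-Log Warning -Message "The script is analyzing the Subscription: $AzSubName ….. --- $i/$AzSubsCount"
        Set-AzContext -Subscription $AzSubID | Out-Null

        Try {
            Write-Log Warning -Message "The script is retreiving all Role Assignments at the Subscription level"
            $RoleAssignments = Get-AzRoleAssignment   # DisplayName, RoleDefinitionName, ObjectType, Scope
            $RoleAssignmentsCount = ($RoleAssignments | Measure-Object).Count
            Write-Log Info -Message "All Role Assignments at the Subscription level are retrieved ( $RoleAssignmentsCount)"
        } Catch {
            # Skip the rows for this subscription but keep going with the others.
            $RoleAssignments = $null
            $RoleAssignmentsCount = 0
            Write-Log Error -Message "Failed to retreive all Role Assignments at the Subscription level"
            Write-Log Error -Message "Failed to run the following CMDLet: $($_.InvocationInfo.Line)"
            Write-Log Error -Message "Failed with Error:$($_.Exception.Message)"
        }

        [Int]$ii = 1
        ForEach ($RoleAssignment in $RoleAssignments) {
            Write-Log Warning -Message "The script is analyzing $($RoleAssignment.DisplayName) ….. --- $ii/$RoleAssignmentsCount"
            $Table += New-Object PSObject -Property ([Ordered]@{
                AzSubName          = $AzSubName
                DisplayName        = $RoleAssignment.DisplayName
                ObjectId           = $RoleAssignment.ObjectId
                RoleDefinitionName = $RoleAssignment.RoleDefinitionName
                ObjectType         = $RoleAssignment.ObjectType
                Scope              = $RoleAssignment.Scope
            })
            $ii++
        }
        $i++
    }

    $DateFull = Get-Date -Format "ddMMyyyy_HH-mm-ss"
    # The original file name carried a stray space before the timestamp ("_ ").
    $ReportFilexlsx = ".\Report_All_AzSubscriptions_RoleAssignments_" + $DateFull + ".xlsx"
    $Table | Export-Excel $ReportFilexlsx -TableName "AzSubscriptionsRoleAssignments" -Title "AzSubscriptions Role Assignments" -TitleBold -WorksheetName "AzSubscriptionsRoleAssignments" -TableStyle Medium9 -AutoSize -AutoFilter
    Write-Log Info -Message "Generate the following Report: $ReportFilexlsx"
}

Function Generate-AzRoleAssignmentsReportForAllSubscriptionsOld {
    <#
    .SYNOPSIS
        Older variant of the role-assignment report: for every subscription of the
        current tenant, lists the role assignments of each resource group
        (Get-AzRoleAssignment -ResourceGroupName) and writes them to
        .\Report_AzSubscriptionsPermissions_<timestamp>.xlsx.
    .NOTES
        The whole enumeration runs inside one Try block, so the first error ends the
        collection and the report contains whatever was gathered up to that point.
    #>
    Try {
        Write-Log Info -Message "The script is collecting all Subscriptions information"
        # -TenantId takes the tenant id string; pass .Tenant.Id rather than the tenant object.
        $AzSubscriptions = Get-AzSubscription -TenantId (Get-AzContext).Tenant.Id
        $AzSubscriptionCount = ($AzSubscriptions | Measure-Object).Count
        # The original called Write-CLog here, which is not defined anywhere in this
        # module file; every other call in the function uses Write-Log.
        Write-Log Warning -Message "The script find $AzSubscriptionCount subscriptions"

        [Int]$i = 1
        $Table = @()
        ForEach ($AzSubscription in $AzSubscriptions) {
            $AzSubscriptionName = $AzSubscription.Name
            $AzSubscriptionID = $AzSubscription.Id
            $AzSubscriptionState = $AzSubscription.State
            Write-Log Warning -Message "The script is analyzing $AzSubscriptionName ….. --- $i/$AzSubscriptionCount"
            Select-AzSubscription -Subscription $AzSubscriptionName | Out-Null

            $ResourceGroups = Get-AzResourceGroup
            $ResourceGroupsCount = ($ResourceGroups | Measure-Object).Count
            Write-Log Warning -Message "The script find $ResourceGroupsCount Resource Groups"

            [Int]$ii = 1
            ForEach ($ResourceGroup in $ResourceGroups) {
                $ResourceGroupName = $ResourceGroup.ResourceGroupName
                $Location = $ResourceGroup.Location
                Write-Log Warning -Message "The script is analyzing the following Resource Group: $ResourceGroupName --- $ii/$ResourceGroupsCount"

                $AzRoleAssignments = Get-AzRoleAssignment -ResourceGroupName $ResourceGroupName
                $AzRoleAssignmentsCount = ($AzRoleAssignments | Measure-Object).Count
                [Int]$iii = 1
                ForEach ($AzRoleAssignment in $AzRoleAssignments) {
                    $DisplayName = $AzRoleAssignment.DisplayName
                    Write-Log Info -Message "The script is analyzing the following Role Assignment: $DisplayName --- $iii/$AzRoleAssignmentsCount"
                    $Table += New-Object PSObject -Property ([Ordered]@{
                        AzSubscriptionName  = $AzSubscriptionName
                        AzSubscriptionID    = $AzSubscriptionID
                        AzSubscriptionState = $AzSubscriptionState
                        ResourceGroupName   = $ResourceGroupName
                        Location            = $Location
                        DisplayName         = $DisplayName
                        SignInName          = $AzRoleAssignment.SignInName
                        RoleDefinitionName  = $AzRoleAssignment.RoleDefinitionName
                        ObjectType          = $AzRoleAssignment.ObjectType
                    })
                    $iii++
                }
                $ii++
            }
            $i++
        }
    } Catch {
        Write-Log Error -Message "Failed to run the following CMDLet: $($_.InvocationInfo.Line)"
        Write-Log Error -Message "Failed with Error:$($_.Exception.Message)"
    }

    $DateFull = Get-Date -Format "ddMMyyyy_HH-mm-ss"
    $ReportFilexlsx = ".\Report_AzSubscriptionsPermissions_" + $DateFull + ".xlsx"
    $Table | Export-Excel $ReportFilexlsx -TableName "AzSubscriptionPermissions" -Title "AzSubscriptionPermissions" -TitleBold -WorksheetName "AzSubscriptionPermissions" -TableStyle Medium9 -AutoSize -AutoFilter
    Write-Log Info -Message "Generate the following Report: $ReportFilexlsx"
}

Function Generate-AzNSGForAllSubscriptions {
    [CmdletBinding()]
    param ()
    # Report for Permission as Subscription level
    Try {
        Write-Log warning -Message "The script is retreiving all the AzSubscriptions"
        $AzSubs = Get-AzSubscription
        $AzSubsCount = ($AzSubs | Measure).count
        Write-Log Info -Message "The script found $AzSubsCount AzSubscriptions"
    } Catch {
        $ErrorMessage = $Error[0].Exception.Message
        $CMDLet = $Error[0].InvocationInfo.Line
        $FailedItem = $Error[0].Exception.ItemName
        Write-Log Error -Message "Failed to found all AzSubscriptions"
        Write-Log Error -Message "Failed to run the following CMDLet: $CMDLet"
        Write-Log Error -Message "Failed with Error:$ErrorMessage"
    }
    [Int]$i = 1
    $Table = $Null
    $Table = @()
    ForEach ($AzSub in $AzSubs) {
        $AzSubName = $Null
        $AzSubName = $AzSub.name
        $AzSubId = $Null
        $AzSubId = $AzSub.Id
        # Get Role Assignment at the Subsciption Level
        Try {
            Write-log Warning -message "The script is analyzing the Subscription: $Name ….. 
--- $i/$AzSubsCount"
            Select-AzSubscription -SubscriptionId $AzSubId
            $NSGs = Get-AzNetworkSecurityGroup
            $NSGsCount = ($NSGs | Measure).count
            Write-Log Info -Message "The Script found NSGs: $NSGsCount"
        } Catch {
            $ErrorMessage = $Error[0].Exception.Message
            $CMDLet = $Error[0].InvocationInfo.Line
            $FailedItem = $Error[0].Exception.ItemName
            Write-Log Error -Message "Failed to find NSGs"
            Write-Log Error -Message "Failed to run the following CMDLet: $CMDLet"
            Write-Log Error -Message "Failed with Error:$ErrorMessage"
        }
        #Initiate the Hash Table
        [Int]$ii = 1
        ForEach ($NSG in $NSGs) {
            $NSGRules = $Null
            $NSGName = $Null
            $NSGResourceGroupName = $Null
            $NSGRules = $NSG.SecurityRules
            $NSGName = $NSG.Name
            $NSGResourceGroupName = $NSG.ResourceGroupName
            Write-Log Warning -Message "The Script is analyzing the following NSGs: $NSGName --- $ii/$NSGsCount"
            [Int]$iii = 1
            $NSGRulesCount = ($NSGRules | Measure).count
            Write-Log Warning -Message "NSG Rules found: $NSGRulesCount"
            ForEach ($NSGRule in $NSGRules) {
                $NSGRuleName = $Null
                $NSGRuleProtocol = $Null
                $NSGRuleSourcePortRange = $Null
                $NSGRuleSourceAddressPrefix = $Null
                $NSGRuleSourceApplicationSecurityGroups = $Null
                $NSGRuleDestinationPortRange = $Null
                $NSGRuleDestionationAddressPrefix = $Null
                $NSGRuleAccess = $Null
                $NSGRulePriority = $Null
                $NSGRuleDirection = $Null
                $NSGRuleName = $NSGRule.Name
                $NSGRuleProtocol = $NSGRule.Protocol
                $NSGRuleSourcePortRange = $NSGRule.SourcePortRange -join "-"
                $NSGRuleSourceAddressPrefix = $NSGRule.SourceAddressPrefix -join "-"
                $NSGRuleSourceApplicationSecurityGroups = $NSGRule.SourceApplicationSecurityGroups -join "-"
                $NSGRuleDestinationPortRange = $NSGRule.DestinationPortRange -join "-"
                $NSGRuleDestionationAddressPrefix = $NSGRule.DestionationAddressPrefix -join "-"
                $NSGRuleAccess = $NSGRule.Access
                $NSGRulePriority = $NSGRule.Priority
                $NSGRuleDirection = $NSGRule.Direction
                Write-log Warning -message "The script is analyzing $AzSubscriptionRoleAssignementDisplayName ….. 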
--- $iii/$NSGRulesCount" $Table += New-object PSobject -Property ([Ordered] @{ AzSubName = $AzSubName; NSGName = $NSGName; NSGResourceGroupName = $NSGResourceGroupName; NSGRuleName = $NSGRuleName; NSGRuleProtocol = $NSGRuleProtocol; NSGRuleAccess = $NSGRuleAccess; NSGRulePriority = $NSGRulePriority; NSGRuleDirection = $NSGRuleDirection; NSGRuleSourcePortRange = $NSGRuleSourcePortRange; NSGRuleSourceAddressPrefix = $NSGRuleSourceAddressPrefix; NSGRuleSourceApplicationSecurityGroups = $NSGRuleSourceApplicationSecurityGroups; NSGRuleDestinationPortRange = $NSGRuleDestinationPortRange; NSGRuleDestionationAddressPrefix = $NSGRuleDestionationAddressPrefix; }) $iii++ } $ii++ } $i++ } $DateFull = Get-Date -Format "ddMMyyyy_HH-mm-ss" $ReportFilexlsx = ".\Report_All_AzSubscriptions_NSGs_ " + $DateFull + ".xlsx" $Table | Export-Excel $ReportFilexlsx -TableName "AzSubscriptionsNSGs" -Title "AzSubscriptions NSGs" -TitleBold -WorksheetName "AzSubscriptionsNSGs" -TableStyle Medium9 -AutoSize -AutoFilter Write-log INFO -Message "Generate the following Report: $ReportFilexlsx" } #endregion #region Sentinel #################################################### ############################## Sentinel ################ #################################################### Function Close-AzSentinelIncidentByTitle { param ( [Parameter(Mandatory = $true, Position = 1)] [string]$ResourceGroupName, [Parameter(Mandatory = $true, Position = 2)] [string]$WorkspaceName, [Parameter(Mandatory = $true, Position = 3)] [string]$ClosureComment, [Parameter(Mandatory = $true, Position = 4)] [String]$OwnerEmail ) # Connect and Select Az Sub #Connect-Az #Switch-AzSubscription Try { Write-Log warning -Message "The script will try to retreive all Sentinel incidents for review" # Get the list of incidents $AllIncidents = Get-AzSentinelIncident -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName $AllIncidentsCount = ($AllIncidents | Measure).count Write-Log info -Message "The script retreived 
all Sentinel incidents : $AllIncidentsCount" $Incidents = $AllIncidents | Where-Object { $_.Status -ne "Closed" } $AllClosedIncidentsCount = ($Incidents | Measure).count Write-Log info -Message "The script retreived all Closed Sentinel incidents for review : $AllClosedIncidentsCount" $SelectedIncidentsByTitle = $Incidents | group Title | Select Count, Name | sort Count -Descending | Out-GridView -PassThru -Title 'Select One Title, then click on OK to validate your selection' $FilteredIncidentTitle = $SelectedIncidentsByTitle.Name # Filter incidents by title $filteredIncidents = $incidents | Where-Object { $_.Title -eq $FilteredIncidentTitle } #$filteredIncidents = $filteredIncidents | select -First 3 $Count = ($filteredIncidents | Measure).count Write-Log Info -Message "The script will filter all Incidents based on Title ($FilteredIncidentTitle ) and status is not closed : $Count" $Status = "Success" } Catch { $ErrorMessage = $Error[0].Exception.Message $CMDLet = $Error[0].InvocationInfo.Line $FailedItem = $Error[0].Exception.ItemName Write-Log Error -Message "Failed to retreive Sentinel Incidents" Write-Log Error -Message "Failed to run the following CMDLet: $CMDLet" Write-Log Error -Message "Failed with Error:$ErrorMessage" $Status = "Failed" Read-Host "Exit" Exit } #Initiate the Hash Table [Int]$i = 1 $Table = $Null $Table = @() ForEach ($incident in $filteredIncidents) { $IncidentDescription = $Null $IncidentDescription = $incident.Description $IncidentName = $Null $IncidentName = $incident.Name $IncidentStatus = $Null $IncidentStatus = $incident.Status $IncidentSeverity = $Null $IncidentSeverity = $incident.Severity $IncidentTitle = $Null $IncidentTitle = $incident.Title $IncidentProviderIncidentId = $Null $IncidentProviderIncidentId = $incident.ProviderIncidentId Write-log Warning -message "The script is analyzing $IncidentProviderIncidentId : $IncidentTitle (Status: $IncidentStatus - Severity: $IncidentSeverity) ….. 
--- $i/$Count" Try { Write-Log warning -Message "The script will try to close the incident $IncidentProviderIncidentId " # Update the incident status to 'Closed' # Read-Host "Pause before change" Update-AzSentinelIncident -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -IncidentId $IncidentName -Status "Closed" -Classification "BenignPositive" -ClassificationComment $Comment -ClassificationReason "SuspiciousButExpected" -OwnerAssignedTo $OwnerEmail -Title $IncidentTitle -Severity "Low" Write-Log Info -Message "The script closed incident $IncidentProviderIncidentId" $ClosureStatus = "Success" } Catch { $ErrorMessage = $Error[0].Exception.Message $CMDLet = $Error[0].InvocationInfo.Line $FailedItem = $Error[0].Exception.ItemName Write-Log Error -Message "Failed to close incident $IncidentProviderIncidentId" Write-Log Error -Message "Failed to run the following CMDLet: $CMDLet" Write-Log Error -Message "Failed with Error:$ErrorMessage" $ClosureStatus = "Failed" } $Table += New-object PSobject -Property ([Ordered] @{ IncidentId = $IncidentProviderIncidentId; IncidentTitle = $IncidentTitle; IncidentStatus = $IncidentStatus; IncidentSeverity = $IncidentSeverity; ClosureStatus = $ClosureStatus; }) $i++ } $DateFull = Get-Date -Format "ddMMyyyy_HH-mm-ss" $ReportFilexlsx = ".\Report_Closed_SentinelIncidents_" + $FilteredIncidentTitle + "_by_" + $OwnerEmail + "_" + $DateFull + ".xlsx" $Table | Export-Excel $ReportFilexlsx -TableName "ClosedSentinelIncidents" -Title "Closed Sentinel Incidents" -TitleBold -WorksheetName "ClosedSentinelIncidents" -TableStyle Medium9 -AutoSize -AutoFilter Write-log INFO -Message "Generate the following Report: $ReportFilexlsx" } Function Query-MicrosoftSentinel { [CmdletBinding()] param ( [Parameter(Mandatory = $true, Position = 1)] [String]$WorkspaceID, [Parameter(Mandatory = $true, Position = 2)] [string]$SubscriptionID, [Parameter(Mandatory = $true, Position = 3)] [string]$SentinelQuery, [Parameter(Mandatory = $true, 
Position = 4)] [int]$Days, [Parameter(Mandatory = $true, Position = 5)] [pscredential]$Credential ) ###### Sentinel Variable $SentinelTimeSpan = New-TimeSpan -day $Days # Establish the connection to Azure (Sentinel) Try { #Write-AzureLog Warning $LogFile "The script will try to connect to Azure (Sentinel)" Login-AzAccount -Credential $Credential Update-AzConfig -DefaultSubscriptionForLogin $SubscriptionID #Write-AzureLog INFO $LogFile "The script successfully connect to Azure (Sentinel)" } Catch { $ErrorMessage = $Error[0].Exception.Message $CMDLet = $Error[0].InvocationInfo.Line $FailedItem = $Error[0].Exception.ItemName Write-AzureLog Error $LogFile "Failed to connect to Azure (Sentinel)" Write-AzureLog Error $LogFile "Failed to run the following CMDLet: $CMDLet" Exit } # Query Sentinel Try { #Write-AzureLog Warning $LogFile "The script will run Sentinel Query : $SentinelQuery within last $Days days" $SentinelQueryResults = $Null $SentinelQueryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceID -Query $SentinelQuery -Timespan $SentinelTimeSpan | select Results -ExpandProperty Results #Write-AzureLog INFO $LogFile "The script successfully run Sentinel Query within the last $Days days" # Generate CSV file: $SentinelQueryResultsCount = ($SentinelQueryResults | Measure).count #Write-AzureLog Warning $LogFile "$SentinelQueryResultsCount Results from Sentinel Query." 
} Catch { $ErrorMessage = $Error[0].Exception.Message $CMDLet = $Error[0].InvocationInfo.Line $FailedItem = $Error[0].Exception.ItemName Write-AzureLog Error $LogFile "Failed to run Sentinel Query within the last $Days days: $ErrorMessage" Write-AzureLog Error $LogFile "Failed to run the following CMDLet: $CMDLet" } $SentinelQueryResults } #endregion #region OpenAI #################################################### ############################## OpenAI ################ #################################################### Function Connect-OpenAI { [CmdletBinding()] param ( [Parameter(Mandatory = $true, Position = 1)] [String]$Key ) $env:OpenAIKey = $Key } Function Ask-ChatGPT { [CmdletBinding()] param ( [Parameter(Mandatory = $true, Position = 1)] [String]$Question ) Get-GPT3Completion -prompt $Question } #endregion |