<#
.SYNOPSIS
    Enables rules in a Sentinel rules CSV whose required connectors, data types,
    tactics and techniques match the given filters, then rewrites the CSV in place.
.PARAMETER csvPath
    Path of the rules CSV. Defaults to AzureSentinelRules.csv in the current directory.
.PARAMETER inputConnectors
    Connector names available to the caller. Empty means "do not filter on connectors".
.PARAMETER inputDataTypes
    Data type names available to the caller. Empty means "do not filter on data types".
.PARAMETER ruleTypeFilter
    When set, only rows whose Type column equals this value are considered.
.PARAMETER inputTactics
    Tactics of interest. Empty means "do not filter on tactics".
.PARAMETER inputTechniques
    Techniques of interest. Empty means "do not filter on techniques".
#>
[CmdletBinding()]
param (
    [string]$csvPath = (Join-Path -Path $PWD -ChildPath "./AzureSentinelRules.csv"),
    [array]$inputConnectors = @(),
    [array]$inputDataTypes = @(),
    [string]$ruleTypeFilter,
    [array]$inputTactics = @(),
    [array]$inputTechniques = @()
)
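function Parse-DataConnectors {
    <#
    .SYNOPSIS
        Parses a rule's RequiredDataConnectors string into a connector -> data types map.
    .DESCRIPTION
        Expected format: "ConnectorA:TypeX,TypeY;ConnectorB:TypeZ". Entries that do not
        contain exactly one ':' are skipped. Data types are trimmed, de-duplicated and
        sorted; a connector that appears more than once has its data types merged.
    .PARAMETER dataConnectorsString
        Semicolon-separated "connector:type1,type2" entries. Null/blank yields an empty map.
    .OUTPUTS
        [hashtable] keyed by connector name; each value is always a string[] of data types.
    #>
    param (
        [string]$dataConnectorsString
    )
    $connectorDataTypeMap = @{}
    if ([string]::IsNullOrWhiteSpace($dataConnectorsString)) {
        return $connectorDataTypeMap
    }
    foreach ($entry in ($dataConnectorsString -split ';')) {
        $parts = $entry -split ':'
        # Only "name:types" entries are well-formed; anything else is ignored.
        if ($parts.Length -ne 2) {
            continue
        }
        $connectorName = $parts[0].Trim()
        $dataTypes = @($parts[1].Trim() -split ',' | ForEach-Object { $_.Trim() })
        if (-not $connectorDataTypeMap.ContainsKey($connectorName)) {
            $connectorDataTypeMap[$connectorName] = @()
        }
        # @(...) keeps the stored value an array even when Sort-Object -Unique returns a single
        # element; without it a repeated connector would string-concatenate on the next merge.
        $connectorDataTypeMap[$connectorName] = @($connectorDataTypeMap[$connectorName] + $dataTypes | Sort-Object -Unique)
    }
    return $connectorDataTypeMap
}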
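function Should-EnableRule {
    <#
    .SYNOPSIS
        Decides whether a rule matches the caller's connector, data type, tactic and technique filters.
    .DESCRIPTION
        A filter is applied only when its input array is non-empty. A rule passes a filter when
        every value the rule declares is present in the input list (subset semantics); for
        tactics/techniques the rule must additionally declare at least one value.
    .PARAMETER ruleConnectors
        Connector name -> data types map for the rule (output of Parse-DataConnectors).
    .PARAMETER inputConnectors
        Connectors the caller has; a rule requiring any other connector is rejected.
    .PARAMETER inputDataTypes
        Data types the caller has; a rule requiring any other data type is rejected.
    .PARAMETER ruleTactics
        Tactics declared by the rule.
    .PARAMETER ruleTechniques
        Techniques declared by the rule.
    .PARAMETER inputTactics
        Tactics of interest; a rule with no tactics, or a tactic outside this list, is rejected.
    .PARAMETER inputTechniques
        Techniques of interest; same semantics as inputTactics.
    .OUTPUTS
        [bool] $true when the rule should be enabled.
    #>
    param (
        [hashtable]$ruleConnectors,
        [array]$inputConnectors,
        [array]$inputDataTypes,
        [array]$ruleTactics,
        [array]$ruleTechniques,
        [array]$inputTactics,
        [array]$inputTechniques
    )
    # 1. Connectors: every connector the rule requires must be in the input list.
    #    NOTE: "-not $list -contains $x" parses as "(-not $list) -contains $x" and never
    #    rejects anything, so -notcontains is used for these checks.
    if ($inputConnectors.Count -gt 0) {
        foreach ($connector in $ruleConnectors.Keys) {
            if ($inputConnectors -notcontains $connector) {
                return $false
            }
        }
    }
    # 2. Data types: every data type of every required connector must be in the input list.
    if ($inputDataTypes.Count -gt 0) {
        foreach ($connector in $ruleConnectors.Keys) {
            foreach ($dataType in @($ruleConnectors[$connector])) {
                if ($inputDataTypes -notcontains $dataType) {
                    return $false
                }
            }
        }
    }
    # 3. Tactics: the rule must declare at least one, and none may fall outside the input list.
    if ($inputTactics.Count -gt 0) {
        $unmatchedTactics = @($ruleTactics | Where-Object { $inputTactics -notcontains $_ })
        if ($ruleTactics.Count -eq 0 -or $unmatchedTactics.Count -gt 0) {
            return $false
        }
    }
    # 4. Techniques: same rule as tactics.
    if ($inputTechniques.Count -gt 0) {
        $unmatchedTechniques = @($ruleTechniques | Where-Object { $inputTechniques -notcontains $_ })
        if ($ruleTechniques.Count -eq 0 -or $unmatchedTechniques.Count -gt 0) {
            return $false
        }
    }
    return $true
}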
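function Update-Csv {
    <#
    .SYNOPSIS
        Enables every not-yet-enabled rule in the CSV that matches the filters and rewrites the CSV in place.
    .PARAMETER csvPath
        Path of the rules CSV. The file is overwritten with the updated rows in a fixed column order.
    .PARAMETER inputConnectors
        Connector filter; empty disables the check (see Should-EnableRule).
    .PARAMETER inputDataTypes
        Data type filter; empty disables the check.
    .PARAMETER ruleTypeFilter
        When non-empty, only rows whose Type column equals this value are considered.
    .PARAMETER inputTactics
        Tactic filter; empty disables the check.
    .PARAMETER inputTechniques
        Technique filter; empty disables the check.
    .OUTPUTS
        None. Per-rule progress and the final count are written to the host.
    #>
    param (
        [string]$csvPath,
        [array]$inputConnectors,
        [array]$inputDataTypes,
        [string]$ruleTypeFilter,
        [array]$inputTactics,
        [array]$inputTechniques
    )

    # Splits a comma-separated CSV cell into trimmed, non-blank entries so that an
    # empty cell or a trailing comma is not treated as a tactic/technique named "".
    function Split-ListColumn ([string]$value) {
        if ([string]::IsNullOrWhiteSpace($value)) {
            return @()
        }
        return @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    }

    # -ErrorAction Stop: an unreadable file must abort rather than silently yield no rows.
    $csvData = @(Import-Csv -Path $csvPath -ErrorAction Stop)
    if ($csvData.Count -eq 0) {
        # No rows: do not overwrite the input file with an empty document.
        Write-Host "0 rules were updated and enabled."
        return
    }

    $counter = 0
    foreach ($row in $csvData) {
        # Rules that are already enabled are left untouched and not counted.
        if ($row.CurrentlyEnabled -eq "True") {
            continue
        }
        # Filter by rule type if provided (filter IN).
        if ($ruleTypeFilter -and $row.Type -ne $ruleTypeFilter) {
            continue
        }
        $ruleTactics = @(Split-ListColumn $row.Tactics)
        $ruleTechniques = @(Split-ListColumn $row.RelevantTechniques)
        $ruleConnectors = Parse-DataConnectors -dataConnectorsString $row.RequiredDataConnectors
        $shouldEnable = Should-EnableRule -ruleConnectors $ruleConnectors `
            -inputConnectors $inputConnectors `
            -inputDataTypes $inputDataTypes `
            -ruleTactics $ruleTactics `
            -ruleTechniques $ruleTechniques `
            -inputTactics $inputTactics `
            -inputTechniques $inputTechniques
        if ($shouldEnable) {
            $row.CurrentlyEnabled = "True"
            Write-Host "Rule $($row.Id) enabled based on the input criteria." -ForegroundColor Green
            $counter++
        }
    }

    # Pin the column order so the rewritten file keeps the layout downstream tooling expects;
    # Select-Object adds any missing column as empty.
    $columnOrder = @(
        "RequiredDataConnectors", "TriggerThreshold", "Metadata", "QueryFrequency", "Version",
        "Name", "Tactics", "EntityMappings", "Link", "Description", "FriendlyName", "Severity",
        "NameGuid", "RelevantTechniques", "CurrentlyEnabled", "QueryPeriod", "SuppressionEnabled",
        "AlertDetailsOverride", "Id", "Type", "CustomDetails", "Added", "TriggerOperator",
        "SuppressionDuration", "Query"
    )
    $orderedCsvData = $csvData | Select-Object -Property $columnOrder
    # Writes back to the same path; the whole file was already read into memory above.
    $orderedCsvData | Export-Csv -Path $csvPath -NoTypeInformation -Force
    Write-Host "$counter rules were updated and enabled."
}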
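# Entry point. -PathType Leaf rejects directories, which Test-Path alone accepts and
# which would only fail later inside Import-Csv.
if (Test-Path -Path $csvPath -PathType Leaf) {
    Update-Csv -csvPath $csvPath `
        -inputConnectors $inputConnectors `
        -inputDataTypes $inputDataTypes `
        -ruleTypeFilter $ruleTypeFilter `
        -inputTactics $inputTactics `
        -inputTechniques $inputTechniques
} else {
    Write-Host "$csvPath does not exist. Please provide a valid CSV file path."
}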