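# Interactive deployment of Azure Monitor scheduled-query (log) alert rules.
#
# Flow (statement run at the bottom of the file): pick a subscription, a
# resource group, an action group (or create one) and a Log Analytics
# workspace, then create one scheduled-query rule per file found in the
# "Alert Detection Rules" folder (relative to the current working directory).
#
# Requires the Az.Accounts, Az.Resources, Az.Monitor and Az.OperationalInsights
# modules and an existing Connect-AzAccount session.
#
# Security notes:
#   * An earlier revision of this file embedded an Azure Automation webhook URI
#     (including its ?token=... secret) and a Teams channel e-mail address as
#     literals. Anyone with a copy of that file could trigger the runbook.
#     Those values are now taken from environment variables or prompted for,
#     and the previously committed webhook must be treated as compromised:
#     delete it in the Automation account and create a new one.
#   * The webhook receiver is created with UseAadAuth = $false, so the token in
#     the URI is the only authentication. Prefer an Entra ID (AAD)
#     authenticated receiver where the target endpoint supports it.

# A failed Az call must stop the run instead of letting later steps operate on $null.
$ErrorActionPreference = 'Stop'

function Write-Title {
    <#
    .SYNOPSIS
        Writes a heading followed by an underline of the same length.
    .PARAMETER Title
        Heading text; one '-' is written per character of it.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$Title
    )
    Write-Host $Title
    Write-Host ('-' * $Title.Length)
}

function Select-MenuItem {
    <#
    .SYNOPSIS
        Prints a numbered menu and returns the value of the item the operator picks.
    .DESCRIPTION
        Shared by the Set-*Variable functions. Re-prompts until a valid index is
        typed (or "0" when -AllowCreate is set), so a typo can no longer fall
        through as $null into the next Az cmdlet call.
    .PARAMETER Items
        Objects to list; may be empty.
    .PARAMETER Label
        Script block mapping an item to its display text.
    .PARAMETER Value
        Script block mapping the chosen item to the value to return.
    .PARAMETER Prompt
        Text shown by Read-Host.
    .PARAMETER AllowCreate
        Accept "0" and return $null so the caller can create a new item.
    .OUTPUTS
        The selected value, or $null when the operator chose 0.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [AllowNull()]
        [AllowEmptyCollection()]
        [object[]]$Items,
        [Parameter(Mandatory = $true)]
        [scriptblock]$Label,
        [Parameter(Mandatory = $true)]
        [scriptblock]$Value,
        [Parameter(Mandatory = $true)]
        [string]$Prompt,
        [switch]$AllowCreate
    )

    $Items = @($Items | Where-Object { $null -ne $_ })
    if ($Items.Count -eq 0 -and -not $AllowCreate) {
        throw "Nothing to select from for '$Prompt'. Check the signed-in account and subscription context."
    }

    $index = 1
    foreach ($item in $Items) {
        Write-Host "$index. $(& $Label $item)"
        $index++
    }
    Write-Host

    while ($true) {
        $selected = Read-Host -Prompt $Prompt
        if ($AllowCreate -and $selected -eq '0') {
            return $null
        }
        $n = 0
        if ([int]::TryParse($selected, [ref]$n) -and $n -ge 1 -and $n -le $Items.Count) {
            return & $Value $Items[$n - 1]
        }
        $hint = if ($AllowCreate) { " (or 0 to create a new one)" } else { "" }
        Write-Host "Invalid selection '$selected'; enter a number between 1 and $($Items.Count)$hint."
    }
}

function Set-AzureSubscriptionVariable {
    <#
    .SYNOPSIS
        Lists the subscriptions visible to the signed-in account and returns the chosen subscription Id.
    #>
    Write-Title -Title "Azure Subscriptions"
    $subscriptions = @(Get-AzSubscription)
    Select-MenuItem -Items $subscriptions `
        -Label { param($s) $s.Name } `
        -Value { param($s) $s.Id } `
        -Prompt "Select Azure Subscription"
}

function New-ResourceGroup {
    <#
    .SYNOPSIS
        Prompts for a name and creates a resource group.
    .PARAMETER Location
        Azure region for the group; defaults to uksouth as before.
    .OUTPUTS
        The resource group NAME. Every caller in this file passes the result as
        -ResourceGroupName, so returning the full ResourceId (as the previous
        version did) made New-AzActionGroup / New-AzScheduledQueryRule fail for
        freshly created groups.
    #>
    [CmdletBinding()]
    param (
        [string]$Location = "uksouth"
    )
    $resourceGroupName = Read-Host -Prompt "Enter the name of the resource group"
    if ([string]::IsNullOrWhiteSpace($resourceGroupName)) {
        throw "Resource group name must not be empty."
    }
    $resource = New-AzResourceGroup -Name $resourceGroupName -Location $Location
    return $resource.ResourceGroupName
}

function Set-ResourceGroupVariable {
    <#
    .SYNOPSIS
        Lets the operator pick an existing resource group or create a new one.
    .OUTPUTS
        The resource group name.
    #>
    Write-Title -Title "Azure Resource Groups"
    $resourceGroups = @(Get-AzResourceGroup)
    $chosen = Select-MenuItem -Items $resourceGroups `
        -Label { param($g) $g.ResourceGroupName } `
        -Value { param($g) $g.ResourceGroupName } `
        -Prompt "Select Resource Group (or 0 to create a new one)" `
        -AllowCreate
    if ($null -eq $chosen) {
        return New-ResourceGroup
    }
    return $chosen
}

function New-ActionGroup {
    <#
    .SYNOPSIS
        Creates an action group with one e-mail receiver and one webhook receiver.
    .PARAMETER ResourceGroupName
        Resource group to create the action group in.
    .PARAMETER EmailAddress
        Address for the e-mail receiver. Defaults to $env:ALERT_EMAIL_ADDRESS;
        prompted for when neither is set.
    .PARAMETER WebhookUri
        Full webhook URI. For Azure Automation webhooks this carries the secret
        token in the query string, so it is a credential: never hard-code it in
        this file. Defaults to $env:ALERT_WEBHOOK_URI; prompted for (masked)
        when neither is set.
    .OUTPUTS
        The resource Id of the new action group.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$ResourceGroupName,
        [string]$EmailAddress = $env:ALERT_EMAIL_ADDRESS,
        [string]$WebhookUri = $env:ALERT_WEBHOOK_URI
    )

    $actionGroupName = Read-Host -Prompt "Enter the name of the action group"
    if ([string]::IsNullOrWhiteSpace($actionGroupName)) {
        throw "Action group name must not be empty."
    }

    if ([string]::IsNullOrWhiteSpace($EmailAddress)) {
        $EmailAddress = Read-Host -Prompt "Enter the e-mail address for alert notifications"
    }
    if ([string]::IsNullOrWhiteSpace($WebhookUri)) {
        # -AsSecureString keeps the token out of the console echo and any transcript.
        $secureUri = Read-Host -Prompt "Enter the webhook URI (including its token)" -AsSecureString
        $WebhookUri = [System.Net.NetworkCredential]::new('', $secureUri).Password
    }
    if ($WebhookUri -notmatch '^https://') {
        # The token is a bearer-equivalent secret; refuse to ship it over plain HTTP.
        throw "Webhook URI must use https."
    }

    # "global" is the only location action groups accept.
    $location = "global"

    $emailReceiverParams = @{
        Name                 = "PMM-EmailAlerts-Dev"
        EmailAddress         = $EmailAddress
        UseCommonAlertSchema = $false
    }
    $emailReceiver = New-AzActionGroupEmailReceiverObject @emailReceiverParams

    $webhookReceiverParams = @{
        Name                 = "LogAlertsV2"
        ServiceUri           = $WebhookUri
        UseCommonAlertSchema = $true
        # NOTE(review): token-in-URI auth only; switch to an AAD-authenticated
        # receiver if the target supports it.
        UseAadAuth           = $false
    }
    $webhookReceiver = New-AzActionGroupWebhookReceiverObject @webhookReceiverParams

    $actionGroupParams = @{
        ResourceGroupName = $ResourceGroupName
        Name              = $actionGroupName
        Location          = $location
        # NOTE(review): ShortName is the name as typed; Azure caps ShortName at
        # 12 characters, so longer names may be rejected by the API — confirm.
        ShortName         = $actionGroupName
        EmailReceiver     = $emailReceiver
        WebhookReceiver   = $webhookReceiver
        Enabled           = $true
    }
    $resource = New-AzActionGroup @actionGroupParams
    return $resource.Id
}

function Set-ActionGroupVariable {
    <#
    .SYNOPSIS
        Lets the operator pick an existing action group (subscription-wide) or create a new one.
    .PARAMETER ResourceGroupName
        Resource group used only when a new action group is created.
    .OUTPUTS
        The action group resource Id.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$ResourceGroupName
    )
    Write-Title -Title "Azure Action Groups"
    $actionGroups = @(Get-AzActionGroup)
    $chosen = Select-MenuItem -Items $actionGroups `
        -Label { param($a) $a.Name } `
        -Value { param($a) $a.Id } `
        -Prompt "Select Action Group (or 0 to create a new one)" `
        -AllowCreate
    if ($null -eq $chosen) {
        return New-ActionGroup -ResourceGroupName $ResourceGroupName
    }
    return $chosen
}

function Set-LogAnalyticsWorkspaceVariable {
    <#
    .SYNOPSIS
        Lets the operator pick a Log Analytics workspace.
    .OUTPUTS
        The workspace ResourceId.
    #>
    Write-Title -Title "Azure Log Analytics Workspaces"
    $workspaces = @(Get-AzOperationalInsightsWorkspace)
    Select-MenuItem -Items $workspaces `
        -Label { param($w) $w.Name } `
        -Value { param($w) $w.ResourceId } `
        -Prompt "Select Log Analytics Workspace"
}

function Set-DetectionRules {
    <#
    .SYNOPSIS
        Creates one scheduled-query rule per query file in the rules folder.
    .DESCRIPTION
        The previous version had its [Parameter] attributes outside a param()
        block, so the parameters were never declared and the body silently read
        the script-level $resourceGroup / $actionGroup / $logAnalyticsWorkspace
        variables instead. The declared parameters are now actually used.
    .PARAMETER ResourceGroupName
        Resource group the rules are created in.
    .PARAMETER ActionGroupId
        Action group resource Id to attach to every rule.
    .PARAMETER LogAnalyticsWorkspaceId
        Workspace ResourceId used as the rule scope / target.
    .PARAMETER RulesPath
        Folder containing one query file per rule (file name without extension
        becomes the rule name). Relative paths resolve against the current
        working directory, as before.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$ResourceGroupName,
        [Parameter(Mandatory = $true)]
        [string]$ActionGroupId,
        [Parameter(Mandatory = $true)]
        [string]$LogAnalyticsWorkspaceId,
        [string]$RulesPath = "Alert Detection Rules"
    )

    if (-not (Test-Path -LiteralPath $RulesPath -PathType Container)) {
        throw "Rules folder '$RulesPath' not found (resolved from '$PWD')."
    }
    # -File: a sub-folder would otherwise be read with Get-Content and fail.
    $rules = @(Get-ChildItem -LiteralPath $RulesPath -File)
    if ($rules.Count -eq 0) {
        Write-Warning "No rule files found in '$RulesPath'."
        return
    }

    foreach ($rule in $rules) {
        $query = Get-Content -LiteralPath $rule.FullName -Raw
        if ([string]::IsNullOrWhiteSpace($query)) {
            Write-Warning "Skipping empty rule file '$($rule.Name)'."
            continue
        }
        $ruleName = $rule.Name -replace "\.[^.]+$", ""
        Write-Host "Processing $ruleName..." -NoNewline
        $detectionRuleParams = @{
            Query                   = $query
            Name                    = $ruleName
            ResourceGroupName       = $ResourceGroupName
            ActionGroupId           = $ActionGroupId
            LogAnalyticsWorkspaceId = $LogAnalyticsWorkspaceId
        }
        $null = Set-DetectionRule @detectionRuleParams
        Write-Host "Done"
    }
}

function Set-DetectionRule {
    <#
    .SYNOPSIS
        Creates a single scheduled-query (log) alert rule.
    .DESCRIPTION
        The rule evaluates every 15 minutes over a 15-minute window and fires
        when the query returns more than 0 rows, split by the AADTenantId
        dimension (all values included).
    .PARAMETER Query
        KQL query text.
    .PARAMETER Name
        Used for both Name and DisplayName.
    .PARAMETER ResourceGroupName
        Resource group to create the rule in.
    .PARAMETER ActionGroupId
        Action group resource Id to notify.
    .PARAMETER LogAnalyticsWorkspaceId
        Workspace ResourceId used as Scope and TargetResource.
    .PARAMETER Location
        Region of the rule resource; defaults to uksouth as before.
    .PARAMETER Severity
        Alert severity; defaults to 3 as before.
    .OUTPUTS
        The resource Id of the created rule.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$Query,
        [Parameter(Mandatory = $true)]
        [string]$Name,
        [Parameter(Mandatory = $true)]
        [string]$ResourceGroupName,
        [Parameter(Mandatory = $true)]
        [string]$ActionGroupId,
        [Parameter(Mandatory = $true)]
        [string]$LogAnalyticsWorkspaceId,
        [string]$Location = "uksouth",
        [int]$Severity = 3
    )

    $dimension = New-AzScheduledQueryRuleDimensionObject -Name AADTenantId -Operator Include -Value *
    $condition = New-AzScheduledQueryRuleConditionObject `
        -Dimension $dimension `
        -Query $Query `
        -TimeAggregation "Count" `
        -Operator "GreaterThan" `
        -Threshold "0"

    # Evaluation frequency and look-back window are intentionally the same.
    $timespan = New-TimeSpan -Minutes 15

    $ruleParams = @{
        DisplayName         = $Name
        Name                = $Name
        EvaluationFrequency = $timespan
        Location            = $Location
        WindowSize          = $timespan
        ResourceGroupName   = $ResourceGroupName
        TargetResource      = $LogAnalyticsWorkspaceId
        Severity            = $Severity
        ActionGroup         = $ActionGroupId
        CriterionAllOf      = $condition
        Scope               = $LogAnalyticsWorkspaceId
    }
    $resource = New-AzScheduledQueryRule @ruleParams
    return $resource.Id
}

# --- Script entry point -----------------------------------------------------
$azureSubscription = Set-AzureSubscriptionVariable
Set-AzContext -Subscription $azureSubscription
Write-Host
$resourceGroup = Set-ResourceGroupVariable
Write-Host
$actionGroup = Set-ActionGroupVariable -ResourceGroupName $resourceGroup
Write-Host
$logAnalyticsWorkspace = Set-LogAnalyticsWorkspaceVariable
Set-DetectionRules -ResourceGroupName $resourceGroup -ActionGroupId $actionGroup -LogAnalyticsWorkspaceId $logAnalyticsWorkspace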