IxianPixel/powershell-scripts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
d118b574a9
powershell-scripts/PMM/Set-PMMRules.ps1

230 lines
6.8 KiB
PowerShell
Raw Blame History

function Write-Title {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)]
[string]$Title
)
Write-Host $Title
for ($i = $Title.Length -1; $i -ge 0 ; $i--) {
Write-Host "-" -NoNewline
}
Write-Host
}
function Set-AzureSubscriptionVariable {
Write-Title -Title "Azure Subscriptions"
$subscriptions = Get-AzSubscription
$index = 1
$subscriptionTable = @{}
foreach ($subscription in $subscriptions) {
Write-Host "$index. $($subscription.Name)"
$subscriptionTable["$index"] = $subscription.Id
$index++
}
Write-Host
$selectedValue = Read-Host -Prompt "Select Azure Subscription"
return $subscriptionTable[$selectedValue]
}
function New-ResourceGroup {
$resourceGroupName = Read-Host -Prompt "Enter the name of the resource group"
$resource = New-AzResourceGroup -Name $resourceGroupName -Location "uksouth"
return $resource.ResourceId
}
function Set-ResourceGroupVariable {
Write-Title -Title "Azure Resource Groups"
$resourceGroups = Get-AzResourceGroup
$index = 1
$resourceGroupTable = @{}
foreach ($resourceGroup in $resourceGroups) {
Write-Host "$index. $($resourceGroup.ResourceGroupName)"
$resourceGroupTable["$index"] = $resourceGroup.ResourceGroupName
$index++
}
Write-Host
$selectedValue = Read-Host -Prompt "Select Resource Group (or 0 to create a new one)"
if ($selectedValue -eq "0") {
return New-ResourceGroup
} else {
return $resourceGroupTable[$selectedValue]
}
}
function New-ActionGroup {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)]
[string]$ResourceGroupName
)
$actionGroupName = Read-Host -Prompt "Enter the name of the action group"
$location = "global"
$emailReceiverParams = @{
Name = "PMM-EmailAlerts-Dev"
EmailAddress = "40db3afb.DOHERTYASSOCIATES.onmicrosoft.com@emea.teams.ms"
UseCommonAlertSchema = $false
}
$emailReceiver = New-AzActionGroupEmailReceiverObject @emailReceiverParams
$webhookReceiverParams = @{
Name = "LogAlertsV2"
ServiceUri = "https://7037684a-c132-4a29-ae42-556d05fae681.webhook.uks.azure-automation.net/webhooks?token=Rx%2fqYg642juKtsrhebjWV%2fOt3NlfFG5tXFVkByTejFA%3d"
UseCommonAlertSchema = $true
UseAadAuth = $false
}
$webhookReceiver = New-AzActionGroupWebhookReceiverObject @webhookReceiverParams
$actionGroupParams = @{
ResourceGroupName = $ResourceGroupName
Name = $actionGroupName
Location = $location
ShortName = $actionGroupName
EmailReceiver = $emailReceiver
WebhookReceiver = $webhookReceiver
Enabled = $true
}
$resource = New-AzActionGroup @actionGroupParams
return $resource.Id
}
function Set-ActionGroupVariable {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)]
[string]$ResourceGroupName
)
Write-Title -Title "Azure Action Groups"
$actionGroups = Get-AzActionGroup
$index = 1
$actionGroupTable = @{}
foreach ($actionGroup in $actionGroups) {
Write-Host "$index. $($actionGroup.Name)"
$actionGroupTable["$index"] = $actionGroup.Id
$index++
}
Write-Host
$selectedValue = Read-Host -Prompt "Select Action Group (or 0 to create a new one)"
if ($selectedValue -eq "0") {
return New-ActionGroup -ResourceGroupName $ResourceGroupName
} else {
return $actionGroupTable[$selectedValue]
}
}
function Set-LogAnalyticsWorkspaceVariable {
Write-Title -Title "Azure Log Analytics Workspaces"
$logAnalyticsWorkspaces = Get-AzOperationalInsightsWorkspace
$index = 1
$lawTable = @{}
foreach ($logAnalyticsWorkspace in $logAnalyticsWorkspaces) {
Write-Host "$index. $($logAnalyticsWorkspace.Name)"
$lawTable["$index"] = $logAnalyticsWorkspace.ResourceId
$index++
}
Write-Host
$selectedValue = Read-Host -Prompt "Select Log Analytics Workspace"
return $lawTable[$selectedValue]
}
function Set-DetectionRules {
[Parameter(Mandatory=$true)]
[string]$ResourceGroupName,
[Parameter(Mandatory=$true)]
[string]$ActionGroupId,
[Parameter(Mandatory=$true)]
[string]$LogAnalyticsWorkspaceId
$rules = Get-ChildItem "Alert Detection Rules"
foreach ($rule in $rules) {
$query = Get-Content -Path $rule.FullName -Raw
$fileNameWithoutExtension = $rule.Name -replace "\.[^.]+$", ""
Write-Host "Processing $fileNameWithoutExtension..." -NoNewline
$detectionRuleParams = @{
Query = $query
Name = $fileNameWithoutExtension
ResourceGroupName = $resourceGroup
ActionGroupId = $actionGroup
LogAnalyticsWorkspaceId = $logAnalyticsWorkspace
}
Set-DetectionRule @detectionRuleParams
Write-Host "Done"
}
}
function Set-DetectionRule {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)]
[string]$Query,
[Parameter(Mandatory=$true)]
[string]$Name,
[Parameter(Mandatory=$true)]
[string]$ResourceGroupName,
[Parameter(Mandatory=$true)]
[string]$ActionGroupId,
[Parameter(Mandatory=$true)]
[string]$LogAnalyticsWorkspaceId
)
$dimension = New-AzScheduledQueryRuleDimensionObject -Name AADTenantId -Operator Include -Value *
$condition=New-AzScheduledQueryRuleConditionObject -Dimension $dimension -Query $Query -TimeAggregation "Count" -Operator "GreaterThan" -Threshold "0"
$timespan = New-TimeSpan -Minutes 15
$location = "uksouth"
$severity = 3
$ruleParams = @{
DisplayName = $Name
Name = $Name
EvaluationFrequency = $timespan
Location = $location
WindowSize = $timespan
ResourceGroupName = $ResourceGroupName
TargetResource = $LogAnalyticsWorkspaceId
Severity = $severity
ActionGroup = $ActionGroupId
CriterionAllOf = $condition
Scope = $LogAnalyticsWorkspaceId
}
$resource = New-AzScheduledQueryRule @ruleParams
}
# Set-DetectionRules
$azureSubscription = Set-AzureSubscriptionVariable
Set-AzContext -Subscription $azureSubscription
Write-Host
$resourceGroup = Set-ResourceGroupVariable
Write-Host
$actionGroup = Set-ActionGroupVariable -ResourceGroupName $resourceGroup
Write-Host
$logAnalyticsWorkspace = Set-LogAnalyticsWorkspaceVariable
Set-DetectionRules -ResourceGroupName $resourceGroup -ActionGroupId $actionGroup -LogAnalyticsWorkspaceId $logAnalyticsWorkspace
Reference in New Issue View Git Blame Copy Permalink