diff --git a/src/Public/Exabeam/Correlation/Get-ExaCorrelationRules.ps1 b/src/Public/Exabeam/Correlation/Get-ExaCorrelationRules.ps1
new file mode 100644
index 0000000..f336ad1
--- /dev/null
+++ b/src/Public/Exabeam/Correlation/Get-ExaCorrelationRules.ps1
@@ -0,0 +1,92 @@ +using namespace System +using namespace System.IO +using namespace System.Collections.Generic + +Function Get-ExaCorrelationRules { + <# + .SYNOPSIS + Get a list of Correlation Rules. + .DESCRIPTION + Returns a list of all correlation rules that match the name. + .PARAMETER Credential + PSCredential containing an API Token in the Password field. + .INPUTS + The Name parameter can be provided via the PowerShell pipeline. + .OUTPUTS + PSCustomObject representing the specified LogRhythm List and its contents. + + If parameter ListItemsOnly is specified, a string collection is returned containing the + list's item values. + .EXAMPLE + PS C:\> Get-ExaCorrelationRules + --- + + .NOTES + Exabeam-API + .LINK + https://github.com/LogRhythm-Tools/LogRhythm.Tools + #> + + [CmdletBinding()] + Param( + [Parameter(Mandatory = $false, Position = 0)] + [ValidateNotNull()] + [string] $Name, + + [Parameter(Mandatory = $false, Position = 1)] + [ValidateNotNull()] + [pscredential] $Credential = $LrtConfig.Exabeam.ApiKey + ) + + Begin { + $Me = $MyInvocation.MyCommand.Name + Set-LrtExaToken + # Request Setup + $BaseUrl = $LrtConfig.Exabeam.BaseUrl + $Token = $LrtConfig.Exabeam.Token.access_token + + # Define HTTP Headers + $Headers = [Dictionary[string,string]]::new() + $Headers.Add("accept", "application/json") + $Headers.Add("Authorization", "Bearer $Token") + + # Define HTTP Method + $Method = $HttpMethod.Get + + # Define HTTP URI + $RequestUrl = $BaseUrl + "correlation-rules/v2/rules" + + # Check preference requirements for self-signed certificates and set enforcement for Tls1.2 + Enable-TrustAllCertsPolicy + } + + Process { + + + $QueryParams = [Dictionary[string,string]]::new() + + if ($Name) { + $QueryParams.Add('nameContains', $Name) + } + + + if ($QueryParams.Count -gt 0) { + $QueryString = $QueryParams | ConvertTo-QueryString + Write-Verbose "[$Me]: QueryString is [$QueryString]" + $RequestUrl += $QueryString + } + + Write-Verbose "[$Me]: Request URL: 
$RequestUrl"
+
+ # Send Request
+ $Response = Invoke-RestAPIMethod -Uri $RequestUrl -Headers $Headers -Method $Method -Origin $Me
+ if (($null -ne $Response.Error) -and ($Response.Error -eq $true)) {
+ return $Response
+ }
+
+
+ return $Response
+ }
+
+ End { }
+}
\ No newline at end of file
diff --git a/src/Public/Exabeam/Search/Get-ExaSearch.ps1 b/src/Public/Exabeam/Search/Get-ExaSearch.ps1
index 6368795..a1b529a 100644
--- a/src/Public/Exabeam/Search/Get-ExaSearch.ps1
+++ b/src/Public/Exabeam/Search/Get-ExaSearch.ps1
@@ -43,6 +43,10 @@ Function Get-ExaSearch {
 [ValidateNotNull()]
 [string[]] $Fields,
 
+ [Parameter(Mandatory = $false, Position = 5)]
+ [ValidateNotNull()]
+ [int] $Limit = 1000000,
+
 [Parameter(Mandatory = $false, Position = 5)]
 [ValidateNotNull()]
 [string[]] $ShaFields,
@@ -109,7 +113,7 @@ Function Get-ExaSearch {
 }
 
 $body = [PSCustomObject]@{
- limit = 1000000
+ limit = $Limit
 distinct = $Distinct
 filter = $Filter
 startTime = $startTime
diff --git a/src/Public/RecordedFuture/General/Invoke-RfExaSync.ps1 b/src/Public/RecordedFuture/General/Invoke-RfExaSync.ps1
index c692c81..38c8a6f 100644
--- a/src/Public/RecordedFuture/General/Invoke-RfExaSync.ps1
+++ b/src/Public/RecordedFuture/General/Invoke-RfExaSync.ps1
@@ -114,7 +114,7 @@ Function Invoke-RfExaSync {
 }
 }
 
- $Results = Add-ExaContextRecords -ContextId $ListStatusHash.id -Data $RfHashRiskDescriptions -Operation 'append'
+ $Results = Add-ExaContextRecords -ContextId $ListStatusHash.id -Data $RfHashRiskDescriptions -Operation 'replace'
 Start-Sleep -Seconds 30
 
 # User Enabled Hash List
@@ -165,7 +165,7 @@ Function Invoke-RfExaSync {
 }
 }
 
- $Results = Add-ExaContextRecords -ContextId $ListStatusUrl.id -Data $RfUrlRiskDescriptions -Operation 'append'
+ $Results = Add-ExaContextRecords -ContextId $ListStatusUrl.id -Data $RfUrlRiskDescriptions -Operation 'replace'
 Start-Sleep -Seconds 30
 
 # User Enabled URL List
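Review bot: The `$Credential` parameter of Get-ExaCorrelationRules is declared but never read — `Begin` always calls `Set-LrtExaToken` and takes the bearer token from `$LrtConfig.Exabeam.Token.access_token`, so a caller who passes a different credential silently authenticates with the configured one; either feed `$Credential` into the token retrieval or remove the parameter so the signature does not promise what it cannot do. The comment-based help was carried over from a LogRhythm list cmdlet: `.OUTPUTS` describes "the specified LogRhythm List" and a `ListItemsOnly` switch that does not exist here, `.PARAMETER Name` is missing, and `.INPUTS` says `Name` can come from the pipeline although the parameter has no `ValueFromPipeline`; replace that block with `.PARAMETER Name  Optional substring matched against rule names via the nameContains query parameter.` and an `.OUTPUTS` line describing the correlation-rule response. The `if (($null -ne $Response.Error) -and ($Response.Error -eq $true)) { return $Response }` branch is redundant because the next statement returns `$Response` unconditionally. `Enable-TrustAllCertsPolicy` is invoked unconditionally in `Begin` before the bearer token is sent; the comment says it checks preference requirements, so if the helper only relaxes validation when a config flag asks for it this is fine, but that is worth confirming since the call otherwise removes certificate checking for the whole session.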
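Review bot: The new `$Limit` parameter in Get-ExaSearch is declared with `Position = 5`, the same position the unchanged `$ShaFields` parameter directly below it already uses; PowerShell does not allow two parameters in one parameter set to share a position, so invoking the function will likely fail to bind — give `$Limit` the next free position or drop `Position` so it is named-only. `[ValidateNotNull()]` on an `[int]` is a no-op because a value type cannot be null; a range check such as `[ValidateRange(1, [int]::MaxValue)]` would actually constrain the value before it is placed into the request body as `limit` in the second hunk. The rest of Get-ExaSearch's parameter block and body lie outside the hunk.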
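Review bot: Switching `-Operation` from `'append'` to `'replace'` makes every sync destructive: if the Recorded Future pull for a list returns empty or partial data, the existing Exabeam context records are now overwritten with that set instead of left intact, and nothing in the hunk guards the call on `$RfHashRiskDescriptions` actually having content. Unless such a guard exists earlier in the function, wrap the call, e.g. `if ($RfHashRiskDescriptions) { $Results = Add-ExaContextRecords -ContextId $ListStatusHash.id -Data $RfHashRiskDescriptions -Operation 'replace' }`, and examine `$Results` afterward rather than only sleeping, since it is assigned but never inspected within the hunk. The same append-to-replace change with the same missing guard appears in the hunks at -165, -216, -267, -317, -400, -488, -576, -666 and -758 for the other list variables. Invoke-RfExaSync's body extends well beyond every hunk shown, so a shared guard may exist out of view.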
@@ -216,7 +216,7 @@ Function Invoke-RfExaSync {
 }
 }
 
- $Results = Add-ExaContextRecords -ContextId $ListStatusDomain.id -Data $RfDomainRiskDescriptions -Operation 'append'
+ $Results = Add-ExaContextRecords -ContextId $ListStatusDomain.id -Data $RfDomainRiskDescriptions -Operation 'replace'
 Start-Sleep -Seconds 30
 
 # User Enabled URL List
@@ -267,7 +267,7 @@ Function Invoke-RfExaSync {
 }
 }
 
- $Results = Add-ExaContextRecords -ContextId $ListStatusIP.id -Data $RfIPRiskDescriptions -Operation 'append'
+ $Results = Add-ExaContextRecords -ContextId $ListStatusIP.id -Data $RfIPRiskDescriptions -Operation 'replace'
 Start-Sleep -Seconds 30
 
 # User Enabled URL List
@@ -317,7 +317,7 @@ Function Invoke-RfExaSync {
 }
 }
 
- $Results = Add-ExaContextRecords -ContextId $ListStatusVuln.id -Data $RfVulnRiskDescriptions -Operation 'append'
+ $Results = Add-ExaContextRecords -ContextId $ListStatusVuln.id -Data $RfVulnRiskDescriptions -Operation 'replace'
 Start-Sleep -Seconds 30
 
 # User Enabled URL List
@@ -400,7 +400,7 @@ Function Invoke-RfExaSync {
 })
 }
 
- $Results = Add-ExaContextRecords -ContextId $HashListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'append'
+ $Results = Add-ExaContextRecords -ContextId $HashListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'replace'
 }
 
 Write-Host "$(Get-TimeStamp) - Clearing Variables: Hash*"
@@ -488,7 +488,7 @@ Function Invoke-RfExaSync {
 })
 }
 
- $Results = Add-ExaContextRecords -ContextId $UrlListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'append'
+ $Results = Add-ExaContextRecords -ContextId $UrlListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'replace'
 }
 Write-Host "$(Get-TimeStamp) - Clearing Variables: Url*"
 Clear-Variable -Name Url* -ErrorAction SilentlyContinue
@@ -576,7 +576,7 @@ Function Invoke-RfExaSync {
 })
 }
 
- $Results = Add-ExaContextRecords -ContextId $DomainListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'append'
+ $Results = Add-ExaContextRecords -ContextId $DomainListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'replace'
 }
 
 Write-Host "$(Get-TimeStamp) - Clearing Variables: Domain*"
@@ -666,7 +666,7 @@ Function Invoke-RfExaSync {
 })
 }
 
- $Results = Add-ExaContextRecords -ContextId $IPListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'append'
+ $Results = Add-ExaContextRecords -ContextId $IPListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'replace'
 }
 
 Write-Host "$(Get-TimeStamp) - Clearing Variables: IP*"
@@ -758,7 +758,7 @@ Function Invoke-RfExaSync {
 })
 }
 
- $Results = Add-ExaContextRecords -ContextId $VulnListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'append'
+ $Results = Add-ExaContextRecords -ContextId $VulnListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'replace'
 }
 
 Write-Host "$(Get-TimeStamp) - Clearing Variables: Vuln*"