Dev 1.4.0

src/Public/Exabeam/Correlation/Get-ExaCorrelationRules.ps1

@@ -0,0 +1,92 @@
+using namespace System
+using namespace System.IO
+using namespace System.Collections.Generic
+
+Function Get-ExaCorrelationRules {
+    <#
+    .SYNOPSIS
+        Get a list of Correlation Rules.
+    .DESCRIPTION
+        Returns a list of all correlation rules that match the name.
+    .PARAMETER Credential
+        PSCredential containing an API Token in the Password field.
+    .INPUTS
+        The Name parameter can be provided via the PowerShell pipeline.
+    .OUTPUTS
+        PSCustomObject representing the specified LogRhythm List and its contents.
+
+        If parameter ListItemsOnly is specified, a string collection is returned containing the
+        list's item values.
+    .EXAMPLE
+        PS C:\> Get-ExaCorrelationRules
+        ---
+
+    .NOTES
+        Exabeam-API 
+    .LINK
+        https://github.com/LogRhythm-Tools/LogRhythm.Tools
+    #>
+
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory = $false, Position = 0)]
+        [ValidateNotNull()]
+        [string] $Name,
+
+        [Parameter(Mandatory = $false, Position = 1)]
+        [ValidateNotNull()]
+        [pscredential] $Credential = $LrtConfig.Exabeam.ApiKey
+    )
+
+    Begin {
+        $Me = $MyInvocation.MyCommand.Name
+        Set-LrtExaToken
+        # Request Setup
+        $BaseUrl = $LrtConfig.Exabeam.BaseUrl
+        $Token = $LrtConfig.Exabeam.Token.access_token
+
+        # Define HTTP Headers
+        $Headers = [Dictionary[string,string]]::new()
+        $Headers.Add("accept", "application/json")
+        $Headers.Add("Authorization", "Bearer $Token")
+
+        # Define HTTP Method
+        $Method = $HttpMethod.Get
+
+        # Define HTTP URI
+        $RequestUrl = $BaseUrl + "correlation-rules/v2/rules"
+
+        # Check preference requirements for self-signed certificates and set enforcement for Tls1.2
+        Enable-TrustAllCertsPolicy
+    }
+
+    Process {
+
+
+        $QueryParams = [Dictionary[string,string]]::new()
+
+        if ($Name) {
+            $QueryParams.Add('nameContains', $Name)
+        }
+
+
+        if ($QueryParams.Count -gt 0) {
+            $QueryString = $QueryParams | ConvertTo-QueryString
+            Write-Verbose "[$Me]: QueryString is [$QueryString]"
+            $RequestUrl += $QueryString
+        }
+
+        Write-Verbose "[$Me]: Request URL: $RequestUrl"
+
+        # Send Request
+        $Response = Invoke-RestAPIMethod -Uri $RequestUrl -Headers $Headers -Method $Method -Origin $Me
+        if (($null -ne $Response.Error) -and ($Response.Error -eq $true)) {
+            return $Response
+        }
+
+
+        return $Response
+    }
+
+    End { }
+}

src/Public/Exabeam/Search/Get-ExaSearch.ps1

@@ -43,6 +43,10 @@ Function Get-ExaSearch {
         [ValidateNotNull()]
         [string[]] $Fields, 
 
+        [Parameter(Mandatory = $false, Position = 5)]
+        [ValidateNotNull()]
+        [int] $Limit = 1000000,
+
         [Parameter(Mandatory = $false, Position = 5)]
         [ValidateNotNull()]
         [string[]] $ShaFields, 
@@ -109,7 +113,7 @@ Function Get-ExaSearch {
         }
 
         $body = [PSCustomObject]@{
-            limit     = 1000000
+            limit     = $Limit
             distinct  = $Distinct
             filter    = $Filter
             startTime = $startTime

src/Public/RecordedFuture/General/Invoke-RfExaSync.ps1

@@ -114,7 +114,7 @@ Function Invoke-RfExaSync {
         }
     }
 
-    $Results = Add-ExaContextRecords -ContextId $ListStatusHash.id -Data $RfHashRiskDescriptions -Operation 'append'
+    $Results = Add-ExaContextRecords -ContextId $ListStatusHash.id -Data $RfHashRiskDescriptions -Operation 'replace'
 
     Start-Sleep -Seconds 30
     # User Enabled Hash List
@@ -165,7 +165,7 @@ Function Invoke-RfExaSync {
         }
     }
 
-    $Results = Add-ExaContextRecords -ContextId $ListStatusUrl.id -Data $RfUrlRiskDescriptions -Operation 'append'
+    $Results = Add-ExaContextRecords -ContextId $ListStatusUrl.id -Data $RfUrlRiskDescriptions -Operation 'replace'
 
     Start-Sleep -Seconds 30
     # User Enabled URL List
@@ -216,7 +216,7 @@ Function Invoke-RfExaSync {
         }
     }
 
-    $Results = Add-ExaContextRecords -ContextId $ListStatusDomain.id -Data $RfDomainRiskDescriptions -Operation 'append'
+    $Results = Add-ExaContextRecords -ContextId $ListStatusDomain.id -Data $RfDomainRiskDescriptions -Operation 'replace'
 
     Start-Sleep -Seconds 30
     # User Enabled URL List
@@ -267,7 +267,7 @@ Function Invoke-RfExaSync {
         }
     }
 
-    $Results = Add-ExaContextRecords -ContextId $ListStatusIP.id -Data $RfIPRiskDescriptions -Operation 'append'
+    $Results = Add-ExaContextRecords -ContextId $ListStatusIP.id -Data $RfIPRiskDescriptions -Operation 'replace'
 
     Start-Sleep -Seconds 30
     # User Enabled URL List
@@ -317,7 +317,7 @@ Function Invoke-RfExaSync {
         }
     }
 
-    $Results = Add-ExaContextRecords -ContextId $ListStatusVuln.id -Data $RfVulnRiskDescriptions -Operation 'append'
+    $Results = Add-ExaContextRecords -ContextId $ListStatusVuln.id -Data $RfVulnRiskDescriptions -Operation 'replace'
 
     Start-Sleep -Seconds 30
     # User Enabled URL List
@@ -400,7 +400,7 @@ Function Invoke-RfExaSync {
                         })
                     }
 
-                    $Results = Add-ExaContextRecords -ContextId $HashListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'append'
+                    $Results = Add-ExaContextRecords -ContextId $HashListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'replace'
                 }
 
                 Write-Host "$(Get-TimeStamp) - Clearing Variables: Hash*"
@@ -488,7 +488,7 @@ Function Invoke-RfExaSync {
                         })
                     }
 
-                    $Results = Add-ExaContextRecords -ContextId $UrlListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'append'
+                    $Results = Add-ExaContextRecords -ContextId $UrlListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'replace'
                 }
                 Write-Host "$(Get-TimeStamp) - Clearing Variables: Url*"
                 Clear-Variable -Name Url* -ErrorAction SilentlyContinue
@@ -576,7 +576,7 @@ Function Invoke-RfExaSync {
                         })
                     }
 
-                    $Results = Add-ExaContextRecords -ContextId $DomainListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'append'
+                    $Results = Add-ExaContextRecords -ContextId $DomainListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'replace'
                 }
 
                 Write-Host "$(Get-TimeStamp) - Clearing Variables: Domain*"
@@ -666,7 +666,7 @@ Function Invoke-RfExaSync {
                         })
                     }
 
-                    $Results = Add-ExaContextRecords -ContextId $IPListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'append'
+                    $Results = Add-ExaContextRecords -ContextId $IPListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'replace'
                 }
 
                 Write-Host "$(Get-TimeStamp) - Clearing Variables: IP*"
@@ -758,7 +758,7 @@ Function Invoke-RfExaSync {
                         })
                     }
 
-                    $Results = Add-ExaContextRecords -ContextId $VulnListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'append'
+                    $Results = Add-ExaContextRecords -ContextId $VulnListStatus.id -Data $($Data | Sort-Object risk_level ) -Operation 'replace'
                 }
 
                 Write-Host "$(Get-TimeStamp) - Clearing Variables: Vuln*"