From dd37cc8e43c2bc07115484f81bc9e133b7eb3982 Mon Sep 17 00:00:00 2001
From: Fabian Bader
Date: Tue, 26 Mar 2024 22:30:40 +0100
Subject: [PATCH 1/3] Add DisableIncidentCreation parameter to Convert-SentinelARYamlToArm.ps1
---
 src/public/Convert-SentinelARYamlToArm.ps1 | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/public/Convert-SentinelARYamlToArm.ps1 b/src/public/Convert-SentinelARYamlToArm.ps1
index a652e1d..c69346e 100644
--- a/src/public/Convert-SentinelARYamlToArm.ps1
+++ b/src/public/Convert-SentinelARYamlToArm.ps1
@@ -42,6 +42,9 @@ Set the startTimeUtc property of the ARM template. Default is empty
 To successfully deploy the ARM template the startTimeUtc property must be set to a future date.
 Start time must be between 10 minutes and 30 days from now. This is not validated by the cmdlet.
+.PARAMETER DisableIncidentCreation
+If set, the incidentCreation property of the ARM template will be set to false. Default is to keep the value from the YAML file.
+
 .EXAMPLE
 Convert-SentinelARYamlToArm -Filename "C:\Temp\MyRule.yaml" -OutFile "C:\Temp\MyRule.json"
@@ -101,7 +104,10 @@ function Convert-SentinelARYamlToArm {
 [string]$Severity,
 [Parameter()]
- [datetime]$StartRunningAt
+ [datetime]$StartRunningAt,
+
+ [Parameter()]
+ [switch]$DisableIncidentCreation
 )
 begin {
@@ -303,6 +309,15 @@ function Convert-SentinelARYamlToArm {
 Write-Warning "StartRunningAt parameter is only supported for scheduled rules. Ignoring parameter."
 }
+ # Disable incident creation if specified
+ if ($DisableIncidentCreation) {
+ # Remove existing createIncident property
+ if ("createIncident" -in $ARMTemplate.incidentConfiguration.Keys) {
+ $ARMTemplate.incidentConfiguration.Remove("createIncident")
+ }
+ $ARMTemplate.incidentConfiguration.Add("createIncident", $false)
+ }
+
 # Convert hashtable to JSON
 $JSON = $ARMTemplate | ConvertTo-Json -Depth 99
 # Use ISO8601 format for timespan values
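Review bot: In the third hunk, `$ARMTemplate.incidentConfiguration` is dereferenced with no null guard; if a YAML file without an incidentConfiguration block reaches this point (the preceding StartRunningAt warning shows that rule kinds other than scheduled do flow through here), `.Keys` on `$null` makes the `-in` test false and the following `.Add(...)` throws a null-valued-expression error instead of a clear message. The Remove-then-Add pair can also be collapsed into one indexed assignment that works whether or not the key already exists: `if ($null -eq $ARMTemplate.incidentConfiguration) { $ARMTemplate.incidentConfiguration = @{} }` followed by `$ARMTemplate.incidentConfiguration["createIncident"] = $false`. Whether an empty incidentConfiguration block should be created for rule kinds that did not have one, or the switch should be warned about and ignored as StartRunningAt is, depends on what the target template types accept and is worth stating in the help text added in the first hunk. The enclosing function body continues outside the hunk.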
From defd43bb24c942b5b243d723b61ce2e540a9f5a1 Mon Sep 17 00:00:00 2001
From: Fabian Bader
Date: Tue, 26 Mar 2024 22:30:55 +0100
Subject: [PATCH 2/3] Add test case for disabling incident creation in scheduled YAML conversion
---
 tests/Convert-SentinelARYamlToArm.tests.ps1 | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/tests/Convert-SentinelARYamlToArm.tests.ps1 b/tests/Convert-SentinelARYamlToArm.tests.ps1
index dc3bb06..b17da57 100644
--- a/tests/Convert-SentinelARYamlToArm.tests.ps1
+++ b/tests/Convert-SentinelARYamlToArm.tests.ps1
@@ -375,6 +375,24 @@ Describe "Convert-SentinelARYamlToArm" {
 }
 }
+ Context "Scheduled with disabled incident creation" {
+ BeforeAll {
+ Copy-Item -Path $exampleScheduledFilePath -Destination "TestDrive:/Scheduled.yaml" -Force
+ Convert-SentinelARYamlToArm -Filename "TestDrive:/Scheduled.yaml" -OutFile "TestDrive:/Scheduled.json" -DisableIncidentCreation
+ $armTemplate = Get-Content -Path "TestDrive:/Scheduled.json" -Raw | ConvertFrom-Json
+ }
+
+ AfterEach {
+ if ( -not $RetainTestFiles) {
+ Remove-Item -Path "TestDrive:/*" -Include *.json -Force
+ }
+ }
+
+ It "Should have the incident creation disabled" {
+ $armTemplate.resources[0].properties.incidentConfiguration.createIncident | Should -Be $false
+ }
+ }
+
 AfterAll {
 Remove-Module SentinelARConverter -Force
 }
From 60f1d23593efa72d3e6f1297e22509bce7fc1a8b Mon Sep 17 00:00:00 2001
From: Fabian Bader
Date: Tue, 26 Mar 2024 22:31:00 +0100
Subject: [PATCH 3/3] Update module version to 2.2.4
---
 src/SentinelARConverter.psd1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/SentinelARConverter.psd1 b/src/SentinelARConverter.psd1
index d92792a..def0297 100644
--- a/src/SentinelARConverter.psd1
+++ b/src/SentinelARConverter.psd1
@@ -12,7 +12,7 @@ RootModule = 'SentinelARConverter.psm1'
 # Version number of this module.
- ModuleVersion = '2.2.3'
+ ModuleVersion = '2.2.4'
 # Supported PSEditions
 # CompatiblePSEditions = @()
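Review bot: The new Context asserts only the final `createIncident` value, so it cannot tell whether the cmdlet took the Remove-then-Add path (fixture already carries createIncident) or the Add-only path, and it has no case for a YAML file with no incidentConfiguration block at all, which is where the cmdlet's new code would dereference a null. Assuming the scheduled example fixture contains an incidentConfiguration block, a second Context that converts a fixture without one (or a non-scheduled kind) with `-DisableIncidentCreation` and asserts either the resulting value or the expected error would pin down that behaviour. It would also help to add one `It` on the same template checking that the rest of incidentConfiguration (e.g. the grouping settings) is unchanged, since the switch is documented as touching only createIncident. The Describe block starts and ends outside the hunk.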