SecurityInsights-1.1.0 (#15703)

* SecurityInsights-1.1.0

Update to Get-AzSentinelIncident

* Update ChangeLog.md

Co-authored-by: dicolanl <[email protected]>
Co-authored-by: Yabo Hu <[email protected]>

Author: 3 people

src/SecurityInsights/SecurityInsights/ChangeLog.md

@@ -19,6 +19,10 @@
 -->
 
 ## Upcoming Release
+* Updated to Get-AzSentinelIncident parameters
+    - Added -Filter to support OData filter
+    - Added -OrderBy to suppoert OData ordering
+    - Added -Max to support retrieving more than the default of 1000 incidents.
 
 ## Version 1.0.0
 * GA release for `Az.SecurityInsights`.

src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/GetIncidents.cs

@@ -14,7 +14,6 @@
 
 using System;
 using System.Management.Automation;
-using Microsoft.Azure.Commands.SecurityInsights;
 using Microsoft.Azure.Commands.SecurityInsights.Common;
 using Microsoft.Azure.Commands.SecurityInsights.Models.Incidents;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
@@ -26,8 +25,6 @@ namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents
     [Cmdlet(VerbsCommon.Get, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelIncident", DefaultParameterSetName = ParameterSetNames.WorkspaceScope), OutputType(typeof(PSSentinelIncident))]
     public class GetIncidents : SecurityInsightsCmdletBase
     {
-        private const int MaxIncidentsToFetch = 1500;
-
         [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
         [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
         [ResourceGroupCompleter]
@@ -43,28 +40,38 @@ public class GetIncidents : SecurityInsightsCmdletBase
         [ValidateNotNullOrEmpty]
         public string IncidentId { get; set; }
 
+        [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = false, ValueFromPipeline = false, HelpMessage = ParameterHelpMessages.Filter)]
+        public string Filter { get; set; }
+
+        [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = false, ValueFromPipeline = false, HelpMessage = ParameterHelpMessages.OrderBy)]
+        public string OrderBy { get; set; }
+
+        [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = false, ValueFromPipeline = false, HelpMessage = ParameterHelpMessages.Max)]
+        [ValidateRange(1, int.MaxValue)]
+        public int Max { get; set; }
+
         [Parameter(ParameterSetName = ParameterSetNames.ResourceId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.ResourceId)]
         [ValidateNotNullOrEmpty]
         public string ResourceId { get; set; }
 
         public override void ExecuteCmdlet()
         {
-            int numberOfFetchedIncidents = 0;
             string nextLink = null;
             switch (ParameterSetName)
             {
                 case ParameterSetNames.WorkspaceScope:
-                    var incidents = SecurityInsightsClient.Incidents.List(ResourceGroupName, WorkspaceName);
+                    string filter = (Filter == default(string)) ? null : Filter;
+                    string orderby = (OrderBy == default(string)) ? null : OrderBy;
+                    int max = (Max == default(int)) ? 1000 : Max;
+                    var incidents = SecurityInsightsClient.Incidents.List(ResourceGroupName, WorkspaceName, filter: filter, orderby: orderby);
                     var incidentscount = incidents.Count();
                     WriteObject(incidents.ConvertToPSType(), enumerateCollection: true);
-                    numberOfFetchedIncidents += incidentscount;
                     nextLink = incidents?.NextPageLink;
-                    while (!string.IsNullOrWhiteSpace(nextLink) && numberOfFetchedIncidents < MaxIncidentsToFetch)
+                    while (!string.IsNullOrWhiteSpace(nextLink) && incidentscount < max)
                     {
                         incidents = SecurityInsightsClient.Incidents.ListNext(incidents.NextPageLink);
-                        incidentscount = incidents.Count();
                         WriteObject(incidents.ConvertToPSType(), enumerateCollection: true);
-                        numberOfFetchedIncidents += incidentscount;
+                        incidentscount += incidents.Count();
                         nextLink = incidents?.NextPageLink;
                     }
                     break;

src/SecurityInsights/SecurityInsights/Common/ParameterHelpMessages.cs

@@ -104,6 +104,9 @@ public static class ParameterHelpMessages
 
         #region Incidents
         public const string IncidentId = "Incident Id.";
+        public const string Filter = "Filters the results, based on a Boolean condition.";
+        public const string OrderBy = "Sorts the results";
+        public const string Max = "Maximum number of records to return";
         public const string Classificaton = "Incident Classificaiton.";
         public const string ClassificationComment = "Incident Classificaiton Comment.";
         public const string ClassificationReason = "Incident Classificaiton Reason.";

src/SecurityInsights/SecurityInsights/help/Az.SecurityInsights.md

@@ -2,15 +2,13 @@
 Module Name: Az.SecurityInsights
 Module Guid: 453d4fb9-65ec-4cf1-8358-6a0fbd995d19
 Download Help Link: https://docs.microsoft.com/powershell/module/az.securityinsights
-Help Version: 0.1.0
+Help Version: 1.1.0
 Locale: en-US
 ---
 
 # Az.SecurityInsights Module
 ## Description
-Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.<br/>
-The Azure Sentinel PowerShell module (Az.SecurityInsights) allows you to interact with the following  components: * Incidents
-* Analytics Rules (Alert Rules)
+Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.<br/> The Azure Sentinel PowerShell module (Az.SecurityInsights) allows you to interact with the following  components: * Incidents * Analytics Rules (Alert Rules)
 * Analytics Rules Templates
 * Analytics Rules Actions (like attaching an Azure Logic Apps Playbooks to your rule)
 * Bookmarks

src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncident.md

@@ -8,14 +8,14 @@ schema: 2.0.0
 # Get-AzSentinelIncident
 
 ## SYNOPSIS
-Get one or more Azure Sentinel Incidents.
+Gets one or more Azure Sentinel Incidents.
 
 ## SYNTAX
 
 ### WorkspaceScope (Default)
 ```
-Get-AzSentinelIncident -ResourceGroupName <String> -WorkspaceName <String>
- [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
+Get-AzSentinelIncident -ResourceGroupName <String> -WorkspaceName <String> [-Filter <String>]
+ [-OrderBy <String>] [-Max <Int32>] [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
 ```
 
 ### IncidentId
@@ -32,7 +32,8 @@ Get-AzSentinelIncident -ResourceId <String> [-DefaultProfile <IAzureContextConta
 ## DESCRIPTION
 The **Get-AzSentinelIncident** cmdlet gets a specific or multiple Incidents from the specified workspace.
 If you specify the *IncidentId* parameter, a single **Incident** object is returned.
-If you do not specify the *IncidentId* parameter, an array containing all of the Incidents in the specified workspace is returned.
+If you do not specify the *IncidentId* parameter, an array containing Incidents in the specified workspace is returned.
+Default, the module returns 1000 incidents. To fetch more than 1000, use the -Max parameter.
 You can use the **Incident** object to update the Incident. For example you can add comments, change the severity, assign an owner, etc. to the **Incident**.
 
 *Note: An IncidentId is in the following format: c464bcd7-daee-47ff-ac58-1fbb73cf1d6b and is not the same as the Incident ID (number) as in the Azure Sentinel Incident view. The IncidentId can be found in the incident details view, in the "Incident link" field, represented in the last part of the https link.*
@@ -93,6 +94,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -Filter
+Filters the results, based on a Boolean condition.
+
+```yaml
+Type: System.String
+Parameter Sets: WorkspaceScope
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -IncidentId
 Incident Id.
 
@@ -108,6 +124,36 @@ Accept pipeline input: True (ByPropertyName)
 Accept wildcard characters: False
 ```
 
+### -Max
+Maximum number of records to return
+
+```yaml
+Type: System.Int32
+Parameter Sets: WorkspaceScope
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OrderBy
+Sorts the results
+
+```yaml
+Type: System.String
+Parameter Sets: WorkspaceScope
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ResourceGroupName
 Resource group name.