Azure · dicolanl · Nov 12, 2021 · Nov 18, 2021 · Nov 23, 2021 · Nov 23, 2021
diff --git a/src/SecurityInsights/.gitattributes b/src/SecurityInsights/.gitattributes
@@ -0,0 +1 @@
+* text=auto
diff --git a/src/SecurityInsights/.gitignore b/src/SecurityInsights/.gitignore
@@ -0,0 +1,16 @@
+bin
+obj
+.vs
+generated
+internal
+exports
+tools
+custom/*.psm1
+custom/autogen-model-cmdlets
+test/*-TestResults.xml
+/*.ps1
+/*.ps1xml
+/*.psm1
+/*.snk
+/*.csproj
+/*.nuspec
diff --git a/src/SecurityInsights/Az.SecurityInsights.psd1 b/src/SecurityInsights/Az.SecurityInsights.psd1
@@ -0,0 +1,24 @@
+@{
+  GUID = '3a0e09d6-7b89-4078-a565-5db26e7455b8'
+  RootModule = './Az.SecurityInsights.psm1'
+  ModuleVersion = '1.2.0'
+  CompatiblePSEditions = 'Core', 'Desktop'
+  Author = 'Microsoft Corporation'
+  CompanyName = 'Microsoft Corporation'
+  Copyright = 'Microsoft Corporation. All rights reserved.'
+  Description = 'Microsoft Azure PowerShell: SecurityInsights cmdlets'
+  PowerShellVersion = '5.1'
+  DotNetFrameworkVersion = '4.7.2'
+  RequiredAssemblies = './bin/Az.SecurityInsights.private.dll'
+  FormatsToProcess = './Az.SecurityInsights.format.ps1xml'
+  FunctionsToExport = 'Get-AzSentinelAlertRule', 'Get-AzSentinelAlertRuleAction', 'Get-AzSentinelAlertRuleTemplate', 'Get-AzSentinelAutomationRule', 'Get-AzSentinelBookmark', 'Get-AzSentinelBookmarkRelation', 'Get-AzSentinelDataConnector', 'Get-AzSentinelEnrichment', 'Get-AzSentinelEntity', 'Get-AzSentinelEntityActivity', 'Get-AzSentinelEntityInsight', 'Get-AzSentinelEntityQuery', 'Get-AzSentinelEntityQueryTemplate', 'Get-AzSentinelEntityRelation', 'Get-AzSentinelEntityTimeline', 'Get-AzSentinelIncident', 'Get-AzSentinelIncidentAlert', 'Get-AzSentinelIncidentBookmark', 'Get-AzSentinelIncidentComment', 'Get-AzSentinelIncidentEntity', 'Get-AzSentinelIncidentRelation', 'Get-AzSentinelMetadata', 'Get-AzSentinelOnboardingState', 'Get-AzSentinelSetting', 'Get-AzSentinelSourceControlRepository', 'Get-AzSentinelThreatIntelligenceIndicator', 'Get-AzSentinelThreatIntelligenceIndicatorMetric', 'Invoke-AzSentinelThreatIntelligenceIndicatorQuery', 'New-AzSentinelAlertRule', 'New-AzSentinelAlertRuleAction', 'New-AzSentinelAutomationRule', 'New-AzSentinelBookmark', 'New-AzSentinelBookmarkRelation', 'New-AzSentinelDataConnector', 'New-AzSentinelEntityQuery', 'New-AzSentinelIncident', 'New-AzSentinelIncidentComment', 'New-AzSentinelIncidentRelation', 'New-AzSentinelIncidentTeam', 'New-AzSentinelOnboardingState', 'Remove-AzSentinelAlertRule', 'Remove-AzSentinelAlertRuleAction', 'Remove-AzSentinelAutomationRule', 'Remove-AzSentinelBookmark', 'Remove-AzSentinelBookmarkRelation', 'Remove-AzSentinelDataConnector', 'Remove-AzSentinelEntityQuery', 'Remove-AzSentinelIncident', 'Remove-AzSentinelIncidentComment', 'Remove-AzSentinelIncidentRelation', 'Remove-AzSentinelOnboardingState', 'Test-AzSentinelDataConnectorCheckRequirement', 'Update-AzSentinelAlertRule', 'Update-AzSentinelAlertRuleAction', 'Update-AzSentinelAutomationRule', 'Update-AzSentinelBookmark', 'Update-AzSentinelBookmarkRelation', 'Update-AzSentinelDataConnector', 'Update-AzSentinelEntityQuery', 'Update-AzSentinelIncident', 'Update-AzSentinelIncidentComment', 'Update-AzSentinelIncidentRelation', 'Update-AzSentinelSetting', '*'
+  AliasesToExport = '*'
+  PrivateData = @{
+    PSData = @{
+      Tags = 'Azure', 'ResourceManager', 'ARM', 'PSModule', 'SecurityInsights'
+      LicenseUri = 'https://aka.ms/azps-license'
+      ProjectUri = 'https://github.com/Azure/azure-powershell'
+      ReleaseNotes = ''
+    }
+  }
+}
diff --git a/src/SecurityInsights/custom/New-AzSentinelAlertRule.ps1 b/src/SecurityInsights/custom/New-AzSentinelAlertRule.ps1
diff --git a/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 b/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1
diff --git a/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 b/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1
@@ -0,0 +1,216 @@
+
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Creates or updates the entity query.
+.Description
+Creates or updates the entity query.
+
+.Link
+https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelentityquery
+#>
+function New-AzSentinelEntityQuery {
+    [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CustomEntityQuery])]
+    [CmdletBinding(DefaultParameterSetName = 'Activity', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
+    param(
+        [Parameter()]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')]
+        [System.String]
+        # Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+        # The subscription ID forms part of the URI for every service call.
+        ${SubscriptionId},
+
+        [Parameter(Mandatory)]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+        [System.String]
+        # The Resource Group Name.
+        ${ResourceGroupName},
+
+        [Parameter(Mandatory)]
+        #[Alias('DataConnectionName')]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+        [System.String]
+        # The name of the workspace.
+        ${WorkspaceName},
+
+        [Parameter()]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(New-Guid).Guid')]
+        [System.String]
+        # The Id of the Entity Query.
+        ${EntityQueryId},
+
+        [Parameter(Mandatory)]
+        [ArgumentCompleter( { param ( $CommandName, $EntityQueryName, $WordToComplete, $CommandAst, $FakeBoundParameters ) return @('Activity') })]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+        # Kind of the the Entity Query
+        ${Kind},
+
+        [Parameter(ParameterSetName = 'Activity', Mandatory)]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+        [System.String]
+        ${Title},
+
+        [Parameter(ParameterSetName = 'Activity', Mandatory)]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+        [System.String]
+        ${Content},
+
+        [Parameter(ParameterSetName = 'Activity', Mandatory)]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+        [System.String]
+        ${Description},
+
+        [Parameter(ParameterSetName = 'Activity', Mandatory)]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+        [System.String]
+        ${QueryDefinitionQuery},
+
+        [Parameter(ParameterSetName = 'Activity', Mandatory)]
+        [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType])]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType]
+        ${InputEntityType},
+
+        [Parameter(ParameterSetName = 'Activity')]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+        [String[]]
+        ${RequiredInputFieldsSet},
+
+        [Parameter(ParameterSetName = 'Activity')]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] 
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityEntityQueriesPropertiesEntitiesFilter]
+        ${EntitiesFilter},
+
+        [Parameter(ParameterSetName = 'Activity')]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+        [System.String]
+        ${TemplateName},
+
+        [Parameter()]
+        [Alias('AzureRMContext', 'AzureCredential')]
+        [ValidateNotNull()]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')]
+        [System.Management.Automation.PSObject]
+        # The credentials, account, tenant, and subscription used for communication with Azure.
+        ${DefaultProfile},
+
+        [Parameter()]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+        [System.Management.Automation.SwitchParameter]
+        # Run the command as a job
+        ${AsJob},
+
+        [Parameter(DontShow)]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+        [System.Management.Automation.SwitchParameter]
+        # Wait for .NET debugger to attach
+        ${Break},
+
+        [Parameter(DontShow)]
+        [ValidateNotNull()]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+        # SendAsync Pipeline Steps to be appended to the front of the pipeline
+        ${HttpPipelineAppend},
+
+        [Parameter(DontShow)]
+        [ValidateNotNull()]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+        # SendAsync Pipeline Steps to be prepended to the front of the pipeline
+        ${HttpPipelinePrepend},
+
+        [Parameter()]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+        [System.Management.Automation.SwitchParameter]
+        # Run the command asynchronously
+        ${NoWait},
+
+        [Parameter(DontShow)]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+        [System.Uri]
+        # The URI for the proxy server to use
+        ${Proxy},
+
+        [Parameter(DontShow)]
+        [ValidateNotNull()]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+        [System.Management.Automation.PSCredential]
+        # Credentials for a proxy server to use for the remote call
+        ${ProxyCredential},
+
+        [Parameter(DontShow)]
+        [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+        [System.Management.Automation.SwitchParameter]
+        # Use the default credentials for the proxy
+        ${ProxyUseDefaultCredentials}
+    )
+
+    process {
+        try {
+
+            if ($PSBoundParameters['Kind'] -eq 'Activity'){
+                $EntityQuery = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityCustomEntityQuery]::new()
+
+                $EntityQuery.Title = $PSBoundParameters['Title']
+                $null = $PSBoundParameters.Remove('Title')
+
+                $EntityQuery.Content = $PSBoundParameters['Content']
+                $null = $PSBoundParameters.Remove('Content')
+
+                $EntityQuery.Description = $PSBoundParameters['Description']
+                $null = $PSBoundParameters.Remove('Description')
+
+                $EntityQuery.QueryDefinitionQuery = $PSBoundParameters['QueryDefinitionQuery']
+                $null = $PSBoundParameters.Remove('QueryDefinitionQuery')
+
+                $EntityQuery.InputEntityType = $PSBoundParameters['InputEntityType']
+                $null = $PSBoundParameters.Remove('InputEntityType')
+
+                If($PSBoundParameters['RequiredInputFieldsSet']){
+                    $EntityQuery.RequiredInputFieldsSet = $PSBoundParameters['RequiredInputFieldsSet']
+                    $null = $PSBoundParameters.Remove('RequiredInputFieldsSet')
+                }
+
+                If($PSBoundParameters['EntitiesFilter']){
+                    $EntityQuery.EntitiesFilter = $PSBoundParameters['EntitiesFilter']
+                    $null = $PSBoundParameters.Remove('EntitiesFilter')
+                }
+
+                If($PSBoundParameters['TemplateName']){
+                    $EntityQuery.TemplateName = $PSBoundParameters['TemplateName']
+                    $null = $PSBoundParameters.Remove('TemplateName')
+                }
+            }
+            else {
+                Write-Error "This cmdlet only works with Entity Queries of the Activity kind."
+                break
+            }
+
+            #$EntityQuery.Kind = $PSBoundParameters['Kind']
+            $null = $PSBoundParameters.Remove('Kind')
+
+            $null = $PSBoundParameters.Add('EntityQuery', $EntityQuery)
+
+            Az.SecurityInsights.internal\New-AzSentinelEntityQuery @PSBoundParameters
+        }
+        catch {
+            throw
+        }
+    }
+}
diff --git a/src/SecurityInsights/custom/README.md b/src/SecurityInsights/custom/README.md
@@ -0,0 +1,41 @@
+# Custom
+This directory contains custom implementation for non-generated cmdlets for the `Az.SecurityInsights` module. Both scripts (`.ps1`) and C# files (`.cs`) can be implemented here. They will be used during the build process in `build-module.ps1`, and create cmdlets into the `../exports` folder. The only generated file into this folder is the `Az.SecurityInsights.custom.psm1`. This file should not be modified.
+
+## Info
+- Modifiable: yes
+- Generated: partial
+- Committed: yes
+- Packaged: yes
+
+## Details
+For `Az.SecurityInsights` to use custom cmdlets, it does this two different ways. We **highly recommend** creating script cmdlets, as they are easier to write and allow access to the other exported cmdlets. C# cmdlets *cannot access exported cmdlets*.
+
+For C# cmdlets, they are compiled with the rest of the generated low-level cmdlets into the `./bin/Az.SecurityInsights.private.dll`. The names of the cmdlets (methods) and files must follow the `[cmdletName]_[variantName]` syntax used for generated cmdlets. The `variantName` is used as the `ParameterSetName`, so use something appropriate that doesn't clash with already created variant or parameter set names. You cannot use the `ParameterSetName` property in the `Parameter` attribute on C# cmdlets. Each cmdlet must be separated into variants using the same pattern as seen in the `generated/cmdlets` folder.
+
+For script cmdlets, these are loaded via the `Az.SecurityInsights.custom.psm1`. Then, during the build process, this module is loaded and processed in the same manner as the C# cmdlets. The fundamental difference is the script cmdlets use the `ParameterSetName` attribute and C# cmdlets do not. To create a script cmdlet variant of a generated cmdlet, simply decorate all parameters in the script with the new `ParameterSetName` in the `Parameter` attribute. This will appropriately treat each parameter set as a separate variant when processed to be exported during the build.
+
+## Purpose
+This allows the modules to have cmdlets that were not defined in the REST specification. It also allows combining logic using generated cmdlets. This is a level of customization beyond what can be done using the [readme configuration options](https://github.com/Azure/autorest/blob/master/docs/powershell/options.md) that are currently available. These custom cmdlets are then referenced by the cmdlets created at build-time in the `../exports` folder.
+
+## Usage
+The easiest way currently to start developing custom cmdlets is to copy an existing cmdlet. For C# cmdlets, copy one from the `generated/cmdlets` folder. For script cmdlets, build the project using `build-module.ps1` and copy one of the scripts from the `../exports` folder. After that, if you want to add new parameter sets, follow the guidelines in the `Details` section above. For implementing a new cmdlets, at minimum, please keep these parameters:
+- Break
+- DefaultProfile
+- HttpPipelineAppend
+- HttpPipelinePrepend
+- Proxy
+- ProxyCredential
+- ProxyUseDefaultCredentials
+
+These provide functionality to our HTTP pipeline and other useful features. In script, you can forward these parameters using `$PSBoundParameters` to the other cmdlets you're calling within `Az.SecurityInsights`. For C#, follow the usage seen in the `ProcessRecordAsync` method.
+
+### Attributes
+For processing the cmdlets, we've created some additional attributes:
+- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.DescriptionAttribute`
+  - Used in C# cmdlets to provide a high-level description of the cmdlet. This is propagated to reference documentation via [help comments](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_comment_based_help) in the exported scripts.
+- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.DoNotExportAttribute`
+  - Used in C# and script cmdlets to suppress creating an exported cmdlet at build-time. These cmdlets will *not be exposed* by `Az.SecurityInsights`.
+- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.InternalExportAttribute`
+  - Used in C# cmdlets to route exported cmdlets to the `../internal`, which are *not exposed* by `Az.SecurityInsights`. For more information, see [README.md](../internal/README.md) in the `../internal` folder.
+- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.ProfileAttribute`
+  - Used in C# and script cmdlets to define which Azure profiles the cmdlet supports. This is only supported for Azure (`--azure`) modules.