Merge pull request KelvinTegelaar#1346 from kris6673/incidents-alerts

New Defender incident alert and add alltenant support

Author: KelvinTegelaar

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDefenderIncidents.ps1

@@ -0,0 +1,24 @@
+
+function Get-CIPPAlertDefenderIncidents {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+    try {
+        $AlertData = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/security/incidents?`$top=50&`$filter=status eq 'active'" -tenantid $TenantFilter | ForEach-Object {
+            "Incident ID $($_.id): Created at $($_.createdDateTime). Severity: $($_.severity). `nIncident name: $($_.displayName). Incident URL: $($_.incidentWebUrl)."
+        }
+        Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+
+    } catch {
+        # Pretty sure this one is gonna be spammy cause of licensing issues, so it's commented out -Bobby
+        # Write-AlertMessage -tenant $($TenantFilter) -message "Could not get Defender incident data for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+    }
+}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNoCAConfig.ps1

@@ -12,16 +12,14 @@ function Get-CIPPAlertNoCAConfig {
     )
 
     try {
-        $CAAvailable = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus' -tenantid $TenantFilter -erroraction stop).serviceplans
+        $CAAvailable = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus' -tenantid $TenantFilter -ErrorAction Stop).serviceplans
         if ('AAD_PREMIUM' -in $CAAvailable.servicePlanName) {
             $CAPolicies = (New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -tenantid $TenantFilter)
             if (!$CAPolicies.id) {
                 $AlertData = 'Conditional Access is available, but no policies could be found.'
                 Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
-
             }
         }
-
     } catch {
         Write-AlertMessage -tenant $($TenantFilter) -message "Conditional Access Config Alert: Error occurred: $(Get-NormalizedError -message $_.Exception.message)"
     }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertUnusedLicenses.ps1

@@ -11,15 +11,14 @@ function Get-CIPPAlertUnusedLicenses {
         $TenantFilter
     )
 
-
     try {
         $LicenseTable = Get-CIPPTable -TableName ExcludedLicenses
         $ExcludedSkuList = Get-CIPPAzDataTableEntity @LicenseTable
         $AlertData = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus' -tenantid $TenantFilter | ForEach-Object {
-            $skuid = $_
-            foreach ($sku in $skuid) {
+            $skuId = $_
+            foreach ($sku in $skuId) {
                 if ($sku.skuId -in $ExcludedSkuList.GUID) { continue }
-                $PrettyName = ($ConvertTable | Where-Object { $_.GUID -eq $sku.skuid }).'Product_Display_Name' | Select-Object -Last 1
+                $PrettyName = ($ConvertTable | Where-Object { $_.GUID -eq $sku.skuId }).'Product_Display_Name' | Select-Object -Last 1
                 if (!$PrettyName) { $PrettyName = $sku.skuPartNumber }
                 if ($sku.prepaidUnits.enabled - $sku.consumedUnits -gt 0) {
                     "$PrettyName has unused licenses. Using $($_.consumedUnits) of $($_.prepaidUnits.enabled)."

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecIncidentsListAllTenants.ps1

@@ -3,9 +3,7 @@ function Push-ExecIncidentsListAllTenants {
     .FUNCTIONALITY
         Entrypoint
     #>
-    param(
-        $Item
-    )
+    param($Item)
 
     $Tenant = Get-Tenants -TenantFilter $Item.customerId
     $domainName = $Tenant.defaultDomainName

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ListBasicAuthAllTenants.ps1

@@ -8,6 +8,8 @@ Function Push-ListBasicAuthAllTenants {
 
     $domainName = $Item.defaultDomainName
 
+    # XXX; This function seems to be unused in the frontend. -Bobby
+
     $currentTime = Get-Date -Format 'yyyy-MM-ddTHH:MM:ss'
     $ts = (Get-Date).AddDays(-30)
     $endTime = $ts.ToString('yyyy-MM-ddTHH:MM:ss')

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ListMailQuarantineAllTenants.ps1

@@ -0,0 +1,43 @@
+function Push-ListMailQuarantineAllTenants {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    param($Item)
+
+    $Tenant = Get-Tenants -TenantFilter $Item.customerId
+    $domainName = $Tenant.defaultDomainName
+    $Table = Get-CIPPTable -TableName cacheQuarantineMessages
+    Write-Host "PowerShell queue trigger function processed work item: $($Tenant.defaultDomainName)"
+
+    try {
+        $quarantineMessages = New-ExoRequest -tenantid $domainName -cmdlet 'Get-QuarantineMessage' -cmdParams @{ 'PageSize' = 1000 } | Select-Object -ExcludeProperty *data.type*
+        $GraphRequest = foreach ($message in $quarantineMessages) {
+            $messageData = @{
+                QuarantineMessage = [string]($message | ConvertTo-Json -Depth 10 -Compress)
+                RowKey            = [string](New-Guid).Guid
+                PartitionKey      = 'QuarantineMessage'
+                Tenant            = [string]$domainName
+            }
+            Add-CIPPAzDataTableEntity @Table -Entity $messageData -Force | Out-Null
+        }
+    } catch {
+        $errorData = ConvertTo-Json -InputObject @{
+            Identity         = $null
+            ReceivedTime     = (Get-Date).ToString('s')
+            SenderAddress    = 'CIPP Error'
+            RecipientAddress = 'N/A'
+            Subject          = "Could not connect to Tenant: $($_.Exception.Message)"
+            Size             = 0
+            Type             = 'Error'
+            QuarantineReason = 'ConnectionError'
+        }
+        $messageData = @{
+            QuarantineMessage = [string]$errorData
+            RowKey            = [string]$domainName
+            PartitionKey      = 'QuarantineMessage'
+            Tenant            = [string]$domainName
+        }
+        Add-CIPPAzDataTableEntity @Table -Entity $messageData -Force | Out-Null
+    }
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ListMailboxRules.ps1

@@ -10,14 +10,18 @@ Function Invoke-ListMailboxRules {
     [CmdletBinding()]
     param($Request, $TriggerMetadata)
 
+    $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
+    Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
+
     # Interact with query parameters or the body of the request.
-    $TenantFilter = $Request.Query.TenantFilter
+    $TenantFilter = $Request.Query.tenantFilter
 
     $Table = Get-CIPPTable -TableName cachembxrules
     if ($TenantFilter -ne 'AllTenants') {
         $Table.Filter = "Tenant eq '$TenantFilter'"
     }
-    $Rows = Get-CIPPAzDataTableEntity @Table | Where-Object -Property Timestamp -GT (Get-Date).Addhours(-1)
+    $Rows = Get-CIPPAzDataTableEntity @Table | Where-Object -Property Timestamp -GT (Get-Date).AddHours(-1)
 
     $Metadata = @{}
     if (!$Rows -or ($TenantFilter -eq 'AllTenants' -and ($Rows | Measure-Object).Count -eq 1)) {
@@ -43,7 +47,7 @@ Function Invoke-ListMailboxRules {
             }
             #Write-Host ($InputObject | ConvertTo-Json)
             $InstanceId = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
-            Write-Host "Started permissions orchestration with ID = '$InstanceId'"
+            Write-Host "Started mailbox rules orchestration with ID = '$InstanceId'"
         }
 
     } else {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Spamfilter/Invoke-ListMailQuarantine.ps1

@@ -9,22 +9,80 @@ function Invoke-ListMailQuarantine {
     param($Request, $TriggerMetadata)
 
     $APIName = $Request.Params.CIPPEndpoint
-    Write-LogMessage -headers $Request.Headers -API $APINAME -message 'Accessed this API' -Sev 'Debug'
-    $Tenantfilter = $request.Query.tenantfilter
+    $Headers = $Request.Headers
+    Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
+
+    # Interact with query parameters or the body of the request.
+    $TenantFilter = $Request.Query.tenantFilter
 
     try {
-        $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Get-QuarantineMessage' -cmdParams @{ 'PageSize' = 1000 }
+        $GraphRequest = if ($TenantFilter -ne 'AllTenants') {
+            New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-QuarantineMessage' -cmdParams @{ 'PageSize' = 1000 } | Select-Object -ExcludeProperty *data.type*
+        } else {
+            $Table = Get-CIPPTable -TableName cacheQuarantineMessages
+            $PartitionKey = 'QuarantineMessage'
+            $Filter = "PartitionKey eq '$PartitionKey'"
+            $Rows = Get-CIPPAzDataTableEntity @Table -filter $Filter | Where-Object -Property Timestamp -GT (Get-Date).AddMinutes(-30)
+            $QueueReference = '{0}-{1}' -f $TenantFilter, $PartitionKey
+            $RunningQueue = Invoke-ListCippQueue | Where-Object { $_.Reference -eq $QueueReference -and $_.Status -notmatch 'Completed' -and $_.Status -notmatch 'Failed' }
+            # If a queue is running, we will not start a new one
+            if ($RunningQueue) {
+                $Metadata = [PSCustomObject]@{
+                    QueueMessage = 'Still loading data for all tenants. Please check back in a few more minutes'
+                }
+                [PSCustomObject]@{
+                    Waiting = $true
+                }
+            } elseif (!$Rows -and !$RunningQueue) {
+                # If no rows are found and no queue is running, we will start a new one
+                $TenantList = Get-Tenants -IncludeErrors
+                $Queue = New-CippQueueEntry -Name 'Mail Quarantine - All Tenants' -Reference $QueueReference -TotalTasks ($TenantList | Measure-Object).Count
+                $Metadata = [PSCustomObject]@{
+                    QueueMessage = 'Loading data for all tenants. Please check back in a few minutes'
+                }
+                $InputObject = [PSCustomObject]@{
+                    OrchestratorName = 'MailQuarantineOrchestrator'
+                    QueueFunction    = @{
+                        FunctionName = 'GetTenants'
+                        QueueId      = $Queue.RowKey
+                        TenantParams = @{
+                            IncludeErrors = $true
+                        }
+                        DurableName  = 'ListMailQuarantineAllTenants'
+                    }
+                    SkipLog          = $true
+                }
+                Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
+                [PSCustomObject]@{
+                    Waiting = $true
+                }
+            } else {
+                $messages = $Rows
+                foreach ($message in $messages) {
+                    $messageObj = $message.QuarantineMessage | ConvertFrom-Json
+                    $messageObj | Add-Member -NotePropertyName 'Tenant' -NotePropertyValue $message.Tenant -Force
+                    $messageObj
+                }
+            }
+        }
         $StatusCode = [HttpStatusCode]::OK
     } catch {
         $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
         $StatusCode = [HttpStatusCode]::Forbidden
         $GraphRequest = $ErrorMessage
     }
 
+    if (!$body) {
+        $StatusCode = [HttpStatusCode]::OK
+        $body = [PSCustomObject]@{
+            Results  = @($GraphRequest | Where-Object -Property Identity -NE $null | Sort-Object -Property ReceivedTime -Descending )
+            Metadata = $Metadata
+        }
+    }
+
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
             StatusCode = $StatusCode
-            Body       = @($GraphRequest)
+            Body       = $body
         })
-
 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Spamfilter/Invoke-ListMailQuarantineMessage.ps1

@@ -9,15 +9,19 @@ function Invoke-ListMailQuarantineMessage {
     param($Request, $TriggerMetadata)
 
     $APIName = $Request.Params.CIPPEndpoint
-    Write-LogMessage -headers $Request.Headers -API $APINAME -message 'Accessed this API' -Sev 'Debug'
-    $Tenantfilter = $Request.Query.Tenantfilter
+    $Headers = $Request.Headers
+    Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
+
+    # Interact with query parameters or the body of the request.
+    $TenantFilter = $Request.Query.tenantFilter
+    $Identity = $Request.Query.Identity
 
     try {
-        $GraphRequest = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Export-QuarantineMessage' -cmdParams @{ 'Identity' = $Request.Query.Identity }
+        $GraphRequest = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Export-QuarantineMessage' -cmdParams @{ 'Identity' = $Identity }
         $EmlBase64 = $GraphRequest.Eml
         $EmlContent = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($EmlBase64))
         $Body = @{
-            'Identity' = $Request.Query.Identity
+            'Identity' = $Identity
             'Message'  = $EmlContent
         }
         $StatusCode = [HttpStatusCode]::OK

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Reports/Invoke-ListAzureADConnectStatus.ps1

@@ -12,10 +12,9 @@ Function Invoke-ListAzureADConnectStatus {
 
     $APIName = $Request.Params.CIPPEndpoint
     $Headers = $Request.Headers
-    $TenantFilter = $Request.Query.TenantFilter
-    Write-LogMessage -Headers $Headers -API $APINAME -message 'Accessed this API' -Sev 'Debug'
-
+    Write-LogMessage -Headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
 
+    $TenantFilter = $Request.Query.TenantFilter
     $DataToReturn = $Request.Query.DataToReturn
     Write-Host "DataToReturn: $DataToReturn"