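<#
.SYNOPSIS
    Emits T-SQL INSERT statements that seed LogRhythm case tags into
    [LogRhythm_CMDB].[dbo].[Tag].

.DESCRIPTION
    Three groups of tags are generated, in this order:
      * MITRE ATT&CK tactic names   (tag prefix "_T:")
      * LogRhythm classifications   (tag prefix "_c:")
      * LogRhythm classification types (tag prefix "_ct:")

    The script writes SQL text to the success stream only; it never connects
    to a database. Review the output, then run it against the CMDB yourself
    (a commented Invoke-Sqlcmd starting point is at the end of the file).

    Every tag name is embedded as an N'...' literal. Any single quote inside a
    value is doubled so it cannot terminate the literal early; the lists
    shipped below contain none, so their output is unchanged by the escaping.

.OUTPUTS
    [string] SQL comments and INSERT statements, one per tag group.
#>

#######################################
# Builds one INSERT ... VALUES statement for a list of tag names.
# Arguments:
#   Prefix       - text placed before each value in the tag name, e.g. "_T:"
#   Values       - tag names; an empty list returns $null so the caller can
#                  skip an INSERT with no VALUES rows (that would be invalid T-SQL)
#   PersonID     - value written to the second column of every row
#   RecordStatus - value written to the third column of every row
#   Timestamp    - value written as an N'...' literal to the fourth column
# Returns: the complete INSERT statement, or $null when Values is empty.
#######################################
function ConvertTo-TagInsertStatement {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Prefix,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Values,
        [Parameter(Mandatory)][int]$PersonID,
        [Parameter(Mandatory)][int]$RecordStatus,
        [Parameter(Mandatory)][string]$Timestamp
    )

    if ($Values.Count -eq 0) { return $null }

    # Double embedded single quotes so a value can never break out of its
    # N'...' literal.
    $safeTimestamp = $Timestamp -replace "'", "''"
    $rows = foreach ($value in $Values) {
        $safeName = ($Prefix + $value) -replace "'", "''"
        "(N'{0}',{1},{2},N'{3}')" -f $safeName, $PersonID, $RecordStatus, $safeTimestamp
    }

    # Joining the rows replaces the original "build with trailing comma, then
    # Substring it off" approach, which threw on an empty/uninitialised string.
    return "INSERT INTO [LogRhythm_CMDB].[dbo].[Tag] VALUES $($rows -join ',')"
}

# Mitre Attack Matrix tactics
$_Types = @(
    "Persistence",
    "Privilege Escalation",
    "Credential Access",
    "Discovery",
    "Lateral Movement",
    "Execution",
    "Collection",
    "Exfiltration",
    "C2"
)

$_ClassificationTypes = @(
    "Audit",
    "Operations",
    "Security"
)

# NOTE(review): "Other" appears three times in this list, so the generated
# INSERT contains three identical rows. Confirm the Tag table accepts duplicate
# names (or dedupe) before running the output.
$_Classifications = @(
    "Authentication Success",
    "Authentication Failure",
    "Access Success",
    "Access Failure",
    "Account Created",
    "Account Deleted",
    "Other Audit Success",
    "Account Modified",
    "Access Granted",
    "Access Revoked",
    "Startup and Shutdown",
    "Policy",
    "Configuration",
    "Other Audit Failure",
    "Other",
    "Reconnaissance",
    "Suspicious",
    "Misuse",
    "Attack",
    "Malware",
    "Denial of Service",
    "Compromise",
    "Vulnerability",
    "Failed Attack",
    "Failed Denial of Service",
    "Failed Malware",
    "Failed Suspicious",
    "Failed Misuse",
    "Failed Activity",
    "Activity",
    "Other",
    "Critical",
    "Error",
    "Warning",
    "Information",
    "Network Allow",
    "Network Deny",
    "Network Traffic",
    "Other"
)

# Column values shared by every row. -100 and 1 are taken from the original
# script; their meaning in the LogRhythm_CMDB schema is not documented here —
# confirm against the Tag table definition before changing them.
$PersonID = -100
$RecordStatus = 1
# ISO 8601 "sortable" timestamp (yyyy-MM-ddTHH:mm:ss).
$now = Get-Date -Format s

# Groups are emitted in this order to match the original script's output.
$tagGroups = @(
    @{ Comment = 'Mitre Case Types';               Prefix = '_T:';  Values = $_Types },
    @{ Comment = 'LogRhythm Classifications';      Prefix = '_c:';  Values = $_Classifications },
    @{ Comment = 'LogRhythm Classification Types'; Prefix = '_ct:'; Values = $_ClassificationTypes }
)

try {
    foreach ($group in $tagGroups) {
        $statement = ConvertTo-TagInsertStatement -Prefix $group.Prefix -Values $group.Values `
            -PersonID $PersonID -RecordStatus $RecordStatus -Timestamp $now
        # An empty group produces no statement; skip it rather than emit a
        # syntactically invalid INSERT.
        if (-not $statement) { continue }
        Write-Output "/* INSERT $($group.Comment) */"
        Write-Output $statement
        Write-Output "`n"
    }

    <#
    # Execution has deliberately not been automated. If you want to run the
    # statements directly, this is a starting point: replace the Write-Output
    # calls above with something like the following (Invoke-Sqlcmd comes from
    # the SqlServer module).
    $sqlServer = "."
    $ds = Invoke-Sqlcmd -Query $statement -ServerInstance $sqlServer
    #>
}
catch [System.SystemException] {
    # Report on the error stream so a failure is never mixed into the
    # generated SQL text on stdout.
    Write-Error -ErrorRecord $_
}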