Merge pull request #24 from anders-alex/Sentinel_Deployment

Sentinel deployment

Sentinel_Deployment/deploymentScript.ps1

@@ -0,0 +1,51 @@
+param([string] $PackageUri, [string] $SubscriptionId, [string] $ResourceGroupName, [string] $FunctionAppName, [string] $FAScope, [string] $VnetScope, [string] $UAMIPrincipalId, [string] $RestrictedIPs)
+
+Set-AzContext -Subscription $SubscriptionId
+
+$tenantId = $env:TenantId
+$clientId = $env:ClientId
+$clientSecret = $env:ClientSecret
+$loginURL = "https://login.microsoftonline.com"
+$resource = "https://manage.office.com"
+
+#Get an Oauth 2 access token based on client id, secret and tenant domain
+$body = @{grant_type="client_credentials";resource=$resource;client_id=$clientId;client_secret=$clientSecret}
+$oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantId/oauth2/token?api-version=1.0 -Body $body
+
+#Let's put the oauth token in the header
+$headerParams  = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
+
+#Enable auditing subscriptions if needed.
+$subs = Invoke-RestMethod -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/list"
+if (($subs | Where-Object contentType -eq DLP.All).status -ne 'enabled') {
+    Invoke-RestMethod -Method Post -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/start?contentType=DLP.All"
+}
+
+#Download Function App package and publish.
+Invoke-WebRequest -Uri $PackageUri -OutFile functionPackage.zip
+Publish-AzWebapp -ResourceGroupName $ResourceGroupName -Name $FunctionAppName -ArchivePath functionPackage.zip -Force
+
+<#Run Enablement function.
+$functionApp = Get-AzFunctionApp -Name $FunctionAppName -ResourceGroupName $ResourceGroupName
+$hostname = $functionApp.DefaultHostName
+$key = ((Invoke-AzRestMethod -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ResourceProviderName Microsoft.Web -ResourceType sites -Name ("$FunctionAppName/host/default/listkeys") -ApiVersion 2022-03-01 -Method POST).Content | ConvertFrom-Json).masterKey
+Invoke-RestMethod -Method Post -Uri ("https://$hostname/admin/functions/Enablement") -Headers (@{"Content-Type" = "application/json"; "x-functions-key" = $key}) -Body '{}'
+#>
+
+#Add IP restrictions on Function App if specified.
+if ($RestrictedIPs -eq 'None') {
+    $resource = Get-AzResource -ResourceType Microsoft.Web/sites -ResourceGroupName $ResourceGroupName -ResourceName $FunctionAppName
+    $resource.Properties.publicNetworkAccess = 'Disabled'
+    $resource | Set-AzResource -Force
+}
+elseif ($RestrictedIPs -ne '') {
+    Add-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroupName -WebAppName $FunctionAppName `
+        -Name "Allowed" -IpAddress $RestrictedIPs.Replace(' ', ',') -Priority 100 -Action Allow
+
+    Add-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroupName -WebAppName $FunctionAppName `
+        -Name "Allowed" -IpAddress $RestrictedIPs.Replace(' ', ',') -Priority 100 -Action Allow -TargetScmSite
+}
+
+#Cleanup the Service Principal Owner role assignments now that access is no longer needed.
+Remove-AzRoleAssignment -ObjectId $UAMIPrincipalId -RoleDefinitionName Owner -Scope $FAScope
+if ($VnetScope -ne '') { Remove-AzRoleAssignment -ObjectId $UAMIPrincipalId -RoleDefinitionName Owner -Scope $VnetScope }

Sentinel_Deployment/functionPackage/QueueDLPEvents/function.json

@@ -0,0 +1,11 @@
+{
+  "bindings": [
+    {
+      "name": "Timer",
+      "type": "timerTrigger",
+      "direction": "in",
+      "schedule": "0 */1 * * * *"
+    }
+  ],
+  "disabled": false
+}

Sentinel_Deployment/functionPackage/QueueDLPEvents/run.ps1

@@ -0,0 +1,141 @@
+# Input bindings are passed in via param block.
+param($Timer)
+
+#Enumerators and object to wrap the objects
+$pageArray = @()
+$msgarray = @()
+
+#Sign in Parameters
+$clientID = "$env:clientID"
+$clientSecret = "$env:clientSecret"
+$loginURL = "https://login.microsoftonline.com"
+$tenantGUID = "$env:TenantGuid"
+$resource = "https://manage.office.com"
+
+#Workloads and end time default is on start
+$workloads = $env:contentTypes.split(",")
+$endTime = Get-date -format "yyyy-MM-ddTHH:mm:ss.fffZ"
+
+Foreach ($workload in $workloads) {
+
+    #Storage Account Settings
+    if ($workload -eq "dlp.all") { $storageQueue = "$env:storageQueue" }
+
+    #Load the Storage Queue
+    $storeAuthContext = New-AzStorageContext -ConnectionString $env:AzureWebJobsStorage
+    $myQueue = Get-AzStorageQueue -Name $storageQueue -Context $storeAuthContext
+    $messageSize = 10
+    if (-not ($myQueue)) { throw 'Failed to connect to Storage Queue' }
+
+    $Tracker = "D:\home\$workload.log" # change to location of choice this is the root.
+    if ((Test-Path -Path $Tracker) -eq $true) {
+        $storedTime = Get-content $Tracker
+    }
+    else {
+        $date = (Get-date).AddMinutes(-5).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
+        out-file d:\home\$workload.log -InputObject $date
+        $storedTime = Get-content $Tracker
+    }
+
+    #$StoredTime = "2020-01-27T20:00:35.464Z"
+
+    try {
+        $adjustTime = New-TimeSpan -start $storedTime -End $endTime    
+    }
+    catch {
+        throw "Unable to calculate start time. Ensure valid timestamp is in [workload].log file."
+    }
+
+    #If events are longer apart than 24 hours
+    If ($adjustTime.TotalHours -gt 24) {
+        $hours = $adjustTime.TotalHours - 23.9
+        $storedTime = (get-date $storedTime).AddHours($hours)
+    }
+
+    # Get an Oauth 2 access token based on client id, secret and tenant domain
+    $body = @{grant_type = "client_credentials"; resource = $resource; client_id = $ClientID; client_secret = $ClientSecret }
+
+    #oauthtoken in the header
+    $oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantGUID/oauth2/token?api-version=1.0 -Body $body 
+    $headerParams = @{'Authorization' = "$($oauth.token_type) $($oauth.access_token)" }
+
+    #Make the request
+    $rawRef = Invoke-WebRequest -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$tenantGUID/activity/feed/subscriptions/content?contenttype=$workload&startTime=$Storedtime&endTime=$endTime&PublisherIdentifier=$TenantGUID" -UseBasicParsing
+    if (-not ($rawRef)) { throw 'Failed to retrieve the content Blob Url' }
+
+    #If more than one page is returned capture and return in pageArray
+    if ($rawRef.Headers.NextPageUri) {
+
+        $pageTracker = $true
+        $pagedReq = $rawRef.Headers.NextPageUri
+        while ($pageTracker -ne $false) {   
+            $pageuri = "$pagedReq&PublisherIdentifier=$TenantGUID"
+
+            $CurrentPage = Invoke-WebRequest -Headers $headerParams -Uri $pageuri -UseBasicParsing
+            $pageArray += $CurrentPage
+
+            if ($CurrentPage.Headers.NextPageUri) {
+                $pageTracker = $true    
+            }
+            Else {
+                $pageTracker = $false
+            }
+
+            $pagedReq = $CurrentPage.Headers.NextPageUri
+        }
+
+    } 
+
+    $pageArray += $rawref
+
+    if ($pagearray.RawContentLength -gt 3) {
+        foreach ($page in $pageArray) {
+            $request = $page.content | convertfrom-json
+
+            $request
+            # Setting up the paging of the Message queue adding +1 to avoid misconfiguration
+            $runs = $request.Count / ($messageSize + 1)
+            if (($runs -gt 0) -and ($runs -le "1") ) { $runs = 1 }
+            $writeSize = $messageSize
+            $i = 0            
+            while ($runs -ge 1) { 
+
+                if ($request.count -eq "1") { $rawmessage += $request.contenturi }
+                Else { $rawmessage = $request[$i..$writeSize].contenturi }
+
+                foreach ($msg in $rawmessage) { 
+                    $msgarray += @($msg) 
+                }    
+                $message = $msgarray | convertto-json                
+                $queueMessage = [Microsoft.Azure.Storage.Queue.CloudQueueMessage]::new("$message")
+                $myqueue.CloudQueue.AddMessage($queuemessage)
+
+                $runs -= 1
+                $i += $messageSize + 1
+                $writeSize += $messageSize + 1      
+
+                Clear-Variable msgarray
+                Clear-Variable message
+                Clear-Variable rawMessage
+            }   
+
+        }
+        #Updating timers on success, registering the date from the latest entry returned from the API and adding 1 millisecond to avoid overlap
+        $time = $pagearray[0].Content | convertfrom-json
+
+        try {
+            $Lastentry = (get-date ($time[$Time.contentcreated.Count - 1].contentCreated)).AddMilliseconds(1).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")    
+        }
+        catch {
+            throw "Unable to get date from last entry."
+        }
+
+        if ($Lastentry -ge $storedTime) { out-file -FilePath $Tracker -NoNewline -InputObject $Lastentry } 
+
+    } 
+
+    Clear-Variable pagearray
+    Clear-Variable rawref -ErrorAction Ignore
+    Clear-Variable page -ErrorAction Ignore
+
+}

Sentinel_Deployment/functionPackage/StoreDLPEvents/function.json

@@ -0,0 +1,12 @@
+{
+  "bindings": [
+    {
+      "name": "QueueItem",
+      "type": "queueTrigger",
+      "direction": "in",
+      "queueName": "dlpqueue",
+      "connection": "AzureWebJobsStorage"
+    }
+  ],
+  "disabled": false
+}