1.4.0 Release

dist/ModuleInfo.json

@@ -1,5 +1,5 @@
 {
-  "Version": "1.3.2",
+  "Version": "1.4.0",
   "ReleaseTag": "Interested Siamese Fighting Fish",
   "Name": "LogRhythm.Tools",
   "Psm1": "LogRhythm.Tools.psm1",

dist/common/LogRhythm.Tools.json

@@ -12,11 +12,17 @@
     },
 
     "LogRhythm": {
-        "Version":"7.7.0",
+        "Version":"7.11.0",
         "BaseUrl": "https://[NOT_SET]:8501",
         "ApiKey": ""
     },
 
+    "Exabeam": {
+        "BaseUrl": "https://api.us-east.exabeam.cloud/",
+        "ApiKey": "",
+        "Token": ""
+    },
+
     "LogRhythmEcho": {
         "BaseUrl": "https://[NOT_SET]:33333/api"
     },
@@ -58,7 +64,7 @@
     },
 
     "RecordedFuture": {
-        "BaseUrl": "https://api.recordedfuture.com/v2/",
+        "BaseUrl": "https://api.recordedfuture.com/",
         "ApiKey": ""
     },
 

dist/installer/config/Lrt.Config.Input.json

@@ -76,6 +76,18 @@
         }
     },
 
+    "Exabeam": {
+        "Name": "Exabeam",
+        "Optional": true,
+        "Message": "Use of Exabeam requires an API key.",
+        "HasKey": true,
+        "HasClientId": true,
+
+        "Fields": {}
+    },
+
+
+
     "LogRhythmEcho": {
         "Name": "LogRhythm Echo",
         "Optional": true,

dist/installer/include/input/Get-InputVersion.ps1

@@ -25,7 +25,7 @@ Function Get-InputVersion {
     )
 
     # Validation Regexes
-    $ValidRegex = [regex]::new("^[1-9]\.[0-9](\.[0-9]([0-9])?)?$")
+    $ValidRegex = [regex]::new("^[1-9]\.\d+\.\d+?$")
 
 
     $Return = [PSCustomObject]@{

examples/LogRhythm/SIEM/Admin/LogSources/Invoke-ManageWinLocalSources.ps1

@@ -0,0 +1,176 @@
+using namespace System.Collections.Generic
+
+## Manual Config Begin
+# Array of Log Sources Names we want to Automatically Add
+$Lists = get-lrlists 
+$LogSourceAdds = [list[object]]::new()
+$LogSourceAdds.add([PSCustomObject]@{
+    Name = "MS Windows Event Logging - Firewall With Advanced Security"
+    Path = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
+}) 
+
+$LogSourceAdds.add([PSCustomObject]@{
+    Name = "MS Windows Event Logging XML - Windows Defender"
+    Path = 'Microsoft-Windows-Windows Defender/Operational'
+}) 
+
+$LogSourceAdds.add([PSCustomObject]@{
+    Name = "MS Windows Event Logging XML - Security"
+    Path = 'Security'
+})
+
+$LogSourceAdds.add([PSCustomObject]@{
+    Name = "MS Windows Event Logging XML - System"
+    Path = 'System'
+})
+
+$LogSourceAdds.add([PSCustomObject]@{
+    Name = "MS Windows Event Logging XML - Application"
+    Path = 'Application'
+})
+
+$LogSourceAdds.add([PSCustomObject]@{
+    Name = "MS Windows Event Logging XML - PowerShell"
+    Path = 'Windows PowerShell'
+})
+
+$LogSourceRemoves = @("MS Windows Event Logging - System", "MS Windows Event Logging - Security", "MS Windows Event Logging - Application")
+
+# Defines the amount of messages the LR Agent will retrieve per cycle
+$MaxMsgCount = 2000
+
+# Set log sources to LSO 2.0 policy where applicable 
+$MPEv2 = $true
+## Manual Config End
+
+# Cmdlet to get past a potential local issue with firewall/network connection
+Get-LrEntities
+
+## Automation Begin
+# Generate the Log Source IDs based on the LogSourceReqs defined
+$LogSourceAddIds = [list[object]]::new()
+ForEach ($LogSourceReq in $LogSourceAdds) {
+    $LogSourceReqDetails = Get-LrLogSourceTypes -Name $($LogSourceReq.name)
+    if (($LogSourceAddIds -notcontains $LogSourceReqDetails) -and ($null -ne $LogSourceReqDetails) -and ($null -eq $LogSourceDetails.Error)) {
+        $LogSourceReqDetails | Add-Member -MemberType NoteProperty -Name 'Path' -Value $($LogSourceReq.Path)
+        Write-Host "$(Get-TimeStamp) | Add Log Sources | Adding Request | Log Source Name: $($LogSourceReqDetails.name)"
+        $LogSourceAddIds.add($LogSourceReqDetails)
+    } else {
+        if ($null -eq $LogSourceDetails.Error) {
+            Write-Host "$(Get-TimeStamp) | Add Log Sources | Skipped Request | Log Source Name: $($LogSourceReq.name)"
+        } else {
+            Write-Host "$(Get-TimeStamp) | Add Log Sources | Request Error | Log Source Name: $($LogSourceReq.name)"
+            write-host $LogSourceReqDetails.Error
+        }
+    }
+}
+
+$LogSourceRemIds = [list[object]]::new()
+ForEach ($LogSourceReq in $LogSourceRemoves) {
+    $LogSourceReqDetails = Get-LrLogSourceTypes -Name $LogSourceReq
+    if (($LogSourceRemIds -notcontains $LogSourceReqDetails) -and ($null -ne $LogSourceReqDetails) -and ($null -eq $LogSourceDetails.Error)) {
+        Write-Host "$(Get-TimeStamp) | Remove Log Sources | Adding Request | Log Source Name: $($LogSourceReqDetails.name)"
+        $LogSourceRemIds.add($LogSourceReqDetails)
+    } else {
+        if ($null -eq $LogSourceDetails.Error) {
+            Write-Host "$(Get-TimeStamp) | Remove Log Sources | Skipped Request | Log Source Name: $($LogSourceReq)"
+        } else {
+            Write-Host "$(Get-TimeStamp) | Remove Log Sources | Request Error | Log Source Name: $($LogSourceReq)"
+            write-host $LogSourceReqDetails.Error
+        }
+    }
+}
+
+# Get Log Source IDs for the Log Source Types I want to automatically add
+Write-Host "$(Get-TimeStamp) | Retrieving Active Agents | Begin"
+$Agents = Get-LrAgentsAccepted -RecordStatus 'active' -AgentType 'Windows'
+Write-Host "$(Get-TimeStamp) | Retrieving Active Agents | End"
+$Counters = [PSCustomObject]@{
+    StartTime = Get-Date
+    EndTime = 0
+    Duration = 0
+    TotalAgents = 0
+    Add = 0
+    Remove = 0
+    AddError = 0
+    RemoveError = 0
+    AddSkip = 0
+    RemoveSkip = 0
+}
+ForEach ($Agent in $Agents) {
+    Write-Host "$(Get-TimeStamp) | Automation Runtime | Begin | Agent: $($Agent.hostName)"
+    $Counters.TotalAgents += 1
+    $LogSources = Get-LrAgentLogSources -Id $Agent.Id -RecordStatus active
+
+    # Adds
+    ForEach ($LogSourceAddId in $LogSourceAddIds) {
+        if ($LogSources.logSourceType.id -notcontains $LogSourceAddId.id) {
+            $AgentHost = Get-LrHostDetails -Id $Agent.hostId
+            $LogSourceMPEPolicies = Get-LrMpePolicies -msgSourceTypeId $LogSourceAddId.id
+
+            if ($MPEv2 -eq $true -and $LogSourceMPEPolicies.name -match ".*?V2\.0") {
+                $MPEPolicy = $LogSourceMPEPolicies | Where-Object -FilterScript {$_.name -match ".*?V2\.0"}
+            } else {
+                $MPEPolicy = $LogSourceMPEPolicies | Where-Object -FilterScript {$_.name -match "LogRhythm Default"}
+            }
+
+            # Define $LogFilePath
+            $LogFilePath = "$($Agent.hostname):$($LogSourceAddId.path)"
+            $RID = $(Get-Random -Maximum 999 -Minimum 100)
+            $AddResult = Add-LrLogSource -systemMonitorId $Agent.id -name "$($Agent.hostName) | $($RID) | $($LogSourceAddId.abbreviation)" -hostId $($Agent.hostId) -entityId $($AgentHost.entity.id) -logSourceTypeId $($LogSourceAddId.id) -mpePolicyId $($MPEPolicy.id) -mpeProcessingMode 'EventForwardingEnabled' -maxMsgCount $MaxMsgCount -longDescription "$(Get-TimeStamp) | Log Source Added through automation from $($env:computername)" -filePath $LogFilePath -RecordStatus Active -Status Enabled
+            if (($null -ne $AddResult.Error) -and ($AddResult.Error -eq $true)) {
+                Write-Host "$(Get-TimeStamp) | Automation Runtime | Adding Logsource | Error | Agent: $($Agent.hostName) Log Source: $($LogSourceAddId.name)"
+                write-host $AddResult
+                $Counters.AddError += 1
+            } else {
+                $Counters.Add += 1
+                Write-Host "$(Get-TimeStamp) | Automation Runtime | Adding Logsource | Success | Agent: $($Agent.hostName) Log Source: $($LogSourceAddId.name)"
+            }
+            # Add it
+        } else {
+            $Counters.AddSkip += 1
+            Write-Host "$(Get-TimeStamp) | Automation Runtime | Adding Logsource | Skip | Agent: $($Agent.hostName) Log Source: $($LogSourceAddId.name)"
+        }
+    }
+
+    # Removes
+    ForEach ($LogSource in $LogSources) {
+        # Removals
+        if ($LogSourceRemIds.id -contains $LogSource.logSourceType.id) {
+            if ($LogSource.systemMonitorName -like $LogSource.host.name) {
+                #Update-LrLogSource -Id $LogSource.id
+                $UpdateResult = Update-LrLogSource -Id $($LogSource.id) -RecordStatus Retired
+                if (($null -ne $UpdateResult.Error) -and ($UpdateResult.Error -eq $true)) {
+                    write-host $UpdateResult
+                    $Counters.RemoveError += 1
+                } else {
+                    $Counters.Remove += 1
+                    Write-Host "$(Get-TimeStamp) | Automation Runtime | Retire Logsource | Success | Agent: $($Agent.hostName) Log Source: $($LogSource.name)"
+                }                
+                # Remove it
+            } else {
+                $Counters.RemoveSkip += 1
+                Write-Host "$(Get-TimeStamp) | Automation Runtime | Retire Logsource | Skip | Agent: $($Agent.hostName) Log Source: $($LogSource.name) | Remote Collection"
+            }
+        } else {
+            $Counters.RemoveSkip += 1
+            Write-Host "$(Get-TimeStamp) | Automation Runtime | Retire Logsource | Skip | Agent: $($Agent.hostName) Log Source: $($LogSource.name) | Criteria Miss"
+        }
+    }
+    Write-Host "$(Get-TimeStamp) | Automation Runtime | End | Agent: $($Agent.hostName)"
+}
+$Counters.EndTime = $(Get-Date)
+$Counters.Duration = New-TimeSpan -Start $Counters.StartTime -End $Counters.EndTime
+write-host "$(Get-TimeStamp) | Automation Complete | Duration | Start: $($Counters.StartTime)  End: $($Counters.EndTime)  Duration: $($Counters.Duration.Days)d $($Counters.Duration.Hours)h $($Counters.Duration.Minutes)m $($Counters.Duration.Seconds)s"
+write-host "$(Get-TimeStamp) | Automation Complete | Summary | Agent Total: $($Counters.TotalAgents)  Added Sources: $($Counters.Add)  Add Errors: $($Counters.AddError)  Removes: $($Counters.Remove)  Remove Errors: $($Counters.RemoveError)"
+
+# Set all Windows Security Event Logs to same Policy
+$WinSecLogSources = $(get-lrlogsources -RecordStatus 'active' -MessageSourceTypeId $(Get-LrLogSourceTypes -Name "MS Windows Event Logging XML - Security" | Select-Object -ExpandProperty id)) | Where-Object -FilterScript {$_.mpePolicy.name -notlike 'LogRhythm Default v2.0'}
+ForEach ($WinSecSource in $WinSecLogSources) {
+    $Results = Update-LrLogSource -Id $WinSecSource.id -MpePolicyId -1000000020 -PassThru
+    if (($null -ne $Results.Error) -and ($Results.Error -eq $true)) {
+        write-host $Results
+    }
+    write-host "$(Get-TimeStamp) | MPE Set | Log Source: $($Results.name) Policy: $($Results.mpePolicy.Name) Log Source: $($Results.logSourceType.Name)"
+}
+## Automation End

src/Public/Exabeam/Agents/Get-ExaSiteAgentInstallCommand.ps1

@@ -0,0 +1,140 @@
+using namespace System
+using namespace System.IO
+using namespace System.Collections.Generic
+
+Function Get-ExaSiteAgentInstallCommand {
+    <#
+    .SYNOPSIS
+        Get a Site Collector agent installation command.
+    .DESCRIPTION
+        Install command to install the Site Collector agent. The command is encoded in base64, necessitating a decoding step. 
+        This encoding ensures the command's integrity during transmission, maintaining its format and preventing alterations. 
+
+        For example, after you receive the response, you can decode the string using the command 
+        base64 -d <<< "c3Vkb...............".
+
+        After decoding the command from base64 to its original string format, you'll have the necessary shell commands to 
+        install the Site Collector agent. The install command varies depending on the type of Site Collector agent as 
+        defined in the Site Collector template. The command sequence downloads and runs a script to configure the agent 
+        and passes in parameters (deploymentHosts, templateIds, and optionally fetchStartDate and fetchHistoricalData) that 
+        affect how the script configures the Site Collector agent.
+    .PARAMETER Type
+        Type of Site Collector agent for which the template applies.
+    .PARAMETER DeploymentHosts
+        Hostname or IP address of the Site Collector Core for which you want to install the agent.
+    .PARAMETER StartLogDate
+        (Windows collectors only) The date after which you want the Site Collector agent to receive logs (ISO-8601 format).
+    .PARAMETER FetchHistoricalData
+        (FileWindows and FileLinux only) This flag is only applicable for Core version 2.3.0 or higher. 
+        For Core versions lower than 2.3.0, this flag will always be set to true.
+    .PARAMETER TemplateIDs
+        You can assign multiple Template IDs to any collector.
+    .PARAMETER Uninstall
+        This changes the API call to the commands/uninstallation endpoint.
+
+        Provide parameters: type, deploymentHosts.
+    .PARAMETER Exact
+        Switch to force PARAMETER Name to be matched explicitly.
+    .PARAMETER Credential
+        PSCredential containing an API Token in the Password field.
+    .INPUTS
+        The Name parameter can be provided via the PowerShell pipeline.
+    .OUTPUTS
+        Base64 representing the install/uninstall command.
+    .NOTES
+        Exabeam-API        
+    .LINK
+        https://github.com/LogRhythm-Tools/LogRhythm.Tools
+    #>
+
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory = $true, Position = 0)]
+        [ValidateSet(
+            'ArchiveLinux',
+            'ArchiveWindows', 
+            'FileLinux',
+            'FileWindows',
+            'Windows',
+            ignorecase=$true
+        )]
+        [string] $Type,
+
+
+        [Parameter(Mandatory = $true, Position = 1)]
+        [string] $DeploymentHosts,
+
+
+        [Parameter(Mandatory = $false, Position = 2)]
+        [switch] $Exact,
+
+
+        [Parameter(Mandatory = $false, Position = 3)]
+        [datetime] $StartLogDate,
+
+
+        [Parameter(Mandatory = $false, Position = 4)]
+        [bool] $FetchHistoricalData = $true,
+
+        [Parameter(Mandatory = $true, Position = 5)]
+        [string] $TemplateIDs,
+
+        [Parameter(Mandatory = $false, Position = 6)]
+        [switch] $Uninstall,
+
+        [Parameter(Mandatory = $false, Position = 7)]
+        [ValidateNotNull()]
+        [pscredential] $Credential = $LrtConfig.Exabeam.ApiKey
+    )
+
+    Begin {
+        $Me = $MyInvocation.MyCommand.Name
+        Set-LrtExaToken
+        # Request Setup
+        $BaseUrl = $LrtConfig.Exabeam.BaseUrl
+        $Token = $LrtConfig.Exabeam.Token.access_token
+
+
+        # Define HTTP Headers
+        $Headers = [Dictionary[string,string]]::new()
+        $Headers.Add("Authorization", "Bearer $Token")
+        $Headers.Add("content-type", "application/json")
+        $Headers.Add("accept", "application/json")
+
+        # Define HTTP Method
+        $Method = $HttpMethod.Post
+
+        # Define HTTP URI
+        if ($Uninstall) {
+            $RequestUrl = $BaseUrl + "site-collectors/v1/collectors/commands/uninstallation"
+        } else {
+            $RequestUrl = $BaseUrl + "site-collectors/v1/collectors/commands/installation"
+        }
+
+
+        # Check preference requirements for self-signed certificates and set enforcement for Tls1.2
+        Enable-TrustAllCertsPolicy
+    }
+
+    Process {
+        Write-Verbose "[$Me]: Request URL: $RequestUrl"
+
+        $Body = [PSCustomObject]@{
+            type = $Type
+            fetchHistoricalData = $FetchHistoricalData
+            templateIds = @($TemplateIDs)
+            startLogDate = $StartLogDate
+            deploymentHosts = @($DeploymentHosts)
+        } | ConvertTo-Json
+
+        # Send Request
+        $Response = Invoke-RestAPIMethod -Uri $RequestUrl -Body $Body -Headers $Headers -Method $Method -Origin $Me
+        if (($null -ne $Response.Error) -and ($Response.Error -eq $true)) {
+            return $Response
+        }
+
+        return $Response
+    }
+
+    End { }
+}