From df7e9568ba776224d48c2449ca73f6b1618697ab Mon Sep 17 00:00:00 2001 From: Fabian Bader Date: Thu, 19 Dec 2024 09:28:05 +0100 Subject: [PATCH 1/6] Add new test cases --- tests/Convert-SentinelARArmToYaml.tests.ps1 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/Convert-SentinelARArmToYaml.tests.ps1 b/tests/Convert-SentinelARArmToYaml.tests.ps1 index 4fcde45..169db12 100644 --- a/tests/Convert-SentinelARArmToYaml.tests.ps1 +++ b/tests/Convert-SentinelARArmToYaml.tests.ps1 @@ -590,6 +590,14 @@ Describe "Simple example tests" { $converted.subTechniques | Should -Be $null $converted.relevantTechniques -join ", " | Should -Be "T1078.003, T1078.004" } + It "Converts eventGroupingSettings correctly" { + $converted = Convert-SentinelARArmToYaml -Filename "TestDrive:/Content/Scheduled.json" | ConvertFrom-Yaml + $converted.eventGroupingSettings.aggregationKind | Should -Be "SingleAlert" + } + It "Converts incidentConfiguration correctly" { + $converted = Convert-SentinelARArmToYaml -Filename "TestDrive:/Content/Scheduled.json" | ConvertFrom-Yaml + $converted.incidentConfiguration.createIncident | Should -Be $true + } } } From 51f3d825bfd85ae5e34227f9fcebaad0494cb7e3 Mon Sep 17 00:00:00 2001 From: Fabian Bader Date: Thu, 19 Dec 2024 09:28:33 +0100 Subject: [PATCH 2/6] Add bugfix for type conversion --- src/public/Convert-SentinelARArmToYaml.ps1 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/public/Convert-SentinelARArmToYaml.ps1 b/src/public/Convert-SentinelARArmToYaml.ps1 index 88213c4..db72462 100644 --- a/src/public/Convert-SentinelARArmToYaml.ps1 +++ b/src/public/Convert-SentinelARArmToYaml.ps1 @@ -368,6 +368,8 @@ function Convert-SentinelARArmToYaml { } } + # Bugfix for broken powershell-yaml - https://github.com/cloudbase/powershell-yaml/issues/177 + $AnalyticsRuleCleaned = $AnalyticsRuleCleaned | ConvertTo-Json -Depth 99 | ConvertFrom-Json # Convert the PowerShell object to YAML $AnalyticsRuleYAML = $AnalyticsRuleCleaned | ConvertTo-Yaml 
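Review bot: The `Should -Be $true` assertion in the new incidentConfiguration test does not pin the type that the follow-up bugfix is about, because Pester's -Be falls back to PowerShell's loose `-eq`, under which the string `"True"` compares equal to `$true` (the left operand decides the type, and `$true` stringifies to "True"). A type assertion next to it would catch a regression that emits the boolean as a quoted scalar: `$converted.incidentConfiguration.createIncident | Should -BeOfType [bool]`. The aggregationKind test is unaffected since that value is a string either way. Both tests also re-run the same conversion of Scheduled.json; a `BeforeAll` in the enclosing Describe (which starts outside the hunk) could share one `$converted`, but that is cosmetic.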
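Review bot: The new comment above the JSON round-trip names the upstream issue but not the failure mode or why a ConvertTo-Json/ConvertFrom-Json pass avoids it, which is what a maintainer needs when deciding whether the workaround can be dropped later. I would spell out the effect, e.g. `# Work around cloudbase/powershell-yaml#177: round-trip through JSON so every nested value reaches ConvertTo-Yaml as a PSCustomObject, array or scalar; -Depth 99 because ConvertTo-Json stringifies anything nested deeper than its default depth of 2`. Be aware that the round-trip also replaces any hashtable/ordered dictionary in $AnalyticsRuleCleaned with PSCustomObject and, for a non-ordered hashtable, emits keys in hashtable enumeration order, so if YAML key order matters it should be covered by a test; where $AnalyticsRuleCleaned is built is outside the hunk, as is the rest of the function.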
From 8ebb0b9a7cf619ae6b0f8aa4a3c7a5d5da2ce053 Mon Sep 17 00:00:00 2001 From: Fabian Bader Date: Thu, 19 Dec 2024 09:28:49 +0100 Subject: [PATCH 3/6] Add warning note to README --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index a08b040..fa89430 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,11 @@ [![PSGallery Version](https://img.shields.io/powershellgallery/v/SentinelARConverter.svg?style=flat&logo=powershell&label=PSGallery%20Version)](https://www.powershellgallery.com/packages/SentinelARConverter) [![PSGallery Downloads](https://img.shields.io/powershellgallery/dt/SentinelARConverter.svg?style=flat&logo=powershell&label=PSGallery%20Downloads)](https://www.powershellgallery.com/packages/SentinelARConverter) +> [!WARNING] +> The [powershell-yaml](https://github.com/cloudbase/powershell-yaml) module which is used by the Sentinel Analytics Rule converter had some breaking changes starting in version 0.4.8. +> For the time being it is recommended to use 0.4.7 of powershell-yaml or update to the latest SentinelARConverter (>=2.4.3) which contains workarounds for known bugs. +> Definitely avoid using powershell-yaml in the version 0.4.8 and 0.4.9. + ## Installation ```PowerShell From 734343f2f8b1e62bb2f7a36a81cd9f712e927fe0 Mon Sep 17 00:00:00 2001 From: Fabian Bader Date: Thu, 19 Dec 2024 09:31:30 +0100 Subject: [PATCH 4/6] Update version to 2.4.3 --- src/SentinelARConverter.psd1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/SentinelARConverter.psd1 b/src/SentinelARConverter.psd1 index c96ce9d..1ccbf7f 100644 --- a/src/SentinelARConverter.psd1 +++ b/src/SentinelARConverter.psd1 @@ -12,7 +12,7 @@ RootModule = 'SentinelARConverter.psm1' # Version number of this module. - ModuleVersion = '2.4.2' + ModuleVersion = '2.4.3' # Supported PSEditions # CompatiblePSEditions = @() From 5b90cb4b93d6f4d8ad79227f446cbadd06d9fa17 Mon Sep 17 00:00:00 2001 
From: Fabian Bader Date: Thu, 19 Dec 2024 09:45:51 +0100 Subject: [PATCH 5/6] Only use workaround in affected versions --- README.md | 4 ++-- src/public/Convert-SentinelARArmToYaml.ps1 | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index fa89430..4d2940b 100644 --- a/README.md +++ b/README.md @@ -6,8 +6,8 @@ > [!WARNING] > The [powershell-yaml](https://github.com/cloudbase/powershell-yaml) module which is used by the Sentinel Analytics Rule converter had some breaking changes starting in version 0.4.8. -> For the time being it is recommended to use 0.4.7 of powershell-yaml or update to the latest SentinelARConverter (>=2.4.3) which contains workarounds for known bugs. -> Definitely avoid using powershell-yaml in the version 0.4.8 and 0.4.9. +> It is recommended to update to at least v0.4.11 of powershell-yaml or to update to the latest SentinelARConverter (>=2.4.3) which contains workarounds for known bugs. +> Avoid using powershell-yaml in the version 0.4.8 and 0.4.9 as there are other bugs. ## Installation diff --git a/src/public/Convert-SentinelARArmToYaml.ps1 b/src/public/Convert-SentinelARArmToYaml.ps1 index db72462..3ea9b63 100644 --- a/src/public/Convert-SentinelARArmToYaml.ps1 +++ b/src/public/Convert-SentinelARArmToYaml.ps1 @@ -369,7 +369,10 @@ function Convert-SentinelARArmToYaml { } # Bugfix for broken powershell-yaml - https://github.com/cloudbase/powershell-yaml/issues/177 - $AnalyticsRuleCleaned = $AnalyticsRuleCleaned | ConvertTo-Json -Depth 99 | ConvertFrom-Json + $PowerShellYAMLModuleVersion = Get-Module -Name powershell-yaml | Select-Object -ExpandProperty Version + if ( $PowerShellYAMLModuleVersion -ge [version]"0.4.8" -and $PowerShellYAMLModuleVersion -le [version]"0.4.10" ) { + $AnalyticsRuleCleaned = $AnalyticsRuleCleaned | ConvertTo-Json -Depth 99 | ConvertFrom-Json + } # Convert the PowerShell object to YAML $AnalyticsRuleYAML = $AnalyticsRuleCleaned | ConvertTo-Yaml 
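Review bot: `Get-Module -Name powershell-yaml` in the new version gate only reports modules already imported into the session, so if powershell-yaml is still to be auto-loaded by the ConvertTo-Yaml call a few lines later, `$PowerShellYAMLModuleVersion` is `$null`, the `-ge` test is not satisfied and the workaround is silently skipped on exactly the affected versions (unless the manifest's RequiredModules guarantees an earlier import, which is not visible here). If more than one version is imported, the variable becomes an array and `-ge`/`-le` act as element filters, so the `-and` is evaluated on non-empty lists rather than on the version actually in use. Resolving through the command addresses both: `$PowerShellYAMLModuleVersion = (Get-Command -Name ConvertTo-Yaml -ErrorAction SilentlyContinue).Module.Version`, which triggers auto-import and returns the module whose ConvertTo-Yaml will run. The enclosing function continues outside the hunk.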
From 19bfefa1430bdc249b3c02bc53684525417c7870 Mon Sep 17 00:00:00 2001 From: Fabian Bader Date: Thu, 19 Dec 2024 09:48:45 +0100 Subject: [PATCH 6/6] Add warning message in module --- src/public/Convert-SentinelARArmToYaml.ps1 | 6 +++++- src/public/Convert-SentinelARYamlToArm.ps1 | 5 +++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/public/Convert-SentinelARArmToYaml.ps1 b/src/public/Convert-SentinelARArmToYaml.ps1 index 3ea9b63..7930362 100644 --- a/src/public/Convert-SentinelARArmToYaml.ps1 +++ b/src/public/Convert-SentinelARArmToYaml.ps1 @@ -136,6 +136,11 @@ function Convert-SentinelARArmToYaml { #region common + $PowerShellYAMLModuleVersion = Get-Module -Name powershell-yaml | Select-Object -ExpandProperty Version + if ( $PowerShellYAMLModuleVersion -ge [version]"0.4.8" -and $PowerShellYAMLModuleVersion -le [version]"0.4.9" ) { + Write-Warning "The powershell-yaml module version $($PowerShellYAMLModuleVersion) has known issues. Please update to the latest version of the module." + } + if ($PsCmdlet.ParameterSetName -ne "Pipeline" ) { try { if (-not (Test-Path $Filename)) { @@ -369,7 +374,6 @@ function Convert-SentinelARArmToYaml { } # Bugfix for broken powershell-yaml - https://github.com/cloudbase/powershell-yaml/issues/177 - $PowerShellYAMLModuleVersion = Get-Module -Name powershell-yaml | Select-Object -ExpandProperty Version if ( $PowerShellYAMLModuleVersion -ge [version]"0.4.8" -and $PowerShellYAMLModuleVersion -le [version]"0.4.10" ) { $AnalyticsRuleCleaned = $AnalyticsRuleCleaned | ConvertTo-Json -Depth 99 | ConvertFrom-Json } diff --git a/src/public/Convert-SentinelARYamlToArm.ps1 b/src/public/Convert-SentinelARYamlToArm.ps1 index e63725e..39218f3 100644 --- a/src/public/Convert-SentinelARYamlToArm.ps1 +++ b/src/public/Convert-SentinelARYamlToArm.ps1 
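Review bot: The version probe and the `0.4.8`/`0.4.9` gate added at the top of `#region common` are copied verbatim into the `end` block of Convert-SentinelARYamlToArm in the same patch (its hunk is only partly visible), and the workaround further down in this file repeats the probe's result against a third literal, `0.4.10`, so the bounds now live in three places that can drift independently. Because the probe is also the piece most likely to need adjusting (Get-Module sees only already-imported modules and may return several), I would move it into one private function dot-sourced with the public ones and call that from both converters; the version literals could then become named `[version]` constants next to it. The `0.4.9` upper bound for the warning versus `0.4.10` for the workaround matches the README's wording, so I read it as intentional, but a short comment on the warning line saying why the two differ would help, e.g. `# warn only on 0.4.8/0.4.9 (further bugs); 0.4.10 is handled by the JSON round-trip below`. The rest of both functions is outside the hunk.
```powershell
# src/private/Get-PowerShellYamlVersion.ps1 — single probe shared by both public converters
function Get-PowerShellYamlVersion {
    # Resolve through the command rather than Get-Module: this auto-imports the
    # module if needed and, with several versions loaded, reports the one that
    # will actually execute ConvertTo-Yaml / ConvertFrom-Yaml.
    $Command = Get-Command -Name ConvertTo-Yaml -ErrorAction SilentlyContinue
    if ($null -eq $Command -or $null -eq $Command.Module) { return $null }
    return [version]$Command.Module.Version
}

# in Convert-SentinelARArmToYaml, #region common (same single line in Convert-SentinelARYamlToArm's end block)
$PowerShellYAMLModuleVersion = Get-PowerShellYamlVersion
# … unchanged: Write-Warning gate and the rest of the function …
```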
@@ -144,6 +144,11 @@ function Convert-SentinelARYamlToArm { end { + $PowerShellYAMLModuleVersion = Get-Module -Name powershell-yaml | Select-Object -ExpandProperty Version + if ( $PowerShellYAMLModuleVersion -ge [version]"0.4.8" -and $PowerShellYAMLModuleVersion -le [version]"0.4.9" ) { + Write-Warning "The powershell-yaml module version $($PowerShellYAMLModuleVersion) has known issues. Please update to the latest version of the module." + } + try { # Use parsed pipeline data if no file was specified (default) if ($PsCmdlet.ParameterSetName -eq "Pipeline") {