diff --git a/Powershell/Lists/Azure/AlertRules.ps1 b/Powershell/Lists/Azure/AlertRules.ps1
new file mode 100644
index 0000000..14afcd2
--- /dev/null
+++ b/Powershell/Lists/Azure/AlertRules.ps1
@@ -0,0 +1,347 @@
+#Connect-AzAccount
+
+$access_token = (Get-AzAccessToken).Token
+$ofs = ', '
+
+function GetSmartDetectorActionGroupIds {
+
+ param (
+ [string] $alertRuleName,
+ [string] $resourceGroupName,
+ [string] $subscriptionId
+ )
+
+ ## example : GetSmartDetectorActionGroupIds -alertRuleName "Failure Anomalies - authorization-functions-v2" -resourceGroupName "authorization" -subscriptionId "3190b0fd-4a66-4636-a204-5b9f18be78a6"
+
+ $escapedAlertRuleName = [uri]::EscapeDataString($alertRuleName)
+ $url = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/microsoft.alertsManagement/smartDetectorAlertRules/$escapedAlertRuleName`?api-version=2019-06-01"
+ $head = @{ Authorization =" Bearer $access_token" }
+ $response = Invoke-RestMethod -Uri $url -Method GET -Headers $head
+ $response | ForEach-Object {
+ $alert = $_
+ $alert.properties.actionGroups
+ | ForEach-Object {
+ $actionGroup = $_
+ $_.groupIds | ForEach-Object {
+ [pscustomobject]@{
+ Id = $alert.id
+ Name = $alert.name
+ Description = $alert.properties.description
+ State = $alert.properties.state
+ Alert = $alert.properties
+ ActionGroups = $alert.actionGroups
+ ActionGroup = $actionGroup
+ ActionGroupId = $_
+ }
+ }
+ }
+ }
+}
+
+function GetDecentDescription {
+ param (
+ [string] $description
+ )
+
+ if ($null -eq $description) {
+ ""
+ }
+ else {
+ $description.Replace("`n"," - ").Replace("`r"," - ").Replace(" - - "," - ")
+ }
+}
+
+[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
+$fileName = ".\$date alert rules.csv"
+
+$subscriptions = Get-AzSubscription | Where-Object State -eq "Enabled"
+
+class AlertRule {
+ [string] $SubscriptionId = ""
+ [string] $SubscriptionName = ""
+ [string] $Id = ""
+ [string] $ResourceGroupName = ""
+ [string] $Type = ""
+ [string] $Name = ""
+ [string] $Description = ""
+ [string] $State = ""
+ [string] $ActionGroupId = ""
+ [string] $ActionGroupName = ""
+ [string] $ActionGroupResourceGroupName = ""
+ [string] $ActionGroupEnabled = ""
+ [string] $ActionGroupArmRoleReceivers = ""
+ [string] $ActionGroupEmailReceivers = ""
+ [string] $AzureFunctionReceivers = ""
+ [string] $Tag_Team = ""
+ [string] $Tag_Product = ""
+ [string] $Tag_Environment = ""
+ [string] $Tag_Data = ""
+ [string] $Tag_CreatedOnDate = ""
+ [string] $Tag_Deployment = ""
+
+}
+
+[Microsoft.Azure.Commands.Insights.OutputClasses.PSActionGroupResource[]]$actionGroups = @()
+foreach ($subscription in $subscriptions)
+{
+ Set-AzContext -SubscriptionId $subscription.Id | out-null
+ $actionGroups += Get-AzActionGroup
+}
+
+[AlertRule[]]$Result = @()
+
+foreach ($subscription in $subscriptions)
+{
+ Set-AzContext -SubscriptionId $subscription.Id
+ ##Set-AzContext -SubscriptionId "a134faf1-7a89-4f2c-8389-06d00bd5e2a7"
+
+ # microsoft.alertsmanagement/smartdetectoralertrules
+ $smartDetectorRules = Get-AzResource -ResourceType "microsoft.alertsmanagement/smartdetectoralertrules"
+ foreach ($smartDetectorRule in $smartDetectorRules)
+ {
+ $actions = GetSmartDetectorActionGroupIds -alertRuleName $smartDetectorRule.Name -resourceGroupName $smartDetectorRule.ResourceGroupName -subscriptionId $subscription.Id
+
+ if (($null -eq $actions) -or ($actions.Length -eq 0)) {
+ [AlertRule] $AlertRule = [AlertRule]::new()
+
+ $AlertRule.SubscriptionId = $subscription.Id
+ $AlertRule.SubscriptionName = $subscription.Name
+ $AlertRule.Id = $smartDetectorRule.Id
+ $AlertRule.Name = $smartDetectorRule.Name
+ $AlertRule.Type = $smartDetectorRule.ResourceType
+ $AlertRule.ResourceGroupName = $smartDetectorRule.ResourceGroupName
+ $AlertRule.Tag_Team = $smartDetectorRule.Tags.team
+ $AlertRule.Tag_Product = $smartDetectorRule.Tags.product
+ $AlertRule.Tag_Environment = $smartDetectorRule.Tags.environment
+ $AlertRule.Tag_Data = $smartDetectorRule.Tags.data
+ $AlertRule.Tag_CreatedOnDate = $smartDetectorRule.Tags.CreatedOnDate
+ $AlertRule.Tag_Deployment = $smartDetectorRule.Tags.drp_deployment
+
+ $Result += $AlertRule
+ }
+ else {
+ foreach($action in $actions) {
+ [AlertRule] $AlertRule = [AlertRule]::new()
+
+ $actionGroup = $actionGroups | where { $_.id -eq [uri]::UnescapeDataString($action.ActionGroupId) }
+
+ $AlertRule.SubscriptionId = $subscription.Id
+ $AlertRule.SubscriptionName = $subscription.Name
+ $AlertRule.Id = $smartDetectorRule.Id
+ $AlertRule.Name = $smartDetectorRule.Name
+ $AlertRule.Type = $smartDetectorRule.ResourceType
+ $AlertRule.ResourceGroupName = $smartDetectorRule.ResourceGroupName
+ $AlertRule.Description = GetDecentDescription $action.Description
+ $AlertRule.State = $action.State
+ $AlertRule.ActionGroupId = $action.ActionGroupId
+
+ if ($null -ne $actionGroup) {
+ $AlertRule.ActionGroupName = $actionGroup.Name
+ $AlertRule.ActionGroupResourceGroupName = $actionGroup.ResourceGroupName
+ $AlertRule.ActionGroupEnabled = $actionGroup.Enabled
+ $AlertRule.ActionGroupArmRoleReceivers = [string] ( $actionGroup.ArmRoleReceivers | ForEach-Object { $_.Name } )
+ $AlertRule.ActionGroupEmailReceivers = [string] ( $actionGroup.EmailReceivers | ForEach-Object { $_.EmailAddress } )
+ $AlertRule.AzureFunctionReceivers = [string] ($actionGroup.AzureFunctionReceivers | ForEach-Object { $_.FunctionName } )
+ }
+
+ $AlertRule.Tag_Team = $smartDetectorRule.Tags.team
+ $AlertRule.Tag_Product = $smartDetectorRule.Tags.product
+ $AlertRule.Tag_Environment = $smartDetectorRule.Tags.environment
+ $AlertRule.Tag_Data = $smartDetectorRule.Tags.data
+ $AlertRule.Tag_CreatedOnDate = $smartDetectorRule.Tags.CreatedOnDate
+ $AlertRule.Tag_Deployment = $smartDetectorRule.Tags.drp_deployment
+
+ $Result += $AlertRule
+ }
+ }
+ }
+
+ # microsoft.insights/scheduledqueryrules
+ $scheduledQueryRules = Get-AzScheduledQueryRule
+ $scheduledQueryRulesResources = Get-AzResource -ResourceType "microsoft.insights/scheduledqueryrules"
+ foreach($scheduledQueryRule in $scheduledQueryRules) {
+ $resource = $scheduledQueryRulesResources | where { $_.id -eq $scheduledQueryRule.Id }
+
+ if (($null -eq $scheduledQueryRule.ActionGroup) -or ($scheduledQueryRule.ActionGroup.Length -eq 0))
+ {
+ [AlertRule] $AlertRule = [AlertRule]::new()
+ $AlertRule.SubscriptionId = $subscription.Id
+ $AlertRule.SubscriptionName = $subscription.Name
+ $AlertRule.Id = $scheduledQueryRule.Id
+ $AlertRule.Name = $scheduledQueryRule.Name
+ $AlertRule.Type = $scheduledQueryRule.Type
+ $AlertRule.ResourceGroupName = $resource.ResourceGroupName
+ $AlertRule.Description = GetDecentDescription $scheduledQueryRule.Description
+ $AlertRule.State = $scheduledQueryRule.Enabled -eq $true ? "Enabled" : "Disabled"
+ $AlertRule.Tag_Team = $smartDetectorRule.Tags.team
+ $AlertRule.Tag_Product = $smartDetectorRule.Tags.product
+ $AlertRule.Tag_Environment = $smartDetectorRule.Tags.environment
+ $AlertRule.Tag_Data = $smartDetectorRule.Tags.data
+ $AlertRule.Tag_CreatedOnDate = $smartDetectorRule.Tags.CreatedOnDate
+ $AlertRule.Tag_Deployment = $smartDetectorRule.Tags.drp_deployment
+
+ $Result += $AlertRule
+ }
+ else {
+ foreach($action in $scheduledQueryRule.ActionGroup) {
+ [AlertRule] $AlertRule = [AlertRule]::new()
+
+ $actionGroup = $actionGroups | where { $_.id -eq [uri]::UnescapeDataString($action) }
+
+ $AlertRule.SubscriptionId = $subscription.Id
+ $AlertRule.SubscriptionName = $subscription.Name
+ $AlertRule.Id = $scheduledQueryRule.Id
+ $AlertRule.Name = $scheduledQueryRule.Name
+ $AlertRule.Type = $scheduledQueryRule.Type
+ $AlertRule.ResourceGroupName = $resource.ResourceGroupName
+ $AlertRule.Description = GetDecentDescription $scheduledQueryRule.Description
+ $AlertRule.State = $scheduledQueryRule.Enabled -eq $true ? "Enabled" : "Disabled"
+ $AlertRule.ActionGroupId = $action
+
+ if ($null -ne $actionGroup) {
+ $AlertRule.ActionGroupName = $actionGroup.Name
+ $AlertRule.ActionGroupResourceGroupName = $actionGroup.ResourceGroupName
+ $AlertRule.ActionGroupEnabled = $actionGroup.Enabled
+ $AlertRule.ActionGroupArmRoleReceivers = [string] ( $actionGroup.ArmRoleReceivers | ForEach-Object { $_.Name } )
+ $AlertRule.ActionGroupEmailReceivers = [string] ( $actionGroup.EmailReceivers | ForEach-Object { $_.EmailAddress } )
+ $AlertRule.AzureFunctionReceivers = [string] ($actionGroup.AzureFunctionReceivers | ForEach-Object { $_.FunctionName } )
+ }
+
+ $AlertRule.Tag_Team = $smartDetectorRule.Tags.team
+ $AlertRule.Tag_Product = $smartDetectorRule.Tags.product
+ $AlertRule.Tag_Environment = $smartDetectorRule.Tags.environment
+ $AlertRule.Tag_Data = $smartDetectorRule.Tags.data
+ $AlertRule.Tag_CreatedOnDate = $smartDetectorRule.Tags.CreatedOnDate
+ $AlertRule.Tag_Deployment = $smartDetectorRule.Tags.drp_deployment
+
+ $Result += $AlertRule
+ }
+ }
+ }
+
+ # Microsoft.Insights/metricAlerts
+ $metricAlerts = Get-AzMetricAlertRuleV2
+ foreach($metricAlert in $metricAlerts) {
+ if (($null -eq $metricAlert.Actions) -or ($metricAlert.Actions.Length -eq 0))
+ {
+ [AlertRule] $AlertRule = [AlertRule]::new()
+ $AlertRule.SubscriptionId = $subscription.Id
+ $AlertRule.SubscriptionName = $subscription.Name
+ $AlertRule.Id = $metricAlert.Id
+ $AlertRule.Name = $metricAlert.Name
+ $AlertRule.Type = $metricAlert.Type
+ $AlertRule.ResourceGroupName = $metricAlert.ResourceGroup
+ $AlertRule.Description = GetDecentDescription $metricAlert.Description
+ $AlertRule.State = $metricAlert.Enabled -eq $true ? "Enabled" : "Disabled"
+ $AlertRule.Tag_Team = $metricAlert.Tags.team
+ $AlertRule.Tag_Product = $metricAlert.Tags.product
+ $AlertRule.Tag_Environment = $metricAlert.Tags.environment
+ $AlertRule.Tag_Data = $metricAlert.Tags.data
+ $AlertRule.Tag_CreatedOnDate = $metricAlert.Tags.CreatedOnDate
+ $AlertRule.Tag_Deployment = $metricAlert.Tags.drp_deployment
+
+ $Result += $AlertRule
+ }
+ else {
+ foreach($action in $metricAlert.Actions) {
+ [AlertRule] $AlertRule = [AlertRule]::new()
+
+ $actionGroup = $actionGroups | where { $_.id -eq [uri]::UnescapeDataString($action.ActionGroupId) }
+
+ $AlertRule.SubscriptionId = $subscription.Id
+ $AlertRule.SubscriptionName = $subscription.Name
+ $AlertRule.Id = $metricAlert.Id
+ $AlertRule.Name = $metricAlert.Name
+ $AlertRule.Type = $metricAlert.Type
+ $AlertRule.ResourceGroupName = $metricAlert.ResourceGroup
+ $AlertRule.Description = GetDecentDescription $metricAlert.Description
+ $AlertRule.State = $metricAlert.Enabled -eq $true ? "Enabled" : "Disabled"
+ $AlertRule.ActionGroupId = $action.ActionGroupId
+
+ if ($null -ne $actionGroup) {
+ $AlertRule.ActionGroupName = $actionGroup.Name
+ $AlertRule.ActionGroupResourceGroupName = $actionGroup.ResourceGroupName
+ $AlertRule.ActionGroupEnabled = $actionGroup.Enabled
+ $AlertRule.ActionGroupArmRoleReceivers = [string] ( $actionGroup.ArmRoleReceivers | ForEach-Object { $_.Name } )
+ $AlertRule.ActionGroupEmailReceivers = [string] ( $actionGroup.EmailReceivers | ForEach-Object { $_.EmailAddress } )
+ $AlertRule.AzureFunctionReceivers = [string] ($actionGroup.AzureFunctionReceivers | ForEach-Object { $_.FunctionName } )
+ }
+
+ $AlertRule.Tag_Team = $metricAlert.Tags.team
+ $AlertRule.Tag_Product = $metricAlert.Tags.product
+ $AlertRule.Tag_Environment = $metricAlert.Tags.environment
+ $AlertRule.Tag_Data = $metricAlert.Tags.data
+ $AlertRule.Tag_CreatedOnDate = $metricAlert.Tags.CreatedOnDate
+ $AlertRule.Tag_Deployment = $metricAlert.Tags.drp_deployment
+
+ $Result += $AlertRule
+ }
+ }
+ }
+
+
+ # Microsoft.Insights/ActivityLogAlerts
+ $activityLogAlerts = Get-AzActivityLogAlert
+ foreach($activityLogAlert in $activityLogAlerts) {
+
+ if (($null -eq $activityLogAlert.ActionGroup) -or ($activityLogAlert.ActionGroup.Length -eq 0))
+ {
+ [AlertRule] $AlertRule = [AlertRule]::new()
+ $AlertRule.SubscriptionId = $subscription.Id
+ $AlertRule.SubscriptionName = $subscription.Name
+ $AlertRule.Id = $activityLogAlert.Id
+ $AlertRule.Name = $activityLogAlert.Name
+ $AlertRule.Type = $activityLogAlert.Type
+ $AlertRule.ResourceGroupName = $activityLogAlert.ResourceGroupName
+ $AlertRule.Description = GetDecentDescription $activityLogAlert.Description
+ $AlertRule.State = $activityLogAlert.Enabled -eq $true ? "Enabled" : "Disabled"
+ $AlertRule.Tag_Team = $activityLogAlert.Tags.team
+ $AlertRule.Tag_Product = $activityLogAlert.Tags.product
+ $AlertRule.Tag_Environment = $activityLogAlert.Tags.environment
+ $AlertRule.Tag_Data = $activityLogAlert.Tags.data
+ $AlertRule.Tag_CreatedOnDate = $activityLogAlert.Tags.CreatedOnDate
+ $AlertRule.Tag_Deployment = $activityLogAlert.Tags.drp_deployment
+
+ $Result += $AlertRule
+ }
+ else {
+ foreach($action in $activityLogAlert.ActionGroup) {
+ [AlertRule] $AlertRule = [AlertRule]::new()
+
+ $actionGroup = $actionGroups | where { $_.id -eq [uri]::UnescapeDataString($action.Id) }
+
+ $AlertRule.SubscriptionId = $subscription.Id
+ $AlertRule.SubscriptionName = $subscription.Name
+ $AlertRule.Id = $activityLogAlert.Id
+ $AlertRule.Name = $activityLogAlert.Name
+ $AlertRule.Type = $activityLogAlert.Type
+ $AlertRule.ResourceGroupName = $activityLogAlert.ResourceGroupName
+ $AlertRule.Description = GetDecentDescription $activityLogAlert.Description
+ $AlertRule.State = $activityLogAlert.Enabled -eq $true ? "Enabled" : "Disabled"
+ $AlertRule.ActionGroupId = $action.Id
+
+ if ($null -ne $actionGroup) {
+ $AlertRule.ActionGroupName = $actionGroup.Name
+ $AlertRule.ActionGroupResourceGroupName = $actionGroup.ResourceGroupName
+ $AlertRule.ActionGroupEnabled = $actionGroup.Enabled
+ $AlertRule.ActionGroupArmRoleReceivers = [string] ( $actionGroup.ArmRoleReceivers | ForEach-Object { $_.Name } )
+ $AlertRule.ActionGroupEmailReceivers = [string] ( $actionGroup.EmailReceivers | ForEach-Object { $_.EmailAddress } )
+ $AlertRule.AzureFunctionReceivers = [string] ($actionGroup.AzureFunctionReceivers | ForEach-Object { $_.FunctionName } )
+ }
+
+ $AlertRule.Tag_Team = $activityLogAlert.Tags.team
+ $AlertRule.Tag_Product = $activityLogAlert.Tags.product
+ $AlertRule.Tag_Environment = $activityLogAlert.Tags.environment
+ $AlertRule.Tag_Data = $activityLogAlert.Tags.data
+ $AlertRule.Tag_CreatedOnDate = $activityLogAlert.Tags.CreatedOnDate
+ $AlertRule.Tag_Deployment = $activityLogAlert.Tags.drp_deployment
+
+ $Result += $AlertRule
+ }
+ }
+ }
+}
+
+$Result | Export-Csv -Path $fileName -NoTypeInformation -Force
+
+$Result | ft
\ No newline at end of file
diff --git a/format.json b/format.json
index e69de29..46b134b 100644
--- a/format.json
+++ b/format.json
@@ -0,0 +1 @@
+ÿþ
\ No newline at end of file
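Review bot: In the `microsoft.insights/scheduledqueryrules` loop of AlertRules.ps1, both branches fill the six `Tag_*` fields from `$smartDetectorRule.Tags`, a variable left over from the preceding smart-detector loop, so each scheduled query rule is exported with whatever tags that variable last held rather than its own. For an inventory that is read to find which team owns an alert, that misattributes ownership and environment; read the tags from the rule's own resource instead, e.g. `$AlertRule.Tag_Team = $resource.Tags.team`, and likewise for the other five fields in both branches. Separately, `$access_token` is fetched once at the top of the script and reused for every `Invoke-RestMethod` call while the context is switched between subscriptions, so a long run (or, presumably, a subscription in a different tenant) can start failing authorization part-way through; acquiring the token inside `GetSmartDetectorActionGroupIds` and dropping the leading space in `" Bearer $access_token"` would make that call more robust.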