internal/functions/Get-AgentConfigString.ps1

function Get-AgentConfigString {

<#
    .SYNOPSIS
    Gets all the event ids that you need to monitor the selected MITRE Techniques & areas.
 
    .DESCRIPTION
    Gets all the event ids that you need to monitor the selected MITRE Techniques & areas and matches it to the selected event forwarder syntax.
 
    .PARAMETER ForwarderName
    Specifies the name of the Agent Forwarder for which the config should be queried.
 
    .EXAMPLE
    Get-AgentConfigString -ForwarderName "Splunk Universal Forwarder"
 
    Gets all the event ids for the Splunk Universal Forwarder that you need to monitor the selected MITRE Techniques & areas.
 
#>


    [CmdletBinding()]
    param (
        [string]$ForwarderName
    )

    $query = "select syntax from agent_forwarder_syntax where name = '" + (ConvertTo-PSSQLString($ForwarderName)) + "';"
    $syntaxStr = Invoke-SqliteQuery -Query $query -DataSource $database | Select-Object -ExpandProperty syntax

    $eventStr = Get-MitreEvents | Select-Object -ExpandProperty event_id -Unique

    $eventStr = [string]$eventStr -replace(" ", ", ")
    $eventStr = [string]$eventStr -replace(", -1", "")
    $eventStr = [string]$eventStr -replace("-1", "")

    $syntaxStr = $syntaxStr -replace ("{{EVENTIDS}}", $eventStr) -replace "`n", "`r`n"

    $syntaxStr = $syntaxStr -replace("= ,", "=")

    $agentSnippetBox.Text = $syntaxStr

}