functions/Get-AgentConfigString.ps1

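function Get-AgentConfigString {

<#
    .SYNOPSIS
    Gets all the event ids that you need to monitor the selected MITRE Techniques & areas.

    .DESCRIPTION
    Gets all the event ids that you need to monitor the selected MITRE Techniques & areas and
    renders them in the syntax of the selected event forwarder (agent_forwarder_syntax table).

    When called from the GUI ($Script:openFromGui is set) the techniques come from the checked
    tree items and the rendered snippet is written to $agentSnippetBox; otherwise they are derived
    from -Identity and the snippet is written to the console.

    .PARAMETER Identity
    The Identity to generate an Agent Configuration from: either a baseline name or one or more
    MITRE technique IDs. Accepted technique forms are a single ID (T1234), a single quoted ID
    ('T1234') or a comma-separated list of optionally quoted IDs ('T1234','T5678'). The list is
    normalised to the quoted, comma-separated form before it is handed to Get-MitreEvents; any
    other value is rejected and reported as "no techniques selected".

    .PARAMETER ForwarderName
    Specifies the name of the Agent Forwarder for which the config should be queried:
    - splunk
    - xpath
    - mdatp

    In GUI mode the display name (column "name") is looked up, on the command line the
    short name (column "short_name").

    .EXAMPLE
    Get-AgentConfigString -ForwarderName splunk

    Gets all the event ids for the Splunk Universal Forwarder that you need to monitor the selected MITRE Techniques & areas.

    .EXAMPLE
    Get-AgentConfigString -Identity 'MyBaseline' -ForwarderName xpath

    Renders the event ids of the baseline called "MyBaseline" as an XPath query.

#>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWriteHost', '')]
    [CmdletBinding()]
    param (
        [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [Alias('BaselineName', 'TechniqueId')]
        [string]$Identity,
        [Parameter(Mandatory=$True)]
        [string]$ForwarderName
    )

    process {

        # Reset per pipeline item: without this, an input object whose Identity matches nothing
        # would silently reuse the techniques resolved for the previous input object.
        $MitreTechniques = $null

        if ($Script:openFromGui) {
            $MitreTechniques = Get-CheckedMitreTechniques
        }
        elseif ($Identity) {
            if (Get-BaselineNameFromDB -BaselineName $Identity) {
                $MitreTechniques = Get-MitreTechniquesFromBaseline -BaselineName $Identity
            }
            else {
                # Normalise "T1234", "'T1234'" or "'T1234','T5678'" (quotes and whitespace optional)
                # into the quoted, comma-separated form. Every token must be a technique ID, so only
                # validated values reach the downstream query builder (Get-MitreEvents, not visible
                # here); the previous pass-through regex accepted almost any string starting with T.
                $ids = @($Identity -split ',' | ForEach-Object { $_.Trim().Trim("'") })
                $invalid = @($ids | Where-Object { $_ -notmatch '^T\d{4}$' })
                if ($ids.Count -gt 0 -and $invalid.Count -eq 0) {
                    $MitreTechniques = ($ids | ForEach-Object { "'$_'" }) -join ','
                }
                else {
                    Write-Verbose "'$Identity' is neither a known baseline nor a list of MITRE technique IDs."
                }
            }
        }

        if (-not $MitreTechniques) {
            write-host "No MITRE ATT&CK techniques were selected."
            return
        }

        # The column is chosen by code path (GUI vs CLI), never by user input; the forwarder name
        # is bound as a query parameter so it is never spliced into the SQL text.
        $column = if ($Script:openFromGui) { 'name' } else { 'short_name' }
        $query = "select * from agent_forwarder_syntax where $column = @forwarder;"
        # $database is script-level state defined outside this file.
        $results = @(Invoke-SqliteQuery -Query $query -DataSource $database -SqlParameters @{ forwarder = $ForwarderName })

        if ($results.Count -eq 0) {
            Write-Warning "No agent forwarder syntax found for '$ForwarderName'."
            return
        }

        foreach ($result in $results) {
            $separator = [string]$result.event_separator
            # -replace is regex based: values coming from the database (separator, syntax
            # prefix) are escaped so a separator such as '|' or '.' is matched literally
            # instead of being interpreted as a pattern.
            $sepPattern = [regex]::Escape($separator)

            # One rendered entry per distinct event id, joined with "<separator> ".
            $eventIds = Get-MitreEvents -MitreTechniques $MitreTechniques -EventIds |
                Select-Object -ExpandProperty event_id -Unique
            $eventStr = @($eventIds | ForEach-Object { $result.single_event_syntax -replace '{{SINGLE_EVENTID}}', $_ }) -join ' '
            $eventStr = $eventStr -replace ' ', ($separator + ' ')

            # "-1" is the placeholder event id used by the event table; strip it together with the
            # separator/prefix that was rendered around it.
            $eventStr = $eventStr -replace ($sepPattern + ' -1'), ''
            if ($result.single_event_syntax -eq '{{SINGLE_EVENTID}}') {
                $eventStr = $eventStr -replace '-1', ''
            }
            else {
                $prefix = $result.single_event_syntax -replace '{{SINGLE_EVENTID}}', ''
                $eventStr = $eventStr -replace [regex]::Escape($prefix + '-1' + $separator), ''
            }

            # '$' in a -replace replacement string denotes a group reference; double it so the
            # rendered ids are inserted verbatim. "`r?`n" keeps templates that already use CRLF
            # from gaining a second CR.
            $syntaxStr = [string]$result.syntax -replace '{{EVENTIDS}}', $eventStr.Replace('$', '$$')
            $syntaxStr = $syntaxStr -replace "`r?`n", "`r`n"
            $syntaxStr = $syntaxStr -replace ('= ' + $sepPattern), '='

            if ($Script:openFromGui) {
                # $agentSnippetBox is a GUI control defined outside this file; the last
                # matching row wins.
                $agentSnippetBox.Text = $syntaxStr
            }
            else {
                Write-Host $syntaxStr
            }
        }
    }

}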