Resources/CustomDetectionRules-GET.ps1

function Get-S1CustomDetectionRules {
<#
    .SYNOPSIS
        Get a list of Custom Detection Rules for a given scope.
 
    .DESCRIPTION
        The Get-S1CustomDetectionRules cmdlet gets a list of Custom Detection Rules for a given scope.
 
        Note: You can create and see rules only for your highest available scope.
        For example, if your username has an access level of scope Account,
        you cannot see rules created for the Global scope or rules created for a specific Site.
 
    .PARAMETER accountIds
        List of Account IDs to filter by.
 
        Example: "225494730938493804,225494730938493915".
 
    .PARAMETER activeResponse
        Rule active response status
 
    .PARAMETER countOnly
        If true, only total number of items will be returned, without any of the actual objects.
 
    .PARAMETER creator__contains
        Free-text filter by rule creator
 
        Example: "Service Pack 1".
 
    .PARAMETER cursor
        Cursor position returned by the last request. Use to iterate over more than 1000 items.
 
        Found under pagination
 
        Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
 
    .PARAMETER description__contains
        Free-text filter by rule description
 
        Example: "Service Pack 1".
 
    .PARAMETER disablePagination
        If true, all rules for requested scope will be returned
 
    .PARAMETER expirationMode
        Return rules with the filtered expiration mode.
 
        Allowed values:
        'Permanent', 'Temporary'
 
    .PARAMETER expired
        Rule expired or not
 
    .PARAMETER groupIds
        List of Group IDs to filter by.
 
        Example: "225494730938493804,225494730938493915"
 
    .PARAMETER ids
        A list of Rules IDs.
 
        Example: "225494730938493804,225494730938493915".
 
    .PARAMETER limit
        Limit number of returned items (1-1000).
 
    .PARAMETER name__contains
        Free-text filter by rule name
 
        Example: "Service Pack 1".
 
    .PARAMETER query
        Free text search on fields name, description, agent_version, os_type, config
 
    .PARAMETER queryType
        Return rules with the filtered type.
 
        Allowed values:
        'events', 'processes'
 
    .PARAMETER reachedLimit
        Rule reached limit or not
 
    .PARAMETER s1ql__contains
        Free-text filter by S1 query
 
        Example: "Service Pack 1".
 
    .PARAMETER scopes
        Return rules with the filtered expiration mode.
 
        Allowed values:
        'account', 'global', 'group', 'site'
 
    .PARAMETER siteIds
        List of Site IDs to filter by
 
        Example: "225494730938493804,225494730938493915".
 
    .PARAMETER skip
        Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor".
 
        Example: "150".
 
    .PARAMETER skipCount
        If true, total number of items will not be calculated, which speeds up execution time.
 
    .PARAMETER sortBy
        Sorts the returned results by a defined value
 
        Allowed values:
        'activeResponse', 'createdAt', 'description', 'expiration', 'expirationMode', 'expired', 'generatedAlerts', 'id', 'lastAlertTime',
        'name', 'queryType', 'reachedLimit', 'scope', 'scopeHierarchy', 'severity', 'status', 'statusReason', 'updatedAt'
 
    .PARAMETER sortOrder
        Sort direction
 
        Allowed values:
        'asc', 'desc'
 
    .PARAMETER status
        Included engines.
 
        Allowed values:
        'Activating', 'Active', 'Deleted', 'Deleting', 'Disabled', 'Disabling', 'Draft'
 
    .EXAMPLE
        Get-S1CustomDetectionRules
 
        Returns the first 10 Custom Detection Rules for a given scope
 
    .EXAMPLE
        1234567890,0987654321 | Get-S1CustomDetectionRules
 
        Returns the first 10 Custom Detection Rules for a given scope from the defined sites
 
    .EXAMPLE
        Get-S1CustomDetectionRules -cursor 'YWdlbnRfaWQ6NTgwMjkzODE='
 
        Returns results after the defined cursor
 
        The cursor value can be found under pagination
 
    .NOTES
        As of 2022-11:
            Cannot fully validate due to permissions
 
    .LINK
        https://github.com/Celerium/S1-PowerShellWrapper
 
#>


[CmdletBinding( DefaultParameterSetName = 'index' )]
Param (
    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateRange(1, [Int64]::MaxValue)]
    [Int64[]]$accountIds,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [Switch]$activeResponse,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [Switch]$countOnly,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateNotNullOrEmpty()]
    [String[]]$creator__contains,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateNotNullOrEmpty()]
    [String]$cursor,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateNotNullOrEmpty()]
    [String[]]$description__contains,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [Switch]$disablePagination,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateSet( 'Permanent', 'Temporary' )]
    [String]$expirationMode,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [Switch]$expired,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateRange(1, [Int64]::MaxValue)]
    [Int64[]]$groupIds,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateRange(1, [Int64]::MaxValue)]
    [Int64[]]$ids,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateRange(1, 1000)]
    [Int64]$limit,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateNotNullOrEmpty()]
    [String[]]$name__contains,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateNotNullOrEmpty()]
    [String[]]$query,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateSet( 'events', 'processes' )]
    [String]$queryType,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [Switch]$reachedLimit,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateNotNullOrEmpty()]
    [String[]]$s1ql__contains,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateSet( 'account', 'global', 'group', 'site' )]
    [String[]]$scopes,

    [Parameter( Mandatory = $false, ValueFromPipeline = $true, ParameterSetName = 'index' )]
    [ValidateRange(1, [Int64]::MaxValue)]
    [Int64[]]$siteIds,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateRange(1, [Int64]::MaxValue)]
    [Int64]$skip,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [Switch]$skipCount,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateSet(   'activeResponse', 'createdAt', 'description', 'expiration', 'expirationMode', 'expired',
                    'generatedAlerts', 'id', 'lastAlertTime', 'name', 'queryType', 'reachedLimit', 'scope',
                    'scopeHierarchy', 'severity', 'status', 'statusReason', 'updatedAt'
                )]
    [String]$sortBy,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateSet( 'asc', 'desc' )]
    [String]$sortOrder,

    [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
    [ValidateSet( 'Activating', 'Active', 'Deleted', 'Deleting', 'Disabled', 'Disabling', 'Draft' )]
    [String[]]$status

)

    process{

        Write-Verbose "Running the [ $($PSCmdlet.ParameterSetName) ] parameterSet"

        Switch ($PSCmdlet.ParameterSetName){
            'index' {$resource_uri = "/cloud-detection/rules"}
        }

        $excludedParameters =   'Debug','ErrorAction','ErrorVariable','InformationAction',
                                'InformationVariable','OutBuffer','OutVariable','PipelineVariable',
                                'Verbose','WarningAction','WarningVariable'

        $body = @{}

        if ($PSCmdlet.ParameterSetName -eq 'index') {

            ForEach ( $Key in $PSBoundParameters.GetEnumerator() ){

                if( $excludedParameters -contains $Key.Key ){$null}
                elseif ( $Key.Value.GetType().IsArray ){
                    Write-Verbose "[ $($Key.Key) ] is an array parameter"
                    $body += @{ $Key.Key = $Key.Value -join (',') }
                }
                else{
                    $body += @{ $Key.Key = $Key.Value }
                }

            }

        }

        try {
            $ApiToken = Get-S1APIKey -PlainText
            $S1_Headers.Add('Authorization', "ApiToken $ApiToken")

            $rest_output = Invoke-RestMethod -Method Get -Uri ( $S1_Base_URI + $resource_uri ) -Headers $S1_Headers -Body $body -ErrorAction Stop -ErrorVariable rest_error
        } catch {
            Write-Error $_
        } finally {
            [void] ( $S1_Headers.Remove('Authorization') )
        }

        $data = @{}
        $data = $rest_output
        return $data

    }

}