<#
GENERAL CODING STANDARDS TO BE FOLLOWED IN THIS MODULE:
https://github.com/PoshCode/PowerShellPracticeAndStyle
and
https://msdn.microsoft.com/en-us/library/dd878270%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
#>
#----------------------------Constants-----------------------------
# Anchored regex for sanity-checking an API token string: 64 to 192 characters drawn only
# from [0-9a-zA-Z=]. The class omits '+' and '/', so this is narrower than a generic base64
# check. NOTE(review): presumably consumed by the credential functions under Functions\ —
# confirm the accepted token format there before loosening or tightening this pattern.
$MCAS_TOKEN_VALIDATION_PATTERN = '^[0-9a-zA-Z=]{64,192}$'
#----------------------------Enum Types----------------------------
# Numeric identifiers for the cloud apps this module refers to by name.
# Every member carries an explicit value, so declaration order is not significant.
# NOTE(review): these look like the service's own app IDs (cf. Get-MCASAppId in the export
# list) — confirm against the API before adding or changing an entry.
enum mcas_app {
Amazon_Web_Services = 11599
Box = 10489
Dropbox = 11627
Google_Apps = 11770
Microsoft_Azure = 12260
Microsoft_OneDrive_for_Business = 15600
Microsoft_Cloud_App_Security = 20595
Microsoft_Sharepoint_Online = 20892
Microsoft_Skype_for_Business = 25275
Microsoft_Exchange_Online = 20893
Microsoft_Teams = 28375
Microsoft_Yammer = 11522
Microsoft_Power_BI = 26324
Office_365 = 11161
Okta = 10980
Salesforce = 11114
ServiceNow = 14509
}
# Numeric identifiers for the log formats / appliances a discovery data source can be created
# for (presumably consumed by New-MCASDiscoveryDataSource and Send-MCASDiscoveryLog — verify
# in Functions\). Each member has an explicit value; the trailing comment is the vendor/format
# name as shown in the portal. Values are not contiguous, so do not assume ranges.
enum device_type {
BARRACUDA = 101 # Barracuda - Web App Firewall (W3C)
BARRACUDA_NEXT_GEN_FW = 191 # Barracuda - F-Series Firewall
BARRACUDA_NEXT_GEN_FW_WEBLOG = 193 # Barracuda - F-Series Firewall Web Log Streaming
BLUECOAT = 102 # Blue Coat ProxySG - Access log (W3C)
CHECKPOINT = 103 # Check Point (CSV)
CHECKPOINT_SMART_VIEW_TRACKER = 189 # Check Point - SmartView Tracker
CHECKPOINT_XML = 187 # Check Point (XML)
CISCO_ASA = 104 # Cisco ASA Firewall
CISCO_ASA_FIREPOWER = 177 # Cisco ASA FirePOWER
CISCO_FWSM = 157 # Cisco FWSM
CISCO_IRONPORT_PROXY = 106 # CiscoIronPort WSA
CISCO_SCAN_SAFE = 124 # Cisco ScanSafe
CLAVISTER = 164 # Clavister NGFW (Syslog)
CUSTOM_PARSER = 167 # Custom Parser
FORCEPOINT = 202 # Forcepoint Web Security Cloud
FORTIGATE = 108 # Fortinet Fortigate
GENERIC_CEF = 179 # Generic CEF log
GENERIC_LEEF = 181 # Generic LEEF log
GENERIC_W3C = 183 # Generic W3C log
IBOSS = 200 # Iboss Secure Cloud Gateway
I_FILTER = 185 # Digital Arts i-FILTER
JUNIPER_SRX = 129 # Juniper SRX
JUNIPER_SRX_SD = 172 # Juniper SRX SD
JUNIPER_SRX_WELF = 174 # Juniper SRX Welf
JUNIPER_SSG = 168 # Juniper SSG
MACHINE_ZONE_MERAKI = 153 # Meraki - URLs log
MCAFEE_SWG = 121 # McAfee Web Gateway
MICROSOFT_ISA_W3C = 159 # Microsoft Forefront Threat Management Gateway (W3C)
PALO_ALTO = 112 # PA Series Firewall
# PALO_ALTO_SYSLOG not available here (no numeric id known for it; intentionally omitted)
SONICWALL_SYSLOG = 160 # (Dell) SonicWALL
SOPHOS_CYBEROAM = 162 # Sophos Cyberoam Web Filter and Firewall log
SOPHOS_SG = 130 # Sophos SG
SOPHOS_XG = 198 # Sophos XG
SQUID = 114 # Squid (Common)
SQUID_NATIVE = 155 # Squid (Native)
WEBSENSE_SIEM_CEF = 138 # (WebSense) Web Security solutions - Internet Activity log (CEF)
WEBSENSE_V7_5 = 135 # (WebSense) Web Security solutions - Investigative detail report (CSV)
ZSCALER = 120 # Zscaler - Default CSV
ZSCALER_QRADAR = 170 # Zscaler - QRadar LEEF
ZSCALER_CEF = 196 # Zscaler - CEF
}
# Category assigned to an IP address range (presumably the categories offered when defining a
# subnet collection — see New-MCASSubnetCollection). Explicit values; order not significant.
enum ip_category {
None = 0
Corporate = 1
Administrative = 2
Risky = 3
VPN = 4
Cloud_Provider = 5
Other = 6
}
# Alert severity. Note the numeric encoding is descending (High = 2 … Low = 0); members are
# listed highest first on purpose, and the explicit values make order irrelevant anyway.
enum severity_level {
High = 2
Medium = 1
Low = 0
}
# Alert resolution state (presumably used by Get-MCASAlert / Set-MCASAlert). Open is 0,
# so a default-initialised [resolution_status] is Open — bear that in mind when filtering.
enum resolution_status {
Resolved = 2
Dismissed = 1
Open = 0
}
# Coarse file classification used when querying files (presumably Get-MCASFile).
# Explicit values; 'Other' is the zero/default member.
enum file_type {
Other = 0
Document = 1
Spreadsheet = 2
Presentation = 3
Text = 4
Image = 5
Folder = 6
}
# Sharing scope of a file, ordered from least to most exposed. Private (0) is the default
# member; Public and PublicInternet are distinct levels, so do not treat them as equivalent
# when building exposure reports.
enum file_access_level {
Private = 0
Internal = 1
External = 2
Public = 3
PublicInternet = 4
}
# Category tags for discovered apps. No member has an explicit value, so PowerShell numbers
# them from 0 in declaration order — inserting or reordering a member silently changes the
# numeric value of everything after it. Only the member *names* are presumably sent to the
# API, so the misspelt SUPLLY_CHAIN_AND_LOGISTICS is left as-is: renaming it would change the
# string callers and the service may rely on. NOTE(review): confirm the API spelling.
enum app_category {
ACCOUNTING_AND_FINANCE
ADVERTISING
BUSINESS_MANAGEMENT
CLOUD_STORAGE
CODE_HOSTING
COLLABORATION
COMMUNICATIONS
CONTENT_MANAGEMENT
CONTENT_SHARING
CRM
CUSTOMER_SUPPORT
DATA_ANALYTICS
DEVELOPMENT_TOOLS
ECOMMERCE
EDUCATION
FORUMS
HEALTH
HOSTING_SERVICES
HUMAN_RESOURCE_MANAGEMENT
IT_SERVICES
MARKETING
MEDIA
NEWS_AND_ENTERTAINMENT
ONLINE_MEETINGS
OPERATIONS_MANAGEMENT
PRODUCT_DESIGN
PRODUCTIVITY
PROJECT_MANAGEMENT
PROPERTY_MANAGEMENT
SALES
SECURITY
SOCIAL_NETWORK
SUPLLY_CHAIN_AND_LOGISTICS
TRANSPORTATION_AND_TRAVEL
VENDOR_MANAGEMENT_SYSTEM
WEB_ANALYTICS
WEBMAIL
WEBSITE_MONITORING
}
# Admin permission levels (presumably the -PermissionType accepted by Add-MCASAdminAccess).
# Only the three portal-wide roles are enabled; the scoped admin roles below are kept as
# commented-out placeholders with their expected values so they can be enabled without
# renumbering once supported.
enum permission_type {
FULL_ACCESS = 0
READ_ONLY = 1
COMPLIANCE_READ_ONLY = 2
#INSTANCE_ADMIN = 3
#GROUP_ADMIN = 4
#DISCOVERY_ADMIN = 5
}
#----------------------------Hash Tables---------------------------
# Friendly name -> opaque 24-hex-character tag identifier for the built-in IP address tags
# (presumably what Get-MCASIPTag resolves). Kept [ordered] so enumeration (e.g. for tab
# completion or listing) is alphabetical by name. All ids except Tor are zero-padded small
# integers; Tor's looks like a generated object id — that difference is as found, not a typo.
$IPTagsList = [ordered]@{
Akamai_Technologies = '0000002d0000000000000000'
Amazon_Web_Services = '000000290000000000000000'
Anonymous_proxy = '000000030000000000000000'
Ascenty_Data_Centers = '0000002f0000000000000000'
Botnet = '0000000c0000000000000000'
Brute_force_attacker = '000000380000000000000000'
Cisco_CWS = '000000270000000000000000'
Cloud_App_Security_network = '000000050000000000000000'
Darknet_scanning_IP = '0000001f0000000000000000'
Exchange_Online = '0000000e0000000000000000'
Exchange_Online_Protection = '000000150000000000000000'
Google_Cloud_Platform = '000000280000000000000000'
Internal_Network_IP = '000000310000000000000000'
Malware_CnC_server = '0000000d0000000000000000'
Masergy_Communications = '0000002e0000000000000000'
McAfee_Web_Gateway = '0000002c0000000000000000'
Microsoft_Azure = '0000002a0000000000000000'
Microsoft_Cloud = '0000001e0000000000000000'
Microsoft_Hosting = '0000003a0000000000000000'
Microsoft_authentication_and_identity = '000000100000000000000000'
Office_365 = '000000170000000000000000'
Office_365_Planner = '000000190000000000000000'
Office_365_ProPlus = '000000120000000000000000'
Office_Online = '000000140000000000000000'
Office_Sway = '0000001d0000000000000000'
Office_Web_Access_Companion = '0000001a0000000000000000'
OneNote = '000000130000000000000000'
Remote_Connectivity_Analyzer = '0000001c0000000000000000'
Salesforce_Cloud = '000000390000000000000000'
Satellite_provider = '000000040000000000000000'
ScanSafe = '000000300000000000000000'
SharePoint_Online = '0000000f0000000000000000'
Skype_for_Business_Online = '000000180000000000000000'
Symantec_Cloud = '000000330000000000000000'
Tor = '2dfa95cd7922d979d66fcff5'
Yammer = '0000001b0000000000000000'
Zscaler = '000000160000000000000000'
}
# Friendly name -> 24-hex-character tag identifier for the built-in user-agent tags, in the
# same id format as $IPTagsList. [ordered] keeps enumeration in the listed (alphabetical)
# order. The 'Robot' id (0x2b) sits in the same numbering space as the IP tags, so the two
# tables should not be merged into a name-keyed lookup without checking for collisions.
$UserAgentTagsList = [ordered]@{
Native_client = '000000000000000000000000'
Outdated_browser = '000000010000000000000000'
Outdated_operating_system = '000000020000000000000000'
Robot = '0000002b0000000000000000'
}
# Display name of a built-in report -> the report's API identifier. This is a plain
# (unordered) hashtable: it is used for lookup only, enumeration order is never relied on.
$ReportsList = @{
    'Activity by Location'                   = 'geolocation_summary'
    'Browser Use'                            = 'browser_usage'
    'IP Addresses'                           = 'ip_usage'
    'IP Addresses for Admins'                = 'ip_admin_usage'
    'OS Use'                                 = 'os_usage'
    'Strictly Remote Users'                  = 'standalone_users'
    'Cloud App Overview'                     = 'app_summary'
    'Inactive Accounts'                      = 'zombie_users'
    'Privileged Users'                       = 'admins'
    'Salesforce Special Privileged Accounts' = 'sf_permissions'
    'User Logon'                             = 'logins_rate'
    'Data Sharing Overview'                  = 'files_summary'
    'File Extensions'                        = 'file_extensions'
    'Orphan Files'                           = 'orphan_files'
    'Outbound Sharing by Domain'             = 'external_domains'
    'Owners of Shared Files'                 = 'shared_files_owners'
    'Personal User Accounts'                 = 'personal_users'
    'Sensitive File Names'                   = 'file_name_dlp'
}
# Inverse map (API identifier -> display name) so callers can translate in both directions.
# Hashtable.Add is used deliberately: a duplicate API identifier in $ReportsList would throw
# here at module import rather than silently overwriting one of the mappings.
$ReportsListReverse = @{}
foreach ($report in $ReportsList.GetEnumerator()) {
    $ReportsListReverse.Add($report.Value, $report.Key)
}
# Governance-action status string -> tri-state result (presumably consumed by
# Get-MCASGovernanceAction). Because 'Pending' maps to $null, an indexer lookup such as
# $GovernanceStatus['Pending'] is indistinguishable from a missing key; use .ContainsKey()
# when "unknown status" must be told apart from "pending".
$GovernanceStatus = @{
'Failed' = $false
'Pending' = $null
'Successful' = $true
}
#----------------------------Include functions---------------------------
# KUDOS to the chocolatey project for the basis of this code
# get the path of where the module is saved (if module is at c:\myscripts\module.psm1, then c:\myscripts\)
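# $PSScriptRoot is set for .psm1 files on PowerShell 3+ (this module already needs 5+ for
# enum); the invocation-based form is kept only as a fallback for odd hosting scenarios.
$mypath = if ($PSScriptRoot) { $PSScriptRoot } else { Split-Path -Parent -Path $MyInvocation.MyCommand.Definition }
# find and load all the ps1 files in the Functions subfolder.
# -LiteralPath plus -Filter keeps wildcard characters in the module's own path (e.g. '[')
# from being treated as a pattern, -File skips any directory that happens to end in .ps1,
# and the sort makes load order deterministic across filesystems. -ErrorAction Stop turns a
# missing Functions folder into an import failure instead of a module that exports nothing.
$functionsDir = Join-Path -Path $mypath -ChildPath 'Functions'
$functionFiles = Get-ChildItem -LiteralPath $functionsDir -Filter '*.ps1' -File -ErrorAction Stop |
    Sort-Object -Property Name
foreach ($functionFile in $functionFiles) {
    # dot-source so each file's function definitions land in the module scope
    . $functionFile.FullName
}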
#----------------------------Exports---------------------------
# Cmdlets to export (must be exported as functions, not cmdlets) - This array format can be copied directly to the module manifest as the 'FunctionsToExport' value
$ExportedCommands = @(
    'Add-MCASAdminAccess',
    'ConvertFrom-MCASTimestamp',
    'Export-MCASBlockScript',
    'Export-MCASCredential',
    'Get-MCASAccount',
    'Get-MCASActivity',
    'Get-MCASActivityType',
    'Get-MCASAdminAccess',
    'Get-MCASAlert',
    'Get-MCASAppId',
    'Get-MCASAppInfo',
    'Get-MCASAppPermission',
    'Get-MCASConfiguration',
    'Get-MCASCredential',
    'Get-MCASDiscoveredApp',
    'Get-MCASDiscoveredAppTag',
    'Get-MCASDiscoveryDataSource',
    'Get-MCASDiscoverySampleLog',
    'Get-MCASFile',
    'Get-MCASGovernanceAction',
    'Get-MCASIPTag',
    'Get-MCASLogCollector',
    'Get-MCASPolicy',
    'Get-MCASPortalSettings',
    'Get-MCASSiemAgent',
    'Get-MCASStream',
    'Get-MCASSubnetCollection',
    'Get-MCASUserGroup',
    'Import-MCASCredential',
    'Install-MCASSiemAgent',
    'New-MCASDiscoveryDataSource',
    'New-MCASGroupImport',
    'New-MCASSiemAgentToken',
    'New-MCASSubnetCollection',
    'Remove-MCASAdminAccess',
    'Remove-MCASDiscoveryDataSource',
    'Remove-MCASSubnetCollection',
    'Send-MCASDiscoveryLog',
    'Set-MCASAlert'
)
# Export each public function individually. Anything defined in Functions\ that is not in
# the list above (internal helpers such as the commented-out Invoke-MCASRestMethod2 below)
# stays private to the module.
foreach ($commandName in $ExportedCommands) {
    Export-ModuleMember -Function $commandName
}
#Export-ModuleMember -Function Invoke-MCASRestMethod2
# Vars to export (must be exported here, even if also included in the module manifest in
# 'VariablesToExport'). Note this makes the module's CASCredential variable readable from
# the importing session, which is by design: callers inspect/set it via the *-MCASCredential
# functions.
Export-ModuleMember -Variable CASCredential
# Aliases to export. '*' exports every alias defined by any dot-sourced file in Functions\,
# so adding an alias there automatically widens the public surface.
Export-ModuleMember -Alias *
<#
# Implement your module commands in this script.
# Export only the functions using PowerShell standard verb-noun naming.
# Be sure to list each exported function in the FunctionsToExport field of the module manifest file.
# This improves performance of command discovery in PowerShell.
Export-ModuleMember -Function Get-MCASUserGroup
#>