Scribd
Upload
269 views

Azure Sentinel MGMT Using PowerShell

This document provides PowerShell code samples for managing incidents and alert rules in Azure Sentinel. For incidents, it includes samples for getting, listing, updating, adding comments to, and removing incidents. For alert rules, it includes samples for getting enabled rules, rule actions, listing and counting rule templates. The goal is to help automate common Azure Sentinel management tasks using PowerShell.

Uploaded by

LakshmipathiMurugan
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
269 views

Azure Sentinel MGMT Using PowerShell

This document provides PowerShell code samples for managing incidents and alert rules in Azure Sentinel. For incidents, it includes samples for getting, listing, updating, adding comments to, and removing incidents. For alert rules, it includes samples for getting enabled rules, rule actions, listing and counting rule templates. The goal is to help automate common Azure Sentinel management tasks using PowerShell.

Uploaded by

LakshmipathiMurugan
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 40

Azure Sentinel management

using PowerShell
Kaido Järvemets

Microsoft MVP: Enterprise Mobility, MCT, Security+

Updated: 21.09.2021

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Contents

Azure Sentinel management using PowerShell ...................................................................................... 1


Contents .................................................................................................................................................. 2
Script samples ......................................................................................................................................... 7
Introduction ............................................................................................................................................ 8
Part 1 – Incident Management using PowerShell ................................................................................... 8
Get a specific incident ......................................................................................................................... 8
Summary ......................................................................................................................................... 8
Code example ................................................................................................................................. 9
Output ............................................................................................................................................. 9
List all incidents ................................................................................................................................. 10
Summary ....................................................................................................................................... 10
Code example ............................................................................................................................... 10
Output ........................................................................................................................................... 10
Get all incidents and order by CreatedTimeUTC property ............................................................... 11
Summary ....................................................................................................................................... 11
Code example ............................................................................................................................... 11
Output ........................................................................................................................................... 11
Get all incidents and convert CreatedTimeUTC property to local DateTime ................................... 12
Summary ....................................................................................................................................... 12
Code example ............................................................................................................................... 12
Output ........................................................................................................................................... 13
Update incident details ..................................................................................................................... 14
Summary ....................................................................................................................................... 14
Code example ............................................................................................................................... 14
Output ........................................................................................................................................... 14
Add a comment to an incident ......................................................................................................... 15
Summary ....................................................................................................................................... 15
Code example 1............................................................................................................................. 15
Code example 2............................................................................................................................. 15

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Output ........................................................................................................................................... 16
Read incident comments .................................................................................................................. 17
Summary ....................................................................................................................................... 17
Code example ............................................................................................................................... 17
Output ........................................................................................................................................... 17
Create an incident ............................................................................................................................. 18
Summary ....................................................................................................................................... 18
Code example ............................................................................................................................... 18
Output ........................................................................................................................................... 18
Remove incident ............................................................................................................................... 19
Summary ....................................................................................................................................... 19
Code example ............................................................................................................................... 19
Output ........................................................................................................................................... 19
Part 2 – Alert Rule Management using PowerShell .............................................................................. 20
Get all enabled Analytics rules .......................................................................................................... 20
Summary ....................................................................................................................................... 20
Code Example................................................................................................................................ 20
Output ........................................................................................................................................... 20
Get Analytics rule action ................................................................................................................... 21
Summary ....................................................................................................................................... 21
Code Example................................................................................................................................ 21
Output ........................................................................................................................................... 21
Get Analytics rule action detailed information................................................................................. 22
Summary ....................................................................................................................................... 22
Code Example................................................................................................................................ 22
Output ........................................................................................................................................... 22
List all Analytics rule templates ........................................................................................................ 23
Summary ....................................................................................................................................... 23
Code Example................................................................................................................................ 23
Output ........................................................................................................................................... 23
Count all the Analytics rule templates .............................................................................................. 24

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Summary ....................................................................................................................................... 24
Code Example................................................................................................................................ 24
Output ........................................................................................................................................... 24
List all Analytics rules and sort rules based on the Severity ............................................................. 25
Summary ....................................................................................................................................... 25
Code Example................................................................................................................................ 25
Output ........................................................................................................................................... 25
List all Analytics rules and group by Severity .................................................................................... 26
Summary ....................................................................................................................................... 26
Code Example................................................................................................................................ 26
Output ........................................................................................................................................... 26
List all Analytics rules where Data Sources contains "SecurityEvents" ............................................ 27
Summary ....................................................................................................................................... 27
Code Example................................................................................................................................ 27
Output ........................................................................................................................................... 27
Filter Analytics rules based on the CreatedDateUtc property .......................................................... 28
Summary ....................................................................................................................................... 28
Code Example................................................................................................................................ 28
Output ........................................................................................................................................... 28
List all Low Severity based Analytics rules ........................................................................................ 29
Summary ....................................................................................................................................... 29
Code Example................................................................................................................................ 29
Output ........................................................................................................................................... 29
Count Analytics rule template types ................................................................................................. 30
Summary ....................................................................................................................................... 30
Code Example................................................................................................................................ 30
Output ........................................................................................................................................... 30
Create a new custom Analytics rule ................................................................................................. 31
Summary ....................................................................................................................................... 31
Code Example................................................................................................................................ 31
Output ........................................................................................................................................... 31

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Add a new automated response for the Analytics rule .................................................................... 32
Summary ....................................................................................................................................... 32
Code Example................................................................................................................................ 32
Output ........................................................................................................................................... 32
Disable enabled Analytics rule .......................................................................................................... 33
Summary ....................................................................................................................................... 33
Code Example................................................................................................................................ 33
Output ........................................................................................................................................... 33
Remove automated response from the Analytics rule ..................................................................... 34
Summary ....................................................................................................................................... 34
Code Example................................................................................................................................ 34
Output ........................................................................................................................................... 34
Part 3 – Bookmark Management using PowerShell ............................................................................. 35
Add new Bookmark ........................................................................................................................... 35
Summary ....................................................................................................................................... 35
Code Example................................................................................................................................ 35
Output ........................................................................................................................................... 35
Get Bookmarks.................................................................................................................................. 36
Summary ....................................................................................................................................... 36
Code Example................................................................................................................................ 36
Output ........................................................................................................................................... 36
Update Bookmark information ......................................................................................................... 37
Summary ....................................................................................................................................... 37
Code Example................................................................................................................................ 37
Output ........................................................................................................................................... 37
Remove Bookmark ............................................................................................................................ 38
Summary ....................................................................................................................................... 38
Code Example................................................................................................................................ 38
Output ........................................................................................................................................... 38
Part 4 – Data Connector Management using PowerShell .................................................................... 39
Get Data Connectors ......................................................................................................................... 39

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Summary ....................................................................................................................................... 39
Code Example................................................................................................................................ 39
Output ........................................................................................................................................... 39
Configure Data Connectors ............................................................................................................... 40
Summary ....................................................................................................................................... 40
Code Example – Enable Azure Security Center ............................................................................. 40
Output ........................................................................................................................................... 40

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Script samples
You can download all the examples from here - https://github.com/Kaidja/AzSentinelPowerShell

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Introduction

Part 1 – Incident Management using PowerShell


Get a specific incident

Summary

Most of the code examples include the $AzureSentinelWorkSpaceInfo variable. That's our hash table
where we have stored our resource group name and Log Analytics workspace name. In the below
code example, we are querying only one specific incident. As you see from the code block that we
need to specify the IncidentID parameter. By default, the Azure Sentinel portal doesn't show that
information, and you need to query that from the SecurityIncident table.

Azure Sentinel portal

SecurityIncident table

Copy the value from the IncidentName column, and you should see the incident details with
PowerShell.

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Code example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$IncidentID = "499d8110-790e-43d9-a9d9-a15f0539fcf0"
Get-AzSentinelIncident @AzureSentinelWorkSpaceInfo -IncidentId $IncidentID

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


List all incidents

Summary

Get-AzSentinelIncident cmdlet allows you to query all the incidents. Just run the cmdlet with your
environment information, and it should list all the incidents. If it is needed, you can do the filtering
based on the CreatedTimeUTC property.

Code example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

Get-AzSentinelIncident @AzureSentinelWorkSpaceInfo

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Get all incidents and order by CreatedTimeUTC property

Summary

In this example, we have selected only two different properties using the Select-Object cmdlet – Title
and CreatedTimeUTC and then sorting the results based on the CreatedTimeUTC property.

Code example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}
Get-AzSentinelIncident @AzureSentinelWorkSpaceInfo |
Select-Object -Property Title,CreatedTimeUTC |
Sort-Object -Property CreatedTimeUTC -Descending

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Get all incidents and convert CreatedTimeUTC property to local DateTime

Summary

As you saw from the previous example, incident creation dates are in the UTC time zone. To convert
the dates into the local time zone, we need to add one additional function. I'm not the author of that
function, and it is taken from the ScriptingGuy blog.

Code example

Function Convert-UTCtoLocal
{
#Source - https://devblogs.microsoft.com/scripting/powertip-convert-from-utc-to-
my-local-time-zone/ PowerTip: Convert from UTC to my local time zone | Scripting
Blog (microsoft.com)
#Author - Thomas Rayner

Param(
[Parameter(Mandatory=$True)]
[String]$UTCTime
)

$CurrentTimeZone = (Get-WmiObject win32_timezone).StandardName


$TimeZone = [System.TimeZoneInfo]::FindSystemTimeZoneById($CurrentTimeZone)
$LocalTime = [System.TimeZoneInfo]::ConvertTimeFromUtc($UTCTime, $TimeZone)

$LocalTime
}

$ProcessedIncidents = @()

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$Incidents = Get-AzSentinelIncident @AzureSentinelWorkSpaceInfo


foreach($Incident in $Incidents){

$IncidentDetails = [ORDERED]@{
IncidentID = $Incident.Name
CreatedTime = Convert-UTCtoLocal -UTCTime $Incident.CreatedTimeUTC
Title = $Incident.Title
Status = $Incident.Status
}

$PoshObject = New-Object -TypeName PSObject -Property $IncidentDetails


$ProcessedIncidents += $PoshObject
}
$ProcessedIncidents

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Update incident details

Summary

Changing the incident owner requires us to install the Azure AD PowerShell module. You can take the
incident owner information manually from the Azure AD portal too, but most likely, it would be easier
to use Azure AD PowerShell cmdlets for that. Run the Get-AzureADUser cmdlet and get the user
details. After that, you can use the New-AzSentinelIncidentOwner cmdlet to create the owner object.
Finally, run the Update-AzSentinelIncident command.

Code example

Connect-AzureAD

$AzureADUserDetails = Get-AzureADUser -ObjectId "[email protected]"


$IncidentID = "499d8110-790e-43d9-a9d9-a15f0539fcf0"

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$IncidentOwnerDetails = @{
AssignedTo = $AzureADUserDetails.DisplayName
Email = $AzureADUserDetails.Mail
Objectid = $AzureADUserDetails.ObjectId
UserPrincipalName = $AzureADUserDetails.UserPrincipalName
}

$IncidentOwner = New-AzSentinelIncidentOwner @IncidentOwnerDetails

Update-AzSentinelIncident @AzureSentinelWorkSpaceInfo -IncidentID $IncidentID -


Owner $IncidentOwner -Status Active

Output

Updated incident owner

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Add a comment to an incident

Summary

Azure Sentinel allows us to add HTML based comments too. You can add tables or just formatted texts.
The first example uses HTML tags, and the second one is just a regular comment without any
formatting.

Code example 1

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$IncidentID = "499d8110-790e-43d9-a9d9-a15f0539fcf0"

New-AzSentinelIncidentComment @AzureSentinelWorkSpaceInfo -IncidentId $IncidentID


-Message "<h2>We can use HTML too!!!</h2>"

Code example 2

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$IncidentID = "499d8110-790e-43d9-a9d9-a15f0539fcf0"

New-AzSentinelIncidentComment @AzureSentinelWorkSpaceInfo -IncidentId $IncidentID


-Message "We need to investigate this ASAP"

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Read incident comments

Summary

Code example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$IncidentID = "499d8110-790e-43d9-a9d9-a15f0539fcf0"
Get-AzSentinelIncidentComment @AzureSentinelWorkSpaceInfo -IncidentId $IncidentID

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Create an incident

Summary

New-AzSentinelIncident cmdlet allows you to create new incidents. The strange thing is that the data
source will be empty, and no investigation isn't available.

Code example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}
New-AzSentinelIncident @AzureSentinelWorkSpaceInfo -Title "New incident from
PowerShell" -Description "We must investigate this ASAP" -Severity Low -Status
New

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Remove incident

Summary

Remove-AzSentinelIncident removes the incident without any confirmations.

Code example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$IncidentID = "499d8110-790e-43d9-a9d9-a15f0539fcf0"
Remove-AzSentinelIncident @AzureSentinelWorkSpaceInfo -IncidentId $IncidentID

Output

The Remove-AzSentinelIncident cmdlet should return "success" if the removal was successful.

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Part 2 – Alert Rule Management using PowerShell
Get all enabled Analytics rules

Summary

Get-AzSentinelAlertRule cmdlet lists all the enabled Analytics rules.

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

Get-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Get Analytics rule action

Summary

Azure Sentinel allows you to configure automated response actions to your analytics rules. Get-
AzSentinelAlertRuleAction lists the configured playbooks. Use the Get-AzSentinelAlertRule cmdlet to
get the AlertRuleID parameter value. Check the Name property.

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$AlertRuleId = "84d3a26d-1a32-4992-8c35-769cb2a98032"
Get-AzSentinelAlertRuleAction @AzureSentinelWorkSpaceInfo -AlertRuleId
$AlertRuleId

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Get Analytics rule action detailed information

Summary

In the previous example, we queried the configured playbook. Still, if you want more information
about the configured playbook, we need to execute the Get-AzLogicApp cmdlet. In the below code
example, I'm also using the Split-Path cmdlet. That gives me the configured playbook name.

If you have multiple playbooks configured under the Analytics rule, you need to change the code
slightly. Currently, the example assumes that you have only one playbook per the Analytics rule.

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$LogicAppsInfo = @{
ResourceGroupName = "RG-PROD-IT-LOGIC-APPS-WE"
}

$AlertRuleId = "84d3a26d-1a32-4992-8c35-769cb2a98032"
$AlertRuleAction = Get-AzSentinelAlertRuleAction @AzureSentinelWorkSpaceInfo -
AlertRuleId $AlertRuleId

$AlertRuleActionName = $AlertRuleAction.LogicAppResourceId | Split-Path -Leaf


Get-AzLogicApp @LogicAppsInfo -Name $AlertRuleActionName

Output

You should see the following information:

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


List all Analytics rule templates

Summary

Get-AzSentinelAlertRuleTemplate lists all the available Analytics rule templates.

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo

Output

You should see the following information:

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Count all the Analytics rule templates

Summary

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo | Measure-Object

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


List all Analytics rules and sort rules based on the Severity

Summary

In this example, we have selected out only four properties - DisplayName, Status, CreatedDateUtc,
and Severity. Then we are sorting the results based on the Severity property.

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}
Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo |
Select-Object -Property DisplayName,Status,CreatedDateUtc,Severity |
Sort-Object -Property Severity -Descending

Output

The above code block should give you the following output:

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


List all Analytics rules and group by Severity

Summary

This code example counts different rule types based on the Severity property. Interestingly, we have
15 rules without any Severity.

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}
Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo |
Group-Object -Property Severity

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


List all Analytics rules where Data Sources contains "SecurityEvents"

Summary

The following code example lists all the Analytics rules, where the Data Source contains
"SecurityEvents". This example may be really handy when we are going to combine it with Update-
AzSentinelAlertRule or Update-AzSentinelAlertRuleAction cmdlet. It allows us to filter out specific
Analytics rules, and then we can enable all of them at once.

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo |
Where-Object {$PSItem.RequiredDataConnectors.ConnectorId -contains
"SecurityEvents"} |
Select-Object -Property DisplayName,Status,CreatedDateUtc,Severity,Name
,RequiredDataConnectors |
Sort-Object -Property Severity

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Filter Analytics rules based on the CreatedDateUtc property

Summary

The good thing about Azure Sentinel is that Microsoft keeps adding new Analytics rules. This query
prints out all the rules that have been added in the last 60 days.

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}
$TimeRange = (Get-Date).AddDays(-60)

$TimeRange = (Get-Date).AddDays(-60)
Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo |
Where-Object {$PSItem.CreatedDateUtc -ge $TimeRange} |
Select-Object -Property DisplayName,CreatedDateUtc,Severity |
Sort-Object -Property CreatedDateUtc

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


List all Low Severity based Analytics rules

Summary

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo |
Where-Object {$PSItem.Severity -eq "Low"} |
Select-Object -Property DisplayName,Severity

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Count Analytics rule template types

Summary

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo |
Group-Object -Property Kind |
Select-Object -Property Count,Name

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Create a new custom Analytics rule

Summary

The New-AzSentinelAlertRule cmdlet creates a new Analytics rule. This example creates a new
"Scheduled" based Analytics rule. If you have your own custom rules, then it would be much easier
for you to import new rules.

Please remember that this is just a sample Analytics rule, and do not use it in production!

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$NewAnalyticsRuleData = @{
Scheduled = $True
Enabled = $True
Query = "Heartbeat
| summarize LastHeartbeat=max(TimeGenerated) by Computer
| where LastHeartbeat < ago(5m)
| extend HostCustomEntity = Computer"

DisplayName = "TEST - Log Analytics Agent Health"


Description = "Get disconnected Log Analytics nodes"
QueryPeriod = (New-TimeSpan -Hours 1)
QueryFrequency = (New-TimeSpan -Hours 1)
TriggerThreshold = 0
TriggerOperator = "GreaterThan" #Equal, GreaterThan, LessThan, NotEqual
Severity = "Medium" # Low, Medium, High
}

New-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo @NewAnalyticsRuleData

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Add a new automated response for the Analytics rule

Summary

The New-AzSentinelAlertRule cmdlet does not allow us to add an automated response immediately,
but we can use the New-AzSentinelAlertRuleAction cmdlet for that activity. Before that, we need to
query our playbook information using the Get-AzLogicApp and Get-AzLogicAppTriggerCallbackUrl
cmdlets. We can then pass that information to the New-AzSentinelAlertRuleAction cmdlet. Then, we
should see the attached playbook under our Analytics rule.

In my case, all my Logic Apps are under one single resource group.

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$LogicAppsInfo = @{
ResourceGroupName = "RG-PROD-IT-LOGIC-APPS-WE"
Name = "Post-Message-Teams"
}

$LogicAppResourceID = Get-AzLogicApp @LogicAppsInfo


$LogicAppTriggerURI = Get-AzLogicAppTriggerCallbackUrl @LogicAppsInfo -
TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered"

$AnalyticsRule = Get-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo |


Where-Object {$PSItem.DisplayName -eq "Log Analytics Agent Health"}

New-AzSentinelAlertRuleAction @AzureSentinelWorkSpaceInfo -AlertRuleId


$AnalyticsRule.Name -LogicAppResourceId ($LogicAppResourceID.Id) -TriggerUri
($LogicAppTriggerURI.Value)

Output

Configured playbook under the Analytics rule

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Disable enabled Analytics rule

Summary

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$AnalyticsRule = Get-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo |


Where-Object {$PSItem.DisplayName -eq "Log Analytics Agent Health"}

Update-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo -AlertRuleId


$AnalyticsRule.Name -Disabled

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Remove automated response from the Analytics rule

Summary

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$AnalyticsRule = Get-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo |


Where-Object {$PSItem.DisplayName -eq "Log Analytics Agent Health"}

$AlertRuleAction = Get-AzSentinelAlertRuleAction @AzureSentinelWorkSpaceInfo -


AlertRuleId $AnalyticsRule.Name

Remove-AzSentinelAlertRuleAction @AzureSentinelWorkSpaceInfo -AlertRuleId


$AnalyticsRule.Name -ActionId $AlertRuleAction.Name

Output

The Remove-AzSentinelAlertRuleAction cmdlet should return "success" if the removal was


successful.

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Part 3 – Bookmark Management using PowerShell
Add new Bookmark

Summary

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}
$BookMarkQuery = @"
let AllWindowsServers =
Heartbeat
| where OSType == 'Windows' and OSType != "Linux"
| summarize arg_max(TimeGenerated, *) by SourceComputerId
| summarize makeset(Computer);
ProtectionStatus
| where Computer in (AllWindowsServers)
| sort by TimeGenerated desc
| summarize arg_max(TimeGenerated, *) by SourceComputerId
| summarize count() by TypeofProtection, AMProductVersion
"@

$DisplayName = "Get Windows Defender Status from Windows Servers"


$Notes = "Please review"

New-AzSentinelBookmark @AzureSentinelWorkSpaceInfo -DisplayName $DisplayName -


Query $BookMarkQuery -Note $Notes

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Get Bookmarks

Summary

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

Get-AzSentinelBookmark @AzureSentinelWorkSpaceInfo

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Update Bookmark information

Summary

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$BookMark = Get-AzSentinelBookmark @AzureSentinelWorkSpaceInfo |


Where-Object {$PSItem.DisplayName -eq "Get Windows Defender Status from
Windows Servers"}

$Notes = "Check out the Server1. Something seems wrong with that"
Update-AzSentinelBookmark @AzureSentinelWorkSpaceInfo -BookmarkId $BookMark.Name
-Note $Notes

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Remove Bookmark

Summary

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$BookMark = Get-AzSentinelBookmark @AzureSentinelWorkSpaceInfo |


Where-Object {$PSItem.DisplayName -eq "Get Windows Defender Status from
Windows Servers"}

Remove-AzSentinelBookmark @AzureSentinelWorkSpaceInfo -BookmarkId $BookMark.Name

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Part 4 – Data Connector Management using PowerShell
Get Data Connectors

Summary

Code Example

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}
Get-AzSentinelDataConnector @AzureSentinelWorkSpaceInfo |
Select-Object -Property Kind,Name

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]


Configure Data Connectors

Summary

Code Example – Enable Azure Security Center

$AzureSentinelWorkSpaceInfo = @{
ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}
New-AzSentinelDataConnector @AzureSentinelWorkSpaceInfo -AzureSecurityCenter -
SubscriptionId "%YOURSUBSCRIPTIONID%" -Alerts Enabled

Output

Smart and Secure Hybrid Cloud www.lakeforestconsulting.com [email protected]

You might also like