New version of AzSentinel is available in PowerShell Gallery with bunch of bugfixes and some new features. See below a list of the changes in this version.
1. Configure Action for Alert Rules
From this version it’s possible to configure “Actions” for the Alert Rules through New-AzSentinelAlertRule by using the -playbookName switch. Or by configuring JSON “PlaybookName” property for each Alert rule. You only need to provide the logic APP name that you want to assign to your Alert rule. The function will automatically search the Logic App in your Subscription, the logic App is also tested to see if it’s compatible for Azure Sentinel!
This option is backwards compatible, if you don’t have the “PlaybookName” covered in your JSON template no changes will be applied. Thanks sbroosnokia for the feedback!
Below the new JSON layout:
To make this feature available the following new functions are added to AzSentinel:
|Get-AzSentinelAlertRuleAction||Use this function to see if a Alert rule has Action configured|
|New-AzSentinelAlertRuleAction||Configure Action for an existing Alert rule|
|Remove-AzSentinelAlertRuleAction||Remove configured Action|
2. Update Incident
In this version there is also an Update-AzSentinelIncident function available that you can use to update existing incidents. Not all the properties are currently available in Update function, but in feature version I will extend the possibilities. See below a list of current possibilities:
Close Incident with argument:
Change incident status to inProgress:
Add label to existing labels:
Below list of hotfixes:
|Time Format conflict #38|| https://github.com/wortell/AZSentinel/issues/38||https://github.com/lunchbox-rcl|
| Issue using Import-AzSentinelAlertRule #27|| https://github.com/wortell/AZSentinel/issues/27 ||https://github.com/garybushey|
This Post Has One Comment
Hi Pouyan, I LOVE AzSentinel! Thanks very much for this.
I’ve successfully imported 100+ rules.
Now I’m trying out Get-AzSentinelAlertRule -WorkspaceName…
Would you have an example query that would nicely format the output of this command in columns so I can document my rules?
Or if you can point me in the right direction I would greatly appreciate it.
At the very least I’m working for an output with the rulename.
And then more granular I’d be interested in picking fields like Mitre Tactics, etc.