“Azure Sentinel is a cloud-native SIEM that provides intelligent security analytics for your entire enterprise at cloud scale. Get limitless cloud speed and scale to help focus on what really matters. Easily collect data from all your cloud or on-premises assets, Office 365, Azure resources, and other clouds. Effectively detect threats with built-in machine learning from Microsoft’s security analytics experts. Automate threat response, using built-in orchestration and automation playbooks.”
Rules in Azure Sentinel define the logic from which Incidents get created. Currently the only way to add, change or delete rules is through the Azure portal. As we run a cloud Security Operations Center at Wortell with many customers connected, doing this manually is not an option for us.
At the moment there is no documented API, ARM template or PowerShell module to configure Azure Sentinel. After some research we were able to find the APIs that the Azure Portal itself uses, and based on those we have written a PowerShell module to manage Azure Sentinel from PowerShell.
About the Module
The module currently provides the following functions; if you are missing a feature or have found a bug, please create an issue.
One of the most used features of the module is Import-AzSentinelAlertRule, which lets you create and maintain your Azure Sentinel alert rules from one or more JSON/YAML files. For this we have created a standard JSON and YAML format that includes all the available properties:
The table below describes the property values you need to set in the schema.
Working With the Module
Version 0.6.1 of the AzSentinel module is currently available in PowerShell Gallery
The module itself requires PowerShell Core 6 or above, the Az module, and the powershell-yaml module (for YAML file support). Other than that you just need an Azure Log Analytics workspace 😉
The module can also be used from Azure Automation and from Azure Functions v2, which support PowerShell Core.
Now that the module is installed we can start using the functions. We won’t be able to discuss all of them in this blog post, but they are all well documented, with multiple examples, in the docs folder.
Enable Azure Sentinel
To enable Azure Sentinel on your existing workspace, run the following command:
Import Alert Rules
Now that Azure Sentinel is enabled we can start importing our alert rules. Please take a look at the great work done by Edoardo Gerosa on collecting and converting all existing and new alert rules into the JSON format supported by this PowerShell module.
If we now update our JSON file, change some values and run the import command again, the function automatically detects that the rule already exists and then compares the existing rule with the file to see which values need to be changed:
The same way of working also applies to hunting rules; for hunting rules you can use the following JSON layout:
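The post’s own JSON/YAML layout and the command output are not reproduced on this page, so here is an added end-to-end example of the workflow described above (install, enable Sentinel, import an alert rule, re-import after a change, import a hunting rule). It is example code, not code from the original post or from the module’s docs. Only Import-AzSentinelAlertRule is named on this page; the other cmdlet names and parameters (Set-AzSentinel, -SettingsFile, Get-AzSentinelAlertRule, Import-AzSentinelHuntingRule), the top-level keys and property names in the rule files, and the workspace, subscription and rule values are assumptions to check against the module’s docs folder.

```powershell
# Added example, not from the original post or the AzSentinel module itself.
# ASSUMED: cmdlet names/parameters other than Import-AzSentinelAlertRule, and the
# JSON layout (top-level keys and property names) are taken from memory of the
# module's docs; verify them there. Workspace, subscription and rules are placeholders.

# 1. Prerequisites: PowerShell Core 6+, Az, powershell-yaml and the module itself
Install-Module -Name Az -Scope CurrentUser -Force
Install-Module -Name powershell-yaml -Scope CurrentUser -Force
Install-Module -Name AzSentinel -Scope CurrentUser -Force
Import-Module AzSentinel

# 2. Sign in and select the subscription that owns the Log Analytics workspace
Connect-AzAccount
Set-AzContext -Subscription '00000000-0000-0000-0000-000000000000'   # placeholder

$workspace = 'my-la-workspace'   # placeholder workspace name

# 3. Enable Azure Sentinel on the existing workspace (ASSUMED cmdlet name)
Set-AzSentinel -WorkspaceName $workspace

# 4. Write one scheduled alert rule in the module's JSON layout (ASSUMED keys).
#    The rule content is constructed for this example.
$rulesPath = Join-Path $PWD 'alert-rules.json'
$rules = @{
    analytics = @(
        @{
            displayName         = 'Example - Repeated failed sign-ins'
            description         = 'Constructed example: more than 20 failed sign-ins for one account in 1h'
            severity            = 'Medium'
            enabled             = $true
            query               = 'SigninLogs | where ResultType != 0 | summarize Failures = count() by UserPrincipalName | where Failures > 20'
            queryFrequency      = '1H'
            queryPeriod         = '1H'
            triggerOperator     = 'GreaterThan'
            triggerThreshold    = 0
            suppressionDuration = '5H'
            suppressionEnabled  = $false
            tactics             = @('CredentialAccess')
        }
    )
}
$rules | ConvertTo-Json -Depth 5 | Set-Content -Path $rulesPath -Encoding utf8

# 5. First import: the rule does not exist yet, so it is created
Import-AzSentinelAlertRule -WorkspaceName $workspace -SettingsFile $rulesPath

# 6. Change a value and re-run: the module detects the existing rule and
#    compares it with the file before updating, so the file stays the source of truth
$rules.analytics[0].severity = 'High'
$rules | ConvertTo-Json -Depth 5 | Set-Content -Path $rulesPath -Encoding utf8
Import-AzSentinelAlertRule -WorkspaceName $workspace -SettingsFile $rulesPath

# 7. Verify what is now deployed in the workspace (ASSUMED -RuleName parameter)
Get-AzSentinelAlertRule -WorkspaceName $workspace -RuleName 'Example - Repeated failed sign-ins'

# 8. Hunting rules follow the same flow with their own layout (ASSUMED key and cmdlet)
$huntPath = Join-Path $PWD 'hunting-rules.json'
$hunting = @{
    Hunting = @(
        @{
            displayName = 'Example - Accounts with sign-ins from many countries'
            description = 'Constructed example hunting query over the last 7 days'
            query       = 'SigninLogs | where TimeGenerated > ago(7d) | summarize Countries = dcount(Location) by UserPrincipalName | where Countries > 3'
            tactics     = @('InitialAccess')
        }
    )
}
$hunting | ConvertTo-Json -Depth 5 | Set-Content -Path $huntPath -Encoding utf8
Import-AzSentinelHuntingRule -WorkspaceName $workspace -SettingsFile $huntPath
```

Keeping the rule files in source control and running the import from a pipeline (or from Azure Automation, as the post mentions) gives you a reviewable history of every detection change per customer workspace, which is the point of driving Sentinel from files rather than from the portal.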
In the next blog post I will explain how I found these APIs and reverse engineered them into a PowerShell module.