AzSentinel – Version 0.6.2

A new version of AzSentinel is available in the PowerShell Gallery with a bunch of bug fixes and some new features. See below for a list of the changes in this version.

1. Configure Action for Alert Rules

From this version on it’s possible to configure “Actions” for Alert Rules through New-AzSentinelAlertRule by using the -playbookName parameter, or by setting the “PlaybookName” property in the JSON for each Alert rule. You only need to provide the name of the Logic App that you want to assign to your Alert rule. The function automatically searches for the Logic App in your Subscription, and the Logic App is also tested to see if it’s compatible with Azure Sentinel!
This option is backwards compatible: if you don’t have the “PlaybookName” property in your JSON template, no changes will be applied. Thanks to sbroosnokia for the feedback!
Below the new JSON layout:

To make this feature available the following new functions are added to AzSentinel:

Name                              Description
Get-AzSentinelAlertRuleAction     Use this function to see if an Alert rule has an Action configured
New-AzSentinelAlertRuleAction     Configure an Action for an existing Alert rule
Remove-AzSentinelAlertRuleAction  Remove a configured Action

2. Update Incident

In this version there is also an Update-AzSentinelIncident function available that you can use to update existing incidents. Not all the properties are currently available in the Update function, but in a future version I will extend the possibilities. See below a list of the current possibilities:

Example

Close Incident with argument:

Change incident status to inProgress:

Add label to existing labels:

3. Bugfixes

Below is the list of hotfixes:

Title                                       URL                                              Thanks to
Time Format conflict #38                    https://github.com/wortell/AZSentinel/issues/38  https://github.com/lunchbox-rcl
Issue using Import-AzSentinelAlertRule #27  https://github.com/wortell/AZSentinel/issues/27  https://github.com/garybushey

Azure Sentinel PowerShell Module

“Azure Sentinel is a cloud-native SIEM that provides intelligent security analytics for your entire enterprise at cloud scale. Get limitless cloud speed and scale to help focus on what really matters. Easily collect data from all your cloud or on-premises assets, Office 365, Azure resources, and other clouds. Effectively detect threats with built-in machine learning from Microsoft’s security analytics experts. Automate threat response, using built-in orchestration and automation playbooks.”

Rules in Azure Sentinel define the basic logic on which Incidents get created. Currently the only way to add, change or delete rules is through the Azure portal. As we’re running a cloud Security Operations Center at Wortell with many customers connected, doing this manually is not an option for us.

PowerShell Module

At the moment there is no documented API, ARM or PowerShell module to configure Azure Sentinel. After doing some research we were able to find the APIs that are currently used by the Azure Portal, and based on those we’ve written a PowerShell module to manage Azure Sentinel through PowerShell.

Move Azure VM with Managed Disk to another Resource Group

At the time of writing this blog it’s unfortunately not possible to move an Azure VM with a Managed Disk to another Resource Group or to another Subscription. However, Microsoft says on the Azure Portal that this will be possible in the near future. For the time being, I have chosen to write a small PowerShell script that does the move fully automated for you. At the moment the only way to move an Azure VM with a Managed Disk to another resource group is to redeploy the VM. To achieve this manually you need to perform the following steps (some from the portal and some from PowerShell):

  1. Shutdown VM
  2. Collect the required information like Networking, VM size, Storage etc.
  3. Create a Snapshot
  4. Create or use an existing Azure Storage Account to copy the Snapshot to
  5. Remove the VM
  6. Create a new Azure VM in the new Resource Group with the collected information and Snapshot disk from the Azure Blob
  7. The Azure VM will start automatically, check if the VM functions as it should and remove the Snapshot and Azure Storage Account.

As you can see, about 7 steps are needed to move an Azure VM with a Managed Disk. The script I have written performs all of these steps automatically; you only need to define 3 variables when running it.
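The seven steps above as one added PowerShell script. This is not the blog's own script (which is not shown on this page); it assumes the Az module (Az.Compute, Az.Resources) is installed and Connect-AzAccount has been run, and the parameter names are my own. It deviates from step 4: instead of copying the snapshot to a storage-account blob, it builds the new managed disk directly from the snapshot (New-AzDiskConfig -SourceResourceId), which the Az module supports. It also leaves the original disks in the source resource group, so nothing is destroyed before the new VM has been verified in step 7.

```powershell
# Added example, not the blog's script. Redeploys a managed-disk VM into another
# resource group: snapshot -> new managed disk -> new VM, original NICs reattached.
param(
    [Parameter(Mandatory)] [string] $SourceResourceGroup,   # assumed parameter names
    [Parameter(Mandatory)] [string] $VMName,
    [Parameter(Mandatory)] [string] $TargetResourceGroup
)
$ErrorActionPreference = 'Stop'

# 1. Shut down (deallocate) the VM so the disks are consistent before snapshotting
$vm = Get-AzVM -ResourceGroupName $SourceResourceGroup -Name $VMName
Stop-AzVM -ResourceGroupName $SourceResourceGroup -Name $VMName -Force | Out-Null

# 2. Collect what the redeploy needs: location, size, OS type, NICs, disk ids
$location  = $vm.Location
$vmSize    = $vm.HardwareProfile.VmSize
$osType    = $vm.StorageProfile.OsDisk.OsType           # 'Windows' or 'Linux'
$nicIds    = @($vm.NetworkProfile.NetworkInterfaces.Id)
$osDiskId  = $vm.StorageProfile.OsDisk.ManagedDisk.Id
$dataDisks = $vm.StorageProfile.DataDisks

if (-not (Get-AzResourceGroup -Name $TargetResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $TargetResourceGroup -Location $location | Out-Null
}

# 3 + 4. Snapshot a disk, then build a new managed disk straight from the snapshot
#        (this replaces the storage-account copy in the original step 4)
function New-DiskFromSnapshot {
    param([string] $SourceDiskId, [string] $NewDiskName)
    $snapCfg = New-AzSnapshotConfig -SourceUri $SourceDiskId -Location $location -CreateOption Copy
    $snap    = New-AzSnapshot -Snapshot $snapCfg -SnapshotName "$NewDiskName-snap" `
                              -ResourceGroupName $TargetResourceGroup
    $diskCfg = New-AzDiskConfig -Location $location -CreateOption Copy -SourceResourceId $snap.Id
    $disk    = New-AzDisk -Disk $diskCfg -ResourceGroupName $TargetResourceGroup -DiskName $NewDiskName
    # The snapshot served its purpose once the disk exists; remove it (step 7)
    Remove-AzSnapshot -ResourceGroupName $TargetResourceGroup -SnapshotName $snap.Name -Force | Out-Null
    return $disk
}
$newOsDisk    = New-DiskFromSnapshot -SourceDiskId $osDiskId -NewDiskName "$VMName-osdisk"
$newDataDisks = foreach ($d in $dataDisks) {
    [pscustomobject]@{
        Lun  = $d.Lun
        Disk = New-DiskFromSnapshot -SourceDiskId $d.ManagedDisk.Id -NewDiskName "$VMName-data$($d.Lun)"
    }
}

# 5. Remove only the VM object; its disks and NICs stay as the rollback path
Remove-AzVM -ResourceGroupName $SourceResourceGroup -Name $VMName -Force | Out-Null

# 6. Recreate the VM in the target resource group with the copied disks and original NICs
$newVm = New-AzVMConfig -VMName $VMName -VMSize $vmSize
if ($osType -eq 'Windows') {
    $newVm = Set-AzVMOSDisk -VM $newVm -ManagedDiskId $newOsDisk.Id -CreateOption Attach -Windows
} else {
    $newVm = Set-AzVMOSDisk -VM $newVm -ManagedDiskId $newOsDisk.Id -CreateOption Attach -Linux
}
foreach ($dd in $newDataDisks) {
    $newVm = Add-AzVMDataDisk -VM $newVm -ManagedDiskId $dd.Disk.Id -Lun $dd.Lun -CreateOption Attach
}
for ($i = 0; $i -lt $nicIds.Count; $i++) {
    if ($i -eq 0) { $newVm = Add-AzVMNetworkInterface -VM $newVm -Id $nicIds[$i] -Primary }
    else          { $newVm = Add-AzVMNetworkInterface -VM $newVm -Id $nicIds[$i] }
}
New-AzVM -ResourceGroupName $TargetResourceGroup -Location $location -VM $newVm | Out-Null

# 7. The new VM starts on creation; report its power state and leave cleanup to the operator
$state = (Get-AzVM -ResourceGroupName $TargetResourceGroup -Name $VMName -Status).Statuses |
    Where-Object Code -like 'PowerState/*' | Select-Object -ExpandProperty DisplayStatus
Write-Host "$VMName redeployed in $TargetResourceGroup, power state: $state"
Write-Host "Original disks are still in $SourceResourceGroup; delete them once the VM is verified."
```

Run it under an identity that has Virtual Machine Contributor on both resource groups and nothing broader; the original disks are the only rollback until the check in step 7 has passed, which is why the script does not delete them.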

Import thumbnailphoto in AD from jpg

The script below imports a JPG file as the thumbnailPhoto attribute of a user in Active Directory.

$username = "p01001"
$jpgfile = "C:\PICTURE.jpg"

# Bind to the current domain and search for the user by sAMAccountName
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root = $dom.GetDirectoryEntry()
$search = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(&(objectclass=user)(objectcategory=person)(samAccountName=$username))"
$result = $search.FindOne()

if ($null -ne $result) {
    $user = $result.GetDirectoryEntry()
    # Read the JPG as raw bytes (-Encoding Byte is Windows PowerShell; PowerShell 7 uses -AsByteStream)
    [byte[]]$jpg = Get-Content $jpgfile -Encoding Byte
    $user.Put("thumbnailPhoto", $jpg)
    $user.SetInfo()
    Write-Host $user.displayname "updated"
} else {
    Write-Host $username "does not exist"
}

~Pouyan

Creating and using Password Hashes and Secure Strings with Powershell

This is how you can generate a Secure String with PowerShell and use it in your scripts:

$secureString = Read-Host -AsSecureString
# Without -Key, ConvertFrom-SecureString uses DPAPI: only the same user on the same machine can decrypt the file
ConvertFrom-SecureString $secureString | Out-File C:\temp\encrypted.txt
$newString = Get-Content C:\temp\encrypted.txt | ConvertTo-SecureString

Load the Secure string from file and use it in your script:

$securePassword = Get-Content c:\temp\encrypted.txt | ConvertTo-SecureString
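The same round trip as a small added example that makes the trust boundary explicit: the file produced by ConvertFrom-SecureString without -Key is protected by DPAPI, so it can only be decrypted by the same Windows account on the same machine, and the loader turns it into a PSCredential that scripts can pass on. This is my code, not the post's; the file path, account name and server name are assumptions.

```powershell
# Added example, not the post's code: store a DPAPI-protected credential and load it back.
$credFile = Join-Path $env:LOCALAPPDATA 'svc-backup.cred'   # assumed path

function Save-ProtectedCredential {
    param([Parameter(Mandatory)] [string] $UserName,
          [Parameter(Mandatory)] [string] $Path)
    $secure = Read-Host -Prompt "Password for $UserName" -AsSecureString
    # No -Key: DPAPI binds the blob to the current user account and machine
    [pscustomobject]@{
        UserName = $UserName
        Blob     = ConvertFrom-SecureString -SecureString $secure
    } | ConvertTo-Json | Set-Content -Path $Path

    # The blob is useless elsewhere, but restrict the file to its owner anyway so a
    # co-resident process running as another account cannot even read it
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting ACEs from the folder
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ProtectedCredential {
    param([Parameter(Mandatory)] [string] $Path)
    $stored = Get-Content -Path $Path -Raw | ConvertFrom-Json
    try {
        $secure = ConvertTo-SecureString -String $stored.Blob
    } catch {
        # Typical cause: the file was copied to another host or is used under a different account
        throw "Cannot decrypt $Path as $($env:USERNAME) on $($env:COMPUTERNAME). $_"
    }
    return New-Object System.Management.Automation.PSCredential($stored.UserName, $secure)
}

# Usage (assumed names): run the first line once interactively, the rest from scheduled scripts
# that execute under the same account on the same machine.
# Save-ProtectedCredential -UserName 'CONTOSO\svc-backup' -Path $credFile
# $cred = Get-ProtectedCredential -Path $credFile
# Invoke-Command -ComputerName server01 -Credential $cred -ScriptBlock { hostname }
```

If the script has to run under a different account than the one that created the file (for example a service account in a scheduled task), create the file while running as that account; re-encrypting it with -Key and a key stored next to the file would only turn the protection into obfuscation.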