AzSentinel – Version 0.6.2

A new version of AzSentinel is available in the PowerShell Gallery with a bunch of bugfixes and some new features. Below is a list of the changes in this version.

1. Configure Action for Alert Rules

From this version it is possible to configure "Actions" for Alert Rules through New-AzSentinelAlertRule by using the -PlaybookName switch, or by setting the "PlaybookName" property in the JSON for each Alert rule. You only need to provide the name of the Logic App that you want to assign to your Alert rule. The function automatically searches for the Logic App in your subscription, and the Logic App is also checked to see whether it is compatible with Azure Sentinel!
This option is backwards compatible: if the "PlaybookName" property is not present in your JSON template, no changes will be applied. Thanks sbroosnokia for the feedback!
Below is the new JSON layout:

To make this feature available, the following new functions were added to AzSentinel:

Name                               Description
Get-AzSentinelAlertRuleAction      Use this function to see if an Alert rule has an Action configured
New-AzSentinelAlertRuleAction      Configure an Action for an existing Alert rule
Remove-AzSentinelAlertRuleAction   Remove a configured Action
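The following is an added example, not code from the original post or the AzSentinel project, showing the playbook assignment described above end to end: create a rule with -PlaybookName, inspect the linked action, re-link it with New-AzSentinelAlertRuleAction and remove it again. The workspace, rule and Logic App names are assumed, and the parameter names other than -PlaybookName are taken from the module's help output at the time of writing; verify them with Get-Help before relying on them.

```powershell
# Added example, not code from the original post or the AzSentinel project.
# Assumed: workspace, rule and Logic App names; parameter names other than
# -PlaybookName come from the module's Get-Help output and should be verified.
Import-Module AzSentinel

$WorkspaceName = 'la-soc-prod'                  # assumed Log Analytics workspace with Azure Sentinel enabled
$RuleName      = 'Repeated failed sign-ins'     # assumed rule name
$PlaybookName  = 'playbook-enrich-incident'     # assumed Logic App name; must already exist in the subscription

# 1. Create a scheduled rule and assign a playbook in one go. The module resolves the
#    Logic App by name in the current subscription and checks that it is usable as an
#    Azure Sentinel playbook before linking it to the rule.
New-AzSentinelAlertRule -WorkspaceName $WorkspaceName `
    -DisplayName $RuleName `
    -Description 'Constructed example rule: more than 20 failed sign-ins per user in an hour' `
    -Severity Medium `
    -Enabled $true `
    -Query 'SigninLogs | where ResultType != 0 | summarize count() by UserPrincipalName | where count_ > 20' `
    -QueryFrequency 'PT1H' -QueryPeriod 'PT1H' `
    -TriggerOperator GreaterThan -TriggerThreshold 0 `
    -SuppressionDuration 'PT1H' -SuppressionEnabled $false `
    -Tactics @('CredentialAccess') `
    -PlaybookName $PlaybookName

# 2. Check which action, if any, is linked to the rule. Returns nothing if no playbook is attached.
Get-AzSentinelAlertRuleAction -WorkspaceName $WorkspaceName -RuleName $RuleName

# 3. Link (or re-link) a playbook to an existing rule without touching the rule definition itself.
New-AzSentinelAlertRuleAction -WorkspaceName $WorkspaceName -RuleName $RuleName -PlaybookName $PlaybookName

# 4. Unlink it again. The rule and the Logic App both stay in place; only the action is removed.
Remove-AzSentinelAlertRuleAction -WorkspaceName $WorkspaceName -RuleName $RuleName
```

The identity running these cmdlets needs write access to the Azure Sentinel workspace; the playbook itself is only looked up and linked, so it does not need to be in the same resource group as the workspace.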

2. Update Incident

In this version there is also an Update-AzSentinelIncident function that you can use to update existing incidents. Not all properties are available in the Update function yet, but in future versions I will extend the possibilities. See below a list of what is currently possible:

Example

Close Incident with argument:

Change incident status to inProgress:

Add label to existing labels:
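The following is an added example, not code from the original post or the AzSentinel project, covering the three Update-AzSentinelIncident uses listed above (close with a reason, set the status to InProgress, append a label) and reading the incident back afterwards. The workspace name and case numbers are assumed, and -CaseNumber, -Status, -CloseReason, -ClosedReasonText and -Labels are the parameter names from the module's help at the time of writing; check them with Get-Help Update-AzSentinelIncident.

```powershell
# Added example, not code from the original post or the AzSentinel project.
# Assumed: workspace name, case numbers, and the parameter names listed in the lead-in.
Import-Module AzSentinel

$WorkspaceName = 'la-soc-prod'   # assumed Log Analytics workspace with Azure Sentinel enabled

# Close an incident and record why. Always supply the reason text: it ends up in the
# incident history that analysts and auditors read later, and a bare "Closed" tells them nothing.
Update-AzSentinelIncident -WorkspaceName $WorkspaceName -CaseNumber 1042 `
    -Status Closed `
    -CloseReason FalsePositive `
    -ClosedReasonText 'Expected behaviour: scheduled vulnerability scan from the authorised scanner subnet'

# Take ownership of an incident by moving it from New to InProgress.
Update-AzSentinelIncident -WorkspaceName $WorkspaceName -CaseNumber 1043 -Status InProgress

# Append a label. The function adds to the labels the incident already carries rather than
# replacing them, so existing labels survive.
Update-AzSentinelIncident -WorkspaceName $WorkspaceName -CaseNumber 1043 -Labels @('Phishing')

# Read the incident back to confirm the status and labels were applied (assumed -CaseNumber parameter).
Get-AzSentinelIncident -WorkspaceName $WorkspaceName -CaseNumber 1043
```

Because the cmdlet only sends the properties you pass, it is safe to call it repeatedly from a ticketing integration: each call changes just the fields named on the command line.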

3. Bugfixes

Below is the list of hotfixes:

Title                                        URL                                                Thanks to
Time Format conflict #38                     https://github.com/wortell/AZSentinel/issues/38    https://github.com/lunchbox-rcl
Issue using Import-AzSentinelAlertRule #27   https://github.com/wortell/AZSentinel/issues/27    https://github.com/garybushey

ARM: Deploy Logic App with connection configured for Azure Sentinel connector

The Azure Sentinel team has developed a great connector for Azure Sentinel, which you can use to automate your Logic Apps. The Azure Sentinel connector currently contains the following actions:

In this blog we will focus on how to deploy a Logic App, configured with the correct connection credentials for the Azure Sentinel connector, through an ARM template.

When adding the Azure Sentinel trigger step or an action to the Logic App, we need to provide a connection, which will be used to authenticate to the Azure Sentinel environment:

Most of the time this is created automatically through the Azure portal with your current user credentials, if you have the right permissions. But that's not what we are looking for 😛 The other option is to select "Connect with Service Principal" and provide a Client ID and secret, which will be used to access the Azure Sentinel resource:

Reader permission is enough if you only want to read data. However, if you for example want to use the "Update incident" action from the Azure Sentinel connector suite, the SPN needs higher privileges. Grant the least-privileged role that covers the actions the playbook actually uses, scoped to the workspace rather than the whole subscription: the SPN's secret lives in the connection resource, so anyone who can edit that Logic App can act with whatever rights the SPN holds.

Now that we know we can use a Client ID and secret to authenticate, it's time to create the "Managed API" connection resource with the correct properties. You can achieve this with the configuration below:

Next we need to combine all the configuration and link the resources together in the ARM template to deploy our solution. Below is a simple Logic App, which contains the Azure Sentinel trigger step and a "Get incident" action:

The Logic App must always start with the "When a response to an Azure Sentinel alert is triggered" step.

After deploying the above ARM template, the resources below will be created:

Here you can see how the Azure Sentinel actions in the Logic App are automatically configured to use the azuresentinel connection:

Azure Sentinel PowerShell Module

"Azure Sentinel is a cloud-native SIEM that provides intelligent security analytics for your entire enterprise at cloud scale. Get limitless cloud speed and scale to help focus on what really matters. Easily collect data from all your cloud or on-premises assets, Office 365, Azure resources, and other clouds. Effectively detect threats with built-in machine learning from Microsoft's security analytics experts. Automate threat response, using built-in orchestration and automation playbooks."

Rules in Azure Sentinel define the basic logic from which Incidents get created. Currently the only way to add, change or delete rules is through the Azure portal. As we run a cloud Security Operations Center at Wortell with many customers connected, doing this manually is not an option for us.

PowerShell Module

At the moment there is no documented API, ARM template or PowerShell module to configure Azure Sentinel. After doing some research we were able to find the APIs that are currently used by the Azure portal, and based on those we have written a PowerShell module to manage Azure Sentinel through PowerShell.