├── AzSentinelCMDLets.xlsx
├── Azure Sentinel Analytics Rules with Data Sources.xlsx
├── Azure Sentinel incident management using PowerShell.pdf
├── Azure Sentinel management using PowerShell.pdf
├── EBook Examples
│   ├── Analytics Rule Management
│   │   ├── Add a new automated response for the Analytics rule.ps1
│   │   ├── Count Analytics rules template types.ps1
│   │   ├── Count all the Analytics rule templates.ps1
│   │   ├── Create a new custom Analytics Rule.ps1
│   │   ├── Create new Analytics Rules based on a Template.ps1
│   │   ├── Disable enabled Analytics rule.ps1
│   │   ├── Export All Analytics Rule Templates to a CSV File.ps1
│   │   ├── Export All Analytics Rules to JSON.ps1
│   │   ├── Export-AllSentinelAnalyticsRulesWithDataConnectors.ps1
│   │   ├── Filter Analytics rules based on the CreatedDateUtc property.ps1
│   │   ├── Get Analytics rule action detailed information.ps1
│   │   ├── Get Analytics rule action.ps1
│   │   ├── List all Analytics rule templates.ps1
│   │   ├── List all Analytics rules and group by Severity.ps1
│   │   ├── List all Analytics rules and sort rules based on the severity.ps1
│   │   ├── List all Analytics rules where Data Sources contains SecurityEvents.ps1
│   │   ├── List all Low Severity based Analytics rules.ps1
│   │   ├── List all enabled Analytics Rules.ps1
│   │   └── Remove automated response from the Analytics rule.ps1
│   ├── Bookmark Management
│   │   ├── Get Bookmark.ps1
│   │   ├── New Bookmark.ps1
│   │   ├── Remove Bookmark.ps1
│   │   └── Update Bookmark.ps1
│   ├── Data Connectors
│   │   ├── Enable Azure Security Center Data Connector.ps1
│   │   └── Get Data Connectors.ps1
│   └── Incident Management
│       ├── Add a comment to an incident.ps1
│       ├── Create an incident.ps1
│       ├── Get a specific incident.ps1
│       ├── Get all incidents and convert CreatedTimeUTC property to local DateTime.ps1
│       ├── Get all incidents and order by CreatedTimeUTC property.ps1
│       ├── Getting started.ps1
│       ├── List all incidents.ps1
│       ├── Read incident comments.ps1
│       ├── Remove incident.ps1
│       └── Update incident details.ps1
├── MS Examples
│   ├── Get-AzSentinelAlertRule.txt
│   ├── Get-AzSentinelAlertRuleAction.txt
│   ├── Get-AzSentinelAlertRuleTemplate.txt
│   ├── Get-AzSentinelBookmark.txt
│   ├── Get-AzSentinelDataConnector.txt
│   ├── Get-AzSentinelIncident.txt
│   ├── Get-AzSentinelIncidentComment.txt
│   ├── New-AzSentinelAlertRule.txt
│   ├── New-AzSentinelAlertRuleAction.txt
│   ├── New-AzSentinelBookmark.txt
│   ├── New-AzSentinelDataConnector.txt
│   ├── New-AzSentinelIncident.txt
│   ├── New-AzSentinelIncidentComment.txt
│   ├── New-AzSentinelIncidentOwner.txt
│   ├── Remove-AzSentinelAlertRule.txt
│   ├── Remove-AzSentinelAlertRuleAction.txt
│   ├── Remove-AzSentinelBookmark.txt
│   ├── Remove-AzSentinelDataConnector.txt
│   ├── Remove-AzSentinelIncident.txt
│   ├── Update-AzSentinelAlertRule.txt
│   ├── Update-AzSentinelAlertRuleAction.txt
│   ├── Update-AzSentinelBookmark.txt
│   ├── Update-AzSentinelDataConnector.txt
│   └── Update-AzSentinelIncident.txt
└── README.md

/AzSentinelCMDLets.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/AzSentinelCMDLets.xlsx
--------------------------------------------------------------------------------
/Azure Sentinel Analytics Rules with Data Sources.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/Azure Sentinel Analytics Rules with Data Sources.xlsx
--------------------------------------------------------------------------------
/Azure Sentinel incident management using PowerShell.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/Azure Sentinel incident management using PowerShell.pdf
--------------------------------------------------------------------------------
/Azure Sentinel management using PowerShell.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/Azure Sentinel management using PowerShell.pdf
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/Add a new automated response for the Analytics rule.ps1:
--------------------------------------------------------------------------------
#Add a new automated response for the Analytics rule
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$LogicAppsInfo = @{
    ResourceGroupName = "RG-PROD-IT-LOGIC-APPS-WE"
    Name = "Post-Message-Teams"
}

#Resolve the Logic App resource ID and the callback URL of its Sentinel trigger
$LogicAppResourceID = Get-AzLogicApp @LogicAppsInfo
$LogicAppTriggerURI = Get-AzLogicAppTriggerCallbackUrl @LogicAppsInfo -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered"

$AnalyticsRule = Get-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo |
    Where-Object {$PSItem.DisplayName -eq "Log Analytics Agent Health"}

New-AzSentinelAlertRuleAction @AzureSentinelWorkSpaceInfo -AlertRuleId $AnalyticsRule.Name -LogicAppResourceId ($LogicAppResourceID.Id) -TriggerUri ($LogicAppTriggerURI.Value)
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/Count Analytics rules template types.ps1:
--------------------------------------------------------------------------------
#Count Analytics Rule template types
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo |
    Group-Object -Property Kind |
    Select-Object -Property Count,Name
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/Count all the Analytics rule templates.ps1:
--------------------------------------------------------------------------------
#Count all the Analytics rule templates
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}
Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo | Measure-Object
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/Create a new custom Analytics Rule.ps1:
--------------------------------------------------------------------------------
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$NewAnalyticsRuleData = @{
    Scheduled = $True
    Enabled = $True
    #KQL: computers whose last heartbeat is older than five minutes
    Query = "Heartbeat
| summarize LastHeartbeat=max(TimeGenerated) by Computer
| where LastHeartbeat < ago(5m)
| extend HostCustomEntity = Computer"

    DisplayName = "Log Analytics Agent Health"
    Description = "Get disconnected Log Analytics nodes"
    QueryPeriod = (New-TimeSpan -Hours 1)
    QueryFrequency = (New-TimeSpan -Hours 1)
    TriggerThreshold = 0
    TriggerOperator = "GreaterThan" #Equal, GreaterThan, LessThan, NotEqual
    Severity = "Medium" # Low, Medium, High
}

New-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo @NewAnalyticsRuleData
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/Create new Analytics Rules based on a Template.ps1:
--------------------------------------------------------------------------------
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$AnalyticsRule = Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo |
    Where-Object {$PSItem.DisplayName -eq "Rare application consent"}

#Scheduled based Template info

$ScheduledBasedTemplateInfo = @{
    AlertRuleTemplateName = $AnalyticsRule.Name
    Enabled = $True
    DisplayName = $AnalyticsRule.DisplayName
    Scheduled = $True
    Query = $AnalyticsRule.Query
    QueryFrequency = $AnalyticsRule.QueryFrequency
    QueryPeriod = $AnalyticsRule.QueryPeriod
    Severity = $AnalyticsRule.Severity
    TriggerThreshold = $AnalyticsRule.TriggerThreshold
    TriggerOperator = $AnalyticsRule.TriggerOperator
}

New-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo @ScheduledBasedTemplateInfo
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/Disable enabled Analytics rule.ps1:
--------------------------------------------------------------------------------
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$AnalyticsRule = Get-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo |
    Where-Object {$PSItem.DisplayName -eq "Log Analytics Agent Health"}

Update-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo -AlertRuleId $AnalyticsRule.Name -Disabled
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/Export All Analytics Rule Templates to a CSV File.ps1:
--------------------------------------------------------------------------------
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo |
    Select-Object -Property DisplayName,Name,CreatedDateUtc,Severity |
    Export-Csv -Path "$($env:USERPROFILE)\Desktop\AzureSentinelAnalyticsRules.csv" -NoTypeInformation -UseCulture
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/Export All Analytics Rules to JSON.ps1:
--------------------------------------------------------------------------------
#Connect to Azure
Connect-AzAccount

#Run the Set-AzContext only, if you have multiple subscriptions
#Set-AzContext -Subscription "YOUR SUBSCRIPTION ID"

#Define the Azure Sentinel workspace information
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$Rules = Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo

foreach($Rule in $Rules){

    #Properties to export
    $TemplateInfo = @{
        AlertRuleTemplateName = $Rule.Name
        DisplayName = $Rule.DisplayName
        Query = $Rule.Query
        QueryFrequency = $Rule.QueryFrequency
        QueryPeriod = $Rule.QueryPeriod
        Severity = $Rule.Severity
        TriggerThreshold = $Rule.TriggerThreshold
        TriggerOperator = $Rule.TriggerOperator
        Kind = $Rule.Kind
    }

    #One JSON file per template on the Desktop, named after the template DisplayName
    $JSON = $TemplateInfo | ConvertTo-Json
    $JSON | Out-File -FilePath "$($env:USERPROFILE)\Desktop\$($TemplateInfo.DisplayName).json"

}
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/Export-AllSentinelAnalyticsRulesWithDataConnectors.ps1:
--------------------------------------------------------------------------------
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$Rules = Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo

foreach($Rule in $Rules){

    $RuleProperties = [ORDERED]@{
        DisplayName = $Rule.DisplayName
        Name = $Rule.Name
        CreatedDateUtc = $Rule.CreatedDateUtc
        Severity = $Rule.Severity
        Kind = $Rule.Kind
    }

    #Append one Datasource<N> column per required data connector of the template
    $i = 0
    foreach($DataType in $Rule.RequiredDataConnectors){

        $RuleProperties += @{"Datasource$i" = "$($DataType.DataTypes) ($($DataType.ConnectorId))"}

        $i++
    }

    $RuleObject = New-Object -TypeName PSObject -Property $RuleProperties
    $RuleObject | ConvertTo-Csv -OutVariable RuleObjectCSV -NoTypeInformation -Delimiter ";" | Out-Null

    #Skip the CSV header (index 0) and append only the data row to the output file
    $RuleObjectCSV[1..($RuleObjectCSV.count - 1)] |
        ForEach-Object {Add-Content -Value $_ -Path "C:\AzureSentinelAnalyticsRulesBasicDetails2.csv"}

}
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/Filter Analytics rules based on the CreatedDateUtc property.ps1:
--------------------------------------------------------------------------------
#Filter Analytics rules based on the CreatedDateUtc property
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

#Templates created within the last 60 days
$TimeRange = (Get-Date).AddDays(-60)
Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo |
    Where-Object {$PSItem.CreatedDateUtc -ge $TimeRange} |
    Select-Object -Property DisplayName,CreatedDateUtc,Severity |
    Sort-Object -Property CreatedDateUtc
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/Get Analytics rule action detailed information.ps1:
--------------------------------------------------------------------------------
#Get Analytics rule action detailed information
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$LogicAppsInfo = @{
    ResourceGroupName = "RG-PROD-IT-LOGIC-APPS-WE"
}

$AlertRuleId = "84d3a26d-1a32-4992-8c35-769cb2a98032"
$AlertRuleAction = Get-AzSentinelAlertRuleAction @AzureSentinelWorkSpaceInfo -AlertRuleId $AlertRuleId
#The last segment of the Logic App resource ID is the Logic App name
$AlertRuleActionName = $AlertRuleAction.LogicAppResourceId | Split-Path -Leaf
Get-AzLogicApp @LogicAppsInfo -Name $AlertRuleActionName
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/Get Analytics rule action.ps1:
--------------------------------------------------------------------------------
#Get Analytics rule action
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$AlertRuleId = "84d3a26d-1a32-4992-8c35-769cb2a98032"
Get-AzSentinelAlertRuleAction @AzureSentinelWorkSpaceInfo -AlertRuleId $AlertRuleId
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/List all Analytics rule templates.ps1:
--------------------------------------------------------------------------------
#List all Analytics rule templates
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/List all Analytics rules and group by Severity.ps1:
--------------------------------------------------------------------------------
#List all Analytics rules and group by Severity
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}
Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo |
    Group-Object -Property Severity
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/List all Analytics rules and sort rules based on the severity.ps1:
--------------------------------------------------------------------------------
#List all Analytics rules and sort rules based on the severity
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}
Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo |
    Select-Object -Property DisplayName,Status,CreatedDateUtc,Severity |
    Sort-Object -Property Severity -Descending
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/List all Analytics rules where Data Sources contains SecurityEvents.ps1:
--------------------------------------------------------------------------------
#List all Analytics rules where Data Sources contains "SecurityEvents"
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}
Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo |
    Where-Object {$PSItem.RequiredDataConnectors.ConnectorId -contains "SecurityEvents"} |
    Select-Object -Property DisplayName,Status,CreatedDateUtc,Severity,Name,RequiredDataConnectors |
    Sort-Object -Property Severity
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/List all Low Severity based Analytics rules.ps1:
--------------------------------------------------------------------------------
#List all Low Severity based Analytics rules
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

Get-AzSentinelAlertRuleTemplate @AzureSentinelWorkSpaceInfo |
    Where-Object {$PSItem.Severity -eq "Low"} |
    Select-Object -Property DisplayName,Severity
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/List all enabled Analytics Rules.ps1:
--------------------------------------------------------------------------------
#List all enabled Analytics Rules
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

Get-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo
--------------------------------------------------------------------------------
/EBook Examples/Analytics Rule Management/Remove automated response from the Analytics rule.ps1:
--------------------------------------------------------------------------------
#Remove automated response from the Analytics rule
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$AnalyticsRule = Get-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo |
    Where-Object {$PSItem.DisplayName -eq "Log Analytics Agent Health"}

$AlertRuleAction = Get-AzSentinelAlertRuleAction @AzureSentinelWorkSpaceInfo -AlertRuleId $AnalyticsRule.Name

Remove-AzSentinelAlertRuleAction @AzureSentinelWorkSpaceInfo -AlertRuleId $AnalyticsRule.Name -ActionId $AlertRuleAction.Name
--------------------------------------------------------------------------------
/EBook Examples/Bookmark Management/Get Bookmark.ps1:
--------------------------------------------------------------------------------
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

Get-AzSentinelBookmark @AzureSentinelWorkSpaceInfo
--------------------------------------------------------------------------------
/EBook Examples/Bookmark Management/New Bookmark.ps1:
--------------------------------------------------------------------------------
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

#KQL saved with the bookmark: antimalware status per Windows server
$BookMarkQuery = @"
let AllWindowsServers =
Heartbeat
| where OSType == 'Windows' and OSType != "Linux"
| summarize arg_max(TimeGenerated, *) by SourceComputerId
| summarize makeset(Computer);
ProtectionStatus
| where Computer in (AllWindowsServers)
| sort by TimeGenerated desc
| summarize arg_max(TimeGenerated, *) by SourceComputerId
| summarize count() by TypeofProtection, AMProductVersion
"@

$DisplayName = "Get Windows Defender Status from Windows Servers"
$Notes = "Please review"

New-AzSentinelBookmark @AzureSentinelWorkSpaceInfo -DisplayName $DisplayName -Query $BookMarkQuery -Note $Notes
--------------------------------------------------------------------------------
/EBook Examples/Bookmark Management/Remove Bookmark.ps1:
--------------------------------------------------------------------------------
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$BookMark = Get-AzSentinelBookmark @AzureSentinelWorkSpaceInfo |
    Where-Object {$PSItem.DisplayName -eq "Get Windows Defender Status from Windows Servers"}

Remove-AzSentinelBookmark @AzureSentinelWorkSpaceInfo -BookmarkId $BookMark.Name
--------------------------------------------------------------------------------
/EBook Examples/Bookmark Management/Update Bookmark.ps1:
--------------------------------------------------------------------------------
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$BookMark = Get-AzSentinelBookmark @AzureSentinelWorkSpaceInfo |
    Where-Object {$PSItem.DisplayName -eq "Get Windows Defender Status from Windows Servers"}

Update-AzSentinelBookmark @AzureSentinelWorkSpaceInfo -BookmarkId $BookMark.Name -Note "Check out the Server1. Something seems wrong with that"
--------------------------------------------------------------------------------
/EBook Examples/Data Connectors/Enable Azure Security Center Data Connector.ps1:
--------------------------------------------------------------------------------
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}
New-AzSentinelDataConnector @AzureSentinelWorkSpaceInfo -AzureSecurityCenter -SubscriptionId "%YOURSUBSCRIPTIONID%" -Alerts Enabled
--------------------------------------------------------------------------------
/EBook Examples/Data Connectors/Get Data Connectors.ps1:
--------------------------------------------------------------------------------
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}
Get-AzSentinelDataConnector @AzureSentinelWorkSpaceInfo |
    Select-Object -Property Kind,Name
--------------------------------------------------------------------------------
/EBook Examples/Incident Management/Add a comment to an incident.ps1:
--------------------------------------------------------------------------------
#Add a comment to an incident
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$IncidentID = "499d8110-790e-43d9-a9d9-a15f0539fcf0"
New-AzSentinelIncidentComment @AzureSentinelWorkSpaceInfo -IncidentId $IncidentID -Message "We can use HTML too!!!"
--------------------------------------------------------------------------------
/EBook Examples/Incident Management/Create an incident.ps1:
--------------------------------------------------------------------------------
#Create an incident
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

New-AzSentinelIncident @AzureSentinelWorkSpaceInfo -Title "New incident from PowerShell" -Description "We must investigate this ASAP" -Severity Low -Status New
--------------------------------------------------------------------------------
/EBook Examples/Incident Management/Get a specific incident.ps1:
--------------------------------------------------------------------------------
#Get a specific incident
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$IncidentID = "499d8110-790e-43d9-a9d9-a15f0539fcf0"
Get-AzSentinelIncident @AzureSentinelWorkSpaceInfo -IncidentId $IncidentID
--------------------------------------------------------------------------------
/EBook Examples/Incident Management/Get all incidents and convert CreatedTimeUTC property to local DateTime.ps1:
--------------------------------------------------------------------------------
#Get all incidents and convert the CreatedTimeUTC to local date time
Function Convert-UTCtoLocal
{
    #Source - https://devblogs.microsoft.com/scripting/powertip-convert-from-utc-to-my-local-time-zone/ PowerTip: Convert from UTC to my local time zone | Scripting Blog (microsoft.com)
    #Author - Thomas Rayner

    Param(
        [Parameter(Mandatory=$True)]
        [String]$UTCTime
    )

    #Look up the local time zone of the machine running the script and convert from UTC
    $CurrentTimeZone = (Get-WmiObject win32_timezone).StandardName
    $TimeZone = [System.TimeZoneInfo]::FindSystemTimeZoneById($CurrentTimeZone)
    $LocalTime = [System.TimeZoneInfo]::ConvertTimeFromUtc($UTCTime, $TimeZone)

    $LocalTime
}

$ProcessedIncidents = @()

$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$Incidents = Get-AzSentinelIncident @AzureSentinelWorkSpaceInfo
foreach($Incident in $Incidents){

    $IncidentDetails = [ORDERED]@{
        IncidentID = $Incident.Name
        CreatedTime = Convert-UTCtoLocal -UTCTime $Incident.CreatedTimeUTC
        Title = $Incident.Title
        Status = $Incident.Status
    }

    $PoshObject = New-Object -TypeName PSObject -Property $IncidentDetails
    $ProcessedIncidents += $PoshObject
}
$ProcessedIncidents
--------------------------------------------------------------------------------
/EBook Examples/Incident Management/Get all incidents and order by CreatedTimeUTC property.ps1:
--------------------------------------------------------------------------------
# List all incidents and select only Title,CreatedTimeUTC properties and then sort based on the CreatedTimeUTC property
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}
Get-AzSentinelIncident @AzureSentinelWorkSpaceInfo |
    Select-Object -Property Title,CreatedTimeUTC |
    Sort-Object -Property CreatedTimeUTC -Descending
--------------------------------------------------------------------------------
/EBook Examples/Incident Management/Getting started.ps1:
--------------------------------------------------------------------------------
#Install the required PowerShell modules
Install-Module -Name Az.SecurityInsights -Verbose -Force
Install-Module -Name AzureAD -Verbose -Force
Install-Module -Name Az -Verbose -Force
--------------------------------------------------------------------------------
/EBook Examples/Incident Management/List all incidents.ps1:
--------------------------------------------------------------------------------
# List all incidents
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

Get-AzSentinelIncident @AzureSentinelWorkSpaceInfo
--------------------------------------------------------------------------------
/EBook Examples/Incident Management/Read incident comments.ps1:
--------------------------------------------------------------------------------
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$IncidentID = "499d8110-790e-43d9-a9d9-a15f0539fcf0"
Get-AzSentinelIncidentComment @AzureSentinelWorkSpaceInfo -IncidentId $IncidentID
--------------------------------------------------------------------------------
/EBook Examples/Incident Management/Remove incident.ps1:
--------------------------------------------------------------------------------
#Remove incident
$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$IncidentID = "f4637e02-993c-454b-81a9-8b81a4596708"
Remove-AzSentinelIncident @AzureSentinelWorkSpaceInfo -IncidentId $IncidentID
--------------------------------------------------------------------------------
/EBook Examples/Incident Management/Update incident details.ps1:
--------------------------------------------------------------------------------
#Update the incident details - add incident owner and set the status to Active
Connect-AzureAD

#Resolve the owner from Azure AD so that the owner object carries the directory identity
$AzureADUserDetails = Get-AzureADUser -ObjectId "John@Contoso.com"
$IncidentID = "499d8110-790e-43d9-a9d9-a15f0539fcf0"

$IncidentOwnerDetails = @{
    AssignedTo = $AzureADUserDetails.DisplayName
    Email = $AzureADUserDetails.Mail
    ObjectId = $AzureADUserDetails.ObjectId
    UserPrincipalName = $AzureADUserDetails.UserPrincipalName
}

$AzureSentinelWorkSpaceInfo = @{
    ResourceGroupName = "RG-PROD-IT-AZ-MANAGEMENT-TIER-0-WE"
    WorkspaceName = "LF-TIER-0-LOG-ANALYTICS-WE"
}

$IncidentOwner = New-AzSentinelIncidentOwner @IncidentOwnerDetails

Update-AzSentinelIncident @AzureSentinelWorkSpaceInfo -IncidentID $IncidentID -Owner $IncidentOwner -Status Active
--------------------------------------------------------------------------------
/MS Examples/Get-AzSentinelAlertRule.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/Get-AzSentinelAlertRule.txt
--------------------------------------------------------------------------------
/MS Examples/Get-AzSentinelAlertRuleAction.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/Get-AzSentinelAlertRuleAction.txt
--------------------------------------------------------------------------------
/MS Examples/Get-AzSentinelAlertRuleTemplate.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/Get-AzSentinelAlertRuleTemplate.txt
--------------------------------------------------------------------------------
/MS Examples/Get-AzSentinelBookmark.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/Get-AzSentinelBookmark.txt
--------------------------------------------------------------------------------
/MS Examples/Get-AzSentinelDataConnector.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/Get-AzSentinelDataConnector.txt
--------------------------------------------------------------------------------
/MS Examples/Get-AzSentinelIncident.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/Get-AzSentinelIncident.txt
--------------------------------------------------------------------------------
/MS Examples/Get-AzSentinelIncidentComment.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/Get-AzSentinelIncidentComment.txt
--------------------------------------------------------------------------------
/MS Examples/New-AzSentinelAlertRule.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/New-AzSentinelAlertRule.txt
--------------------------------------------------------------------------------
/MS Examples/New-AzSentinelAlertRuleAction.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/New-AzSentinelAlertRuleAction.txt
--------------------------------------------------------------------------------
/MS Examples/New-AzSentinelBookmark.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/New-AzSentinelBookmark.txt
--------------------------------------------------------------------------------
/MS Examples/New-AzSentinelDataConnector.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/New-AzSentinelDataConnector.txt
--------------------------------------------------------------------------------
/MS Examples/New-AzSentinelIncident.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/New-AzSentinelIncident.txt
--------------------------------------------------------------------------------
/MS Examples/New-AzSentinelIncidentComment.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/New-AzSentinelIncidentComment.txt
--------------------------------------------------------------------------------
/MS Examples/New-AzSentinelIncidentOwner.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/New-AzSentinelIncidentOwner.txt
--------------------------------------------------------------------------------
/MS Examples/Remove-AzSentinelAlertRule.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/Remove-AzSentinelAlertRule.txt
--------------------------------------------------------------------------------
/MS Examples/Remove-AzSentinelAlertRuleAction.txt:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/Remove-AzSentinelAlertRuleAction.txt -------------------------------------------------------------------------------- /MS Examples/Remove-AzSentinelBookmark.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/Remove-AzSentinelBookmark.txt -------------------------------------------------------------------------------- /MS Examples/Remove-AzSentinelDataConnector.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/Remove-AzSentinelDataConnector.txt -------------------------------------------------------------------------------- /MS Examples/Remove-AzSentinelIncident.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kaidja/AzSentinelPowerShell/9faeb428d80a74c3e0f70592db89d1a6a26f66cf/MS Examples/Remove-AzSentinelIncident.txt -------------------------------------------------------------------------------- /MS Examples/Update-AzSentinelAlertRule.txt: -------------------------------------------------------------------------------- 1 |  -------------------------- Example 1 -------------------------- 2 | This example updates an AlertRule setting it to Disabled and renames to Disabled-AlertRuleDisplayName . All other properties will remain the same. 
3 | 4 | Update-AzSentinelAlertRule -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "MyAlertRuleId" -Disabled -DisplayName "Disabled-AlertRuleDisplayName" 5 | 6 | 7 | 8 | -------------------------- Example 2 -------------------------- 9 | This example updates an AlertRule using an InputObject setting it to Disabled . All other properties will remain the same. 10 | 11 | $AlertRule = Get-AzSentinelAlertRule -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "MyAlertRuleId" 12 | Update-AzSentinelAlertRule -InputObject $AlertRule -Disabled 13 | -------------------------------------------------------------------------------- /MS Examples/Update-AzSentinelAlertRuleAction.txt: -------------------------------------------------------------------------------- 1 | -------------------------- Example 1 -------------------------- 2 | This example updates an AlertRuleAction replacing an existing Action with new properties. 3 | 4 | $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "MyResourceGroup" -Name "Reset-AADPassword" 5 | $LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "MyResourceGroup" -Name "Reset-AADPassword" -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered" 6 | Update-AzSentinelBookmark -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "MyAlertRuleId" -ActionId "MyActionId" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) 7 | 8 | 9 | 10 | -------------------------- Example 2 -------------------------- 11 | This example updates an AlertRuleAction using an InputObject replacing an existing Action with new properties. 
12 | 13 | $AlertRuleAction = Get-AzSentinelAlertRuleAction -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "MyAlertRuleId" -ActionId "MyActionId" 14 | Update-AzSentinelAlertRuleAction -InputObject $AlertRuleAction -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) 15 | -------------------------------------------------------------------------------- /MS Examples/Update-AzSentinelBookmark.txt: -------------------------------------------------------------------------------- 1 |  -------------------------- Example 1 -------------------------- 2 | The command updates the Bookmark by setting the Notes property. All other propreties stay the same. 3 | 4 | Update-AzSentinelBookmark -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceNAme" -BookmarkId "MyBookmarkId" -Notes "Found something interesting" 5 | 6 | 7 | -------------------------- Example 2 -------------------------- 8 | The first command gets the Bookmark by BookmarkId from the specified workspace, and then stores it in the $Bookmark variable. The second command updates the Notes property. All other propreti 9 | es stay the same. 10 | 11 | $Bookmark = Get-AzSentinelBookmark -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceNAme" -BookmarkId "MyBookmarkId" 12 | $Bookmark | Set-AzSentinelBookmark -Notes "Found something interesting" 13 | -------------------------------------------------------------------------------- /MS Examples/Update-AzSentinelDataConnector.txt: -------------------------------------------------------------------------------- 1 | The command gets the Data Connector by DataConnectorId and sets the Alerts state to Disabled . All other properties remain the same. 
2 | Update-AzSentinelDataConnector -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -DataConnectorId "MyDataConnectorId" -Alerts Disabled 3 | -------------------------------------------------------------------------------- /MS Examples/Update-AzSentinelIncident.txt: -------------------------------------------------------------------------------- 1 | The command gets the Incident by IncidentId and sets the Severity property to High . All other properties remain the same. 2 | 3 | Update-AzSentinelIncident -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -IncidentId "MyIncidentId" -Severity High 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AzSentinelPowerShell 2 | Azure Sentinel PowerShell cmdlets 3 | 4 | 5 | AzSentinelCMDLets.xlsx lists all the cmdlets in Az.SecurityInsights PowerShell module. 6 | 7 | Azure Sentinel Analytics Rules with Data Sources.xlsx lists all the Analytics Rule Templates that can be enabled. 8 | 9 | You can download the ebook from here - https://lakeforestconsulting.com/azuresentinelmanagementpowershellebook/ 10 | --------------------------------------------------------------------------------
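The incident-owner script above and the Update-AzSentinelIncident example only touch one incident at a time; the following is an added example (not part of the Kaidja/AzSentinelPowerShell repository) that combines New-AzSentinelIncidentOwner, Update-AzSentinelIncident and New-AzSentinelIncidentComment into a triage helper that assigns every open, unowned High incident to one analyst, leaves an audit comment, and supports -WhatIf so the bulk change can be dry-run first. The property names Name, IncidentNumber, Title, Status, Severity and Owner.ObjectId on the Get-AzSentinelIncident output, and the use of Get-AzureADUser to resolve the analyst, are assumptions.

```powershell
# Added example, not from the repository. Assumed: Get-AzSentinelIncident objects expose
# Name (the incident id), IncidentNumber, Title, Status, Severity and Owner.ObjectId.
function Set-UnownedHighIncidentOwner {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $WorkspaceName,
        [Parameter(Mandatory)] [string] $OwnerUserPrincipalName
    )

    $Workspace = @{ ResourceGroupName = $ResourceGroupName; WorkspaceName = $WorkspaceName }

    # Resolve the analyst once and build the owner object once; it is reused for every incident.
    $User  = Get-AzureADUser -ObjectId $OwnerUserPrincipalName
    $Owner = New-AzSentinelIncidentOwner -ObjectId $User.ObjectId -UserPrincipalName $User.UserPrincipalName

    # Only open, High severity incidents with no owner are candidates; everything else is untouched.
    $Candidates = Get-AzSentinelIncident @Workspace |
        Where-Object { $_.Status -ne 'Closed' -and $_.Severity -eq 'High' -and -not $_.Owner.ObjectId }

    foreach ($Incident in $Candidates) {
        $Target = "incident #$($Incident.IncidentNumber) '$($Incident.Title)'"
        # ShouldProcess makes -WhatIf print the intended change instead of applying it.
        if ($PSCmdlet.ShouldProcess($Target, "assign to $OwnerUserPrincipalName and set Status Active")) {
            Update-AzSentinelIncident @Workspace -IncidentId $Incident.Name -Owner $Owner -Status Active
            $Stamp = (Get-Date).ToUniversalTime().ToString('u')
            New-AzSentinelIncidentComment @Workspace -IncidentId $Incident.Name `
                -Message "Assigned to $OwnerUserPrincipalName by triage script at $Stamp"
        }
    }

    # Return what was changed (or, under -WhatIf, what would have been) so the caller can log it.
    $Candidates | Select-Object IncidentNumber, Title, Severity, Status
}

# Dry run first, then repeat without -WhatIf to apply. Workspace values are constructed placeholders.
Set-UnownedHighIncidentOwner -ResourceGroupName 'RG-EXAMPLE' -WorkspaceName 'LA-EXAMPLE' `
    -OwnerUserPrincipalName 'analyst@example.com' -WhatIf
```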