
New Year - New Official Azure Sentinel PowerShell Module! - Microsoft Tech Commu...

 3 years ago
source link: https://techcommunity.microsoft.com/t5/azure-sentinel/new-year-new-official-azure-sentinel-powershell-module/ba-p/2025041?WT_mc_id=DOP-MVP-4025064

Happy New Year everyone!

With the new year comes a new Azure Sentinel PowerShell module!

Based on the Azure SDK for .NET and part of the Azure (Az) module, we are announcing the public preview release of the Az.SecurityInsights PowerShell module.

Because this is an officially supported PowerShell module, the cmdlets are based on the Generally Available (GA) 2020-01-01 SecurityInsights API. As soon as features hit GA, we will update the Az.SecurityInsights module to reflect that.

How to download and test

Prerequisites: the Az.SecurityInsights module requires at a minimum PowerShell version 5.1 and relies on Az.Accounts for Azure authentication.

You can download the Az.SecurityInsights PowerShell module from the PowerShellGallery and install it by using the PowerShell command Install-Module -Name Az.SecurityInsights.

The available cmdlets can be explored by using Get-Command -Module Az.SecurityInsights.

The Az.SecurityInsights module supports the most common use cases, like interacting with incidents to change status, severity, owner, etc., but also adding comments and labels to incidents and creating bookmarks.

Although using ARM templates is the preferred way for your CI/CD pipeline, the Az.SecurityInsights module can be very useful for post-deployment tasks and is specifically targeted at Security Operations Center (SOC) automation tasks. These tasks can vary from configuring data connectors and creating analytics rules to adding automation actions to analytics rules, etc.

Managing Incidents

Using the Az.SecurityInsights module is straightforward and is parameter driven, like most PowerShell modules. The common parameters are your Azure Sentinel workspace and resource group name. You can retrieve all your incidents using Get-AzSentinelIncident -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName or retrieve a specific incident by adding the parameter -IncidentId <yourIncidentId>.

Note: the IncidentId is derived from the Name field of the incident, as depicted in the screenshot in the original post.

Assign an Incident Owner

Most of the cmdlets accept a string as a parameter, but some cmdlets require an input object. For example, to assign an owner to an incident you would first need to create the owner object.

The owner object requires the following mandatory object parameters:

  • AssignedTo - the owner full name
  • Email - the email address of the owner
  • ObjectId - the Azure Active Directory objectId of the owner
  • UserPrincipalName - the user principal name of the owner

There are a couple of ways to create an owner object, for example:

$ownerObject = @{"AssignedTo" = "Jeff Leatherman"; "Email" = "JeffL@contoso.com"; "ObjectId" = "f4e959b4-feda-4345-a1e7-16b4af2fc226"; "UserPrincipalName" = "JeffL@contoso.com"}

After you have created the owner object, you can then pass it as a parameter to the cmdlet Update-AzSentinelIncident like this:

Update-AzSentinelIncident -ResourceGroupName <yourResourceGroupName> -WorkspaceName <yourWorkspaceName> -IncidentId a4b586c8-97d8-4cc5-9154-b723c62d26d8 -Owner $ownerObject 

Closing an incident

In case you need to close an incident, you need to make sure that you are passing the valid closing classifications and classification reasons.

Valid closing incident classifications are:

  • Undetermined
  • TruePositive
  • BenignPositive
  • FalsePositive

Valid closing classification reasons are:

  • SuspiciousActivity
  • SuspiciousButExpected
  • IncorrectAlertLogic
  • InaccurateData

Example closing an incident:

Update-AzSentinelIncident -ResourceGroupName <yourResourceGroupName> -WorkspaceName <yourWorkspaceName> -IncidentId "a5977bae-2775-44d1-8381-a28f6f061954" -Classification FalsePositive -ClassificationComment "my comment" -ClassificationReason InaccurateData -Status Closed
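
The owner-assignment and closing steps above, combined into a validated triage helper. This is an added example, not code from the original post or from the Az module; it assumes Connect-AzAccount has already been run, that Az.SecurityInsights is imported, and that the classification/reason pairing it enforces is a local SOC policy choice layered on top of the value lists the post gives (an assumption, not a module rule).

```powershell
# Added example, not code from the original post. Assumes: Connect-AzAccount has been run,
# Az.SecurityInsights is imported, and the classification/reason pairing below is a local SOC
# policy choice (an assumption, not a module rule) on top of the value lists the post gives.

# Build the four-field owner object the post describes; [guid] rejects a malformed ObjectId early.
function New-SentinelOwnerObject {
    param(
        [Parameter(Mandatory)][string]$AssignedTo,
        [Parameter(Mandatory)][ValidatePattern('^[^@\s]+@[^@\s]+$')][string]$Email,
        [Parameter(Mandatory)][guid]$ObjectId,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    return @{
        AssignedTo        = $AssignedTo
        Email             = $Email
        ObjectId          = $ObjectId.ToString()
        UserPrincipalName = $UserPrincipalName
    }
}

# Close an incident with values restricted to the sets the post lists, optionally assigning an
# owner in the same call. -WhatIf lets you dry-run a bulk closure before touching real incidents.
function Close-SentinelIncident {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$WorkspaceName,
        [Parameter(Mandatory)][string]$IncidentId,
        [Parameter(Mandatory)][ValidateSet('Undetermined', 'TruePositive', 'BenignPositive', 'FalsePositive')]
        [string]$Classification,
        [Parameter(Mandatory)][ValidateSet('SuspiciousActivity', 'SuspiciousButExpected', 'IncorrectAlertLogic', 'InaccurateData')]
        [string]$ClassificationReason,
        [Parameter(Mandatory)][string]$ClassificationComment,
        [hashtable]$Owner
    )
    # Assumed local policy: which reasons make sense for which classification. ValidateSet above
    # already blocks typos; this blocks incoherent audit trails such as TruePositive + InaccurateData.
    $allowedReasons = @{
        TruePositive   = @('SuspiciousActivity')
        BenignPositive = @('SuspiciousButExpected')
        FalsePositive  = @('IncorrectAlertLogic', 'InaccurateData')
        Undetermined   = @('SuspiciousActivity', 'SuspiciousButExpected', 'IncorrectAlertLogic', 'InaccurateData')
    }
    if ($ClassificationReason -notin $allowedReasons[$Classification]) {
        throw "Reason '$ClassificationReason' is not allowed for classification '$Classification' by SOC policy."
    }
    $params = @{
        ResourceGroupName     = $ResourceGroupName
        WorkspaceName         = $WorkspaceName
        IncidentId            = $IncidentId
        Status                = 'Closed'
        Classification        = $Classification
        ClassificationReason  = $ClassificationReason
        ClassificationComment = $ClassificationComment
    }
    if ($PSBoundParameters.ContainsKey('Owner')) { $params['Owner'] = $Owner }
    if ($PSCmdlet.ShouldProcess($IncidentId, "Close as $Classification / $ClassificationReason")) {
        Update-AzSentinelIncident @params
    }
}

# Usage with the post's sample values; drop -WhatIf to apply the change.
$owner = New-SentinelOwnerObject -AssignedTo 'Jeff Leatherman' -Email 'JeffL@contoso.com' `
    -ObjectId 'f4e959b4-feda-4345-a1e7-16b4af2fc226' -UserPrincipalName 'JeffL@contoso.com'
Close-SentinelIncident -ResourceGroupName 'yourResourceGroupName' -WorkspaceName 'yourWorkspaceName' `
    -IncidentId 'a5977bae-2775-44d1-8381-a28f6f061954' -Classification FalsePositive `
    -ClassificationReason InaccurateData -ClassificationComment 'Source clock skew, see ticket' -Owner $owner -WhatIf
```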

Configuring data connectors

The cmdlet New-AzSentinelDataConnector supports configuring and enabling Azure Sentinel data connectors. The current supported GA data connectors are:

Name                          Description
AADDataConnector              Represents AAD (Azure Active Directory Identity Protection)
AATPDataConnector             Represents AATP (Azure Advanced Threat Protection)
ASCDataConnector              Represents ASC (Azure Security Center)
AwsCloudTrailDataConnector    Represents Amazon Web Services CloudTrail
MCASDataConnector             Represents MCAS (Microsoft Cloud App Security)
MDATPDataConnector            Represents MDATP (Microsoft Defender Advanced Threat Protection)
OfficeDataConnector           Represents Office 365
TIDataConnector               Represents threat intelligence data

The following example configures the Office 365 data connector:

New-AzSentinelDataConnector -ResourceGroupName "yourResourceGroupName" -WorkspaceName "yourWorkspaceName" -Office365 -Exchange "Enabled" -SharePoint "Enabled"

Some data connectors require more information, like the Azure Security Center data connector:

New-AzSentinelDataConnector -ResourceGroupName "yourResourceGroupName" -WorkspaceName "yourWorkspaceName" -AzureSecurityCenter -SubscriptionId <yourSubscriptionId> -Alerts Enabled 

Exporting and importing analytics rules

The most commonly asked question we get is how to export analytics rules and import them into another Azure Sentinel environment. This use case is especially relevant in a Dev-Test scenario where you want automation support to import the analytics rules you created into production. To export your analytics rules you can leverage the Get-AzSentinelAlertRule cmdlet, as in the following example:

# Retrieve every analytics rule in the workspace and write each one out as a JSON file
# named after the rule's display name. The export folder must already exist.
$myRules = Get-AzSentinelAlertRule -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName
$myExportPath = "C:\SentinelRules\Export\"
$myExtension = ".json"
foreach ($rule in $myRules) {
    $ruleName = $rule.DisplayName
    $rule = $rule | ConvertTo-Json
    $rule | Out-File "$($myExportPath)$($ruleName)$($myExtension)"
}

This will export your analytics rules into a folder as JSON formatted files.

You can then edit the analytics rules or just import those into another Azure Sentinel environment using the following example:

# Read every exported JSON file back and re-create it as a scheduled analytics rule.
$myImportPath = "C:\SentinelRules\Import\"
$myNewRules = Get-ChildItem $myImportPath -Filter *.json
foreach ($myNewRule in $myNewRules) {
    # -Raw hands the whole file to ConvertFrom-Json as one string; FullName does not depend on the current directory
    $myRuleObject = Get-Content -Path $myNewRule.FullName -Raw | ConvertFrom-Json
    # QueryFrequency and QueryPeriod are TimeSpans; after the JSON round trip their Ticks are passed back in
    New-AzSentinelAlertRule -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName `
        -Scheduled -DisplayName $myRuleObject.DisplayName -Description $myRuleObject.Description -Query $myRuleObject.Query `
        -QueryFrequency $myRuleObject.QueryFrequency.Ticks -QueryPeriod $myRuleObject.QueryPeriod.Ticks -Severity $myRuleObject.Severity -TriggerThreshold $myRuleObject.TriggerThreshold
}
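
A hardened version of the export/import procedure above, added here as an example and not code from the original post or the Az module. It assumes Connect-AzAccount has been run and that rule objects expose a Kind property whose value is 'Scheduled' for KQL rules (an assumption); the other property and parameter names are the ones the post uses. It goes a little beyond the post's loop: display names are sanitised before being used as file names, non-scheduled rule kinds are skipped, optional parameters are omitted when empty, and TimeSpans are rebuilt whichever JSON shape they came back in.

```powershell
# Added example, not code from the original post: a hardened version of the export/import loop.
# Assumptions: Connect-AzAccount has been run; rule objects expose a Kind property with the value
# 'Scheduled' for KQL rules (an assumption); the other property names are the ones the post uses.

function Export-SentinelScheduledRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$WorkspaceName,
        [Parameter(Mandatory)][string]$ExportPath
    )
    New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
    # Characters that may not appear in a file name, turned into a regex character class.
    $invalid = [regex]::Escape(-join [System.IO.Path]::GetInvalidFileNameChars())
    $rules = Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName
    foreach ($rule in $rules) {
        # Only scheduled (KQL) rules can be re-created with -Scheduled; Fusion and Microsoft
        # incident-creation rules take different parameters, so they are skipped here.
        if ($rule.Kind -ne 'Scheduled') {
            Write-Verbose "Skipping '$($rule.DisplayName)' (kind: $($rule.Kind))"
            continue
        }
        # A display name is analyst-controlled input, not a safe file name: neutralise path
        # separators and other invalid characters so the file always lands inside $ExportPath.
        $safeName = $rule.DisplayName -replace "[$invalid]", '_'
        $target   = Join-Path -Path $ExportPath -ChildPath "$safeName.json"
        # The default ConvertTo-Json depth of 2 silently truncates nested properties.
        $rule | ConvertTo-Json -Depth 10 | Out-File -FilePath $target -Encoding utf8
        Write-Verbose "Exported '$($rule.DisplayName)' to $target"
    }
}

# Rebuild a TimeSpan whether JSON stored it as an object with Ticks (Windows PowerShell 5.1,
# which the post's own loop relies on) or as an "hh:mm:ss" string (PowerShell 7).
function ConvertTo-RuleTimeSpan($value) {
    if ($value -is [string]) { return [timespan]::Parse($value) }
    return [timespan]::FromTicks([long]$value.Ticks)
}

function Import-SentinelScheduledRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$WorkspaceName,
        [Parameter(Mandatory)][string]$ImportPath
    )
    foreach ($file in Get-ChildItem -Path $ImportPath -Filter *.json -File) {
        # -Raw hands ConvertFrom-Json one string instead of one string per line.
        $r = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json
        if ($r.Kind -ne 'Scheduled') {
            Write-Warning "$($file.Name): not a scheduled rule export, skipped"
            continue
        }
        # Splatting lets optional parameters be left out entirely; one commenter on the post
        # saw New-AzSentinelAlertRule fail when -Description was passed without a value.
        $params = @{
            ResourceGroupName = $ResourceGroupName
            WorkspaceName     = $WorkspaceName
            Scheduled         = $true
            DisplayName       = $r.DisplayName
            Query             = $r.Query
            QueryFrequency    = ConvertTo-RuleTimeSpan $r.QueryFrequency
            QueryPeriod       = ConvertTo-RuleTimeSpan $r.QueryPeriod
            Severity          = $r.Severity
            TriggerThreshold  = $r.TriggerThreshold
        }
        if (-not [string]::IsNullOrWhiteSpace($r.Description)) { $params['Description'] = $r.Description }
        if ($PSCmdlet.ShouldProcess($r.DisplayName, 'Create scheduled analytics rule')) {
            New-AzSentinelAlertRule @params -ErrorAction Stop
        }
    }
}

# Usage (constructed names and paths): export from a dev workspace, review the files,
# then dry-run the import into production before dropping -WhatIf.
Export-SentinelScheduledRule -ResourceGroupName 'devRg' -WorkspaceName 'devWorkspace' -ExportPath 'C:\SentinelRules\Export' -Verbose
Import-SentinelScheduledRule -ResourceGroupName 'prodRg' -WorkspaceName 'prodWorkspace' -ImportPath 'C:\SentinelRules\Export' -WhatIf
```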

Happy automating!

5 Comments

This is great. Keep up the good work.

I get this when I run Install-Module -Name Az.SecurityInsights. It works if I use -AllowClobber

PackageManagement\Install-Package : The following commands are already available on this
system:'Login-AzAccount,Logout-AzAccount,Resolve-Error,Send-Feedback'. This module 'Az.Accounts' may override the
existing commands. If you still want to install this module 'Az.Accounts', use -AllowClobber parameter.

P.S. Module name should be corrected in article above 'The available cmdlets can be explored by using Get-Command -Module Az.SecurityInsigths'

@Tiander Turpijn , Outstanding blog and a great start to the New Year! I was having trouble with the New-AzSentinelAlertRule Command so I wanted to share a few things that were helpful in getting it working

Install-Module -Name Az.Accounts -AllowClobber -Force

Install-Module -Name Az.SecurityInsights -AllowClobber -Force

Update-Module -Name Az.Accounts

Update-Module -Name Az.SecurityInsights
  • Confirm that all alert rule fields are populated (Scheduled, DisplayName, Description, Query, QueryFrequency, QueryPeriod, Severity, TriggerThreshold) or adjust New-AzSentinelAlertRule command syntax as needed. I was having an issue importing a test rule because an optional alert rule (Description) wasn’t included. Adding a description or removing the -Description option from the command resolves the issue.
