Use PowerShell with Azure Sentinel

Yes Virginia, it is now possible to use PowerShell with Azure Sentinel. Microsoft has made available the Az.Security insights module that allows you to work with Azure Sentinel. You’ll find the module here:

https://www.powershellgallery.com/packages/Az.SecurityInsights/0.1.0

and you install it in your elevated PowerShell environment via the command:

Install-Module -Name Az.SecurityInsights –AllowClobber

To use the module commands you’ll also need to login to Azure. You can do that by using my connection scripts which are  here:

An easier way to connect using PowerShell

However, what I’ve done to make it even easier for you by creating a complete script here:

https://github.com/directorcia/Office365/blob/master/az-sentinel-ruleget.ps1

You run the script in your environment like so:

image

You’ll then be prompted to login to your Azure tenant like so:

image

You’ll then be prompted to select your Azure subscription where Sentinel is configured:

image

You should see a list of all the subscriptions in your tenant as shown above. Select the one where Azure Sentinel is configured and select OK to continue.

image

You’ll then be prompted to select which workspace Azure Sentinel is configured with. Again, just select the appropriate workspace and then OK to continue.

image

The script will now display  a list of all the available Rule Templates in Sentinel as shown above, sorted by most recently added (handy to see what’s new!).

image

This list is what you see in the Azure Sentinel portal when you select Analytics, then Rule templates as shown above. In effect, this is every analytics rule Sentinel makes available to you.

image

The next part of the script output will show you every rule in use.

image

This corresponds with the Active rules area in the web portal as shown above.

image

The next section of the script output will show you all the available rules and whether they are in use or Active as shown above.

image

You’ll see something similar if you return to the Rule templates, and note the rules “IN USE”, as shown above.

image

If you have a close look here, you’ll see rules that have no display name. I’ll cover that a bit further on, as it is still a bit of a mystery to me at this stage.

image

The last listing in script will show you all the rules that are NOT in use in date order. This is handy as I don’t see anything like this in the web portal.

image

Finally, the script will give you a summary as shown above.

It is interesting to note that 11 scripts report errors? These seem to be the ones with no names? Still haven’t quite worked that one out yet. You might also see this mismatch in the rules in use as I have above. I need to dig into this a little more. Also a bit strange is the fact that I have 191 scripts reporting in total but if I add the 104 templates in use with the 112 not in use I come to a total of 216! If I then look in the web interface I see:

image

only 182 templates in total??

This new Azure Sentinel module is only a month old as of writing this article, so early days. Hopefully, these items are minor bugs that will get fixed soon. You can also double check my code to ensure I haven’t something silly. If I have, let me know so I can fix it and share.

However, that considered, I can see this new Azure Sentinel PowerShell module being pretty handy if I’m honest. This script allows me to see when Microsoft adds new rules that I need to go and configure for one. I’ll be spending more time with this PowerShell module to automate how I deploy Azure Sentinel, which I reckon will save me a bucket-load of time.

Looking forward to future updates to this module, but there is no reason you can’t start automating Azure Sentinel yourself today!


 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s