Yes Virginia, it is now possible to use PowerShell with Azure Sentinel. Microsoft has made available the Az.Security insights module that allows you to work with Azure Sentinel. You’ll find the module here:
https://www.powershellgallery.com/packages/Az.SecurityInsights/0.1.0
and you install it in your elevated PowerShell environment via the command:
Install-Module -Name Az.SecurityInsights –AllowClobber
To use the module commands you’ll also need to login to Azure. You can do that by using my connection scripts which are here:
An easier way to connect using PowerShell
However, what I’ve done to make it even easier for you by creating a complete script here:
https://github.com/directorcia/Office365/blob/master/az-sentinel-ruleget.ps1
You run the script in your environment like so:
You’ll then be prompted to login to your Azure tenant like so:
You’ll then be prompted to select your Azure subscription where Sentinel is configured:
You should see a list of all the subscriptions in your tenant as shown above. Select the one where Azure Sentinel is configured and select OK to continue.
You’ll then be prompted to select which workspace Azure Sentinel is configured with. Again, just select the appropriate workspace and then OK to continue.
The script will now display a list of all the available Rule Templates in Sentinel as shown above, sorted by most recently added (handy to see what’s new!).
This list is what you see in the Azure Sentinel portal when you select Analytics, then Rule templates as shown above. In effect, this is every analytics rule Sentinel makes available to you.
The next part of the script output will show you every rule in use.
This corresponds with the Active rules area in the web portal as shown above.
The next section of the script output will show you all the available rules and whether they are in use or Active as shown above.
You’ll see something similar if you return to the Rule templates, and note the rules “IN USE”, as shown above.
If you have a close look here, you’ll see rules that have no display name. I’ll cover that a bit further on, as it is still a bit of a mystery to me at this stage.
The last listing in script will show you all the rules that are NOT in use in date order. This is handy as I don’t see anything like this in the web portal.
Finally, the script will give you a summary as shown above.
It is interesting to note that 11 scripts report errors? These seem to be the ones with no names? Still haven’t quite worked that one out yet. You might also see this mismatch in the rules in use as I have above. I need to dig into this a little more. Also a bit strange is the fact that I have 191 scripts reporting in total but if I add the 104 templates in use with the 112 not in use I come to a total of 216! If I then look in the web interface I see:
only 182 templates in total??
This new Azure Sentinel module is only a month old as of writing this article, so early days. Hopefully, these items are minor bugs that will get fixed soon. You can also double check my code to ensure I haven’t something silly. If I have, let me know so I can fix it and share.
However, that considered, I can see this new Azure Sentinel PowerShell module being pretty handy if I’m honest. This script allows me to see when Microsoft adds new rules that I need to go and configure for one. I’ll be spending more time with this PowerShell module to automate how I deploy Azure Sentinel, which I reckon will save me a bucket-load of time.
Looking forward to future updates to this module, but there is no reason you can’t start automating Azure Sentinel yourself today!
CIAOPS 
Thanks for sharing this! Do you know if we could enable multiple Azure Sentinel analytics rule using Powershell?
LikeLike
Should be able to but I have had issues recently with Sentinel PowerShell working correctly. Something seems to be broken.
LikeLike