Getting started with Azure Sentinel and PowerShell
Now that we have an official PowerShell module for Azure Sentinel, we can use PowerShell with Azure Sentinel. In this post, I will show you how to get started with PowerShell and Azure Sentinel.
Note that this is the first release of the module; version 0.1.0 ships with these cmdlets:
Incident management:
- Get-AzSentinelIncident
- New-AzSentinelIncident
- Get-AzSentinelIncidentComment
- New-AzSentinelIncidentComment
- New-AzSentinelIncidentOwner
- Remove-AzSentinelIncident
- Update-AzSentinelIncident
Alert Rule Management:
- Get-AzSentinelAlertRule
- Get-AzSentinelAlertRuleAction
- Get-AzSentinelAlertRuleTemplate
- New-AzSentinelAlertRule
- New-AzSentinelAlertRuleAction
- Remove-AzSentinelAlertRule
- Remove-AzSentinelAlertRuleAction
- Update-AzSentinelAlertRule
- Update-AzSentinelAlertRuleAction
Bookmark Management:
- Get-AzSentinelBookmark
- New-AzSentinelBookmark
- Remove-AzSentinelBookmark
- Update-AzSentinelBookmark
Connector Management:
- Get-AzSentinelDataConnector
- New-AzSentinelDataConnector
- Remove-AzSentinelDataConnector
- Update-AzSentinelDataConnector
Requirements:
- PowerShell modules
  - AzureAD
  - Az.SecurityInsights
  - Az
- Azure Sentinel activated on your Log Analytics workspace
- Permissions
Every Azure Sentinel cmdlet requires us to specify the ResourceGroupName and WorkspaceName parameters. To simplify that part, we can define a hash table with the needed information once and reference it in every call (splatting). You can read more about that method in the PowerShell documentation: about_Splatting – PowerShell | Microsoft Docs
So let’s get started.
The first step is to install these three PowerShell modules from the PowerShell Gallery:
- Install-Module -Name Az.SecurityInsights -Verbose -Force
- Install-Module -Name AzureAD -Verbose -Force
- Install-Module -Name Az -Verbose -Force
Please remember that you need administrative permissions to install these.
The next step is to make a connection to your Azure environment using the Connect-AzAccount cmdlet. You can read more about it in the Az.Accounts documentation: Connect-AzAccount (Az.Accounts) | Microsoft Docs
If you have access to several subscriptions, you may need to switch to the one that hosts the Azure Sentinel workspace. To do that, run the Get-AzSubscription cmdlet, copy the ID of that subscription and then run the Set-AzContext cmdlet like this:
- Set-AzContext -Subscription %MySubscriptionID%
- %MySubscriptionID% should be replaced with the actual subscription ID
After all these steps, you should be ready to automate Azure Sentinel with PowerShell.
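Putting the steps above together with the splatting hash table described earlier, here is an added example script (not the post's own download) that installs the modules, signs in, pins the context to the right subscription and then queries the workspace. The subscription ID, resource group and workspace names are placeholders, and the incident, rule and connector property names used in the Select-Object and Where-Object calls are assumed from the module's output objects:

```powershell
# Added example; not the post's script. All names below are placeholders.

# 1. Install the modules once, from an elevated PowerShell session
#    (uncomment on first run; requires administrative permissions)
# Install-Module -Name Az -Verbose -Force
# Install-Module -Name Az.SecurityInsights -Verbose -Force
# Install-Module -Name AzureAD -Verbose -Force

# Fail early with a clear message instead of on the first Sentinel cmdlet
if (-not (Get-Module -ListAvailable -Name Az.SecurityInsights)) {
    throw 'Az.SecurityInsights is not installed. Run Install-Module -Name Az.SecurityInsights from an elevated session.'
}
Import-Module Az.Accounts, Az.SecurityInsights

# 2. Sign in to Azure (interactive prompt)
Connect-AzAccount | Out-Null

# 3. Pick the subscription that hosts the Sentinel workspace
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
Get-AzSubscription | Select-Object Name, Id, State | Format-Table -AutoSize
Set-AzContext -Subscription $SubscriptionId | Out-Null

# Verify the context really changed before touching any incidents
$Context = Get-AzContext
if ($Context.Subscription.Id -ne $SubscriptionId) {
    throw "Expected subscription $SubscriptionId but the context is $($Context.Subscription.Id)"
}

# 4. Splatting hash table: every Az.SecurityInsights cmdlet needs these two parameters
$SentinelParams = @{
    ResourceGroupName = 'rg-sentinel'    # placeholder
    WorkspaceName     = 'law-sentinel'   # placeholder
}

# 5. Pass the hash table with @ (splat), not $ (variable reference)
$Incidents     = Get-AzSentinelIncident @SentinelParams
$OpenIncidents = $Incidents | Where-Object { $_.Status -ne 'Closed' }   # Status property assumed
"Total incidents: $($Incidents.Count); not closed: $($OpenIncidents.Count)"

$OpenIncidents |
    Sort-Object Severity |
    Select-Object Number, Severity, Status, Title |   # property names assumed
    Format-Table -AutoSize

# Quick inventory of what is configured in the workspace
Get-AzSentinelAlertRule @SentinelParams |
    Select-Object DisplayName, Enabled, Kind |        # property names assumed
    Format-Table -AutoSize

Get-AzSentinelDataConnector @SentinelParams |
    Select-Object Name, Kind |                        # property names assumed
    Format-Table -AutoSize
```

The Get-AzContext check matters when you work across tenants or subscriptions: Set-AzContext returns quietly even when the name you typed resolves to a different subscription than you meant, and the cmdlets that follow will happily query whatever workspace the current context points at.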
You can download the Azure Sentinel management with PowerShell script from here.
Have fun!
Kaido Järvemets