Getting started with Azure Sentinel and PowerShell

Now that there is an official PowerShell module for Azure Sentinel (Az.SecurityInsights), we can manage Azure Sentinel from PowerShell. In this post, I will show you how to get started with PowerShell and Azure Sentinel.

Note that this is the first release of the module; version 0.1.0 ships with the following cmdlets:

Incident management:

  • Get-AzSentinelIncident
  • New-AzSentinelIncident
  • Get-AzSentinelIncidentComment
  • New-AzSentinelIncidentComment
  • New-AzSentinelIncidentOwner
  • Remove-AzSentinelIncident
  • Update-AzSentinelIncident

Alert Rule Management:

  • Get-AzSentinelAlertRule
  • Get-AzSentinelAlertRuleAction
  • Get-AzSentinelAlertRuleTemplate
  • New-AzSentinelAlertRule
  • New-AzSentinelAlertRuleAction
  • Remove-AzSentinelAlertRule
  • Remove-AzSentinelAlertRuleAction
  • Update-AzSentinelAlertRule
  • Update-AzSentinelAlertRuleAction

Bookmark Management:

  • Get-AzSentinelBookmark
  • New-AzSentinelBookmark
  • Remove-AzSentinelBookmark
  • Update-AzSentinelBookmark

Connector Management:

  • Get-AzSentinelDataConnector
  • New-AzSentinelDataConnector
  • Remove-AzSentinelDataConnector
  • Update-AzSentinelDataConnector

Requirements

  • PowerShell modules
    • AzureAD
    • Az.SecurityInsights
    • Az
  • Azure Sentinel activated on your Log Analytics workspace
  • Permissions

Every Azure Sentinel cmdlet requires the ResourceGroupName and WorkspaceName parameters. To avoid repeating them on every call, define a hash table holding both values once and pass it to each cmdlet with splatting (@HashTable). You can read more about this method here – about_Splatting – PowerShell | Microsoft Docs

So let’s get started.

The first step is to install these three PowerShell modules from the PowerShell Gallery:

  • Install-Module -Name Az.SecurityInsights -Verbose -Force
  • Install-Module -Name AzureAD -Verbose -Force
  • Install-Module -Name Az -Verbose -Force

Please remember that you need administrative permissions to install these.

The next step is to sign in to your Azure environment with the Connect-AzAccount cmdlet. You can read more about Connect-AzAccount here – Connect-AzAccount (Az.Accounts) | Microsoft Docs

If you have access to more than one subscription, you may need to switch to the one that holds the Azure Sentinel workspace. Run the Get-AzSubscription cmdlet, copy that subscription's ID, and then run Set-AzContext like this:

  • Set-AzContext -Subscription %MySubscriptionID%
    • %MySubscriptionID% should be replaced with the actual subscription ID

After all these steps, you should be ready to automate Azure Sentinel with PowerShell.
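Putting the steps above together, as an added example that is not part of the original post: it installs the modules, signs in, selects the subscription, builds the splatting hash table, and then runs two read-only checks (open incidents by severity, and disabled analytics rules). The subscription, resource group and workspace values are placeholders, and the property names used in the last step (Status, Severity, Title, CreatedTimeUtc, DisplayName, Enabled) are assumed from the module's output objects.

```powershell
# Added example, not from the original post.
# End-to-end setup followed by a first read-only look at the workspace.

# 1. Modules. -Scope CurrentUser installs for this account only, so no
#    elevated session is needed; drop it to install machine-wide as in the post.
foreach ($m in 'Az', 'AzureAD', 'Az.SecurityInsights') {
    if (-not (Get-Module -ListAvailable -Name $m)) {
        Install-Module -Name $m -Scope CurrentUser -Force
    }
}

# 2. Interactive sign-in to Azure.
Connect-AzAccount | Out-Null

# 3. Select the subscription holding the Sentinel workspace.
#    Placeholder: replace with the ID shown by Get-AzSubscription.
$SubscriptionId = '%MySubscriptionID%'
Set-AzContext -Subscription $SubscriptionId | Out-Null

# 4. Splatting hash table reused by every Az.SecurityInsights cmdlet.
#    Placeholder values: use your own resource group and workspace names.
$Sentinel = @{
    ResourceGroupName = 'rg-sentinel'
    WorkspaceName     = 'law-sentinel'
}

# 5a. Open incidents, counted by severity (assumed properties: Status, Severity).
$open = Get-AzSentinelIncident @Sentinel |
    Where-Object { $_.Status -ne 'Closed' }

$open | Group-Object Severity | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 5b. The open High-severity incidents, oldest first.
$open | Where-Object { $_.Severity -eq 'High' } |
    Sort-Object CreatedTimeUtc |
    Select-Object Title, Status, CreatedTimeUtc |
    Format-Table -AutoSize

# 5c. Analytics rules that exist but are switched off (assumed property: Enabled).
Get-AzSentinelAlertRule @Sentinel |
    Where-Object { -not $_.Enabled } |
    Select-Object DisplayName |
    Format-Table -AutoSize
```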

Download the Azure Sentinel management with PowerShell from here

Have fun!

Kaido Järvemets
