Export Azure Sentinel
Export-AzSentinel [-SubscriptionId <String>] -WorkspaceName <String> -OutputFolder <FileInfo>
-Kind [-TemplatesKind ] []
pkhabazi
/ ConvertSentinelRuleFrom-Yaml.ps1
Last active
March 16, 2022 22:19
onvert Microsoft Sentinel YAML rules to JSON ARM format
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Convert Microsoft Sentinel YAML rules to JSON ARM format | |
| .DESCRIPTION | |
| This function converts the Microsoft Sentinel rules published on Microsoft Sentinel GitHub in YAML format to the right ARM JSON format | |
| .EXAMPLE | |
| ConvertSentinelRuleFrom-Yaml -Path './PathToYamlFolder' | |
| In This example all the YAML files in the folder will be converted to the right JSON format in the same folder | |
| .EXAMPLE | |
| ConvertSentinelRuleFrom-Yaml -Path './pathToYAMLFolder' -OutputFolder ./PathToJsonFolder |
pkhabazi
/ New-AzureSentinelAlertRuleDeployment.ps1
Last active
October 27, 2021 19:11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Combine JSON template file into one object before deployment | |
| .DESCRIPTION | |
| This function will combine all the Azure Sentinel Alert rule JSON file's into one template object before deploying to ARM | |
| .EXAMPLE | |
| New-AzureSentinelAlertRuleDeployment -templatePath "./rules" -resourceGroupName "RG Name" -workspaceName "WorkspaceName" | |
| .NOTES | |
| AUTHOR: Pouyan Khabazi | |
| LASTEDIT: 11-10-2021 |
pkhabazi
/ AzureDeploy.json
Created
October 4, 2021 19:36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | |
| "contentVersion": "1.0.0.0", | |
| "parameters": { | |
| "workspace": { | |
| "type": "String" | |
| } | |
| }, | |
| "resources": [ | |
| { |
pkhabazi
/ RestAPI.json
Last active
July 27, 2021 13:33
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "body": { | |
| "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", | |
| "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", | |
| "type": "Microsoft.SecurityInsights/dataConnectors", | |
| "kind": "ThreatIntelligence", | |
| "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", | |
| "properties": { | |
| "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", | |
| "tipLookbackPeriod": "2020-01-01T13:00:30.123Z", | |
| "dataTypes": { |
pkhabazi
/ Export-AzSentinel.md
Last active
October 29, 2020 10:49
pkhabazi
/ DataConnectors.json
Last active
October 8, 2020 19:44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "AzureSecurityCenter": [ | |
| { | |
| "subscriptionId": "ebdab2f1-0b79-4181-a70d-82f0ff39243e", | |
| "state": "Enabled" | |
| }, | |
| { | |
| "subscriptionId": "ebdab2f1-0b79-4181-a70d-82f0ff39243e", | |
| "state": "Enabled" | |
| } |
pkhabazi
/ AlertRules.tests.ps1
Last active
October 25, 2020 05:42
Deploying and Managing Azure Sentinel – Ninja style
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Describe "Azure Sentinel AlertRules Tests" { | |
| $TestFiles = Get-ChildItem -Path .\SettingFiles\AlertRules.json -File -Recurse | ForEach-Object -Process { | |
| @{ | |
| File = $_.FullName | |
| ConvertedJson = (Get-Content -Path $_.FullName | ConvertFrom-Json) | |
| Path = $_.DirectoryName | |
| Name = $_.Name | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Scheduled: | |
| - id: 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee | |
| displayname: Suspect Application Consent | |
| description: | | |
| This will alert when the "Consent to application" operation occurs by a user that has not done this operation before or rarely does this. | |
| This could indicate that permissions to access the listed Azure App were provided to a malicious actor. | |
| Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. | |
| This may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth | |
| For further information on AuditLogs please see https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities | |
| severity: High |
pkhabazi
/ sentinel.yaml
Created
September 22, 2020 22:36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Scheduled: | |
| - id: 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee | |
| displayname: Suspect Application Consent | |
| description: | | |
| This will alert when the "Consent to application" operation occurs by a user that has not done this operation before or rarely does this. | |
| This could indicate that permissions to access the listed Azure App were provided to a malicious actor. | |
| Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. | |
| This may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth | |
| For further information on AuditLogs please see https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities | |
| severity: High |
NewerOlder