@pkhabazi
Last active February 24, 2020 19:41
AZSentinel PowerShell Module example and blog
Alert rule settings file (`AlertRules.json`), in the format consumed by `Import-AzSentinelAlertRule`:

```json
{
  "analytics": [
    {
      "displayName": "string",
      "description": "string",
      "severity": "High",
      "enabled": true,
      "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
      "queryFrequency": "5H",
      "queryPeriod": "5H",
      "triggerOperator": "GreaterThan",
      "triggerThreshold": 5,
      "suppressionDuration": "6H",
      "suppressionEnabled": false,
      "playbookName": "string"
    }
  ]
}
```
Select the workspace the module works against:

```powershell
Set-AzSentinel -WorkspaceName "pkm02"
```
Hunting rule settings file (same `analytics` layout, with MITRE ATT&CK tactics instead of scheduling properties):

```json
{
  "analytics": [
    {
      "displayName": "Hunting rule name",
      "description": "Describe the hunting Rule",
      "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
      "tactics": [
        "Persistence",
        "LateralMovement",
        "Collection"
      ]
    }
  ]
}
```
First import of the settings file (both rules are created):

```powershell
Import-AzSentinelAlertRule -WorkspaceName "pkm02" -SettingsFile .\examples\AlertRules.json
```

```text
Successfully created rule: AlertRule01 with status: OK
Name                : 6da987ce-cd83-491f-a489-232e9f917816
DisplayName         : AlertRule01
Description         : test
Severity            : High
Enabled             : True
Query               : SecurityEvent | where EventID == "4688" | where CommandLine contains "-noni -ep bypass $"
QueryFrequency      : PT5H
QueryPeriod         : PT6H
TriggerOperator     : GreaterThan
TriggerThreshold    : 5
SuppressionDuration : PT6H
SuppressionEnabled  : False
Tactics             : {Persistence, LateralMovement, Collection}

Successfully created rule: AlertRule02 with status: OK

Name                : 50e9d5a4-ab08-4197-9403-ab5e884342ac
DisplayName         : AlertRule02
Description         : test
Severity            : High
Enabled             : True
Query               : SecurityEvent | where EventID == "4688" | where CommandLine contains "-noni -ep bypass $"
QueryFrequency      : PT5H
QueryPeriod         : PT6H
TriggerOperator     : GreaterThan
TriggerThreshold    : 5
SuppressionDuration : PT6H
SuppressionEnabled  : False
Tactics             : {Persistence, LateralMovement, Collection}
```
Second import after editing the file: the module compares each rule with the one already in the workspace, lists the differing properties, and asks for confirmation before updating:

```powershell
Import-AzSentinelAlertRule -WorkspaceName "pkm02" -SettingsFile .\examples\AlertRules.json
```

```text
Found Differences for rule: AlertRule01

PropertyName RefValue                           DiffValue
------------ --------                           ---------
QueryPeriod  PT6H                               PT7H
Severity     Low                                High
Tactics      {Execution, Discovery, Collection} {Persistence, LateralMovement, Collection}



Confirm
Are you sure you want to perform this action?
Performing the operation "Import-AzSentinelAlertRule" on target "Do you want to update profile: AlertRule01".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):
```
Installing the module from the PowerShell Gallery and checking what it exports:

```powershell
Install-Module -Name AzSentinel -Scope CurrentUser -Force
Get-Module AzSentinel -ListAvailable | fl
```

```text
Name              : AzSentinel
Path              : C:\#####\PowerShell\Modules\AzSentinel\0.6.0\AzSentinel.psd1
Description       : PowerShell module for Azure Sentinel
ModuleType        : Script
Version           : 0.6.1
NestedModules     : {}
ExportedFunctions : {Get-AzSentinelAlertRule, Get-AzSentinelHuntingRule, Get-AzSentinelIncident,
                    Import-AzSentinelAlertRule…}
ExportedCmdlets   :
ExportedVariables :
ExportedAliases   :
```
Properties of an alert rule in the settings file:

| Name | Type | Required | Allowed values | Example |
|------|------|----------|----------------|---------|
| displayName | string | yes | * | DisplayName |
| description | string | yes | * | Description |
| severity | string | yes | Medium, High, Low, Informational | Medium |
| enabled | bool | yes | true, false | true |
| query | string | yes | JSON special characters (such as `"`) must be escaped with `\` | `SecurityEvent \| where EventID == \"4688\" \| where CommandLine contains \"-noni -ep bypass $\"` |
| queryFrequency | string | yes | value must be between 5 minutes and 24 hours | 5H |
| queryPeriod | string | yes | value must be between 5 minutes and 24 hours | 1440M |
| triggerOperator | string | yes | GreaterThan, FewerThan, EqualTo, NotEqualTo | GreaterThan |
| triggerThreshold | int | yes | value must be between 0 and 10000 | 5 |
| suppressionDuration | string | yes | value must be between 5 minutes and 24 hours | 11H |
| suppressionEnabled | bool | yes | true, false | true |
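The constraints in the table are only reported by the import once it reaches the workspace, so a pre-flight check of the settings file is useful before `Import-AzSentinelAlertRule` is run. The script below is an added example, not code from this gist or from the AzSentinel module: it parses the file, checks every rule against the required properties, allowed values and ranges listed above, and returns a result object instead of writing to the workspace. It assumes durations are written as `<n>M` or `<n>H` (the forms shown in the examples, 5H, 11H and 1440M) and that the file uses the `{"analytics": [...]}` layout used throughout this page. The function and variable names are the example's own.

```powershell
# Added example (not from the gist or the AzSentinel module): validate an AlertRules.json
# file against the property table before calling Import-AzSentinelAlertRule.
# Assumption: durations use the "<n>M" / "<n>H" form shown in the examples on this page.

function ConvertTo-Minutes {
    param([Parameter(Mandatory)][string]$Duration)
    # "5M" -> 5, "5H" -> 300, "1440M" -> 1440; $null for anything not in the assumed form
    if ($Duration -match '^(?<n>\d+)(?<u>[MH])$') {
        $n = [int]$Matches['n']
        if ($Matches['u'] -eq 'H') { return $n * 60 }
        return $n
    }
    return $null
}

function Test-AzSentinelAlertRuleFile {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $allowedSeverity = 'Medium', 'High', 'Low', 'Informational'
    $allowedOperator = 'GreaterThan', 'FewerThan', 'EqualTo', 'NotEqualTo'
    $required = 'displayName', 'description', 'severity', 'enabled', 'query', 'queryFrequency',
                'queryPeriod', 'triggerOperator', 'triggerThreshold', 'suppressionDuration',
                'suppressionEnabled'
    $problems = [System.Collections.Generic.List[string]]::new()

    try {
        $doc = Get-Content -Path $Path -Raw -ErrorAction Stop | ConvertFrom-Json -ErrorAction Stop
    } catch {
        # An unescaped quote or backslash inside "query" shows up here as a JSON parse error
        $problems.Add("file is not valid JSON: $($_.Exception.Message)")
        return [pscustomobject]@{ Path = $Path; RuleCount = 0; IsValid = $false; Problems = $problems }
    }

    $rules = @($doc.analytics | Where-Object { $null -ne $_ })
    if ($rules.Count -eq 0) { $problems.Add("file has no 'analytics' array or it is empty") }

    $seen = @{}
    foreach ($rule in $rules) {
        $name = if ($rule.displayName) { $rule.displayName } else { '<no displayName>' }

        foreach ($key in $required) {
            if ($null -eq $rule.$key) { $problems.Add("${name}: missing required property '$key'") }
        }
        # The import matches existing rules by display name, so duplicates would collide on update
        if ($rule.displayName) {
            if ($seen.ContainsKey($rule.displayName)) { $problems.Add("${name}: duplicate displayName") }
            $seen[$rule.displayName] = $true
        }
        if ($rule.severity -and $rule.severity -notin $allowedSeverity) {
            $problems.Add("${name}: severity '$($rule.severity)' not in $($allowedSeverity -join ', ')")
        }
        if ($rule.triggerOperator -and $rule.triggerOperator -notin $allowedOperator) {
            $problems.Add("${name}: triggerOperator '$($rule.triggerOperator)' not in $($allowedOperator -join ', ')")
        }
        foreach ($key in 'enabled', 'suppressionEnabled') {
            if ($null -ne $rule.$key -and $rule.$key -isnot [bool]) {
                $problems.Add("${name}: $key must be true or false, not '$($rule.$key)'")
            }
        }
        if ($null -ne $rule.query -and [string]::IsNullOrWhiteSpace([string]$rule.query)) {
            $problems.Add("${name}: query is empty")
        }
        if ($null -ne $rule.triggerThreshold) {
            $t = $rule.triggerThreshold
            if (-not ($t -is [int32] -or $t -is [int64])) {
                $problems.Add("${name}: triggerThreshold must be an integer")
            } elseif ($t -lt 0 -or $t -gt 10000) {
                $problems.Add("${name}: triggerThreshold must be between 0 and 10000 (got $t)")
            }
        }
        $minutes = @{}
        foreach ($key in 'queryFrequency', 'queryPeriod', 'suppressionDuration') {
            if ($null -eq $rule.$key) { continue }
            $m = ConvertTo-Minutes -Duration ([string]$rule.$key)
            if ($null -eq $m) {
                $problems.Add("${name}: $key '$($rule.$key)' is not in <n>M or <n>H form")
            } elseif ($m -lt 5 -or $m -gt 1440) {
                $problems.Add("${name}: $key must be between 5 minutes and 24 hours (got $m minutes)")
            } else { $minutes[$key] = $m }
        }
        # Not in the table above, but enforced by Azure Sentinel for scheduled rules: the
        # lookback (queryPeriod) must be at least the run frequency, or events are skipped.
        if ($minutes.queryFrequency -and $minutes.queryPeriod -and $minutes.queryPeriod -lt $minutes.queryFrequency) {
            $problems.Add("${name}: queryPeriod ($($minutes.queryPeriod) min) is shorter than queryFrequency ($($minutes.queryFrequency) min)")
        }
    }

    [pscustomobject]@{
        Path      = $Path
        RuleCount = $rules.Count
        IsValid   = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Constructed sample file: AlertRule01 is valid; AlertRule02 has an unknown severity, a lookback
# shorter than its frequency, and a threshold above 10000.
$sample = @'
{ "analytics": [
  { "displayName": "AlertRule01", "description": "test", "severity": "High", "enabled": true,
    "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
    "queryFrequency": "5H", "queryPeriod": "6H", "triggerOperator": "GreaterThan", "triggerThreshold": 5,
    "suppressionDuration": "6H", "suppressionEnabled": false },
  { "displayName": "AlertRule02", "description": "test", "severity": "Critical", "enabled": true,
    "query": "SecurityEvent | where EventID == 4688", "queryFrequency": "5H", "queryPeriod": "10M",
    "triggerOperator": "GreaterThan", "triggerThreshold": 50000, "suppressionDuration": "6H",
    "suppressionEnabled": false }
] }
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'AlertRules.sample.json'
Set-Content -Path $tmp -Value $sample
$result = Test-AzSentinelAlertRuleFile -Path $tmp
$result.Problems
```

Run the check against the real `.\examples\AlertRules.json` and only call `Import-AzSentinelAlertRule` when `$result.IsValid` is true; the `Problems` list names the rule and property for each finding, which is quicker to act on than the confirm prompt shown earlier.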