Import-AzSentinelAlertRule -WorkspaceName "pkm02" -SettingsFile .\examples\AlertRules.json
Successfully created rule: AlertRule01 with status: OK
Name : 6da987ce-cd83-491f-a489-232e9f917816
DisplayName : AlertRule01
Description : test
Severity : High
Enabled : True
Query : SecurityEvent | where EventID == "4688" | where CommandLine contains "-noni -ep bypass $"
QueryFrequency : PT5H
QueryPeriod : PT6H
TriggerOperator : GreaterThan
TriggerThreshold : 5
SuppressionDuration : PT6H
SuppressionEnabled : False
Tactics : {Persistence, LateralMovement, Collection}
Successfully created rule: AlertRule02 with status: OK
Name : 50e9d5a4-ab08-4197-9403-ab5e884342ac
DisplayName : AlertRule02
Description : test
Severity : High
Enabled : True
Query : SecurityEvent | where EventID == "4688" | where CommandLine contains "-noni -ep bypass $"
QueryFrequency : PT5H
QueryPeriod : PT6H
TriggerOperator : GreaterThan
TriggerThreshold : 5
SuppressionDuration : PT6H
SuppressionEnabled : False
Tactics : {Persistence, LateralMovement, Collection}
Last active: February 24, 2020 19:41
AZSentinel PowerShell Module example and blog
{
  "analytics": [
    {
      "displayName": "string",
      "description": "string",
      "severity": "High",
      "enabled": true,
      "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
      "queryFrequency": "5H",
      "queryPeriod": "5H",
      "triggerOperator": "GreaterThan",
      "triggerThreshold": 5,
      "suppressionDuration": "6H",
      "suppressionEnabled": false,
      "playbookName": "string"
    }
  ]
}
Set-AzSentinel -WorkspaceName "pkm02"
{
  "analytics": [
    {
      "displayName": "Hunting rule name",
      "description": "Describe the hunting Rule",
      "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
      "tactics": [
        "Persistence",
        "LateralMovement",
        "Collection"
      ]
    }
  ]
}
Import-AzSentinelAlertRule -WorkspaceName "pkm02" -SettingsFile .\examples\AlertRules.json
Found Differences for rule: AlertRule01
PropertyName RefValue DiffValue
------------ -------- ---------
QueryPeriod PT6H PT7H
Severity Low High
Tactics {Execution, Discovery, Collection} {Persistence, LateralMovement, Collection}
Confirm
Are you sure you want to perform this action?
Performing the operation "Import-AzSentinelAlertRule" on target "Do you want to update profile: AlertRule01".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
Install-Module -Name AzSentinel -Scope CurrentUser -Force
Get-Module AzSentinel -ListAvailable | fl
Name : AzSentinel
Path : C:\#####\PowerShell\Modules\AzSentinel\0.6.0\AzSentinel.psd1
Description : PowerShell module for Azure Sentinel
ModuleType : Script
Version : 0.6.1
NestedModules : {}
ExportedFunctions : {Get-AzSentinelAlertRule, Get-AzSentinelHuntingRule, Get-AzSentinelIncident,
Import-AzSentinelAlertRule…}
ExportedCmdlets :
ExportedVariables :
ExportedAliases :
Name | Type | Required | Allowed Values | Example
---|---|---|---|---
displayName | string | yes | * | DisplayName
description | string | yes | * | Description
severity | string | yes | Medium, High, Low, Informational | Medium
enabled | bool | yes | true, false | true
query | string | yes | Special characters must be escaped with \ | SecurityEvent \| where EventID == \"4688\" \| where CommandLine contains \"-noni -ep bypass $\"
queryFrequency | string | yes | Value must be between 5 minutes and 24 hours | 5H
queryPeriod | string | yes | Value must be between 5 minutes and 24 hours | 1440M
triggerOperator | string | yes | GreaterThan, FewerThan, EqualTo, NotEqualTo | GreaterThan
triggerThreshold | int | yes | The value must be between 0 and 10000 | 5
suppressionDuration | string | yes | Value must be between 5 minutes and 24 hours | 11H
suppressionEnabled | bool | yes | true, false | true
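As an added example (not part of the gist and not the AzSentinel module's own code), the following Python checker validates an AlertRules.json document against the constraints in the table above before it is handed to Import-AzSentinelAlertRule, and compares a rule from the file with an already deployed rule in the style of the "Found Differences" output shown earlier on the page. The SecurityEvent query and the AlertRule01 values are the page's own; the deliberately invalid second rule, the deployed-rule dictionary, and the assumption that the module renders "1440M" as "PT1440M" (the page only shows "5H" becoming "PT5H") are constructed for this example.

```python
import json
import re
from datetime import timedelta

# Constraints copied from the parameter table on this page.
SEVERITIES = {"Medium", "High", "Low", "Informational"}
OPERATORS = {"GreaterThan", "FewerThan", "EqualTo", "NotEqualTo"}
REQUIRED = {
    "displayName": str, "description": str, "severity": str, "enabled": bool,
    "query": str, "queryFrequency": str, "queryPeriod": str,
    "triggerOperator": str, "triggerThreshold": int,
    "suppressionDuration": str, "suppressionEnabled": bool,
}
DURATION_FIELDS = ("queryFrequency", "queryPeriod", "suppressionDuration")
MIN_DURATION, MAX_DURATION = timedelta(minutes=5), timedelta(hours=24)
SHORTHAND = re.compile(r"^(\d+)([HM])$")  # the 5H / 1440M form used in the table


def parse_duration(value):
    """Turn the '5H' / '1440M' shorthand into a timedelta; None if malformed."""
    m = SHORTHAND.match(str(value).strip().upper())
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2)
    return timedelta(hours=n) if unit == "H" else timedelta(minutes=n)


def to_iso8601(value):
    """Render the shorthand the way the module's output prints it ('5H' -> 'PT5H').
    Assumption: the unit is kept as written; the page only shows the hours case."""
    m = SHORTHAND.match(str(value).strip().upper())
    if not m:
        raise ValueError(f"not a <n>H/<n>M duration: {value!r}")
    return f"PT{m.group(1)}{m.group(2)}"


def validate_rule(rule):
    """Return the list of problems for one 'analytics' entry (empty means it passes)."""
    problems = []
    for name, typ in REQUIRED.items():
        if name not in rule:
            problems.append(f"{name}: missing required field")
            continue
        value = rule[name]
        # bool is a subclass of int in Python, so reject true/false for the int field explicitly.
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            problems.append(f"{name}: expected {typ.__name__}, got {type(value).__name__}")
    if problems:
        return problems  # presence/type errors make the value checks below meaningless
    if rule["severity"] not in SEVERITIES:
        problems.append(f"severity: {rule['severity']!r} not in {sorted(SEVERITIES)}")
    if rule["triggerOperator"] not in OPERATORS:
        problems.append(f"triggerOperator: {rule['triggerOperator']!r} not in {sorted(OPERATORS)}")
    if not 0 <= rule["triggerThreshold"] <= 10000:
        problems.append(f"triggerThreshold: {rule['triggerThreshold']} not in 0..10000")
    for field in DURATION_FIELDS:
        d = parse_duration(rule[field])
        if d is None:
            problems.append(f"{field}: {rule[field]!r} is not <n>H or <n>M")
        elif not MIN_DURATION <= d <= MAX_DURATION:
            problems.append(f"{field}: {rule[field]} is outside 5 minutes .. 24 hours")
    return problems


def validate_settings_file(text):
    """Validate a whole settings file; returns {displayName: [problems]}."""
    doc = json.loads(text)
    rules = doc.get("analytics")
    if not isinstance(rules, list):
        return {"<file>": ["top-level 'analytics' must be a list"]}
    return {r.get("displayName", f"<rule {i}>"): validate_rule(r) for i, r in enumerate(rules)}


def diff_rule(local, deployed):
    """Compare a settings-file rule with the deployed one, the way the module's
    'Found Differences' output does. Returns (property, refValue, diffValue) tuples.
    Durations from the file are normalised to the PT form so '6H' equals 'PT6H'."""
    diffs = []
    for key, ref in local.items():
        if key not in deployed:
            continue
        if key in DURATION_FIELDS and parse_duration(ref) is not None:
            ref = to_iso8601(ref)
        cur = deployed[key]
        equal = sorted(ref) == sorted(cur) if isinstance(ref, list) and isinstance(cur, list) else ref == cur
        if not equal:
            diffs.append((key, ref, cur))
    return diffs


# Constructed sample: the page's AlertRule01 entry plus one deliberately invalid rule.
SAMPLE_SETTINGS = json.dumps({"analytics": [
    {"displayName": "AlertRule01", "description": "test", "severity": "High", "enabled": True,
     "query": 'SecurityEvent | where EventID == "4688" | where CommandLine contains "-noni -ep bypass $"',
     "queryFrequency": "5H", "queryPeriod": "6H", "triggerOperator": "GreaterThan",
     "triggerThreshold": 5, "suppressionDuration": "6H", "suppressionEnabled": False},
    {"displayName": "BadRule", "description": "x", "severity": "Critical", "enabled": True,
     "query": "SecurityEvent", "queryFrequency": "30H", "queryPeriod": "1M",
     "triggerOperator": "GreaterThan", "triggerThreshold": 20000,
     "suppressionDuration": "6H", "suppressionEnabled": False},
]})

if __name__ == "__main__":
    for name, problems in validate_settings_file(SAMPLE_SETTINGS).items():
        print(name, "OK" if not problems else problems)
```

Running the file reports AlertRule01 as OK and lists four problems for BadRule (severity, threshold, and both out-of-range durations). The diff helper mirrors the page's example: a file rule with severity Low, queryPeriod 6H and tactics {Execution, Discovery, Collection} against a deployed rule with High, PT7H and {Persistence, LateralMovement, Collection} yields exactly the three rows the module printed.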