You may already know Azure Sentinel, Microsoft's cloud-native SIEM (Security Information and Event Management) solution.
If you are using and managing Azure Sentinel, you will be happy to know that a PowerShell module is now available to manage it, in addition to the Azure portal.
Before you deploy this module, you need to ensure that:
- you are running PowerShell 5.1 (or later)
- you have the Az.Accounts module installed
If you don't have Az.Accounts or the Azure PowerShell module, you can install it using the command below:
Install-Module -Name Az.Accounts
Then you can install the Az.SecurityInsights module using the command below (-AllowClobber lets the installation proceed even if a cmdlet name conflicts with one from an already installed module):
Install-Module -Name Az.SecurityInsights -AllowClobber
After authenticating against Azure with Connect-AzAccount, you can manage your Azure Sentinel instance: investigate and assign incidents, configure data connectors, and so on.
If you have more than one Azure subscription, you may have to set the Azure context first (Set-AzContext) so that the cmdlets target the right one.
All Az.SecurityInsights commands can be listed with the command below:
Get-Command -Module Az.SecurityInsights
At the time of writing, the following commands are available:
- Get-AzSentinelAlertRuleAction
- New-AzSentinelAlertRuleAction
- Remove-AzSentinelAlertRuleAction
- Update-AzSentinelAlertRuleAction
- Get-AzSentinelAlertRule
- New-AzSentinelAlertRule
- Remove-AzSentinelAlertRule
- Update-AzSentinelAlertRule
- Get-AzSentinelAlertRuleTemplate
- Get-AzSentinelBookmark
- New-AzSentinelBookmark
- Remove-AzSentinelBookmark
- Update-AzSentinelBookmark
- Get-AzSentinelDataConnector
- New-AzSentinelDataConnector
- Remove-AzSentinelDataConnector
- Update-AzSentinelDataConnector
- Get-AzSentinelIncidentComment
- New-AzSentinelIncidentComment
- Get-AzSentinelIncident
- New-AzSentinelIncident
- New-AzSentinelIncidentOwner
- Remove-AzSentinelIncident
- Update-AzSentinelIncident
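The workflow described above (authenticate, set the context, then triage incidents), as an added example that is not part of the original post or of the module's documentation. The subscription, resource group, workspace and analyst UPN are placeholders, and the parameter and property names (-IncidentId, -Owner, Name, Status, Severity) are assumed to be those of the Az.SecurityInsights 1.x module listed above.

```powershell
# Added example: triage new incidents with Az.SecurityInsights.
# All values below are placeholders; parameter/property names assume Az.SecurityInsights 1.x.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-sentinel'                            # placeholder
$workspace      = 'law-sentinel'                           # placeholder
$analystUpn     = 'analyst@contoso.com'                    # placeholder

# Authenticate, then pin the context so the Sentinel cmdlets hit the intended subscription
Connect-AzAccount
Set-AzContext -Subscription $subscriptionId | Out-Null

# Pull every incident in the workspace and keep the unowned ones worth looking at first
$incidents = Get-AzSentinelIncident -ResourceGroupName $resourceGroup -WorkspaceName $workspace
$backlog = $incidents | Where-Object {
    $_.Status -eq 'New' -and $_.Severity -in @('High', 'Medium')
}

# Quick overview for the shift hand-over (Name holds the incident GUID in 1.x)
$backlog | Select-Object Name, Title, Severity, Status | Format-Table -AutoSize

foreach ($incident in $backlog) {
    # Build the owner object and assign the incident, moving it from New to Active.
    # Title and Severity are passed back unchanged in case the cmdlet requires them.
    $owner = New-AzSentinelIncidentOwner -UserPrincipalName $analystUpn -Email $analystUpn
    Update-AzSentinelIncident -ResourceGroupName $resourceGroup -WorkspaceName $workspace `
        -IncidentId $incident.Name -Title $incident.Title -Severity $incident.Severity `
        -Status 'Active' -Owner $owner

    # Leave an audit trail on the incident itself
    New-AzSentinelIncidentComment -ResourceGroupName $resourceGroup -WorkspaceName $workspace `
        -IncidentId $incident.Name -Message "Assigned to $analystUpn via Az.SecurityInsights for triage"
}
```

Run it from a PowerShell 5.1 (or later) session where both modules are installed; Connect-AzAccount prompts interactively unless you have an existing session.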