Azure – A new PowerShell module is available to manage Azure Sentinel

You may now know Azure Sentinel, the cloud native SIEM (Security Information and Event Management) solution from Microsoft.

Well, if you are using and managing Azure Sentinel you will be happy to know that a PowerShell module is now available to manage Azure Sentinel, in addition to the Azure portal.

Before you deploy this module, you need to ensure:

  • you are using PowerShell 5.1 (or later)
  • have the Az.Accounts module installed

If you don’t have Az.Accounts or the Azure PowerShell module you can install it using the below command

Install-Module -Name Az.Accounts

Then you can install the Az.SecurityInsights module using the command

Install-Module -Name Az.SecurityInsights -AllowClobber


Then, after authenticating against Azure using Connect-AzAccount, you can manage your Azure Sentinel by investigating or assigning incidents, configuring connectors and so on.

If you have more than one Azure subscription you may have to set the Azure context first.
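The whole sequence (install, connect, pick the subscription, then triage an incident) as one added walkthrough. This is an added example, not code from the original post or from Microsoft; the resource group, workspace name, subscription name and incident id are placeholders you must replace, and the cmdlet parameter names (-ResourceGroupName, -WorkspaceName, -IncidentId, -Severity, -Status, -Message) are those I expect Az.SecurityInsights to expose but are assumptions to check with Get-Help:

```powershell
# Added example (not from the original post). Placeholder values are marked.
# Authenticate interactively; use -Identity or a service principal for automation.
Connect-AzAccount

# With several subscriptions, pin the context so the Sentinel cmdlets hit the right workspace.
Set-AzContext -Subscription 'PLACEHOLDER-subscription-name'

$rg  = 'PLACEHOLDER-resource-group'   # resource group of the Log Analytics workspace
$ws  = 'PLACEHOLDER-workspace-name'   # workspace onboarded to Azure Sentinel

# Read-only pass first: list open incidents, most severe first, so nothing is changed blindly.
$open = Get-AzSentinelIncident -ResourceGroupName $rg -WorkspaceName $ws |
    Where-Object { $_.Status -ne 'Closed' } |
    Sort-Object Severity

$open | Select-Object Number, Title, Severity, Status, CreatedTimeUtc | Format-Table -AutoSize

# Triage one incident: raise severity, mark it active and leave an audit comment.
$incidentId = 'PLACEHOLDER-incident-guid'   # taken from the Name/IncidentId of one row above
Update-AzSentinelIncident -ResourceGroupName $rg -WorkspaceName $ws -IncidentId $incidentId `
    -Severity 'High' -Status 'Active'
New-AzSentinelIncidentComment -ResourceGroupName $rg -WorkspaceName $ws -IncidentId $incidentId `
    -Message 'Escalated by PowerShell triage script; investigation in progress.'
```

Run the read-only part on its own first and confirm the workspace and subscription in the output before running the Update- and New- lines; the same commands run unattended only if the account used has a Sentinel Responder (or higher) role on the workspace.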

All Az.SecurityInsights commands can be listed with the command

Get-Command -Module Az.SecurityInsights

At the time of writing the below commands are available:

  • Get-AzSentinelAlertRuleAction
  • New-AzSentinelAlertRuleAction
  • Remove-AzSentinelAlertRuleAction
  • Update-AzSentinelAlertRuleAction
  • Get-AzSentinelAlertRule
  • New-AzSentinelAlertRule
  • Remove-AzSentinelAlertRule
  • Update-AzSentinelAlertRule
  • Get-AzSentinelAlertRuleTemplate
  • Get-AzSentinelBookmark
  • New-AzSentinelBookmark
  • Remove-AzSentinelBookmark
  • Update-AzSentinelBookmark
  • Get-AzSentinelDataConnector
  • New-AzSentinelDataConnector
  • Remove-AzSentinelDataConnector
  • Update-AzSentinelDataConnector
  • Get-AzSentinelIncidentComment
  • New-AzSentinelIncidentComment
  • Get-AzSentinelIncident
  • New-AzSentinelIncident
  • New-AzSentinelIncidentOwner
  • Remove-AzSentinelIncident
  • Update-AzSentinelIncident
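Beyond incident handling, the Get- cmdlets in that list are useful for auditing a workspace's detection posture from the command line. The following is an added example, not code from the original post or from Microsoft: it reports which analytics rules are disabled and which data connectors are present. Resource group and workspace are placeholders, and the property names (DisplayName, Enabled, Kind) are assumptions about the objects these cmdlets return; check them with Get-Member before relying on them:

```powershell
# Added example (not from the original post). Assumes Connect-AzAccount has already run.
$rg = 'PLACEHOLDER-resource-group'
$ws = 'PLACEHOLDER-workspace-name'

# Analytics rules that exist but are switched off: a common blind spot after migrations.
$rules = Get-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws
$disabled = $rules | Where-Object { -not $_.Enabled }
Write-Host ("{0} of {1} analytics rules are disabled" -f $disabled.Count, $rules.Count)
$disabled | Select-Object DisplayName, Kind | Format-Table -AutoSize

# Data connectors currently configured, grouped by type, so missing log sources stand out.
Get-AzSentinelDataConnector -ResourceGroupName $rg -WorkspaceName $ws |
    Group-Object Kind |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

Both calls are read-only, so the script is safe to schedule; pair it with Get-AzSentinelAlertRuleTemplate if you also want to see which built-in rule templates have never been turned into rules.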