Play with Azure Sentinel PowerShell (SecurityInsights)
Something as code. Today almost every system or app can be managed via code, and Azure Sentinel is no exception.
You might be familiar with the Infrastructure as Code concept from Azure Resource Manager, Terraform, or AWS CloudFormation. They are all ways to express your infrastructure as code so that you can put it under source control.
Besides managing your infrastructure as code, you can also use DevOps tooling to organize that code and deploy the infrastructure into your environment, all programmatically.
There are various components inside Azure Sentinel such as Connectors, Analytics Rules, Workbooks, Playbooks, Hunting Queries, Notebooks, and many more.
These components can be managed programmatically by API, ARM, and PowerShell.
Recently the Azure Sentinel team released an official PowerShell module for Azure Sentinel: a public preview of the SecurityInsights module, which is part of the Azure (Az) module family and is built on the Azure SDK for .NET.
The SecurityInsights cmdlets are based on the 2020-01-01 SecurityInsights API.
Azure Sentinel cmdlets in Windows PowerShell and PowerShell Core allow you to manage and monitor your resources’ security posture.
Install SecurityInsights Module
Like every other PowerShell module, there is nothing new about installing this one, but there are a few prerequisites:
- PowerShell version 5.1 or higher
- The Az.Accounts module
- The Az module – recommended for working with other Azure objects.
Note: The Az module is needed to work with other Azure objects, such as the resource group.
To install SecurityInsights, follow these steps:
Make sure you have Az.Accounts; if not, install it with one of these commands:
Install-Module -Name Az.Accounts -Scope CurrentUser
or
Install-Module -Name Az -AllowClobber -Scope CurrentUser
Once it is on your system, run the SecurityInsights install command:
Install-Module -Name Az.SecurityInsights -Scope CurrentUser
Once the modules are installed, you can start playing with the commands.
TIP: You must connect to a specific subscription and set the Azure context; without this, you might receive errors.
Inside the BOX
Once the SecurityInsights module is installed, you can check what is inside it, including its members. The module currently provides the following commands:
Get-Command -Module Az.SecurityInsights
Run SecurityInsights Commands
Before you start querying your incidents, rules, and other components, make sure you know your Azure Resource Group and Azure Sentinel Workspace Name, because you need to pass these two values to every SecurityInsights command.
Once SecurityInsights is installed and connected to your Azure subscription, you can start querying your Azure Sentinel environment. The following examples show a small part of what you can do with the SecurityInsights commands.
If we take the AzSentinelAlertRuleTemplate command, we can inspect the returned objects' members to see their properties and methods. To check the members, run the following command:
Get-AzSentinelAlertRuleTemplate -ResourceGroupName AzureSentinel -WorkspaceName AzureSentinelLAB1 | Get-Member
The result provides many members, properties, and methods to work with; for example, different TypeNames expose specific members.
AzSentinelAlertRuleTemplate – AzSentinelAlertRuleTemplate gives a good view of what we've got: which templates are installed, their data sources, and other useful information.
The following commands provide a bunch of information about Azure Sentinel rules.
Check current rules (all rules)
Get-AzSentinelAlertRuleTemplate -ResourceGroupName AzureSentinel -WorkspaceName AzureSentinelLAB1 | Select-Object DisplayName, Kind, Status, Type
TIP: When checking rule status, you will see a few values: Available and Installed. Some built-in and installed rules will still appear as Available, depending on their Kind.
Check Microsoft Security Rules.
The Microsoft security templates automatically create Azure Sentinel incidents in real time from the alerts generated in other Microsoft security solutions. You can use Microsoft security rules as a template to create new rules with similar logic.
When creating a Microsoft incident rule, the following rule types appear.
Now, if we filter on the MicrosoftSecurityIncidentCreation kind, we get the rules shown below.
Get-AzSentinelAlertRuleTemplate -ResourceGroupName AzureSentinel -WorkspaceName AzureSentinelLAB1 | where Kind -EQ MicrosoftSecurityIncidentCreation | ft DisplayName, Status
Check installed rules with the following command.
Get-AzSentinelAlertRuleTemplate -ResourceGroupName AzureSentinel -WorkspaceName AzureSentinelLAB1 | where Status -EQ "Installed"
But wait… there is a gap: other installed rules are not showing in this command. These are the rules from Microsoft security products, which the command above cannot return.
TIP: AzSentinelAlertRuleTemplate cannot show all installed rules, so check the next command as well.
To show the current rules, you can run the following command:
Get-AzSentinelAlertRule -ResourceGroupName AzureSentinel -WorkspaceName AzureSentinelLAB1 | ? Enabled -EQ True | ft DisplayName, ProductFilter
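To close the gap described above, the following added example (not code from the original post) reconciles the template list with the rules actually deployed in the workspace, matching Scheduled and Fusion rules to their template name and Microsoft Security rules by ProductFilter. It assumes an Az session whose subscription context is already set, and that Get-AzSentinelAlertRule output exposes the AlertRuleTemplateName and ProductFilter properties of the 2020-01-01 API.

```powershell
# Added example, not from the original post. Assumes an Az session with the
# subscription context already set, and that rule objects expose
# AlertRuleTemplateName and ProductFilter (present in the 2020-01-01 API).
$rg = 'AzureSentinel'          # values used in the post; replace with your own
$ws = 'AzureSentinelLAB1'

# Supply the two mandatory parameters to every Az.SecurityInsights cmdlet once,
# instead of repeating them on each call.
$PSDefaultParameterValues['*-AzSentinel*:ResourceGroupName'] = $rg
$PSDefaultParameterValues['*-AzSentinel*:WorkspaceName']     = $ws

function Get-SentinelRuleCoverage {
    # Returns one row per template stating whether a deployed rule matches it.
    $templates = Get-AzSentinelAlertRuleTemplate
    $rules     = Get-AzSentinelAlertRule

    foreach ($t in $templates) {
        # Scheduled/Fusion rules carry the name of the template they came from;
        # Microsoft Security incident-creation rules are matched by ProductFilter,
        # which is why they show as 'Available' in the template list even when deployed.
        $match = if ($t.Kind -eq 'MicrosoftSecurityIncidentCreation') {
            $rules | Where-Object { $_.Kind -eq $t.Kind -and $_.ProductFilter -eq $t.ProductFilter }
        } else {
            $rules | Where-Object { $_.AlertRuleTemplateName -eq $t.Name }
        }

        [pscustomobject]@{
            DisplayName    = $t.DisplayName
            Kind           = $t.Kind
            TemplateStatus = $t.Status                        # what the template list claims
            Deployed       = [bool]$match                     # what is actually in the workspace
            Enabled        = [bool]($match | Where-Object Enabled)
        }
    }
}

# Templates that are deployed although the template Status field does not say 'Installed'.
Get-SentinelRuleCoverage |
    Where-Object { $_.Deployed -and $_.TemplateStatus -ne 'Installed' } |
    Format-Table DisplayName, Kind, TemplateStatus, Deployed, Enabled
```

Drop the final filter to get the full coverage table, including templates that are installed but currently disabled.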
Now that we know what we’ve got, we can continue and update some rules.
Before updating any rule, let's fetch it by its Alert Rule ID.
Get-AzSentinelAlertRule -ResourceGroupName AzureSentinel -WorkspaceName AzureSentinelLAB1 -AlertRuleId "5b1345b4-79f8-478a-8b96-801bc49ebb90"
Create an Azure Sentinel alert rule with AzSentinelAlertRule – there are four types of rules, and we can create each of them; for example, a built-in rule for Azure Security Center can be created with the following command:
New-AzSentinelAlertRule -ResourceGroupName AzureSentinel -WorkspaceName AzureSentinelLAB1 -DisplayName "Test ASC" -MicrosoftSecurityIncidentCreation -ProductFilter "Azure Security Center"
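Treating rules as code means the rule definitions live in source control and are re-applied without creating duplicates. The added example below (not code from the original post) keeps the desired rules in a list and creates only the missing ones; it assumes an Az session with the context set, the -Scheduled parameter set of New-AzSentinelAlertRule as documented for the preview module (-Query, -QueryFrequency, -QueryPeriod, -Severity, -TriggerOperator, -TriggerThreshold), that the rule GUID is returned in the Name property, and the KQL query and second rule name are constructed for illustration.

```powershell
# Added example, not from the original post. Assumes an Az session with context set;
# the second rule (name and KQL) is constructed for illustration.
$rg = 'AzureSentinel'
$ws = 'AzureSentinelLAB1'

# Desired rules expressed as data, so the list can live in source control and be
# re-applied from a pipeline. Each entry maps to one New-AzSentinelAlertRule parameter set.
$desiredRules = @(
    @{ DisplayName = 'Test ASC'; Kind = 'MicrosoftSecurityIncidentCreation'
       ProductFilter = 'Azure Security Center' },
    @{ DisplayName = 'Constructed: burst of failed sign-ins per user'; Kind = 'Scheduled'
       Severity = 'Medium'
       Query = 'SigninLogs | where ResultType != 0 | summarize Failures = count() by UserPrincipalName | where Failures > 20'
       Frequency = New-TimeSpan -Hours 1; Period = New-TimeSpan -Hours 1; Threshold = 0 }
)

function Set-SentinelRuleFromSpec {
    param([Parameter(Mandatory)][hashtable]$Spec)

    # Idempotency: DisplayName is the key we manage by, so re-running never duplicates a rule.
    $existing = Get-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws |
        Where-Object DisplayName -eq $Spec.DisplayName
    if ($existing) {
        return [pscustomobject]@{ DisplayName = $Spec.DisplayName; Action = 'exists'; Id = $existing.Name }
    }

    $common = @{ ResourceGroupName = $rg; WorkspaceName = $ws; DisplayName = $Spec.DisplayName; Enabled = $true }
    $rule = switch ($Spec.Kind) {
        'MicrosoftSecurityIncidentCreation' {
            New-AzSentinelAlertRule @common -MicrosoftSecurityIncidentCreation -ProductFilter $Spec.ProductFilter
        }
        'Scheduled' {
            New-AzSentinelAlertRule @common -Scheduled -Query $Spec.Query -Severity $Spec.Severity `
                -QueryFrequency $Spec.Frequency -QueryPeriod $Spec.Period `
                -TriggerOperator GreaterThan -TriggerThreshold $Spec.Threshold
        }
        default { throw "Unsupported rule kind '$($Spec.Kind)' for $($Spec.DisplayName)" }
    }
    [pscustomobject]@{ DisplayName = $Spec.DisplayName; Action = 'created'; Id = $rule.Name }
}

$desiredRules | ForEach-Object { Set-SentinelRuleFromSpec -Spec $_ } | Format-Table
```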
In conclusion, if you're managing Azure Sentinel with code, PowerShell can be part of the Azure Sentinel CI/CD process. Although the module does not yet cover every command, the existing ones can help you with your maintenance.