wortell / azsentinel
PowerShell module for Azure Sentinel
License: MIT License
Hi, it would be convenient to have a -Force update flag in case a rule setting was changed. Current behavior asks for confirmation from the end user. However, this limits the automation of using this module in CI pipelines.
Same comment for the other type of settings (e.g. hunting queries), a Force flag would be useful
Although I very much appreciate the creation/deletion of rules in Sentinel, I'm also looking for ways to programmatically do the deployment of Sentinel. You have one such function, Set-AzSentinel, which is awesome. But I'm missing functions for:
I understand if this is not on the top of your list. These steps in most cases are not done that often. But I'm finding myself in a corner case where I need to deploy and completely rebuild entire resource groups for labs, including Sentinel, lots of times :)
Hi, Thanks for implementing this functionality.
I notice one issue though: when I specify -SubscriptionId, it does not seem to be taken into account correctly. The AlertRuleAction fails, but points to a different subscriptionId than specified with -SubscriptionId.
Unable to find LogicApp under Subscription Id:
This failure is not pointing to the Subscription Id I specified with -SubscriptionId
Enhancement / Question
Is there an ETA for setting Alert Aggregation using New-AZSentinelAlertRule or Import-AzSentinelAlertRule?
How can we set the following parameters for a Sentinel alert rule (type scheduled) using the AZSentinel module?
incidentConfiguration (i.e. CreateIncident = True)
queryResultsAggregationSettings
Update documentation and provide example code
I've used the command Get-AzSentinelAlertRule to export all alert rules to JSON.
Now I want to import these rules into another workspace and I experience the issue below.
An exported rule should be imported flawlessly
There is an error while creating a new AlertProp object, causing an empty body to be sent:
Exception setting "TriggerOperator": "Cannot convert value "" to type "TriggerOperator". Error: "The identifier name cannot be processed because it is either too similar or identical to the following enumerator names: GreaterThan, LessThan, Equal, NotEqual, gt, lt, eq, ne. Use a more specific identifier name.""
Add new, get, remove and import functions for hunting rules
We need a cmdlet to allow us to deploy query Parsers. At the moment we save these parsers under query explorer and we save it as a function. It will be ideal if we can automate the deployments.
Add support to automatically upload workbooks
feedback from: Edoardo Gerosa
It would be nice if the object(s) that returned from
New-AzOperationalInsightsWorkspace (speaking of long function names ;-) )
or
Get-AzOperationalInsightsWorkspace
could be used to provision Sentinel on it using Set-AzSentinel.
This bug tracker is monitored by contributors and the community.
Please use this form and describe your issue, concisely but precisely, with as much detail as possible.
Installed PS6 and the AzSentinel PowerShell module from the wortell GitHub. Set subscription id and workspace id.
Environment: prod
PowerShell version (if applicable): 6
Steps to reproduce
Expected behavior
the rules should be imported to sentinel workspace
I have used Set-AzSentinel to ensure I'm in the correct AzContext.
Actual behavior
Input:
```
PS C:\Users\XXXXX\Downloads\sentinel-attack\detections> Import-AzSentinelAlertRule -WorkspaceName "XXXXXXX" -SettingsFile "sentinel_attack_rules.json"
```
Result:
```
Import-AzSentinelAlertRule : Unable to connect to APi to get Analytic rules with message: The gateway did not receive a response from 'Microsoft.SecurityInsights' within the specified time period.
At line:1 char:1
+ Import-AzSentinelAlertRule -WorkspaceName "XXXXXXXX" -SettingsFile ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Import-AzSentinelAlertRule
```
I know this reeks of a permission issue, but I'm stumped.
When enabling Azure Sentinel, test to see if the required resource providers are installed. If not, try to activate the required resource providers.
After we create some AlertRules from Powershell using New-AzSentinelAlertRule
I would like to get all of them too without going to the portal.
And why not implementing Remove-AzSentinelAlertRule?
I think most of the code is already there.
An example of all functions combined:
Get-AzOperationalInsightsWorkspace | Get-AzSentinelAlertRule | Remove-AzSentinelAlertRule
This would clear out all alert rules from all workspaces! 😈
```
> $PSVersionTable
Name                      Value
----                      -----
PSVersion                 7.0.3
PSEdition                 Core
GitCommitId               7.0.3
OS                        Darwin 18.7.0 Darwin Kernel Version 18.7.0: Tue Aug 20 16:57:14 PDT 2019; root:xnu-4903.271.2~2/RELEASE_X86_64
Platform                  Unix
PSCompatibleVersions      {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion      1.1.0.1
WSManStackVersion         3.0
```
Attempt to disable a scheduled rule that is currently enabled.
Disable-AzSentinelAlertRule -Verbose -Debug -SubscriptionId XXX -WorkspaceName XXX -RuleName "(Preview) TI map Email entity to OfficeActivity"
The rule gets disabled.
The command produces errors when, I'm guessing, it tries to build the Scheduled Alert rule object:
```
<snip>
InvalidOperation: /x/powershell/Modules/AzSentinel/0.6.5/AzSentinel.psm1:644
Line |
 644 | $bodyAlertProp = [AlertProp]::new(
     | ~~~~~~~~~~~
     | Unable to find type [AlertProp].
MethodException: /x/powershell/Modules/AzSentinel/0.6.5/AzSentinel.psm1:648
Line |
 648 | $body = [AlertRule]::new(
     | ~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot find an overload for "new" and the argument count: "2".
<snip>
Disable-AzSentinelAlertRule: Response status code does not indicate success: 400 (Bad Request).
```
Trying to run a script:
Get-AzSentinelHuntingRule -SubscriptionId $Subscription -WorkspaceName $Workspace
But getting the error every time: Unable to get hunting rules with error code: Cannot validate argument on parameter "Property". The argument is null or empty.
If WorkspaceName is the only required parameter why is it showing this error?
I have tested the new parameters -createincident -groupingconfigurationenabled -entitiesmappingmethod .... under New-AzsentinelAlertRule.
They all work when creating a new rule; however, they don't appear to work when updating the rules. Example: after I created the rule and set -createincident to True, I then update it to False. This doesn't update the alert rule in Sentinel.
Remove-AzSentinelAlertRule not working
PowerShell 7.0, Az 3.8.0, Yaml 0.4.2
Get-AzSentinelHuntingRule -WorkspaceName <workspace name>
Based on the material, the expected behavior is to return the hunting rules configured
It is returning me the list of queries under query explorer
New-AzSentinelAlertRule at the moment only supports Scheduled rules; update New-AzSentinelAlertRule to include all the rule types available:
Currently it does not seem possible to use day notation in the timing fields.
As a result I have to use 24H, which Sentinel always converts to 1D. This is seen as a change whenever I synchronize rules.
Currently there is no way (or at least I cannot find how) to add "Automated Response" to an alerting rule.
It would be nice if we could also specify a logic app in the analytics settingsfiles.
Windows build number: Microsoft Windows [Version 10.0.18363.778]
PowerShell version (if applicable): PowerShell 7 x64
install-module -Name AzSentinel
Connect-AzAccount
Set-AzContext -Subscription -Tenant
get-AzSentinelAlertRule -WorkspaceName ""
Would expect the playbookName field to be populated for rules that have playbooks assigned.
```
playbookName :
InvalidOperation: C:\Users\<username>\Documents\PowerShell\Modules\AzSentinel\0.6.4\AzSentinel.psm1:506
Line |
 506 | … $playbookName = ($playbook.properties.logicAppResourceId) …
     | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | You cannot call a method on a null-valued expression.
```
Very impressed so far and having great success with Import-AzSentinelAlertRule (JSON) except for
"severity": "Informational"
which imports without error but has a "High" severity on the portal that needs a manual change.
```
$PSVersionTable
Name                      Value
----                      -----
PSVersion                 7.0.0-rc.2
PSEdition                 Core
GitCommitId               7.0.0-rc.2
OS                        Microsoft Windows 10.0.18363
Platform                  Win32NT
PSCompatibleVersions      {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion      1.1.0.1
WSManStackVersion         3.0

Get-Module AzSentinel
ModuleType Version PreRelease Name       ExportedCommands
---------- ------- ---------- ----       ----------------
Script     0.6.1              AzSentinel {Get-AzSentinelAlertRule, Get-AzSentinelHuntingRule, Get-AzSentinelIncident, Import-AzSentinelAlertRule…}
```
```powershell
$rule = Get-AzSentinelAlertRule -RuleName $ruleName
New-AzSentinelAlertRule -Severity $rule.severity -Query $rule.query -QueryFrequency $rule.queryFrequency -QueryPeriod $rule.queryPeriod -TriggerOperator $rule.triggerOperator -TriggerThreshold $rule.triggerThreshold -SuppressionDuration $rule.suppressionDuration -SuppressionEnabled $rule.suppressionEnabled -DisplayName "Chris2" -Enabled $rule.enabled -Description "just copying stuff" -Tactics $rule.tactics
```
Expect to have a similar rule created in Sentinel
New-AzSentinelAlertRule: Unable to invoke webrequest with error message: The string 'PTPT5M' is not a valid TimeSpan value. ISO 8601 format is expected. Path 'Properties.QueryFrequency'
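An added example (not code from the AzSentinel module or from the reporter) that covers both the "PTPT5M" failure above and the earlier 24H-versus-1D synchronisation drift: it converts between the short duration form used in the settings files ("5M", "24H", "1D") and the ISO 8601 form the API returns ("PT5M", "P1D"). It assumes, based on the error message, that New-AzSentinelAlertRule prefixes "PT" itself and therefore wants the short form; $WorkspaceName and $RuleName are placeholders.

```powershell
# Added example, not part of the AzSentinel module. Converts between the short
# settings-file duration form ("5M", "24H", "1D") and ISO 8601 ("PT5M", "P1D").
# Assumption (from the "PTPT5M" error): New-AzSentinelAlertRule adds the "PT"
# prefix itself, so values read back via Get-AzSentinelAlertRule are handed to
# it in short form; 24H is always emitted as 1D so a later sync sees no change.
function Convert-SentinelDuration {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Value,
        [switch]$AsShort   # emit "5M"/"24H"/"1D" instead of ISO 8601
    )
    $v = $Value.Trim().ToUpperInvariant()
    if ($v.StartsWith('P')) {
        # Strict ISO 8601 parser; rejects malformed input such as "PTPT5M".
        $ts = [System.Xml.XmlConvert]::ToTimeSpan($v)
    }
    elseif ($v -match '^(?<n>\d+)(?<u>[MHD])$') {
        $n = [int]$Matches.n
        $ts = switch ($Matches.u) {
            'M' { [TimeSpan]::FromMinutes($n) }
            'H' { [TimeSpan]::FromHours($n) }
            'D' { [TimeSpan]::FromDays($n) }
        }
    }
    else {
        throw "Unsupported duration '$Value'; expected e.g. 5M, 24H, 1D, PT5M or P1D"
    }
    if ($ts -le [TimeSpan]::Zero) { throw "Duration '$Value' must be positive" }
    $wholeDays  = $ts.TotalDays  -eq [math]::Floor($ts.TotalDays)
    $wholeHours = $ts.TotalHours -eq [math]::Floor($ts.TotalHours)
    if ($AsShort) {
        if ($wholeDays)  { return "$([int]$ts.TotalDays)D" }    # PT24H -> 1D
        if ($wholeHours) { return "$([int]$ts.TotalHours)H" }
        return "$([int][math]::Ceiling($ts.TotalMinutes))M"
    }
    if ($wholeDays) { return "P$([int]$ts.TotalDays)D" }       # 24H -> P1D
    $out = 'P'
    if ($ts.Days -gt 0) { $out += "$($ts.Days)D" }
    $out += 'T'
    if ($ts.Hours   -gt 0) { $out += "$($ts.Hours)H" }
    if ($ts.Minutes -gt 0) { $out += "$($ts.Minutes)M" }
    if ($ts.Seconds -gt 0) { $out += "$($ts.Seconds)S" }
    return $out
}

# Copying a rule as in the report above, converting the durations first.
$rule = Get-AzSentinelAlertRule -WorkspaceName $WorkspaceName -RuleName $RuleName
New-AzSentinelAlertRule -DisplayName "$($rule.displayName) (copy)" -Severity $rule.severity `
    -Query $rule.query -TriggerOperator $rule.triggerOperator -TriggerThreshold $rule.triggerThreshold `
    -QueryFrequency (Convert-SentinelDuration $rule.queryFrequency -AsShort) `
    -QueryPeriod (Convert-SentinelDuration $rule.queryPeriod -AsShort) `
    -SuppressionDuration (Convert-SentinelDuration $rule.suppressionDuration -AsShort) `
    -SuppressionEnabled $rule.suppressionEnabled -Enabled $rule.enabled `
    -Description "copied by script" -Tactics $rule.tactics
```

Run the converter over an exported rules file before importing it and the round trip stays stable: "PT5M" becomes "5M", "24H" and "PT24H" both become "1D".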
It would be really handy to be able to retrieve all the incidents that took place in a timeframe, and be able to pass through a date/time range.
The import-alertrules and import-huntingrules functions stop when one of the rules triggers an error; update the functions to continue when an error is triggered.
feedback from Edoardo Gerosa
We created an SP with Contributor rights and Azure Sentinel Contributor rights.
When we use the SP to create alert rules of type Fusion or MicrosoftSecurityIncidentCreation or MLBehaviorAnalytics we get the following error:
Unable to invoke webrequest with error message: The client '' with object id '' does not have authorization to perform action 'Microsoft.SecurityInsights/alertRules/write' over scope '/subscriptions//resourceGroups//providers/Microsoft.OperationalInsights/workspaces//providers/Microsoft.SecurityInsights/alertRules/*************' or the scope is invalid. If access was recently granted, please refresh your credentials.
##[error]PowerShell exited with code '1'.
Does the SP need some additional roles, or?
Rename "New-AzAnalytic" to "New-AlertRule" to better align with Azure Sentinel naming.
Not sure if this is an error with this code or with the way the default queries are written in the Azure Sentinel GitHub repository.
I tried to use Import-AzureSentinelAlertRule going against the exchange_auditlogdisabled.yaml rule stored in the Detections/OfficeActivity folder in the Azure Sentinel GitHub repository (copied locally of course) and received the following error:
```
Import-AzSentinelAlertRule : Unable to initiate class with error: Exception setting "TriggerOperator": "Cannot convert value "gt" to type "TriggerOperator". Error: "Unable to match the identifier name gt to a valid enumerator name. Specify one of the following enumerator names and try again:
GreaterThan, FewerThan, EqualTo, NotEqualTo""
At line:1 char:1
ConvertFrom-Json : Conversion from JSON failed with error: Unexpected character encountered while parsing value: R. Path '', line 0, position 0.
At C:\Users\garyb\OneDrive\Documents\PowerShell\Modules\AzSentinel\0.6.1\AzSentinel.psm1:790 char:52
```
Even after fixing that issue I then get another issue with the way the Timespan is stored.
The example to show all the rules:
Get-AzSentinelAlertRule -WorkspaceName "" -RuleName "",""
Throws an error stating there needs to be a value for WorkspaceName. Even with filling in the WorkspaceName, an error is thrown stating that RuleName cannot be null, empty, or has an element of the argument collection that is null
Minimize the number of parameters; automatically resolve the workspace RG and subscription id.
Example:
Get-LogAnalyticWorkspace -WorkspaceName "PKM02"
Add get function for incidents
Hi,
I tried to import the YAML files from the Sentinel GitHub using the Import-AzSentinel command; however, this failed without any error messages.
https://github.com/Azure/Azure-Sentinel/tree/master/Detections - ideally I wanted to deploy quite a few of these alert rules via YML files.
Some ideas for code optimization and cleanup:
Enhancement
Is there an ETA for enabling Sentinel Connectors using PowerShell?
Active Directory Connectors
ATP Connectors
Office 365
New function which can be used to update existing incidents; list of properties:
Please let me know which other properties need to be covered
First of all, thanks so much for this module as it is extremely useful.
Any idea when the new release is coming out?
Also, when I use the Import-AzSentinelAlertRule to import one of the Template rules, the templates are not flagged as IN USE as they would if you created a new rule based on the template directly from the Azure portal.
Thanks
Felipe
Remove-AzSentinelAlertRule
I was thinking I could do the following Example, but instead I received errors, Maybe I am using it wrong.
I did see RuleName accepts pipeline input in the helpfiles and it says (ByValue).
Perhaps I am doing this wrong, I just expected it work like in my example.
I have seen a similar way of working in other modules.
Confirm works perfect, great choice of options.
I do think it always should prompt for deletion and -Force will override this behaviour.
Originally posted by @MauRiEEZZZ in #9 (comment)
I tried to rename an alert by specifying "name" (the alert id) and displayName: the alert name. But I get an error when I change displayName to something else (Add-Member : Cannot add a member with the name "DisplayName" because a member with that name already exists. To overwrite the member anyway, add the Force parameter to your command.)
It then proceeds, but just creates a new instance of the new alert. The wanted behavior would be: rename the alert.
Please upload this module to PowerShell Gallery, then this can be trivially used in Azure Functions.
It appears when running Get-AzSentinelIncident, it only returns the last 200 results, whether they are open or closed. We were not able to find a limit in the AzSentinel.psm1 code for the function.
It would be nice to increase or set a time frame in the script and increase results past 200 returned cases.
To get a list with all open incidents.
To get all Incidents from Sentinel
```
ConvertFrom-Json: C:\Users\A002633\Documents\PowerShell\Modules\AzSentinel\0.6.2\AzSentinel.psm1:810
Line |
 810 | ($incident.Content | ConvertFrom-Json).value | ForEac …
     | ~~~~~~~~~~~~~~~~
     | Cannot bind argument to parameter 'InputObject' because it is null.
```
When adding multiple alert rules it would be nice to use multiple files in one line.
I think it is good practice to have alert rules together in one file about one subject.
The naming of the file describes the subject of the alert rules defined in the file.
One customer could need fewer or more subjects, and so alert rules.
To implement a certain number of rules you could filter using Where-Object or a wildcard with Get-ChildItem.
You could pass the result to New-AzAnalytic.
Example:
```powershell
gci mdm-*.json | new-analytic -subscription -resourcegroup -workspace
```
I think a useful feature would be a cmdlet to enable rule templates; this feature would be useful if someone is required to enable them across multiple Sentinel workspaces.
New-AzSentinelAlertRule throws the error that the playbook property is missing if no playbook is configured for a new rule; for an existing rule there is no error.
I want to use this commandlet to import a couple of hundred rules from one workspace to another.
A second optimisation is to not fetch the alertruleaction (playbookname) for that rule if we simply want to know if the rule exists or not.
I see that in a later phase, that fetched playbookname of that alertruleaction is used to verify if a rule has changed playbookname. It might be useful to provide a flag 'UpdatePlaybooks' to either enable or disable this feature as we use separate AlertAction files to enable a certain playbook for a certain customer, meaning that we do not care about playbooks while importing a set of new rules.
```powershell
foreach ($item in $analytics) {
    try {
        # One extra API call per rule just to learn whether it exists.
        $content = Get-AzSentinelAlertRule @arguments -RuleName $($item.displayName) -ErrorAction SilentlyContinue
        if ($content) {
            Write-Output "Rule $($item.displayName) exists in Azure Sentinel"
            # ...
        }
        else {
            Write-Verbose -Message "Rule $($item.displayName) doesn't exist in Azure Sentinel"
            # ...
        }
    }
    catch {
        # ...
    }
}
```
Hi,
This behavior is hard to describe but it seems that logic apps that get configured via powershell do not get triggered correctly.
I am not sure whether this is a consequence of configuring a playbook over the API (and if the problem is on Microsoft's side) or whether this is an issue of the PS module.