Updating an Incident using REST calls in PowerShell

Introduction
I was recently asked how an Azure Sentinel Playbook could update the owner of an Incident automatically. Well, there are two issues with that: only Scheduled rules can trigger Playbooks (at least right now; hint, hint Microsoft!). You can, however, run the Playbook from the Incident's Full Details page using the Alert tab. The […]
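The operation the question above asks about, setting an Incident's owner, can also be done directly against the Azure Sentinel REST API from PowerShell. The following is an added example written for this page, not code from the original post. It assumes PowerShell 7 with the Az.Accounts and Az.Resources modules and an existing Connect-AzAccount session; the subscription, resource group, workspace, incident ID and user principal name are placeholders, and the api-version is assumed to be 2020-01-01 for the Microsoft.SecurityInsights provider.

```powershell
# Added example (not from the original post): assign an Azure Sentinel Incident
# to a user with a GET, modify, PUT cycle against the SecurityInsights REST API.

# --- placeholders: replace with your own values ---------------------------
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # assumed
$resourceGroup  = "rg-sentinel"                             # assumed
$workspace      = "law-sentinel"                            # assumed
$incidentId     = "11111111-1111-1111-1111-111111111111"   # assumed incident GUID
$ownerUpn       = "analyst@contoso.com"                     # assumed Azure AD UPN
$apiVersion     = "2020-01-01"                              # assumed API version

# --- bearer token for ARM from the current Az session ---------------------
# Requires Connect-AzAccount to have been run already.
$token = (Get-AzAccessToken -ResourceUrl "https://management.azure.com").Token
# Newer Az.Accounts releases return the token as a SecureString.
if ($token -is [System.Security.SecureString]) {
    $token = ConvertFrom-SecureString -SecureString $token -AsPlainText
}
$headers = @{ Authorization = "Bearer $token" }

$base = "https://management.azure.com/subscriptions/$subscriptionId" +
        "/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$workspace" +
        "/providers/Microsoft.SecurityInsights"
$uri  = "$base/incidents/$incidentId" + "?api-version=$apiVersion"

# --- 1. read the current incident (we need its etag and existing fields) --
$incident = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers

# --- 2. resolve the new owner to an Azure AD object ID --------------------
$user = Get-AzADUser -UserPrincipalName $ownerUpn
if (-not $user) { throw "User $ownerUpn not found in Azure AD" }

$incident.properties.owner = @{
    objectId          = $user.Id
    userPrincipalName = $user.UserPrincipalName
    assignedTo        = $user.DisplayName
}

# --- 3. write it back; the etag makes this a conditional update ------------
# If someone else changed the incident in between, the PUT is rejected
# rather than silently overwriting their change.
$body = @{
    etag       = $incident.etag
    properties = $incident.properties
} | ConvertTo-Json -Depth 10

$updated = Invoke-RestMethod -Method Put -Uri $uri -Headers $headers `
                             -ContentType "application/json" -Body $body

"Incident {0} now owned by {1}" -f $updated.properties.incidentNumber,
                                   $updated.properties.owner.userPrincipalName
```

The PUT replaces the incident's properties, so the example carries the whole `properties` object fetched in step 1 rather than sending only `owner`; sending a partial body would risk clearing fields such as title, severity or status. Sending the `etag` back is what prevents a lost update if two people edit the same incident at once.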

Adding the MCAS Alert URL to a Sentinel Incident using PowerShell

Introduction
Microsoft is making great strides in making Azure Sentinel one of the best SIEM products out there. One way they do this is to allow other Azure security products to forward their alerts into Azure Sentinel to make a one-stop-shop kind of experience. While this is great, one feature that, IMHO, is lacking is […]

Working with Analytics rules Part 4 – Create Microsoft Security Rule

Introduction
In this last post of the series, we will look at creating a Microsoft Security Analytics rule. These are the ones that will raise an alert that has been generated from a different Azure security product. As of right now, those products are: Azure Active Directory Identity Protection, Microsoft Defender Advanced Threat Protection, Azure […]

Working with Analytics rules Part 3 – Create Fusion / ML Rule

Introduction
In the previous posts I spoke about the Azure Sentinel Analytics rule templates. You may be wondering why I did that. The reason is that in this post I will be discussing creating new Fusion and ML rules, and in order to do that you need to have a rule template's ID. You will […]

Working with Analytics rules Part 2 – The rules

Introduction
So far in this series, we have looked at the Rule templates. Now we will look at the Analytics rules that we are currently using.
Listing all the Analytic Rules
Much like looking at the Analytic rule templates, we can make a REST call to look at all the rules we are using. The […]
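The REST call that lists a workspace's Analytics rules, as an added example for this page rather than code from the original series. It assumes PowerShell 7 with the Az.Accounts module and an existing Connect-AzAccount session; the subscription, resource group and workspace names are placeholders, and the api-version is assumed to be 2020-01-01 for the Microsoft.SecurityInsights provider. Unlike a single GET, it follows `nextLink` so that workspaces with more rules than fit in one page are listed completely.

```powershell
# Added example (not from the original post): enumerate every Analytics rule
# in an Azure Sentinel workspace through the alertRules REST endpoint.

# --- placeholders: replace with your own values ---------------------------
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # assumed
$resourceGroup  = "rg-sentinel"                             # assumed
$workspace      = "law-sentinel"                            # assumed
$apiVersion     = "2020-01-01"                              # assumed API version

# --- bearer token for ARM from the current Az session ---------------------
$token = (Get-AzAccessToken -ResourceUrl "https://management.azure.com").Token
if ($token -is [System.Security.SecureString]) {           # newer Az.Accounts
    $token = ConvertFrom-SecureString -SecureString $token -AsPlainText
}
$headers = @{ Authorization = "Bearer $token" }

$base = "https://management.azure.com/subscriptions/$subscriptionId" +
        "/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$workspace" +
        "/providers/Microsoft.SecurityInsights"

# --- page through the collection ------------------------------------------
# ARM list operations return a "value" array and, when more results remain,
# a "nextLink" URL that already carries the api-version and continuation token.
$uri   = "$base/alertRules?api-version=$apiVersion"
$rules = @()
do {
    $page   = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $rules += $page.value
    $uri    = $page.nextLink
} while ($uri)

# --- summarise: rule kind tells you which post in the series applies ------
# Scheduled, Fusion, MLBehaviorAnalytics, MicrosoftSecurityIncidentCreation
$rules |
    Select-Object @{ n = 'Kind';    e = { $_.kind } },
                  @{ n = 'Name';    e = { $_.properties.displayName } },
                  @{ n = 'Enabled'; e = { $_.properties.enabled } },
                  @{ n = 'RuleId';  e = { $_.name } } |
    Sort-Object Kind, Name |
    Format-Table -AutoSize

# Disabled rules are a common audit finding; list them separately.
$rules | Where-Object { -not $_.properties.enabled } |
    ForEach-Object { "DISABLED: {0} ({1})" -f $_.properties.displayName, $_.kind }
```

The `name` field of each rule is the GUID used in the per-rule URL (`.../alertRules/{ruleId}`), which is the identifier later posts need when updating or deleting a rule; `kind` is the discriminator that decides which `properties` schema the rule has.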

Introduction to Azure Sentinel REST APIs

Microsoft has stated that they will be releasing the official version of the Azure Sentinel APIs "soon". While they may not be official, the APIs are published on GitHub and, as far as I can tell, seem to be working perfectly well. This post will introduce you to the APIs and how to use them using PowerShell. Why […]