Introduction
We are going to take a short break in our exploration of Azure Sentinel REST calls to talk about PowerShell Objects. In all the previous examples, we converted the output of the REST call to JSON. While it is easy to read JSON, and that is the main reason I usually convert to JSON when working with new calls, it is a lot easier to manipulate PowerShell objects.
Obtaining a PowerShell object
Using all the same variables as in Working with Analytics rules Part 1 – Templates, we are going to slightly change the call we use to obtain the results. Run the following code to get the results returned as PowerShell objects:
Invoke-RestMethod -Method "Get" -Uri $url2 -Headers $authHeader ).value
This will return a listing of values where each one will look like:
id :
/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-sentinel-beta/providers/Microsoft.OperationalInsights/workspaces/la-sentinel-beta/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15
7c0cfc-d76d-463b-8755-c781608cdc1a
name : 157c0cfc-d76d-463b-8755-c781608cdc1a
type : Microsoft.SecurityInsights/AlertRuleTemplates
kind : Scheduled
properties : @{severity=Medium; query=let PrivateIPregex = @'^127\.|^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-1]\.|^192\.168\.';
let endtime = 1d;
CommonSecurityLog
| where TimeGenerated >= ago(endtime)
| where DeviceVendor =~ "Cisco"
| where DeviceAction =~ "denied"
| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,"private" ,"public" )
| where SourceIPType == "public"
| summarize count() by SourceIP
| join (
// Successful signins from IPs blocked by the firewall solution are suspect
// Include fully successful sign-ins, but also ones that failed only at MFA stage
// as that supposes the password was sucessfully guessed.
SigninLogs
| where ResultType in ("0", "50574", "50576")
) on $left.SourceIP == $right.IPAddress
| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName; queryFrequency=P1D; queryPeriod=P1D; triggerOperator=GreaterThan; triggerThreshold=0; displayName=Cisco -
firewall block but success logon to Azure AD; description=Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins.
Because the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect and could indicate credential compromise for the user account.; tactics=System.Object[];
createdDateUTC=7/8/2019 12:00:00 AM; status=Available;
requiredDataConnectors=System.Object[];
alertRulesCreatedByTemplateCount=0}
Notice that we surrounded the call with parenthesis, ( ), and took the value of the call. This is because the call actually returned a single value field which is just a long string so by taking the value of the call we get the object returned instead.
Now that you know how the call works, save it to a variable so that it can be manipulated by calling:
$results = (Invoke-RestMethod -Method "Get" -Uri $url2 -Headers $authHeader ).value
Now you can do things like:
$results.kind
to get the kind field returned for every object in $results or
$results[0].properties
to get the properties field returned for the first object in $results. You can also do
$results.count
to return the count of all the object in $results which, in this case, means the number of rule templates available.
Conclusion
While working with JSON may be easier to view and get an idea of what kind of information is being returned. I find it easier to work with PowerShell objects to obtain the actual information. This post explained how to do that.