wortell / Azsentinel
Licence: mit
PowerShell module for Azure Sentinel
Stars: ✭ 140
Programming Languages
powershell
5483 projects
Projects that are alternatives of or similar to Azsentinel
Cloud Security Remediation Guides
Security Remediation Guides
Stars: ✭ 121 (-13.57%)
Mutual labels: azure
Hybrid multicloud overlay
MutiCloud_Overlay demonstrates a use case of overlay over one or more clouds such as AWS, Azure, GCP, OCI, Alibaba and a vSphere private infrastructure in Hub and spoke topology, point to point topology and in a Single cloud. Overlay protocols IPv6 and IPv4 are independent of underlying infrastructure. This solution can be integrated with encryption and additional security features.
Stars: ✭ 127 (-9.29%)
Mutual labels: azure
Azure Az 900 Study Guide
Study Guide for the Microsoft Azure Fundamentals Exam
Stars: ✭ 134 (-4.29%)
Mutual labels: azure
Purplecloud
An Infrastructure as Code (IaC) deployment of a small Active Directory pentest lab in the cloud. The deployment simulates a semi-realistic corporate enterprise Active Directory with a DC and endpoints. Purple team goals include blue team detection capabilities and R&D for detection engineering new approaches.
Stars: ✭ 122 (-12.86%)
Mutual labels: azure
Angular Application Insights
Angular & Azure Application Insights module - Find out performance and usage of your app by connecting Microsoft Azure Application insights with your Angular application by @TrilonIO
Stars: ✭ 125 (-10.71%)
Mutual labels: azure
Vscode Deploy Reloaded
Recoded version of Visual Studio Code extension 'vs-deploy', which provides commands to deploy files to one or more destinations.
Stars: ✭ 129 (-7.86%)
Mutual labels: azure
Blobxfer
Azure Storage transfer tool and data movement library
Stars: ✭ 120 (-14.29%)
Mutual labels: azure
Learn Devops
🚧 Learn the craft of "DevOps" (Developer Operations) to Deploy your App and Monitor it so it stays "Up"!
Stars: ✭ 139 (-0.71%)
Mutual labels: azure
Applicationinsights Dotnet Server
Microsoft Application Insights for .NET Web Applications
Stars: ✭ 130 (-7.14%)
Mutual labels: azure
Vc Storefront
VirtoCommerce Storefront for ASP.NET Core 3.1 repository
Stars: ✭ 122 (-12.86%)
Mutual labels: azure
Azure Event Hubs For Kafka
Azure Event Hubs for Apache Kafka Ecosystems
Stars: ✭ 124 (-11.43%)
Mutual labels: azure
Spark
.NET for Apache® Spark™ makes Apache Spark™ easily accessible to .NET developers.
Stars: ✭ 1,721 (+1129.29%)
Mutual labels: azure
Slimmessagebus
Lightweight message bus interface for .NET (pub/sub and request-response) with transport plugins for popular message brokers.
Stars: ✭ 120 (-14.29%)
Mutual labels: azure
Saga Orchestration Serverless
An orchestration-based saga implementation reference in a serverless architecture
Stars: ✭ 136 (-2.86%)
Mutual labels: azure
Slidehub
SlideHub is an Open Source Slide Sharing Application for Azure / AWS
Stars: ✭ 120 (-14.29%)
Mutual labels: azure
Azuredatalake
Samples and Docs for Azure Data Lake Store and Analytics
Stars: ✭ 128 (-8.57%)
Mutual labels: azure
Bucc
The fastest way to get a BUCC (BOSH, UAA Credhub and Concourse)
Stars: ✭ 130 (-7.14%)
Mutual labels: azure
Azure Sentinel
| branch | status |
|---|---|
| master |  |
| development |  |
Azure Sentinel is a cloud-native SIEM that provides intelligent security analytics for your entire enterprise at cloud scale. Get limitless cloud speed and scale to help focus on what really matters. Easily collect data from all your cloud or on-premises assets, Office 365, Azure resources, and other clouds. Effectively detect threats with built-in machine learning from Microsoft’s security analytics experts. Automate threat response, using built-in orchestration and automation playbooks. read more
Why this PowerShell Module
At the moment there is no documented API, ARM or PowerShell module to configure Azure Sentinel. After doing some research we were able to find the API's that are currently being used by the Azure Portal and based on that we've written a PowerShell module to manage Azure Sentinel through PowerShell.
Getting Started
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.
Prerequisites
- PowerShell Core
- Powershell AZ Module - tested with version 2.4.0
- PowerShell powershell-yaml Module - tested with version 0.4.0
Installing
You can install the latest version of AzSentinel module from PowerShell Gallery
Install-Module AzSentinel -Scope CurrentUser -Force
Usage
Parameters
See docs folder for documentation regarding the Functions and the available parameters
JSON format
To create a Azure Sentinel Rule, use the following JSON format.
Root schema
{
"Scheduled": [
...
],
"Fusion": [
...
],
"MLBehaviorAnalytics": [
...
],
"MicrosoftSecurityIncidentCreation": [
...
]
}
Scheduled rule
{
"displayName": "string",
"description": "string",
"AlertRuleTemplateName": "string",
"severity": "High",
"enabled": true,
"query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
"queryFrequency": "5H",
"queryPeriod": "5H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 5,
"suppressionDuration": "6H",
"suppressionEnabled": false,
"tactics": [
"Persistence",
"LateralMovement",
"Collection"
],
"playbookName": "string",
"aggregationKind": "string",
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"GroupingConfigurationEnabled": true,
"reopenClosedIncident": true,
"lookbackDuration": "PT6H",
"entitiesMatchingMethod": "string",
"groupByEntities": [
"Account",
"Ip",
"Host",
"Url",
"FileHash"
]
}
}
}
Scheduled property values
The following tables describe the values you need to set in the schema.
| Name | Type | Required | Allowed Values | Example |
|---|---|---|---|---|
| displayName | string | true | * | DisplayName |
| description | string | true | * | Description |
| severity | string | true | Medium, High, Low, Informational | Medium |
| enabled | bool | true | true, false | true |
| query | string | true | special character need to be escaped by \ | SecurityEvent | where EventID == "4688" | where CommandLine contains \"-noni -ep bypass $\" |
| queryFrequency | string | true | Value must be between 5 minutes and 24 hours | 30M |
| queryPeriod | string | true | Value must be between 5 minutes and 14 days | 6H |
| triggerOperator | string | true | GreaterThan, FewerThan, EqualTo, NotEqualTo | GreaterThan |
| triggerThreshold | int | true | The value must be between 0 and 10000 | 5 |
| suppressionDuration | string | true | Value must be greater than 5 minutes | 1D |
| suppressionEnabled | bool | true | true, false | true |
| tactics | array | true | InitialAccess, Persistence,Execution,PrivilegeEscalation,DefenseEvasion,CredentialAccess,LateralMovement,Discovery,Collection,Exfiltration,CommandAndControl,Impact | true |
| playbookName | string | false | Enter the Logic App name or Resource ID | LogicApp01 / /subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUPNAME/providers/Microsoft.Logic/workflows/playbook02 |
| aggregationKind | string | false | SingleAlert, AlertPerRow | SingleAlert |
| createIncident | bool | false | true, false | true |
| GroupingConfigurationEnabled | bool | false | true, false | true |
| reopenClosedIncident | bool | false | true, false | true |
| lookbackDuration | string | false | Value must be between 5 minutes and 24 hours. | PT6H |
| entitiesMatchingMethod | string | false | All, None, Custom | All |
| groupByEntities | string | false | Account, Ip, Host, Url, FileHash | Account |
| AlertRuleTemplateName | string | false | Name of the alert rule template | 826bb2f8-7894-4785-9a6b-a8a855d8366f |
Fusion rule
{
"displayName": "Advanced Multistage Attack Detection",
"enabled": true,
"alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8"
}
Scheduled property values
The following tables describe the values you need to set in the schema.
| Name | Type | Required | Allowed Values | Example |
|---|---|---|---|---|
| displayName | string | true | Advanced Multistage Attack Detection | |
| enabled | bool | true | true | |
| alertRuleTemplateName | string | true | f71aba3d-28fb-450b-b192-4e76a83015c8 | |
MLBehaviorAnalytics rules
{
"displayName": "(Preview) Anomalous SSH Login Detection",
"enabled": true,
"alertRuleTemplateName": "fa118b98-de46-4e94-87f9-8e6d5060b60b"
}
Scheduled property values
The following tables describe the values you need to set in the schema.
| Name | Type | Required | Allowed Values | Example |
|---|---|---|---|---|
| displayName | string | true | Advanced Multistage Attack Detection | |
| enabled | bool | true | true | |
| alertRuleTemplateName | string | true | f71aba3d-28fb-450b-b192-4e76a83015c8 | |
MicrosoftSecurityIncidentCreation rules
{
"displayName": "Create incidents based on Azure Active Directory Identity Protection alerts",
"description": "Create incidents based on all alerts generated in Azure Active Directory Identity Protection",
"enabled": true,
"productFilter": "Microsoft Cloud App Security",
"severitiesFilter": [
"High",
"Medium",
"Low"
],
"displayNamesFilter": null
}
Scheduled property values
The following tables describe the values you need to set in the schema.
| Name | Type | Required | Allowed Values | Example |
|---|---|---|---|---|
| displayName | string | true | Create incidents based on Azure Active Directory Identity Protection alerts | |
| enabled | bool | true | true | |
| description | string | true | Create incidents based on all alerts generated in Azure Active Directory Identity Protection | |
| productFilter | string | true | Microsoft Cloud App Security | |
| severitiesFilter | string | true | High, Medium, Low | High |
| displayNamesFilter | string | false | ||
Find us
Contributing
Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.
Contributors
- A big thank you goes out to all the contributors for their contributions!
Authors
Versioning
We use SemVer for versioning. For the versions available, see the tags on this repository.
License
This project is licensed under the MIT License - see the LICENSE file for details
Acknowledgments
- Hat tip to anyone whose code was used!
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].