GithubHelp home page GithubHelp logo

kentuckymike / wortel-azsentinel Goto Github PK

View Code? Open in Web Editor NEW

This project forked from wortell/azsentinel

0.0 0.0 0.0 398 KB

PowerShell module for Azure Sentinel

License: MIT License

PowerShell 100.00%

wortel-azsentinel's Introduction

Azure Sentinel

branch status
master
development

Azure Sentinel is a cloud-native SIEM that provides intelligent security analytics for your entire enterprise at cloud scale. Get limitless cloud speed and scale to help focus on what really matters. Easily collect data from all your cloud or on-premises assets, Office 365, Azure resources, and other clouds. Effectively detect threats with built-in machine learning from Microsoft’s security analytics experts. Automate threat response, using built-in orchestration and automation playbooks. read more

Why this PowerShell Module

At the moment there is no documented API, ARM or PowerShell module to configure Azure Sentinel. After doing some research we were able to find the API's that are currently being used by the Azure Portal and based on that we've written a PowerShell module to manage Azure Sentinel through PowerShell.

Getting Started

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.

Prerequisites

Installing

You can install the latest version of AzSentinel module from PowerShell Gallery

Install-Module AzSentinel -Scope CurrentUser -Force

Usage

Parameters

See docs folder for documentation regarding the Functions and the available parameters

JSON format

To create a Azure Sentinel Rule, use the following JSON format.

Root schema

{
  "Scheduled": [
    ...
  ],
  "Fusion": [
    ...
  ],
  "MLBehaviorAnalytics": [
    ...
  ],
  "MicrosoftSecurityIncidentCreation": [
    ...
  ]
}

Scheduled rule

  {
    "displayName": "string",
    "description": "string",
    "AlertRuleTemplateName": "string",
    "severity": "High",
    "enabled": true,
    "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
    "queryFrequency": "5H",
    "queryPeriod": "5H",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 5,
    "suppressionDuration": "6H",
    "suppressionEnabled": false,
    "tactics": [
      "Persistence",
      "LateralMovement",
      "Collection"
    ],
    "playbookName": "string",
    "aggregationKind": "string",
    "incidentConfiguration": {
      "createIncident": true,
      "groupingConfiguration": {
        "GroupingConfigurationEnabled": true,
        "reopenClosedIncident": true,
        "lookbackDuration": "PT6H",
        "entitiesMatchingMethod": "string",
        "groupByEntities": [
          "Account",
          "Ip",
          "Host",
          "Url",
          "FileHash"
        ]
      }
    }
  }

Scheduled property values

The following tables describe the values you need to set in the schema.

Name Type Required Allowed Values Example
displayName string true * DisplayName
description string true * Description
severity string true Medium, High, Low, Informational Medium
enabled bool true true, false true
query string true special character need to be escaped by \ SecurityEvent | where EventID == "4688" | where CommandLine contains \"-noni -ep bypass $\"
queryFrequency string true Value must be between 5 minutes and 24 hours 30M
queryPeriod string true Value must be between 5 minutes and 14 days 6H
triggerOperator string true GreaterThan, FewerThan, EqualTo, NotEqualTo GreaterThan
triggerThreshold int true The value must be between 0 and 10000 5
suppressionDuration string true Value must be greater than 5 minutes 1D
suppressionEnabled bool true true, false true
tactics array true InitialAccess, Persistence,Execution,PrivilegeEscalation,DefenseEvasion,CredentialAccess,LateralMovement,Discovery,Collection,Exfiltration,CommandAndControl,Impact true
playbookName string false Enter the Logic App name or Resource ID LogicApp01 / /subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUPNAME/providers/Microsoft.Logic/workflows/playbook02
aggregationKind string false SingleAlert, AlertPerRow SingleAlert
createIncident bool false true, false true
GroupingConfigurationEnabled bool false true, false true
reopenClosedIncident bool false true, false true
lookbackDuration string false Value must be between 5 minutes and 24 hours. PT6H
entitiesMatchingMethod string false All, None, Custom All
groupByEntities string false Account, Ip, Host, Url, FileHash Account
AlertRuleTemplateName string false Name of the alert rule template 826bb2f8-7894-4785-9a6b-a8a855d8366f

Fusion rule

  {
    "displayName": "Advanced Multistage Attack Detection",
    "enabled": true,
    "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8"
  }

Scheduled property values

The following tables describe the values you need to set in the schema.

Name Type Required Allowed Values Example
displayName string true Advanced Multistage Attack Detection
enabled bool true true
alertRuleTemplateName string true f71aba3d-28fb-450b-b192-4e76a83015c8

MLBehaviorAnalytics rules

  {
    "displayName": "(Preview) Anomalous SSH Login Detection",
    "enabled": true,
    "alertRuleTemplateName": "fa118b98-de46-4e94-87f9-8e6d5060b60b"
  }

Scheduled property values

The following tables describe the values you need to set in the schema.

Name Type Required Allowed Values Example
displayName string true Advanced Multistage Attack Detection
enabled bool true true
alertRuleTemplateName string true f71aba3d-28fb-450b-b192-4e76a83015c8

MicrosoftSecurityIncidentCreation rules

  {
    "displayName": "Create incidents based on Azure Active Directory Identity Protection alerts",
    "description": "Create incidents based on all alerts generated in Azure Active Directory Identity Protection",
    "enabled": true,
    "productFilter": "Microsoft Cloud App Security",
    "severitiesFilter": [
      "High",
      "Medium",
      "Low"
    ],
    "displayNamesFilter": null
  }

Scheduled property values

The following tables describe the values you need to set in the schema.

Name Type Required Allowed Values Example
displayName string true Create incidents based on Azure Active Directory Identity Protection alerts
enabled bool true true
description string true Create incidents based on all alerts generated in Azure Active Directory Identity Protection
productFilter string true Microsoft Cloud App Security
severitiesFilter string true High, Medium, Low High
displayNamesFilter string false

Find us

Contributing

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.

Contributors

  • A big thank you goes out to all the contributors for their contributions!

Authors

  • Pouyan Khabazi - Developer and Maintainer - GitHub / Blog

Versioning

We use SemVer for versioning. For the versions available, see the tags on this repository.

License

This project is licensed under the MIT License - see the LICENSE file for details

Acknowledgments

  • Hat tip to anyone whose code was used!

wortel-azsentinel's People

Contributors

pkhabazi avatar bgelens avatar maartengoet avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.