Question asked by GeoffreyMontel-3143
Is it possible to manipulate Azure Sentinel Watchlists through Powershell/API


Hi team,

Is it possible to administer Azure Sentinel Watchlists through PowerShell, like rules with Az.SecurityInsights?

The aim is to keep the watchlist references in an external VCS for simpler manipulation, and sync them to the remote with PowerShell.

Thanks,

Tags: windows-server-powershell, microsoft-sentinel

Comment from rogierdijkman:

Hi,

I posted a PowerShell script yesterday that will be part of the new Microsoft Sentinel PowerShell module that I am currently developing.
Please let me know if you run into any issues.

You can use this script in an automation job to update the watchlist content based on a CSV file:

New-MsSentinelWatchlist

1 Answer

Answer by JamesTran-MSFT

@GeoffreyMontel-3143
Thank you for your post!

As of right now, using the Log Analytics REST API to manage watchlists, you can only create, modify, and delete watchlists and their items (see Manage watchlists in Azure Sentinel using REST API). If you'd like the ability to administer Azure Sentinel Watchlists using REST APIs, I'd recommend leveraging the Azure Sentinel GitHub repo to create a feature request for our engineering team.


Additional Links:
Azure Sentinel REST APIs
Azure Sentinel Tech Community


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


Hi @JamesTran-MSFT,
Thanks for the reply.

In a nutshell, I understand it's not implemented yet; there is only the API endpoint.

It would be a waste of time if I coded the REST PowerShell wrapper in parallel, assuming that the target code for this would be Az.SecurityInsights.

I filed a feature request for this: https://github.com/Azure/azure-powershell/issues/15718

Thanks;


@GeoffreyMontel-3143
Thank you for the quick follow-up on this. It looks like our PG team responded to your feature request; I'll post the response below.


PG Update:

This will be coming. But currently there is an issue in the various specs when using autorest due to some overlapping definitions. Once that is resolved I will add this set of cmdlets and a few others for new APIs!! Please hang tight as we work to resolve the rest api specs issue.

Source - https://github.com/Azure/azure-powershell/issues/15718#issuecomment-902739014


Thank you again for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

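Added example, not code from this thread, from rogierdijkman's module or from any Microsoft module. The answer states that watchlists can be created, modified and deleted through the REST API, and the question wants the CSV kept in version control and pushed from PowerShell; the script below does that directly against the ARM endpoint with Invoke-AzRestMethod (Az.Accounts), which is the only Azure cmdlet it relies on, so it does not wait for Az.SecurityInsights to gain watchlist cmdlets. The api-version string, the watchlist body property names (displayName, provider, source, itemsSearchKey, contentType, numberOfLinesToSkip, rawContent) and the watchlistItems response shape are taken from the Sentinel REST reference as I know it; treat them as assumptions and verify them against the current reference before relying on them. It needs an existing Connect-AzAccount session whose identity can write Sentinel watchlists on the workspace (the built-in Microsoft Sentinel Contributor role is enough; grant it on the workspace, not the subscription, when the sync runs from a pipeline service principal).

```powershell
#Requires -Modules Az.Accounts
# Added example: push a CSV tracked in version control to a Microsoft Sentinel watchlist
# via the ARM REST API, then read the items back to confirm what the workspace holds.

function Get-WatchlistPath {
    # Builds the ARM resource path for a watchlist. Resource names are assumptions for the example.
    param([string]$SubscriptionId, [string]$ResourceGroup, [string]$WorkspaceName, [string]$Alias)
    return "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
           "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName" +
           "/providers/Microsoft.SecurityInsights/watchlists/$Alias"
}

function Sync-SentinelWatchlist {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $WorkspaceName,
        [Parameter(Mandatory)] [string] $Alias,       # alias used in KQL: _GetWatchlist('<alias>')
        [Parameter(Mandatory)] [string] $CsvPath,     # the file kept in your VCS checkout
        [Parameter(Mandatory)] [string] $SearchKey,   # CSV column that uniquely identifies an item
        [string] $DisplayName = $Alias,
        [string] $ApiVersion = '2022-11-01'           # assumption: check the current REST reference
    )

    $csv = Get-Content -Path $CsvPath -Raw
    # Validate locally before touching the workspace: the search key must be a header column,
    # otherwise the service rejects the PUT (or, worse, silently builds an unusable list).
    $header  = ($csv -split "`r?`n", 2)[0].Trim()
    $columns = $header -split ',' | ForEach-Object { $_.Trim().Trim('"') }
    if ($columns -notcontains $SearchKey) {
        throw "Search key '$SearchKey' is not a column of '$CsvPath' (header: $header)"
    }

    $path = (Get-WatchlistPath $SubscriptionId $ResourceGroup $WorkspaceName $Alias) +
            "?api-version=$ApiVersion"
    $body = @{
        properties = @{
            displayName         = $DisplayName
            provider            = 'Custom'
            source              = 'Local file'
            itemsSearchKey      = $SearchKey
            contentType         = 'text/csv'
            numberOfLinesToSkip = 0
            rawContent          = $csv
        }
    } | ConvertTo-Json -Depth 5

    if ($PSCmdlet.ShouldProcess("$WorkspaceName/$Alias", "PUT watchlist from $CsvPath")) {
        $resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
        if ($resp.StatusCode -notin 200, 201) {
            throw "Watchlist PUT failed: HTTP $($resp.StatusCode) $($resp.Content)"
        }
        return ($resp.Content | ConvertFrom-Json)
    }
}

function Get-SentinelWatchlistItem {
    # Returns the itemsKeyValue object of every item in the watchlist, following nextLink pages.
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $WorkspaceName,
        [Parameter(Mandatory)] [string] $Alias,
        [string] $ApiVersion = '2022-11-01'
    )
    $path = (Get-WatchlistPath $SubscriptionId $ResourceGroup $WorkspaceName $Alias) +
            "/watchlistItems?api-version=$ApiVersion"
    $items = @()
    do {
        $resp = Invoke-AzRestMethod -Method GET -Path $path
        if ($resp.StatusCode -ne 200) {
            throw "Listing watchlist items failed: HTTP $($resp.StatusCode) $($resp.Content)"
        }
        $page   = $resp.Content | ConvertFrom-Json
        $items += @($page.value | ForEach-Object { $_.properties.itemsKeyValue })
        # nextLink is an absolute URL; Invoke-AzRestMethod -Path wants the path and query only.
        $path = if ($page.nextLink) { ([uri]$page.nextLink).PathAndQuery } else { $null }
    } while ($path)
    return $items
}

# Usage (values are placeholders, run after Connect-AzAccount):
# Sync-SentinelWatchlist -SubscriptionId '<sub-id>' -ResourceGroup 'rg-sentinel' `
#     -WorkspaceName 'law-sentinel' -Alias 'HighValueAssets' `
#     -CsvPath '.\watchlists\HighValueAssets.csv' -SearchKey 'HostName' -WhatIf
# Get-SentinelWatchlistItem -SubscriptionId '<sub-id>' -ResourceGroup 'rg-sentinel' `
#     -WorkspaceName 'law-sentinel' -Alias 'HighValueAssets' | Measure-Object
```

Two practical notes. The read-back function is there for a reason: before wiring this into a pipeline, run a sync twice with a changed CSV and compare the item count and keys, so you know from observation whether a repeated PUT with rawContent replaces or merges the items in your workspace, rather than assuming either. And because the sync runs unattended, keep the identity doing the PUT separate from the one analysts use and restrict it to watchlist write rights on that workspace; a watchlist is an allow-list or asset-list that analytics rules trust, so write access to it is a detection-evasion lever.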