Az.SecurityInsights

Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
The Azure Sentinel PowerShell module (Az.SecurityInsights) allows you to interact with the following components:

  • Incidents

  • Analytics Rules (Alert Rules)
  • Analytics Rules Templates
  • Analytics Rules Actions (for example, attaching an Azure Logic Apps Playbook to a rule)
  • Bookmarks
  • Data Connectors
  • Comments

All cmdlets accept the same ResourceGroupName and WorkspaceName parameters, so you can keep those two values in a single hashtable (a "connection object") and splat it into every call, as in the following example:
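The splatting pattern, as an added example that is not part of the module's own documentation. The resource group and workspace names are placeholders, and the script assumes you have already signed in with Connect-AzAccount and installed Az.SecurityInsights.

```powershell
# Added example: one hashtable with the workspace coordinates, splatted into
# every Az.SecurityInsights cmdlet. Names below are assumed placeholders.
# Assumes Connect-AzAccount has already been run in this session.
$Sentinel = @{
    ResourceGroupName = 'rg-sentinel-prod'   # assumed resource group name
    WorkspaceName     = 'law-sentinel-prod'  # assumed Log Analytics workspace name
}

# The same splat targets the workspace for every cmdlet in the module.
$rules     = Get-AzSentinelAlertRule @Sentinel
$incidents = Get-AzSentinelIncident  @Sentinel

# Quick posture check for the workspace: how many rules are actually enabled,
# and which incidents are still open, newest first.
'Analytics rules: {0} total, {1} enabled' -f $rules.Count, @($rules | Where-Object Enabled).Count

$incidents |
    Where-Object Status -ne 'Closed' |
    Select-Object Title, Severity, Status, CreatedTimeUtc |
    Sort-Object CreatedTimeUtc -Descending |
    Format-Table -AutoSize
```

Because the hashtable is passed by name, adding a cmdlet-specific parameter (such as -AlertRuleId or -IncidentId) after the splat works without repeating the workspace coordinates.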

Security

Get-AzSentinelAlertRule

Gets a specific or all Analytic Rules (Alert Rule).

Get-AzSentinelAlertRuleAction

Gets an Automated Response (Alert Rule Action) for an Analytics Rule, such as an attached Azure Logic Apps Playbook.
Azure Sentinel Automation Rules will be supported in the future.

Note: this cmdlet requires the AlertRuleId parameter.

Get-AzSentinelAlertRuleTemplate

Gets an Analytic Rule Template.

Get-AzSentinelBookmark

Gets a Bookmark.
A Bookmark is used to preserve queries, comments and tags for a specific incident.
You create the Bookmark first and then add it to an incident.

Get-AzSentinelDataConnector

Gets a Data Connector.

Please note that automation support is only available for the following data connectors:

  • AADDataConnector
  • AATPDataConnector
  • ASCDataConnector
  • AwsCloudTrailDataConnector
  • MCASDataConnector
  • MDATPDataConnector
  • OfficeDataConnector
  • TIDataConnector

Get-AzSentinelIncident

Gets one or more Azure Sentinel Incidents.

Get-AzSentinelIncidentComment

Gets an Incident Comment.

New-AzSentinelAlertRule

Create an Analytics Rule (Alert Rule).

New-AzSentinelAlertRuleAction

Add an Automated Response to an Analytic Rule.
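Creating a scheduled Analytics Rule and attaching a Playbook to it (covering New-AzSentinelAlertRule, New-AzSentinelAlertRuleAction and the Get-AzSentinelAlertRuleAction check described above), as an added example that is not taken from the module's documentation. The resource group, workspace and Logic App names, the KQL query and thresholds are assumptions; the Logic App trigger name is the one the Sentinel connector gives its alert trigger, and is also assumed to match your playbook.

```powershell
# Added example: scheduled analytics rule + Logic App playbook as its automated
# response. Resource names, query and thresholds are assumed placeholders.
# Assumes Connect-AzAccount has already been run; needs Az.SecurityInsights and Az.LogicApp.
$Sentinel = @{
    ResourceGroupName = 'rg-sentinel-prod'   # assumed
    WorkspaceName     = 'law-sentinel-prod'  # assumed
}

# 1. The detection: more than 20 failed sign-ins for one account within an hour.
$query = @'
SigninLogs
| where ResultType != 0
| summarize Failures = count() by UserPrincipalName, bin(TimeGenerated, 1h)
| where Failures > 20
'@

# Runs every hour over the last hour; fires when the query returns any rows
# (TriggerThreshold 0 with GreaterThan). Suppression stops re-alerting on the
# same burst for six hours. -Tactic tags the rule with the MITRE ATT&CK tactic.
$rule = New-AzSentinelAlertRule @Sentinel -Scheduled -Enabled `
    -DisplayName 'Burst of failed sign-ins (script-managed)' `
    -Description 'More than 20 failed sign-ins for a single UPN within one hour.' `
    -Severity Medium `
    -Tactic CredentialAccess `
    -Query $query `
    -QueryFrequency (New-TimeSpan -Hours 1) `
    -QueryPeriod   (New-TimeSpan -Hours 1) `
    -TriggerOperator GreaterThan -TriggerThreshold 0 `
    -SuppressionEnabled -SuppressionDuration (New-TimeSpan -Hours 6)

# The returned rule's Name is the AlertRuleId the action cmdlets expect.
$alertRuleId = $rule.Name

# 2. Resolve the playbook (assumed Logic App name) and the callback URL of its
#    Sentinel alert trigger; the action needs both the resource ID and that URI.
$playbook = Get-AzLogicApp -ResourceGroupName $Sentinel.ResourceGroupName -Name 'Block-AADUser'  # assumed name
$trigger  = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName $Sentinel.ResourceGroupName `
    -Name $playbook.Name `
    -TriggerName 'When_a_response_to_an_Azure_Sentinel_alert_is_triggered'

# 3. Attach the playbook as the rule's automated response.
New-AzSentinelAlertRuleAction @Sentinel -AlertRuleId $alertRuleId `
    -LogicAppResourceId $playbook.Id -TriggerUri $trigger.Value | Out-Null

# 4. Verify: the action is now listed for the rule.
Get-AzSentinelAlertRuleAction @Sentinel -AlertRuleId $alertRuleId |
    Select-Object LogicAppResourceId, WorkflowId
```

The trigger callback URL is a bearer-style secret (anyone holding it can fire the playbook), so keep it out of logs and source control; it is consumed here only to register the action and is not needed afterwards.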

New-AzSentinelBookmark

Creates a Bookmark for a specific incident.

New-AzSentinelDataConnector

Creates a Data Connector.

New-AzSentinelIncident

Creates an Incident.

New-AzSentinelIncidentComment

Adds a Comment to an Incident.

New-AzSentinelIncidentOwner

Creates an Incident Owner object, which you pass to Update-AzSentinelIncident to assign or change an incident's owner.

Remove-AzSentinelAlertRule

Deletes an Analytics Rule (Alert Rule).

Remove-AzSentinelAlertRuleAction

Removes an Automated Response from an Analytic Rule.

Remove-AzSentinelBookmark

Deletes a Bookmark.

Remove-AzSentinelDataConnector

Removes a Data Connector.

Remove-AzSentinelIncident

Deletes an Incident.

Update-AzSentinelAlertRule

Updates an Analytic Rule (Alert Rule).

Update-AzSentinelAlertRuleAction

Updates an Automated Response (Alert Rule Action).

Update-AzSentinelBookmark

Updates a Bookmark.

Update-AzSentinelDataConnector

Updates a Data Connector.

Update-AzSentinelIncident

Updates an Incident.
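An incident-triage pass that ties the incident cmdlets together (Get-AzSentinelIncident, New-AzSentinelIncidentOwner, Update-AzSentinelIncident and New-AzSentinelIncidentComment), as an added example that is not part of the module's documentation. The resource names, the analyst identity and the rule for picking which incidents to act on are assumptions.

```powershell
# Added example: assign, activate, annotate and close incidents from a script.
# Resource names and the analyst identity are assumed placeholders.
# Assumes Connect-AzAccount has already been run and Az.SecurityInsights is installed.
$Sentinel = @{
    ResourceGroupName = 'rg-sentinel-prod'   # assumed
    WorkspaceName     = 'law-sentinel-prod'  # assumed
}

# The owner is a separate object: build it once, then pass it to Update-AzSentinelIncident.
# ObjectId is the analyst's Azure AD object id (placeholder GUID here).
$owner = New-AzSentinelIncidentOwner `
    -AssignedTo        'Alice Analyst' `
    -Email             'alice.analyst@example.com' `
    -UserPrincipalName 'alice.analyst@example.com' `
    -ObjectId          '00000000-0000-0000-0000-000000000000'

# Triage queue: incidents still in status New with High severity.
$queue = Get-AzSentinelIncident @Sentinel |
    Where-Object { $_.Status -eq 'New' -and $_.Severity -eq 'High' }

foreach ($incident in $queue) {
    # An incident's Name is its IncidentId (GUID) for the other cmdlets.
    Update-AzSentinelIncident @Sentinel -IncidentId $incident.Name `
        -Status Active -Owner $owner | Out-Null

    # Leave an audit trail of who took the incident and when (UTC).
    $note = 'Assigned to {0} by triage script at {1:u}' -f $owner.AssignedTo, (Get-Date).ToUniversalTime()
    New-AzSentinelIncidentComment @Sentinel -IncidentId $incident.Name -Message $note | Out-Null
}

# Closing an incident should record why it was closed. Here the (assumed)
# convention is that incidents raised on the break-glass test account are
# known false positives caused by rule logic, so both the classification and
# the reason are set in the same update.
$testAccountIncidents = $queue | Where-Object Title -like '*svc-breakglass-test*'   # assumed title pattern
foreach ($incident in $testAccountIncidents) {
    Update-AzSentinelIncident @Sentinel -IncidentId $incident.Name `
        -Status Closed `
        -Classification FalsePositive `
        -ClassificationReason IncorrectAlertLogic `
        -ClassificationComment 'Fired on the break-glass test account; rule query to be adjusted.' | Out-Null
}
```

Keeping the owner object in a variable lets you reuse it across many updates, and recording the classification reason on close is what makes the false-positive rate of a rule measurable later.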