# AzSentinel Module

## Documentation
### Wortell
- <b>[Blog]</b> - [Azure Sentinel: automating your Use Cases with PowerShell and the #AzSentinel module](https://medium.com/wortell/azure-sentinel-automating-your-use-cases-with-powershell-and-the-azsentinel-module-380606e601f5)
- <b>Wortell</b> - [Azure Sentinel 'AZSentinel' Module Github](https://github.com/wortell/AZSentinel) - Wortell created an AZSentinel Module to easily work with Azure Sentinel
- <b>Wortell</b> - [Sample KQL Sigma Rules](https://github.com/wortell/KQL) - Library of already converted Sigma Rules that are ready to add to AZSentinel

## Import the Module from PSGallery

In [2]:
```powershell
Install-Module AzSentinel
Import-Module AzSentinel
```


In [4]:
```powershell
Get-Command -Module AzSentinel | FW
```

```
Get-AzSentinelAlertRule                           Get-AzSentinelAlertRuleAction
Get-AzSentinelHuntingRule                         Get-AzSentinelIncident
Import-AzSentinelAlertRule                        Import-AzSentinelHuntingRule
New-AzSentinelAlertRule                           New-AzSentinelAlertRuleAction
New-AzSentinelHuntingRule                         Remove-AzSentinelAlertRule
Remove-AzSentinelAlertRuleAction                  Remove-AzSentinelHuntingRule
Set-AzSentinel                                    Update-AzSentinelIncident
```


### Add a new Azure Sentinel Rule
Use the following template to create your rule

```json
{
  "analytics": [
    {
      "displayName": "string",
      "description": "string",
      "severity": "High",
      "enabled": true,
      "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
      "queryFrequency": "5H",
      "queryPeriod": "5H",
      "triggerOperator": "GreaterThan",
      "triggerThreshold": 5,
      "suppressionDuration": "6H",
      "suppressionEnabled": false,
      "tactics": [
        "Persistence",
        "LateralMovement",
        "Collection"
      ],
      "playbookName": "string"
    }
  ]
}
```

### Add your new JSON Rule to Azure Sentinel

```powershell
$displayName = "string"
$description = "string"
$severity = "High"
$enabled = $true
$queryFrequency = "5H"
$queryPeriod = "5H"
$triggerOperator = "GreaterThan"
$triggerThreshold = 5
$suppressionDuration = "6H"
$suppressionEnabled = $false
$tactics = @('Persistence','LateralMovement','Collection')
$playbookName = "string"
```

In [30]:
```powershell
$displayName = "string"
$description = "string"
$severity = "High"
$enabled = $true
$queryFrequency = "5H"
$queryPeriod = "5H"
$triggerOperator = "GreaterThan"
$triggerThreshold = 5
$suppressionDuration = "6H"
$suppressionEnabled = $false
$tactics = @('Persistence','LateralMovement','Collection')
$playbookName = "string"
```

In [5]:
```powershell
$query = @"
SecurityEvent 
| where EventID == '4688'
| where CommandLine contains "-noni -ep bypass $"
"@

Write-Host -Foreground yellow "Hunting Query`n"
$query

Write-Host -Foreground Yellow "`nJSON Body`n"
$newRule = @{
    analytics = (
        @{
          displayName = "string"
          description = "string"
          severity = "High"
          enabled = $true
          query = $query
          queryFrequency = "5H"
          queryPeriod = "5H"
          triggerOperator = "GreaterThan"
          triggerThreshold = 5
          suppressionDuration = "6H"
          suppressionEnabled = $false
          tactics = @(
            "Persistence",
            "LateralMovement",
            "Collection"
          )
          playbookName = "string"
        }
    )
}

$newRule | ConvertTo-JSON
```

```
Hunting Query

SecurityEvent 
| where EventID == '4688'
| where CommandLine contains "-noni -ep bypass $"

JSON Body

{
  "analytics": {
    "description": "string",
    "suppressionEnabled": false,
    "query": "SecurityEvent \n| where EventID == '4688'\n| where CommandLine contains \"-noni -ep bypass $\"",
    "playbookName": "string",
    "triggerThreshold": 5,
    "severity": "High",
    "enabled": true,
    "queryPeriod": "5H",
    "tactics": [
      "Persistence",
      "LateralMovement",
      "Collection"
    ],
    "queryFrequency": "5H",
    "triggerOperator": "GreaterThan",
    "displayName": "string",
    "suppressionDuration": "6H"
  }
}
```
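Note that the output above has `"analytics"` as a single object, because `( )` in the cell is grouping, not an array constructor, while the template expects an array. The following is an added example, not code from the AzSentinel module or the blog: it builds the rule file in the template's shape from the variables defined above, checks the fields the API rejects before writing, and imports it. The `-WorkspaceName`, `-SettingsFile` and `-RuleName` parameters and the `<workspace-name>` value are assumptions about the module's interface.

```powershell
# Added example (not AzSentinel project code). Uses $displayName ... $playbookName
# and $query from the cells above. Assumed: Import-AzSentinelAlertRule takes
# -WorkspaceName/-SettingsFile, Get-AzSentinelAlertRule takes -WorkspaceName/-RuleName;
# '<workspace-name>' is a placeholder for your Log Analytics workspace.
function New-SentinelRuleFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Collections.IDictionary[]]$Rules
    )
    # Allowed values from the Sentinel scheduled alert rule schema.
    $validSeverity = 'High', 'Medium', 'Low', 'Informational'
    $validOperator = 'GreaterThan', 'LessThan', 'Equal', 'NotEqual'
    foreach ($r in $Rules) {
        if ($r.severity -notin $validSeverity) { throw "Rule '$($r.displayName)': severity '$($r.severity)' is not one of $($validSeverity -join ', ')" }
        if ($r.triggerOperator -notin $validOperator) { throw "Rule '$($r.displayName)': triggerOperator '$($r.triggerOperator)' is invalid" }
        if ($r.tactics -isnot [array]) { throw "Rule '$($r.displayName)': tactics must be an array" }
    }
    # @() keeps "analytics" an array even for a single rule; a plain ( ) collapses it
    # to one object. -Depth 4 stops ConvertTo-Json truncating the nested tactics array.
    $body = [ordered]@{ analytics = @($Rules) }
    $body | ConvertTo-Json -Depth 4 | Set-Content -Path $Path -Encoding UTF8
    return $Path
}

# Ordered so the JSON keys come out in the template's order rather than hash order.
$rule = [ordered]@{
    displayName         = $displayName
    description         = $description
    severity            = $severity
    enabled             = $enabled
    query               = $query
    queryFrequency      = $queryFrequency
    queryPeriod         = $queryPeriod
    triggerOperator     = $triggerOperator
    triggerThreshold    = $triggerThreshold
    suppressionDuration = $suppressionDuration
    suppressionEnabled  = $suppressionEnabled
    tactics             = $tactics
    playbookName        = $playbookName
}

$file = New-SentinelRuleFile -Path (Join-Path $PWD 'rule.json') -Rules $rule
Import-AzSentinelAlertRule -WorkspaceName '<workspace-name>' -SettingsFile $file

# Read the rule back to confirm it was created with the intended settings.
Get-AzSentinelAlertRule -WorkspaceName '<workspace-name>' -RuleName $displayName |
    Select-Object displayName, severity, enabled, queryFrequency, triggerThreshold
```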
