Azure Sentinel: Add Automation to All Alert Rules

Recently, I decided to try Azure Sentinel out on my home lab network to get a better understanding of how it’s deployed and used. Once I get some spare cycles, I plan to write up my experience deploying sensors and adding data connectors for my network, but for now I thought I’d start with a script I wrote that others might find useful.

After configuring dozens of analytics rules to generate alerts, I wanted to use an Azure Logic App to send me a notification whenever a rule fires. After a bit of research, I found this forum post, which indicates there is currently no way to bulk-add an automation playbook to all of the rules you’ve already configured: https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-mass-apply-a-playbook-to-all-analytic-rules-at-once/m-p/2070715. The answer in that thread states that the feature is in private preview.

Not wanting to wait for a preview feature to go public, I wrote a PowerShell script that attaches my notification Logic App to all of my active rules at once. The script is below (and also shared on my GitHub page). Fill in the variables at the top with the details of your subscription, automation Logic App, and Sentinel instance, then run it. It worked for me and my rules, but test it in a non-production environment before you use it in production. The script requires the Az and Az.SecurityInsights PowerShell modules, and the account you sign in with needs rights to read the Logic App’s trigger callback URL and to write alert rule actions in the Sentinel workspace. The callback URL the script retrieves includes a SAS signature that lets anyone holding it invoke the playbook, so treat it as a secret and don’t log or commit it.

# READ LICENSE TERMS AT BOTTOM OF SCRIPT BEFORE USE!

# Change these values:

$tenantId = "Your-subscription-AAD-tenant-ID"
$subscriptionID = "Your-Azure-subscription-ID"

$logicAppName = "Your-logic-app-name"
$logicAppRG = "Your-logic-app-resource-group-name"
$triggerName = "When_a_response_to_an_Azure_Sentinel_alert_is_triggered" # This is the default name

$workspaceName = "Your-Sentinel-Workspace-Name" 
$sentinelRG = "Your-Sentinel-Resource-Group-name"

#---- No need to edit any of the below ----

Import-Module Az
Import-Module Az.SecurityInsights

# Connect to the Azure subscription
Connect-AzAccount -TenantId $tenantId
Select-AzSubscription -SubscriptionId $subscriptionID -TenantId $tenantId

# Get the details of the Logic App to be used, and its trigger URL
$logicapp = Get-AzLogicApp -ResourceGroupName $logicAppRG -Name $logicAppName
$trigger = Get-AzLogicAppTrigger -ResourceGroupName $logicAppRG -Name $logicAppName -TriggerName $triggerName
$triggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName $logicAppRG -Name $logicAppName -TriggerName $triggerName

# Get all the existing active Sentinel alert rules
$rules = Get-AzSentinelAlertRule -ResourceGroupName $sentinelRG -WorkspaceName $workspaceName
foreach($rule in $rules)
{
    if($rule.Kind -eq "Error")
    {
        write-host "Skipping rule $($rule.Name), because Kind==Error"
    }
    else
    {
        write-host "Adding action to $($rule.Name)"
        New-AzSentinelAlertRuleAction -ResourceGroupName $sentinelRG -WorkspaceName $workspaceName -AlertRuleId $($rule.Name) -LogicAppResourceId $($logicapp.Id) -TriggerUri $($triggerUri.Value)
    }
}

# -----------------------------------

# Copyright 2021 Matt Burrough
# 
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
# associated documentation files (the "Software"), to deal in the Software without restriction, 
# including without limitation the rights to use, copy, modify, merge, publish, distribute, 
# sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is 
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all copies or 
# substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING 
# BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
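
The script above creates a new action on every rule each time it is run, so a second run attaches the playbook a second time. The following is an added example (not part of the original post or its GitHub repo) that makes the loop re-runnable: it first lists the actions already on each rule and only adds the playbook where it is missing, with a dry-run flag for checking what would change before writing anything. It assumes the same variables and Az session as the script above ($sentinelRG, $workspaceName, $logicAppRG, $logicAppName, $triggerName), and it assumes the action objects returned by Get-AzSentinelAlertRuleAction expose a LogicAppResourceId property; confirm that with Get-Member on your module version, as later Az.SecurityInsights releases renamed some cmdlet parameters.

```powershell
# Added example, not from the original post: attach the playbook only to rules
# that do not already have it, so the script can be re-run safely.
# Assumes the variables and Connect-AzAccount/Select-AzSubscription from the
# script above have already been run in this session.

$DryRun = $true   # set to $false to actually write the actions

# Resolve the playbook and its trigger callback URL (contains a SAS signature; do not log it)
$logicapp   = Get-AzLogicApp -ResourceGroupName $logicAppRG -Name $logicAppName
$triggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName $logicAppRG -Name $logicAppName -TriggerName $triggerName

$rules   = Get-AzSentinelAlertRule -ResourceGroupName $sentinelRG -WorkspaceName $workspaceName
$summary = @{ Added = 0; AlreadyPresent = 0; Skipped = 0 }

foreach ($rule in $rules) {
    if ($rule.Kind -eq "Error") {
        Write-Host "Skipping rule $($rule.Name), because Kind==Error"
        $summary.Skipped++
        continue
    }

    # Actions (playbook attachments) already present on this rule.
    # $rule.Name is the rule's GUID, which is what -AlertRuleId expects.
    $existing = Get-AzSentinelAlertRuleAction -ResourceGroupName $sentinelRG -WorkspaceName $workspaceName -AlertRuleId $rule.Name

    # Azure resource IDs are case-insensitive, so compare normalized.
    # LogicAppResourceId is assumed to be the property carrying the playbook's resource ID.
    $alreadyAttached = $existing | Where-Object {
        $_.LogicAppResourceId -and ($_.LogicAppResourceId.ToLower() -eq $logicapp.Id.ToLower())
    }

    if ($alreadyAttached) {
        Write-Host "Playbook already attached to $($rule.DisplayName) [$($rule.Name)]"
        $summary.AlreadyPresent++
        continue
    }

    if ($DryRun) {
        Write-Host "[DryRun] Would attach playbook to $($rule.DisplayName) [$($rule.Name)]"
    }
    else {
        Write-Host "Adding action to $($rule.DisplayName) [$($rule.Name)]"
        New-AzSentinelAlertRuleAction -ResourceGroupName $sentinelRG -WorkspaceName $workspaceName `
            -AlertRuleId $rule.Name -LogicAppResourceId $logicapp.Id -TriggerUri $triggerUri.Value | Out-Null
    }
    $summary.Added++
}

Write-Host ("Done. Added: {0}, already present: {1}, skipped: {2}" -f $summary.Added, $summary.AlreadyPresent, $summary.Skipped)
```

Run it once with $DryRun left at $true to see the per-rule decisions and the totals; if the "already present" count matches the number of rules the original script touched, flip $DryRun to $false and run it again to fill in only the gaps. Duplicate attachments from earlier runs can be inspected with Get-AzSentinelAlertRuleAction and cleaned up with Remove-AzSentinelAlertRuleAction.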

Repinning an American 1305

For the past six months, I’ve been focused on a project I hope to share with everyone very soon. In the meantime I took a break a couple of days ago to work on building a progressive set of American 1305 locks – removing 1, 2, and 3 pins from these 5-pin locks. This set makes a great practice set for locksport folks – especially those who aren’t comfortable picking American locks and overcoming the strong spring tension needed to release the shackle. I decided to document this process on video – my first locksport-related YouTube video. Enjoy! Hopefully we’ll start having in-person meetups again soon and people can try picking these.

SANS Cloud Summit Keynote

If you are interested in cloud security, take a look at the 2020 SANS Cloud Summit coming up at the end of May. In addition to some great SANS courses, like 545, they are also hosting a virtual CTF and have a series of speakers to kick off the event. I’ll be giving a keynote on red team assessments in the cloud. I hope you can join us!

New Impressioning Meetup

Join us Sunday, March 8 at 1:00 PM at Black Lodge Research in Redmond, WA for Seattle Locksport’s first lock impressioning meetup. All experience levels welcome! We’ll have all the gear, locks, and key blanks you need. We’ll be meeting every 2nd Sunday of the month to practice, teach, learn, and socialize.

Curious about impressioning? Check out this overview from DEFCON, or see world champ Jos Weyers open a lock in under 2 minutes!

DEF CON 27 Talk: Master Key Insider Attacks

Earlier this month, I spoke at DEF CON 27’s Lock Pick Village on insider attacks that can be executed on master-keyed systems. (Note: Not Master brand locks. 😊) A copy of my slides can be downloaded from: https://burrough.org/papers/Burrough-DC27_Master_Key_Talk.pdf.

Abstract
As a lock enthusiast and professional pentester, I think a lot about ways to quickly or reliably gain access to restricted areas without relying on my picks. This talk will cover several ways to perform escalation of privilege in the physical world.