Azure Sentinel: Add Automation to All Alert Rules

Recently, I decided to try Azure Sentinel out on my home lab network to get a better understanding of how it’s deployed and used. Once I get some spare cycles, I plan to write up my experience deploying sensors and adding data connectors for my network, but for now I thought I should start with a script I wrote that others might find useful.

After configuring dozens of analytics rules to generate alerts, I decided I wanted to use an Azure Logic App to send me notifications when a rule fires. After a bit of research, I found this forum post, which indicates there is currently no way to bulk-add an automation playbook to all of the existing rules you’ve already configured: https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-mass-apply-a-playbook-to-all-analytic-rules-at-once/m-p/2070715. The answer in that post goes on to state that the feature is currently in private preview.

Not wanting to wait for a beta feature to go public, I decided to create a PowerShell script to apply my notification automation app to all of my active rules at once. The code for the script is below (and also shared on my GitHub page). Just fill out the top variables with the details of your subscription, automation Logic App, and Sentinel instance, and run it. This worked for me and my rules, though be sure to test it in a non-prod environment to confirm it works for you before you use it in production. The script requires the Az and Az.SecurityInsights PowerShell modules.

# READ LICENSE TERMS AT BOTTOM OF SCRIPT BEFORE USE!

# Change these values:

$tenantId = "Your-subscription-AAD-tenant-ID"
$subscriptionID = "Your-Azure-subscription-ID"

$logicAppName = "Your-logic-app-name"
$logicAppRG = "Your-logic-app-resource-group-name"
$triggerName = "When_a_response_to_an_Azure_Sentinel_alert_is_triggered" # This is the default name

$workspaceName = "Your-Sentinel-Workspace-Name" 
$sentinelRG = "Your-Sentinel-Resource-Group-name"

#---- No need to edit any of the below ----

Import-Module Az
Import-Module Az.SecurityInsights

# Connect to the Azure subscription
Connect-AzAccount -TenantId $tenantId
Select-AzSubscription -SubscriptionId $subscriptionID -TenantId $tenantId

# Get the details of the Logic App to be used, and its trigger URL
$logicapp = Get-AzLogicApp -ResourceGroupName $logicAppRG -Name $logicAppName
# Look up the trigger first: this fails early (before any rule is touched) if $triggerName is wrong
$trigger = Get-AzLogicAppTrigger -ResourceGroupName $logicAppRG -Name $logicAppName -TriggerName $triggerName
$triggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName $logicAppRG -Name $logicAppName -TriggerName $triggerName

# Get all the existing active Sentinel alert rules
$rules = Get-AzSentinelAlertRule -ResourceGroupName $sentinelRG -WorkspaceName $workspaceName
foreach($rule in $rules)
{
    if($rule.Kind -eq "Error")
    {
        write-host "Skipping rule $($rule.Name), because Kind==Error"
    }
    else
    {
        write-host "Adding action to $($rule.Name)"
        New-AzSentinelAlertRuleAction -ResourceGroupName $sentinelRG -WorkspaceName $workspaceName -AlertRuleId $($rule.Name) -LogicAppResourceId $($logicapp.Id) -TriggerUri $($triggerUri.Value)
    }
}

# -----------------------------------

# Copyright 2021 Matt Burrough
# 
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
# associated documentation files (the "Software"), to deal in the Software without restriction, 
# including without limitation the rights to use, copy, modify, merge, publish, distribute, 
# sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is 
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all copies or 
# substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING 
# BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
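As an added companion to the script above (this is example code written for this page, not part of the author's script or GitHub repository), the following PowerShell reports which active rules are already wired to the Logic App and attaches it only where it is missing, so the script can be re-run safely and rehearsed with -WhatIf in a non-prod workspace first. It assumes the same Az.SecurityInsights cmdlet set and parameter names the script uses (-AlertRuleId), and it assumes that Get-AzSentinelAlertRuleAction returns objects carrying a LogicAppResourceId property; both are assumptions, so verify them against the module version you have installed.

```powershell
# Added example (not the original script): idempotent, dry-run-capable playbook attachment.
# Usage:  .\Add-PlaybookIfMissing.ps1 -SentinelRG rg -WorkspaceName ws -LogicAppRG rg2 -LogicAppName app -WhatIf
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $SentinelRG,
    [Parameter(Mandatory)] [string] $WorkspaceName,
    [Parameter(Mandatory)] [string] $LogicAppRG,
    [Parameter(Mandatory)] [string] $LogicAppName,
    # Default trigger name of the Sentinel alert connector, as in the script above
    [string] $TriggerName = "When_a_response_to_an_Azure_Sentinel_alert_is_triggered"
)

Import-Module Az.LogicApp
Import-Module Az.SecurityInsights

# Resolve the playbook once; both calls throw before any rule is modified if the names are wrong
$logicApp   = Get-AzLogicApp -ResourceGroupName $LogicAppRG -Name $LogicAppName
$triggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName $LogicAppRG -Name $LogicAppName -TriggerName $TriggerName

$rules  = Get-AzSentinelAlertRule -ResourceGroupName $SentinelRG -WorkspaceName $WorkspaceName
$report = foreach ($rule in $rules) {
    # Same skip as the original script: rules that come back as Kind "Error" cannot take an action
    if ($rule.Kind -eq "Error") { continue }

    # Actions already attached to this rule (empty when none). ASSUMPTION: each action object
    # exposes LogicAppResourceId, which is compared against the playbook's resource Id.
    $actions      = Get-AzSentinelAlertRuleAction -ResourceGroupName $SentinelRG -WorkspaceName $WorkspaceName -AlertRuleId $rule.Name
    $alreadyWired = @($actions | Where-Object { $_.LogicAppResourceId -eq $logicApp.Id }).Count -gt 0

    if ($alreadyWired) {
        $state = "AlreadyPresent"
    }
    elseif ($PSCmdlet.ShouldProcess($rule.Name, "Attach playbook $LogicAppName")) {
        # Only reached on a real run (not under -WhatIf)
        New-AzSentinelAlertRuleAction -ResourceGroupName $SentinelRG -WorkspaceName $WorkspaceName `
            -AlertRuleId $rule.Name -LogicAppResourceId $logicApp.Id -TriggerUri $triggerUri.Value | Out-Null
        $state = "Added"
    }
    else {
        $state = "WouldAdd (WhatIf)"
    }

    [pscustomobject]@{ Rule = $rule.Name; Kind = $rule.Kind; Playbook = $state }
}

# One row per rule so the result can be reviewed (or exported) after a dry run
$report | Format-Table -AutoSize
```

Run it once with -WhatIf to get the per-rule table without changing anything; on a real run the same table shows which rules were newly attached and which already had the playbook, which is also a quick way to confirm that the original bulk script covered every rule you expected.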