Azure Sentinel PowerShell Module

“Azure Sentinel is a cloud-native SIEM that provides intelligent security analytics for your entire enterprise at cloud scale. Get limitless cloud speed and scale to help focus on what really matters. Easily collect data from all your cloud or on-premises assets, Office 365, Azure resources, and other clouds. Effectively detect threats with built-in machine learning from Microsoft’s security analytics experts. Automate threat response, using built-in orchestration and automation playbooks.”

Analytics rules in Azure Sentinel define the logic on which incidents are created. Currently the only way to add, change or delete rules is through the Azure portal. Because we run a cloud Security Operations Center at Wortell with many customers connected, doing this manually is not an option for us.

PowerShell Module

At the moment there is no documented API, ARM resource or PowerShell module for configuring Azure Sentinel. After some research we found the APIs the Azure portal itself uses, and based on those we have written a PowerShell module to manage Azure Sentinel from PowerShell.


Infrastructure as Code – Deploy Azure VNet with dynamic subnets

A frequently asked question about rolling out an Azure VNet with multiple subnets in an infrastructure-as-code environment is where and how to define the subnets in the ARM template. In most examples online the number of subnets is fixed in the template, and only the name and addressPrefix of each subnet come from the parameter file. The big disadvantage of this approach is that when you deploy a VNet with, for example, two subnets and later decide to add more, you have two choices, both of which are uncomfortable for an infrastructure-as-code release pipeline.
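As an added example (not code from the original post or from Wortell's pipeline), the following ARM template takes the subnets as an array parameter and expands them with a property copy loop, so adding a subnet means adding one element to the parameter file rather than editing the template. The VNet name, address ranges, the `subnets` parameter shape and the default values are constructed for illustration; in a release pipeline the `subnets` array would come from the parameter file and the default would be omitted.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vnetName": {
      "type": "string",
      "defaultValue": "vnet-example"
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    },
    "addressPrefix": {
      "type": "string",
      "defaultValue": "10.10.0.0/16"
    },
    "subnets": {
      "type": "array",
      "metadata": {
        "description": "Constructed sample value for illustration; supply the real list from the parameter file. Each entry is an object with 'name' and 'addressPrefix'."
      },
      "defaultValue": [
        { "name": "snet-web", "addressPrefix": "10.10.1.0/24" },
        { "name": "snet-app", "addressPrefix": "10.10.2.0/24" },
        { "name": "snet-db",  "addressPrefix": "10.10.3.0/24" }
      ]
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2019-11-01",
      "name": "[parameters('vnetName')]",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [ "[parameters('addressPrefix')]" ]
        },
        "copy": [
          {
            "name": "subnets",
            "count": "[length(parameters('subnets'))]",
            "input": {
              "name": "[parameters('subnets')[copyIndex('subnets')].name]",
              "properties": {
                "addressPrefix": "[parameters('subnets')[copyIndex('subnets')].addressPrefix]"
              }
            }
          }
        ]
      }
    }
  ],
  "outputs": {
    "subnetIds": {
      "type": "array",
      "copy": {
        "count": "[length(parameters('subnets'))]",
        "input": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), parameters('subnets')[copyIndex()].name)]"
      }
    }
  }
}
```

The `copy` element inside `properties` builds the `subnets` array from the parameter at deployment time, and the output loop returns the resulting subnet resource IDs so later pipeline stages can reference them without hard-coding names. Two caveats worth keeping in mind: the template always declares the complete subnet list, so removing an entry from the parameter file deletes that subnet on the next deployment, and the deployment fails if that subnet still has resources (for example NICs) attached; and an incremental deployment replaces the whole `subnets` collection, so any subnet created outside the template is removed. The same pattern extends to per-subnet settings such as a `networkSecurityGroup` reference by adding a field to each array element and reading it in the `input` object.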
