moutonjr

Reputation: 265

Is it possible to manipulate Azure Sentinel Watchlists through Powershell/API

Is it possible to administrate Azure Sentinel Watchlists through Powershell, like Rules with Az.SecurityInsights?

The aim is to keep Watchlist references in an outer VCS for simpler manipulation, and sync them to the remote with Powershell.

Thanks,

Upvotes: 0

Views: 670

Answers (2)

Erik Oppedijk

Reputation: 3553

Work on this seems to be coming; the recently announced Microsoft Sentinel Repositories feature allows your VCS (GitHub or Azure DevOps) to sync to Sentinel:

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/enable-continuous-deployment-natively-with-microsoft-sentinel/ba-p/2929413

With some small modifications (edit the files in the .sentinel/ folder) you can deploy watchlists as well. At this moment only additions are processed through this trick, but real support might be coming.

Some more info: https://www.oppedijk.com/2021/11/18/Sentinel-CD-Repository.html

Upvotes: 1

moutonjr

Reputation: 265

Got the answer: No. In a nutshell, I understand it's not implemented yet. Only the API endpoint.

It would be a waste of time if I coded the REST Powershell wrapper in parallel, assuming that target code for this would be Az.SecurityInsights.

I filed a feature request for this: https://github.com/Azure/azure-powershell/issues/15718

Reference: https://learn.microsoft.com/en-us/answers/questions/518881/is-it-possible-to-manipulate-azure-sentinel-watchl.html

Upvotes: 0
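Since the accepted answer is that only the REST endpoint exists, the VCS-to-Sentinel sync the question asks for can be done by wrapping that endpoint with Invoke-AzRestMethod (Az.Accounts). The script below is an added example, not code from the question, the answers, or Az.SecurityInsights; the subscription, resource group, workspace and CSV path are placeholders, and the api-version and request body shape follow the "Watchlists - Create Or Update" REST reference as I know it, so check them against the current documentation before relying on them.

```powershell
# Added example: push a CSV tracked in version control to a Sentinel watchlist
# via the REST API. Run after Connect-AzAccount with a principal that has
# Microsoft Sentinel Contributor on the workspace.
param(
    [string]$SubscriptionId = '<subscription-id>',      # placeholder
    [string]$ResourceGroup  = '<resource-group>',       # placeholder
    [string]$Workspace      = '<log-analytics-workspace>',  # placeholder
    [string]$Alias          = 'HighValueAssets',        # alias used in KQL: _GetWatchlist('HighValueAssets')
    [string]$CsvPath        = './watchlists/HighValueAssets.csv',  # the file kept in VCS
    [string]$SearchKey      = 'HostName'                # column Sentinel indexes as the search key
)

$csv = Get-Content -Path $CsvPath -Raw

# Fail before touching the workspace if the search key is not a CSV header column.
# Plain comma split is enough for simple headers; quoted headers would need a CSV parser.
$header = ($csv -split "`r?`n")[0] -split ','
if ($header -notcontains $SearchKey) {
    throw "Column '$SearchKey' not found in $CsvPath header: $($header -join ', ')"
}

# Resource path of the watchlist; api-version is an assumption to verify against the docs.
$path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
        "/providers/Microsoft.SecurityInsights/watchlists/$Alias" +
        "?api-version=2021-10-01"

# Body shape per the Create Or Update reference (assumed): the CSV travels inline in rawContent.
$body = @{
    properties = @{
        displayName         = $Alias
        provider            = 'Custom'
        source              = 'Local file'
        itemsSearchKey      = $SearchKey
        contentType         = 'text/csv'
        numberOfLinesToSkip = 0
        rawContent          = $csv   # very large lists may exceed the request size limit
    }
} | ConvertTo-Json -Depth 5

# PUT is idempotent here: re-running the script after a commit overwrites the watchlist.
$resp = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body
if ($resp.StatusCode -notin 200, 201) {
    throw "Watchlist sync failed (HTTP $($resp.StatusCode)): $($resp.Content)"
}
"Watchlist '$Alias' synced from $CsvPath (HTTP $($resp.StatusCode))"
```

Because the whole CSV is replaced on every run, a CI job triggered by commits to the watchlist folder gives the VCS-as-source-of-truth behaviour the question describes, and the header check stops a renamed key column from silently breaking the lookup in analytics rules.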
