This example brings together various examples I've used on this site to show how Incidents from Microsoft Sentinel can be queried using PowerShell. References to pages that demonstrate the utilised code are at the bottom of this article.
A core example of the code is below
When writing data to Log Analytics, data needs to be signed.
In a previous post (PowerShell Function - Write Data to Log Analytics | Laurie Rhodes' Info ) I showed how submit data to a workspace using Powershell and APIs. This function is used to get the signature for the data being posted.
This code snippet retreieves a set period of Incidents from Microsoft Sentinel.
It's useful for trying to automate enrichment activities related to that particular alert / incident.
This example uses PowerShell to write a JSON data file into Log Analytics (and Microsoft Sentinel).
Note this uses a second function "Get-Signature" for signing the data being written to the workspace. That function can be viewed here:
PowerShell Function - Create Signature for writing Log Analytics data | Laurie Rhodes' Info
This code snippet demonstrates how to run a Kusto query against Azure Data Explorer (ADX) using PowerShell.
The code snippet below shows how to run Resource Graph queries with PowerShell. The example uses a custom PowerShell class that may be used for streaming objects back to a Log Analytics workspace.
Azure’s ARM templates have been a rite of passage for all Azure engineers. No one who has been working with the cloud at any depth will be without late-night stories of frustration. The Azure Resource Manager is a service that accepts specially constructed JSON templates and uses those templates to provision each object represented within.
Every object in Azure is identified by a unique, hierarchy-based Resource ID.
Every object type has an associated range of different API versions that act as different schemas for that object type.
This example uses PowerShell and REST for connecting to the Azure Management API for managing the cloud platform.
This example uses the Password grant type (Username and Password) for connecting to Azure.
Azure allows Virtual Machine extension objects to be attached to provisioned virtual machines. As they are objects, they may be declared directly with Resource Manager templates.
