I would like to share my collection of PowerShell based Kusto Schema Tools with the community. The tools are written to managing data interchange between Azure Data Explorer (ADX), EventHouse and Microsoft Sentinel.

Microsoft Sentinel is inherently designed as a portal application, providing Security Operations staff with the ability to swiftly create new detections using the data sets they manage.

I've been working extensively with Azure Monitor table schemas recently. In preparation for the deprecation of the legacy API data ingestion method for Log Analytics workspaces, I needed a simple method to recreate custom log tables as Data Collection Rule (DCR)-based tables while also migrating them to a new workspace.

 The following script provides an example of using PowerShell to directly query Azure Data Explorer Records using REST.

Prerequisites

You will also need to ensure that the Application you use is granted the Database Viewer role permission.   This role can be added through the portal on the database Overview -> Permissions -> Add.   Note that ADX does not support table level viewer permissions.  

This example brings together various examples I've used on this site to show how Incidents from Microsoft Sentinel can be queried using PowerShell.  References to pages that demonstrate the utilised code are at the bottom of this article.

A core example of the code is below

When writing data to Log Analytics, data needs to be signed.

In a previous post (PowerShell Function - Write Data to Log Analytics | Laurie Rhodes' Info ) I showed how submit data to a workspace using Powershell and APIs.  This function is used to get the signature for the data being posted.

 This code snippet retreieves a set period of Incidents from Microsoft Sentinel.  

It's useful for trying to automate enrichment activities related to that particular alert / incident.

This example uses PowerShell to write a JSON data file into Log Analytics (and Microsoft Sentinel).

Note this uses a second function "Get-Signature" for signing the data being written to the workspace.  That function can be viewed here:

PowerShell Function - Create Signature for writing Log Analytics data | Laurie Rhodes' Info

Azure’s ARM templates have been a rite of passage for all Azure engineers.  No one who has been working with the cloud at any depth will be without late-night stories of frustration.  The Azure Resource Manager is a service that accepts specially constructed JSON templates and uses those templates to provision each object represented within.

Every object in Azure is identified by a unique, hierarchy-based Resource ID.

Every object type has an associated range of different API versions that act as different schemas for that object type.