December 2020 - Dr. Ware Technology Services

New Year – New Official Azure Sentinel PowerShell Module!

by Contributed | Dec 31, 2020 | Technology

This article is contributed. See the original author and article here.

Happy New Year everyone!

With the new year comes a new Azure Sentinel PowerShell module!

Based on the Azure SDK for .NET and part of the Azure (Az) module, we are announcing the public preview release of the SecurityInsights PowerShell module.

Because this is an official supported PowerShell module when we release it, the cmdlets are based on the Generally Available (GA) 2020-01-01 SecurityInsights API. As soon as features hit GA, we will update the SecurityInsights module to reflect that.

How to download and test

Prerequisites: the SecurityInsights module requires at a minimum PowerShell version 5.1 and relies on Az.Accounts for Azure authentication.

You can download the SecurityInsights PowerShell module from the PowerShellGallery and install it by using the PowerShell command Install-Module -Name Az

The available cmdlets can be explored by using Get-Command -Module

The SecurityInsights module supports the most common use cases, like interacting with incidents to change status, severity, owner, etc. But also, to add comments and labels to incidents and creating bookmarks.

Although using ARM templates is the preferred way for your CI/CD pipeline, the SecurityInsights module can be very useful for post deployment tasks and is specifically targeted to Security Operations Center (SOC) automation tasks. These tasks can vary from configuring data connectors, creating analytics rules, adding automation actions to analytics rules, etc.

Managing Incidents

Using the SecurityInsights module is straightforward and is parameter driven as most of the PowerShell modules. The common parameters are your Azure Sentinel workspace and resource group name. You can retrieve all your incidents using Get-AzSentinelIncident -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName or retrieve a specific incident by adding the parameter -IncidentId <yourIncidentId>

Note: the IncidentId is derived from the Name field as depicted below:

Assign an Incident Owner

Most of the cmdlets accept a string as a parameter, but some cmdlets require an input object. For example, to assign an owner to an incident you would first need to create the owner object.

The owner object requires the following mandatory object parameters:

AssignedTo – the owner full name

Email – the email address of the owner

ObjectId – the Azure Active Directory objectId of the owner

UserPrincipalName – the user principal name of the owner

There are a couple of ways to create an owner object, for example:

$ownerObject = @{"AssignedTo" = "Jeff Leatherman"; "Email" = "JeffL@contoso.com"; "ObjectId" = "f4e959b4-feda-4345-a1e7-16b4af2fc226";"UserPrincipalName" = "JeffL@contoso.com"}

After you have created the owner object, you can then pass it as a parameter to the cmdlet Update-AzSentinelIncident like this:

Update-AzSentinelIncident -ResourceGroupName <yourResourceGroupName> -WorkspaceName <yourWorkspaceName> -IncidentId a4b586c8-97d8-4cc5-9154-b723c62d26d8 -Owner $ownerObject

Closing an incident

In case you need to close an incident, you need to make sure that you are passing the valid closing classifications and classification reasons.

Valid closing incident classifications are:

Undetermined

TruePositive

BenignPositive

FalsePositive

Valid closing classification reasons are:

SuspiciousActivity

SuspiciousButExpected

IncorrectAlertLogic

InaccurateData

Example closing an incident:

Update-AzSentinelIncident -ResourceGroupName <yourResourceGroupName> -WorkspaceName <yourWorkspaceName> -IncidentID "a5977bae-2775-44d1-8381-a28f6f061954" -Classification FalsePositive  -ClassificationComment "my comment" -ClassificationReason InaccurateData -Status Closed

Configuring data connectors

The cmdlet New-AzSentinelDataConnector supports configuring and enabling Azure Sentinel data connectors. The current supported GA data connectors are:

Name	Description
AADDataConnector	Represents AAD (Azure Active Directory Identity Protection)
AATPDataConnector	Represents AATP (Azure Advanced Threat Protection)
ASCDataConnector	Represents ASC (Azure Security Center)
AwsCloudTrailDataConnector	Represents Amazon Web Services CloudTrail
MCASDataConnector	Represents MCAS (Microsoft Cloud App Security)
MDATPDataConnector	Represents MDATP (Microsoft Defender Advanced Threat Protection)
OfficeDataConnector	Represents Office 365
TIDataConnector	Represents threat intelligence data

The following example configures the Office 365 data connector:

New-AzSentinelDataConnector -ResourceGroupName "yourResourceGroupName" -WorkspaceName "yourWorkspaceName" -Office365 -Exchange "Enabled" -SharePoint “Enabled"

Some data connectors require more information, like the Azure Security Center data connector:

New-AzSentinelDataConnector -ResourceGroupName "yourResourceGroupName" -WorkspaceName "yourWorkspaceName" -AzureSecurityCenter -SubscriptionId <yourSubscriptionId> -Alerts Enabled

Exporting and importing analytics rules

The most common asked question that we get is how to export analytics rules and import those in another Azure Sentinel environment. This use case is specifically valid in a Dev-Test scenario where you want to have automation support to import your created analytics rules into production. To export your analytics rules you can leverage the Get-AzSentinelAlertRule cmdlet like in the following example:

$myRules = Get-AzSentinelAlertRule -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName
$myExportPath = "C:SentinelRulesExport"
$myExtension = ".json"
foreach($rule in $myRules){
    $ruleName = $rule.DisplayName
    $rule = $rule | ConvertTo-Json
    $rule | Out-File "$($myExportPath)$($ruleName)$($myExtension)"
}

This will export your analytics rules into a folder as JSON formatted files.

You can then edit the analytics rules or just import those into another Azure Sentinel environment using the following example:

$myImportPath = "C:SentinelRulesImport"
$myNewRules = Get-ChildItem $myImportPath -Filter *.json
foreach ($myNewRule in $myNewRules) {
    $myRuleObject = Get-Content -Path $myNewRule | ConvertFrom-Json
    New-AzSentinelAlertRule -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName `
        -Scheduled -DisplayName $myRuleObject.DisplayName -Description $myRuleObject.Description -Query $myRuleObject.Query `
        -QueryFrequency $myRuleObject.QueryFrequency.Ticks -QueryPeriod $myRuleObject.QueryPeriod.Ticks -Severity $myRuleObject.Severity -TriggerThreshold $myRuleObject.TriggerThreshold

Happy automating!

Azure Stack Hub operators: Prove you can bring cloud agility on-premises

by Contributed | Dec 31, 2020 | Technology

This article is contributed. See the original author and article here.

Azure Stack Hub, part of the Azure Stack portfolio, is an extension of Azure that enables you to bring the agility and fast-paced innovation of cloud computing to your on-premises environment. It extends the power of Azure so your organization can consistently build, deploy, and operate hybrid applications across cloud, datacenter, and edge locations. As an Azure Stack Hub operator, you can run your own autonomous cloud—partially or completely disconnected from the internet and public cloud—and you control access to your own data.

If this is your skill set, we have a new certification for you. The Microsoft Certified: Azure Stack Hub Operator Associate certification validates your expertise in this area and offers you the opportunity to prove your skills. To earn this certification, pass Exam AZ-600: Configuring and Operating a Hybrid Cloud with Microsoft Azure Stack Hub, currently in beta.

Is this the right certification for you?

If you’re an Azure administrator or Azure Stack Hub operator who provides cloud services to your end users or customers from within their own datacenter using Azure Stack Hub, you’re on the right path, especially if you plan, deploy, package, update, and maintain the Azure Stack Hub infrastructure. Your responsibilities also include offering hybrid cloud resources and requested services and managing infrastructure as a service (IaaS) and platform as a service (PaaS).

This certification could be a great fit if you have significant experience managing and operating Azure Stack Hub environments. You should also have a strong understanding of Azure, in addition to some knowledge of virtualization, networking, and identity management. And you need to understand how Azure Stack Hub enables DevOps processes and the hybrid development model.

Ready to prove your skills?

Take advantage of the discounted beta exam offer. The first 300 people who take Exam AZ-600 (beta) on or before February 2, 2021, can get 80% off market price!

To receive the discount, when you register for the exam and are prompted for payment, use code AZ600CASCADE. This is not a private access code. The seats are offered on a first-come, first-served basis. As noted, you must take the exam on or before February 2, 2021. Please note that this beta exam is not available in Turkey, Pakistan, India, or China.

Get ready to take Exam AZ-600 (beta):

Review the Exam AZ-600 (beta) exam page for details. The skills outline document alerts you to key topics covered on the exam.

Explore this Microsoft Tech community post for additional study material.

Want even more in-depth training? Connect with Microsoft Learning Partners in your area for in-person training.

Need other preparation ideas? Check out my blog post, Just How Does One Prepare for Beta Exams?

What about Exam 70-537?

If you’re preparing for Exam 70-537: Configuring and Operating a Hybrid Cloud with Microsoft Azure Stack Hub, which is an elective for Microsoft Certified Solutions Expert (MCSE): Core Infrastructure, remember that Exam 70-537 and the associated certification will be retired on January 31, 2021, so you’ll want to pass your exam by that date.

That being said, you should consider the new Azure Stack Hub Operator Associate certification—and Exam AZ-600 (beta) instead—to help you prove that your knowledge and skills in this specific job role are up to date.

Did you know that you can take any role-based exam online? Online delivered exams—taken from your home or office—can be less hassle, less stress, and even less worry than traveling to a test center—especially if you’re adequately prepared for what to expect. To find out more, check out my blog post Online proctored exams: What to expect and how to prepare.

When do you get your score?

The rescore process starts on the day an exam goes live, and final scores for beta exams are released approximately 10 days after that. For details on the timing of beta exam rescoring and results, read my post Creating high-quality exams: The path from beta to live. For more information, follow me on Twitter (@libertymunson).

Ready to get started?

Remember, the number of spots is limited to the first 300 candidates taking Exam AZ-600 (beta) on or before February 2, 2021.

Pass Exam AZ-600 (beta), earn your certification, and apply your Azure Stack Hub operator skills to working with Azure Stack Hub. Extend the reach of Azure, balance flexibility and control, and bring the fast-paced innovation of cloud computing to your on-premises environment. Plus, earn the recognition that can come with certification, as you manage modern applications in a hybrid cloud, bringing more agility to your workplace with this powerful extension of Azure.

Updating Microsoft Certifications: How we keep them relevant

Finding the right Microsoft Azure certification for you

Azure Stack Hub Operator certification – Az-600

by Contributed | Dec 31, 2020 | Technology

This article is contributed. See the original author and article here.

As we’re announcing the new Microsoft Certified: Azure Stack Hub Operator Associate certification and the Exam AZ-600: Configuring and Operating a Hybrid Cloud with Microsoft Azure Stack Hub (currently in beta – you can find more details on the announcement here, including how to access the 80% discount for the beta), we wanted to list some of the resources you can use to prepare, or refresh, you Azure Stack Hub Operator skills.

The exam page lists the skills requires and they are also outlined in the skills outline document. For the study materials, we have prepared a number of resources:

Azure-Stack-Hub-Foundation-Core/ASF-Training at master · Azure-Samples/Azure-Stack-Hub-Foundation-Core (github.com)
- This includes PowerPoint presentations covering topics from the fabric to PaaS services and ARM templates.
- Links to the videos that go with these presentations, where Azure Stack Hub subject matter experts walk you through each of the topics (approximately 20h of videos)
- And, once you completed the foundational training, there are hands-on workshops that aim to provide a starting point for building your operational knowledge.

Testing environments
- Ideally you should use an ASDK deployed in dedicated hardware.
- If this hardware isn’t available, you can also try using an Azure VM to deploy it – there is a community driven initiative (found in this repo) to help automate this process, driven by Yagmur Sahin
- Please note that because the ASDK is an evaluation environment, Microsoft Support does not provide any support. If you have any issues with the deployment please check the troubleshooting guide (https://docs.microsoft.com/azure-stack/asdk/asdk-troubleshooting).

We also recommend a good understanding of Azure Fundaments:
- Administer infrastructure resources in Azure: https://docs.microsoft.com/en-us/learn/paths/administer-infrastructure-resources-in-azure/
- Azure fundamentals: https://docs.microsoft.com/en-us/learn/paths/azure-fundamentals/
- Basic Understanding: PowerShell, ARM Templates, Desired State Configuration (DSC) – all these learning paths can be found in the https://docs.microsoft.com/en-us/learn/

Mark Grimes has published a while ago a set of links that help prepare for the 70-537 exam – while the exam is soon to be retired, these links provide good information that could also help with the new Az-600 exam. Have a look at the Azure Stack Operator Exam Links.