
#requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'}
#requires -version 6.2

enum CloseReason {

enum Severity {

enum Status {

enum Tactics {

enum TriggerOperator {

class AlertProp {

    [guid] $Name

    [string] $DisplayName

    [string] $Description

    [Severity] $Severity

    [bool] $Enabled

    [string] $Query

    [string] $QueryFrequency

    [string] $QueryPeriod


    [Int] $TriggerThreshold

    [string] $SuppressionDuration

    [bool] $SuppressionEnabled

    [Tactics[]] $Tactics

    [string] $PlaybookName

    static [string] TriggerOperatorSwitch([string]$value) {
        switch ($value) {
            "gt" { $value = "GreaterThan" }
            "lt" { $value = "LessThan" }
            "eq" { $value = "Equal" }
            "ne" { $value = "NotEqual" }
            default { $value }
        return $value

    AlertProp ($Name, $DisplayName, $Description, $Severity, $Enabled, $Query, $QueryFrequency, $QueryPeriod, $TriggerOperator, $TriggerThreshold, $suppressionDuration, $suppressionEnabled, $Tactics, $PlaybookName) {
        $ = $Name
        $this.DisplayName = $DisplayName
        $this.Description = $Description
        $this.Severity = $Severity
        $this.Enabled = $Enabled
        $this.Query = $Query
        $this.QueryFrequency = if ($QueryFrequency -like "PT*") { $QueryFrequency.ToUpper() } else { ("PT" + $QueryFrequency).ToUpper() }
        $this.QueryPeriod = if ($QueryPeriod -like "PT*") { $QueryPeriod.ToUpper() } else { ("PT" + $QueryPeriod).ToUpper() }
        $this.TriggerOperator = [AlertProp]::TriggerOperatorSwitch($TriggerOperator)
        $this.TriggerThreshold = $TriggerThreshold
        $this.SuppressionDuration = if ((! $null -eq $suppressionDuration) -or ( $false -eq $suppressionEnabled)) { if ($suppressionDuration -like "PT*") { $suppressionDuration.ToUpper() } else { ("PT" + $suppressionDuration).ToUpper() } } else { "PT1H" }
        $this.SuppressionEnabled = if ($suppressionEnabled) { $suppressionEnabled } else { $false }
        $this.Tactics = $Tactics
        $this.PlaybookName = $PlaybookName

class AlertRule {
    [guid] $Name

    [string] $Etag




    AlertRule ([guid]$Name, [string]$Etag, [AlertProp]$Properties, $Id) {

        $ = $Id
        $this.type = 'Microsoft.SecurityInsights/alertRules'
        $this.Name = $Name
        $this.Etag = $Etag
        $this.Properties = $Properties

function Compare-Policy {
    Compare PS Objects
    This function is used for comparison to see if a rule needs to be updated
    .PARAMETER ReferenceTemplate
    Reference template is the data of the AlertRule as active on Azure
    .PARAMETER DifferenceTemplate
    Difference template is data that is generated and will be uploaded to Azure
    Compare-Policy -ReferenceTemplate -DifferenceTemplate
    NAME: Compare-Policy

    param (
        # Reference value is the Online available

        # Difference template is the template that will be uploaded

    process {
        $objprops = $ReferenceTemplate | Get-Member -MemberType Property, NoteProperty | ForEach-Object Name
        $objprops += $DifferenceTemplate | Get-Member -MemberType Property, NoteProperty | ForEach-Object Name
        $objprops = $objprops | Sort-Object -Unique | Select-Object

        $diffs = @()

        foreach ($objprop in $objprops) {
            $diff = Compare-Object $ReferenceTemplate $DifferenceTemplate -Property $objprop
            if ($diff) {
                $diffprops = @{
                    PropertyName = $objprop
                    RefValue     = ($diff | Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object $($objprop))
                    DiffValue    = ($diff | Where-Object { $_.SideIndicator -eq '=>' } | ForEach-Object $($objprop))
                $diffs += New-Object PSObject -Property $diffprops
        if ($diffs) {
            return ($diffs | Select-Object PropertyName, RefValue, DiffValue)

function Get-AuthToken {
    Get Authorization Token
    This function is used to generate the Authtoken for API Calls

    param (


    try {
        $azContext = Get-AzContext

        if ($null -ne $azContext) {
            Write-Verbose -Message "Using Subscription: $($azContext.Subscription.Name) from tenant $($azContext.Tenant.Id)"

            $azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
            $profileClient = [Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient]::new($azProfile)
            $script:accessToken = $profileClient.AcquireAccessToken($azContext.Subscription.TenantId)
            $script:subscriptionId = $azContext.Subscription.Id
            $script:tenantId = $azContext.Tenant.Id
        } else {
            throw 'No subscription available, Please use Connect-AzAccount to login and select the right subscription'
    } catch {

function Get-AzSentinelPlayBook {
      Get Logic App Playbook
      This function is used for resolving the Logic App and testing the compability with Azure Sentinel
      .PARAMETER SubscriptionId
      Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
      .PARAMETER Name
      Enter the Logic App name
      Get-AzSentinelPlayBook -Name ""
      This example will get search for the Logic app within the current subscripbtio and test to see if it's compatible for Sentinel
      NAME: Get-AzSentinelPlayBook

    param (
        [Parameter(Mandatory = $false)]
        [string] $SubscriptionId,


    begin {

    process {

        $triggerName = 'When_a_response_to_an_Azure_Sentinel_alert_is_triggered'

        if ($SubscriptionId) {
            Write-Verbose "Getting LogicApp from Subscription $($subscriptionId)"
            $uri = "$($subscriptionId)/providers/Microsoft.Logic/workflows?api-version=2016-06-01"
        elseif ($script:subscriptionId) {
            Write-Verbose "Getting LogicApp from Subscription $($script:subscriptionId)"
            $uri = "$($script:subscriptionId)/providers/Microsoft.Logic/workflows?api-version=2016-06-01"
        else {
            $return = "No SubscriptionID provided"
            return $return

        try {
            $playBook = (Invoke-RestMethod -Uri $uri -Method get -Headers $script:authHeader).value | Where-Object { $ -eq $Name }

            if ($playBook){
                $uri1 = "$($$($triggerName)/listCallbackUrl?api-version=2016-06-01"
                try {
                    $playbookTrigger = (Invoke-RestMethod -Uri $uri1 -Method Post -Headers $script:authHeader)
                    $playbookTrigger | Add-Member -NotePropertyName ResourceId -NotePropertyValue $ -Force

                    return $playbookTrigger
                catch {
                    $return = "Playbook $($Name) doesn't start with 'When_a_response_to_an_Azure_Sentinel_alert_is_triggered' step! Error message: $($_.Exception.Message)"
                    Write-Error $return
            else {
                Write-Warning "Unable to find LogicApp $Name under Subscription Id: $($script:subscriptionId)"
        catch {
            $return = $_.Exception.Message
            Write-Error $return

function Get-LogAnalyticWorkspace {
    Get log analytic workspace
    This function is used by other function for getting the workspace infiormation and seting the right values for $script:workspace and $script:baseUri
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER FullObject
    If you want to return the full object data
    Get-LogAnalyticWorkspace -WorkspaceName ""
    This example will get the Workspace and set workspace and baseuri param on Script scope level
    Get-LogAnalyticWorkspace -WorkspaceName "" -FullObject
    This example will get the Workspace ands return the full data object
    Get-LogAnalyticWorkspace -SubscriptionId "" -WorkspaceName ""
    This example will get the workspace info from another subscrion than your "Azcontext" subscription
    NAME: Get-LogAnalyticWorkspace

  param (
    [Parameter(Mandatory = $false)]
    [string] $SubscriptionId,


    [Parameter(Mandatory = $false)]

  begin {

  process {
    if ($SubscriptionId) {
      Write-Verbose "Getting Worspace from Subscription $($subscriptionId)"
      $uri = "$($subscriptionId)/providers/Microsoft.OperationalInsights/workspaces?api-version=2015-11-01-preview"
    elseif ($script:subscriptionId) {
      Write-Verbose "Getting Worspace from Subscription $($script:subscriptionId)"
      $uri = "$($script:subscriptionId)/providers/Microsoft.OperationalInsights/workspaces?api-version=2015-11-01-preview"
    else {
      Write-Error "No SubscriptionID provided" -ErrorAction Stop

    $workspaces = Invoke-webrequest -Uri $uri -Method get -Headers $script:authHeader
    $workspaceObject = ($workspaces.Content | ConvertFrom-Json).value | Where-Object { $ -eq $WorkspaceName }

    if ($workspaceObject) {
      $Script:workspace = ($
      Write-Verbose "Workspace is: $($Script:workspace)"
      $script:baseUri = "$($Script:workspace)"
      if ($FullObject) { return $workspaceObject }
      Write-Verbose ($workspaceObject | Format-List | Format-Table | Out-String)
      Write-Verbose "Found Workspace $WorkspaceName in RG $($'/')[4])"
    else {
      Write-Error "Unable to find workspace $WorkspaceName under Subscription Id: $($script:subscriptionId)" -ErrorAction Stop

function precheck {
    This function is used as a precheck step by all the functions to test all the required authentication and properties.
    Run the test
    NAME: precheck

    if ($null -eq $script:accessToken) {
    } elseif ([datetime]::UtcNow.AddMinutes(5) -lt $script:accessToken.ExpiresOn.DateTime ) {
        # if token expires within 5 minutes, request a new one

    $script:authHeader = @{
        'Content-Type' = 'application/json'
        Authorization = 'Bearer ' + $script:accessToken.AccessToken

function Get-AzSentinelAlertRule {
      Get Azure Sentinel Alert Rules
      With this function you can get the configuration of the Azure Sentinel Alert rule from Azure Sentinel
      .PARAMETER SubscriptionId
      Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
      .PARAMETER WorkspaceName
      Enter the Workspace name
      .PARAMETER RuleName
      Enter the name of the Alert rule
      Get-AzSentinelAlertRule -WorkspaceName "" -RuleName "",""
      In this example you can get configuration of multiple alert rules in once

    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [string] $SubscriptionId,


        [Parameter(Mandatory = $false,

    begin {

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
        Get-LogAnalyticWorkspace @arguments

        $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules?api-version=2019-01-01-preview"
        Write-Verbose -Message "Using URI: $($uri)"

        try {
            $alertRules = Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader
        catch {
            Write-Verbose $_
            Write-Error "Unable to get alert rules with error code: $($_.Exception.Message)" -ErrorAction Stop

        $return = @()

        if ($alertRules.value) {
            Write-Verbose "Found $($alertRules.value.count) Alert rules"

            if ($RuleName.Count -ge 1) {
                foreach ($rule in $RuleName) {
                    [PSCustomObject]$temp = $alertRules.value | Where-Object { $ -eq $rule }
                    if ($null -ne $temp) {

                        $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId ($

                        if ($playbook) {
                            $playbookName = ($'/')[-1]
                        else {
                            $playbookName = ""

                        $ | Add-Member -NotePropertyName name -NotePropertyValue $ -Force
                        $ | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force
                        $ | Add-Member -NotePropertyName id -NotePropertyValue $ -Force
                        $ | Add-Member -NotePropertyName playbookName -NotePropertyValue $playbookName -Force

                        $return += $
                    else {
                        Write-Error "Unable to find Rule: $rule"
                return $return
            else {
                $alertRules.value | ForEach-Object {
                    $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId ($

                    if ($playbook) {
                        $playbookName = ($'/')[-1]
                    else {
                        $playbookName = ""
                    $ | Add-Member -NotePropertyName name -NotePropertyValue $ -Force
                    $ | Add-Member -NotePropertyName playbookName -NotePropertyValue $playbookName -Force

                    return $
        else {
            Write-Warning "No rules found on $($WorkspaceName)"

function Get-AzSentinelAlertRuleAction {
      Get Azure Sentinel Alert rule Action
      This function can be used to see if an action is attached to the alert rule, if so then the configuration will be returned
      .PARAMETER SubscriptionId
      Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
      .PARAMETER WorkspaceName
      Enter the Workspace name
      .PARAMETER RuleName
      Enter the name of the Alert rule
      .PARAMETER RuleId
      Enter the Rule Id to skip Get-AzSentinelAlertRule step
      Get-AzSentinelAlertRuleAction -WorkspaceName "" -RuleName "testrule01"
      This example will get the Workspace ands return the full data object
      NAME: Get-AzSentinelAlertRuleAction

    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [string] $SubscriptionId,

        [string] $WorkspaceName,

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

    begin {

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName

        if ($RuleName) {
            $alertId = (Get-AzSentinelAlertRule @arguments -RuleName $RuleName).name
        elseif ($RuleId) {
            $alertId = $RuleId
        else {
            Write-Error "No Alert Name or ID is provided"

        if ($alertId) {
            $uri = "$($Script:baseUri)/providers/Microsoft.SecurityInsights/alertRules/$($alertId)/actions?api-version=2019-01-01-preview"
            try {
                $return = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader).value
                return $return
            catch {
                $return = $_.Exception.Message
                return $return
        else {
            $return = "No Alert found with provided: $($alertId)"
            return $return

function Get-AzSentinelHuntingRule {
    Get Azure Sentinel Hunting rule
    With this function you can get the configuration of the Azure Sentinel Hunting rule from Azure Sentinel
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER RuleName
    Enter the name of the Hunting rule name
    .PARAMETER Filter
    Select which type of Hunting rules you want to see. Option: HuntingQueries, GeneralExploration, LogManagement
    Get-AzSentinelHuntingRule -WorkspaceName "" -RuleName "",""
    In this example you can get configuration of multiple Hunting rules
    Get-AzSentinelHuntingRule -WorkspaceName ""
    In this example you can get a list of all the Hunting rules in once

    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [string] $SubscriptionId,


        [Parameter(Mandatory = $false,

        [Parameter(Mandatory = $false,

    begin {

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
        Get-LogAnalyticWorkspace @arguments

        $uri = "$script:baseUri/savedSearches?api-version=2017-04-26-preview"

        Write-Verbose -Message "Using URI: $($uri)"

        try {
            if ($Filter) {
                $huntingRules = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader) | Where-Object $_.Category -eq $Filter
            else {
                $huntingRules = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader)

        catch {
            Write-Verbose $_
            Write-Error "Unable to get hunting rules with error code: $($_.Exception.Message)" -ErrorAction Stop

        $return = @()

        if ($huntingRules.value) {
            Write-Verbose "Found $($huntingRules.value.count) hunting rules"
            if ($RuleName.Count -ge 1) {
                foreach ($rule in $RuleName) {
                    [PSCustomObject]$temp = $huntingRules.value | Where-Object { $_.displayName -eq $rule }
                    if ($null -ne $temp) {
                        $ | Add-Member -NotePropertyName name -NotePropertyValue $ -Force
                        $ | Add-Member -NotePropertyName id -NotePropertyValue $ -Force
                        $ | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force

                        $return += $temp.Properties
                    else {
                        Write-Warning "Unable to find hunting rule: $rule"
                return $return
            else {
                $huntingRules.value | ForEach-Object {
                    $ | Add-Member -NotePropertyName name -NotePropertyValue $ -Force
                    $ | Add-Member -NotePropertyName id -NotePropertyValue $ -Force
                    $ | Add-Member -NotePropertyName etag -NotePropertyValue $_.etag -Force
                    return $
        else {
            Write-Warning "No hunting rules found on $($WorkspaceName)"

function Get-AzSentinelIncident {
    Get Azure Sentinel Incident
    With this function you can get a list of open incidents from Azure Sentinel.
    You can can also filter to Incident with speciefiek case namber or Case name
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER IncidentName
    Enter incident name, this is the same name as the alert rule that triggered the incident
    .PARAMETER CaseNumber
    Enter the case number to get specfiek details of a open case
    Use -All switch to get a list of all the incidents
    Get-AzSentinelIncident -WorkspaceName ""
    Get a list of the last 200 Incidents
    Get-AzSentinelIncident -WorkspaceName "" -All
    Get a list of all Incidents
    Get-AzSentinelIncident -WorkspaceName "" -CaseNumber
    Get information of a specifiek incident with providing the casenumber
    Get-AzSentinelIncident -WorkspaceName "" -IncidentName "", ""
    Get information of one or more incidents with providing a incident name, this is the name of the alert rule that triggered the incident

    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [string] $SubscriptionId,


        [Parameter(Mandatory = $false,

        [Parameter(Mandatory = $false,

        [Parameter(Mandatory = $false,

    begin {

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
        Get-LogAnalyticWorkspace @arguments

        $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/Cases?api-version=2019-01-01-preview"
        Write-Verbose -Message "Using URI: $($uri)"

        try {
            $incidentRaw = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader)
            $incident += $incidentRaw.value

            if ($All){
                while ($incidentRaw.nextLink) {
                    $incidentRaw = (Invoke-RestMethod -Uri $($incidentRaw.nextLink) -Headers $script:authHeader -Method Get)
                    $incident += $incidentRaw.value
        catch {
            Write-Verbose $_
            Write-Error "Unable to get incidents with error code: $($_.Exception.Message)" -ErrorAction Stop

        $return = @()

        if ($incident) {
            Write-Verbose "Found $($incident.count) incidents"

            if ($IncidentName.Count -ge 1) {
                foreach ($rule in $IncidentName) {
                    [PSCustomObject]$temp = $incident | Where-Object { $ -eq $rule }

                    if ($null -ne $temp) {
                        $ | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force
                        $ | Add-Member -NotePropertyName name -NotePropertyValue $ -Force
                        $return += $
                    else {
                        Write-Error "Unable to find incident: $rule"
                return $return
            elseif ($CaseNumber.Count -ge 1) {
                foreach ($rule in $CaseNumber) {
                    [PSCustomObject]$temp = $incident | Where-Object { $ -eq $rule }

                    if ($null -ne $temp) {
                        $ | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force
                        $ | Add-Member -NotePropertyName name -NotePropertyValue $ -Force
                        $return += $
                    else {
                        Write-Error "Unable to find incident: $rule"
                return $return
            else {
                $incident | ForEach-Object {
                    $ | Add-Member -NotePropertyName etag -NotePropertyValue $_.etag -Force
                    $ | Add-Member -NotePropertyName name -NotePropertyValue $ -Force
                return $
        else {
            Write-Warning "No incident found on $($WorkspaceName)"

function Import-AzSentinelAlertRule {
    Import Azure Sentinal Alert rule
    This function imports Azure Sentinal Alert rules from JSON and YAML config files.
    This way you can manage your Alert rules dynamic from JSON or multiple YAML files
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER SettingsFile
    Path to the JSON or YAML file for the AlertRules
    Import-AzSentinelAlertRule -WorkspaceName "" -SettingsFile ".\examples\AlertRules.json"
    In this example all the rules configured in the JSON file will be created or updated

    Performing the operation "Import-AzSentinelAlertRule" on target "Do you want to update profile: AlertRule01".
    [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Yes"):
    Successfully created Action for Rule: with Playbook pkmsentinel Status: Created
    Successfully updated rule: AlertRule01 with status: OK

    Name : b6103d42-xxx-4f35-xxx-c76a7f31ee4e
    DisplayName : AlertRule01
    Description :
    Severity : Medium
    Enabled : True
    Query : SecurityEvent | where EventID == "4688" | where CommandLine contains "-noni -ep bypass $"
    QueryFrequency : PT5H
    QueryPeriod : PT6H
    TriggerOperator : GreaterThan
    TriggerThreshold : 5
    SuppressionDuration : PT6H
    SuppressionEnabled : False
    Tactics : {Persistence, LateralMovement, Collection}
    PlaybookName : Playbook01

    Import-AzSentinelAlertRule -WorkspaceName "" -SettingsFile ".\examples\SuspectApplicationConsent.yaml"
    In this example all the rules configured in the YAML file will be created or updated
    Get-Item .\examples\*.json | Import-AzSentinelAlertRule -WorkspaceName ""
    In this example you can select multiple JSON files and Pipeline it to the SettingsFile parameter

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [string] $SubscriptionId,

        [string] $WorkspaceName,

        [Parameter(Mandatory, ValueFromPipeline)]
        [ValidateScript( { (Test-Path -Path $_) -and ($_.Extension -in '.json', '.yaml', '.yml') })]
        [System.IO.FileInfo] $SettingsFile

    begin {

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
        #Get-LogAnalyticWorkspace @arguments

        if ($SettingsFile.Extension -eq '.json') {
            try {
                $analytics = (Get-Content $SettingsFile -Raw | ConvertFrom-Json -ErrorAction Stop).analytics
                Write-Verbose -Message "Found $($analytics.count) rules"
            catch {
                Write-Verbose $_
                Write-Error -Message 'Unable to convert JSON file' -ErrorAction Stop
        elseif ($SettingsFile.Extension -in '.yaml', 'yml') {
            try {
                $analytics = [pscustomobject](Get-Content $SettingsFile -Raw | ConvertFrom-Yaml -ErrorAction Stop)
                $analytics | Add-Member -MemberType NoteProperty -Name DisplayName -Value $
                Write-Verbose -Message 'Found compatibel yaml file'
            catch {
                Write-Verbose $_
                Write-Error -Message 'Unable to convert yaml file' -ErrorAction Stop

        foreach ($item in $analytics) {
            Write-Verbose -Message "Started with rule: $($item.displayName)"

            $guid = (New-Guid).Guid

            try {
                Write-Verbose -Message "Get rule $($item.description)"
                $content = Get-AzSentinelAlertRule @arguments -RuleName $($item.displayName) -ErrorAction SilentlyContinue

                if ($content) {
                    Write-Output "Rule $($item.displayName) exists in Azure Sentinel"

                    $item | Add-Member -NotePropertyName name -NotePropertyValue $ -Force
                    $item | Add-Member -NotePropertyName etag -NotePropertyValue $content.etag -Force
                    $item | Add-Member -NotePropertyName Id -NotePropertyValue $ -Force

                    $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($"
                else {
                    Write-Verbose -Message "Rule $($item.displayName) doesn't exists in Azure Sentinel"

                    $item | Add-Member -NotePropertyName name -NotePropertyValue $guid -Force
                    $item | Add-Member -NotePropertyName etag -NotePropertyValue $null -Force
                    $item | Add-Member -NotePropertyName Id -NotePropertyValue "$script:Workspace/providers/Microsoft.SecurityInsights/alertRules/$guid" -Force
                    $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($guid)?api-version=2019-01-01-preview"
            catch {
                Write-Verbose $_
                Write-Error "Unable to connect to APi to get Analytic rules with message: $($_.Exception.Message)" -ErrorAction Stop

            try {
                $bodyAlertProp = [AlertProp]::new(
                $body = [AlertRule]::new( $, $item.etag, $bodyAlertProp, $item.Id)

            catch {
                Write-Error "Unable to initiate class with error: $($_.Exception.Message)" -ErrorAction Continue

            if ($content) {
                if ($item.playbookName) {
                    $compareResult = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name)
                else {
                    $compareResult = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id, PlaybookName) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name, PlaybookName)
                if ($compareResult) {
                    Write-Output "Found Differences for rule: $($item.displayName)"
                    Write-Output ($compareResult | Format-Table | Out-String)

                    if ($PSCmdlet.ShouldProcess("Do you want to update profile: $($body.Properties.DisplayName)")) {
                        try {
                            $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | Select-Object * -ExcludeProperty Properties.PlaybookName | ConvertTo-Json -EnumsAsStrings)

                            if (($compareResult | Where-Object PropertyName -eq "playbookName").DiffValue) {
                                New-AzSentinelAlertRuleAction @arguments -PlayBookName ($body.Properties.playbookName) -RuleId $($body.Name)
                            elseif (($compareResult | Where-Object PropertyName -eq "playbookName").RefValue) {
                                Remove-AzSentinelAlertRuleAction @arguments -RuleId $($body.Name) -Confirm:$false
                            else {
                            Write-Output "Successfully updated rule: $($item.displayName) with status: $($result.StatusDescription)"
                            Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                        catch {
                            Write-Verbose $_
                            Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Continue
                    else {
                        Write-Output "No change have been made for rule $($item.displayName), deployment aborted"
                else {
                    Write-Output "Rule $($item.displayName) is compliance, nothing to do"
                    Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
            else {
                Write-Verbose "Creating new rule: $($item.displayName)"

                try {
                    $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | Select-Object * -ExcludeProperty Properties.PlaybookName | ConvertTo-Json -EnumsAsStrings)
                    if ($body.Properties.playbookName) {
                        New-AzSentinelAlertRuleAction @arguments -PlayBookName $($body.Properties.playbookName) -RuleId $($body.Properties.Name) -confirm:$false

                    Write-Output "Successfully created rule: $($item.displayName) with status: $($result.StatusDescription)"
                    Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                catch {
                    Write-Verbose $_
                    Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Continue

function Import-AzSentinelHuntingRule {
    Import Azure Sentinal Hunting rule
    This function imports Azure Sentinal Hunnting rules from JSON and YAML config files.
    This way you can manage your Hunting rules dynamic from JSON or multiple YAML files
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER SettingsFile
    Path to the JSON or YAML file for the Hunting rules
    Import-AzSentinelHuntingRule -WorkspaceName "infr-weu-oms-t-7qodryzoj6agu" -SettingsFile ".\examples\HuntingRules.json"
    In this example all the rules configured in the JSON file will be created or updated
    Import-AzSentinelHuntingRule -WorkspaceName "" -SettingsFile ".\examples\HuntingRules.yaml"
    In this example all the rules configured in the YAML file will be created or updated
    Get-Item .\examples\HuntingRules*.json | Import-AzSentinelHuntingRule -WorkspaceName ""
    In this example you can select multiple JSON files and Pipeline it to the SettingsFile parameter

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [string] $SubscriptionId,

        [string] $WorkspaceName,

        [Parameter(Mandatory, ValueFromPipeline)]
        [ValidateScript( { (Test-Path -Path $_) -and ($_.Extension -in '.json', '.yaml', '.yml') })]
        [System.IO.FileInfo] $SettingsFile

    begin {

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
        Get-LogAnalyticWorkspace @arguments

        $item = @{ }

        if ($SettingsFile.Extension -eq '.json') {
            try {
                $analytics = (Get-Content $SettingsFile -Raw | ConvertFrom-Json -ErrorAction Stop).analytics
                Write-Verbose -Message "Found $($analytics.count) rules"
            catch {
                Write-Verbose $_
                Write-Error -Message 'Unable to convert JSON file' -ErrorAction Stop
        elseif ($SettingsFile.Extension -in '.yaml', 'yml') {
            try {
                $analytics = [pscustomobject](Get-Content $SettingsFile -Raw | ConvertFrom-Yaml -ErrorAction Stop)
                $analytics | Add-Member -MemberType NoteProperty -Name DisplayName -Value $
                Write-Verbose -Message 'Found compatibel yaml file'
            catch {
                Write-Verbose $_
                Write-Error -Message 'Unable to convert yaml file' -ErrorAction Stop

        foreach ($item in $analytics) {
            Write-Output "Started with Hunting rule: $($item.displayName)"

            try {
                Write-Verbose -Message "Get rule $($item.description)"
                $content = Get-AzSentinelHuntingRule @arguments -RuleName $($item.displayName) -WarningAction SilentlyContinue

                if ($content) {
                    Write-Verbose -Message "Hunting rule $($item.displayName) exists in Azure Sentinel"

                    $item | Add-Member -NotePropertyName name -NotePropertyValue $ -Force
                    $item | Add-Member -NotePropertyName etag -NotePropertyValue $content.etag -Force
                    $item | Add-Member -NotePropertyName Id -NotePropertyValue $ -Force

                    $uri = "$script:baseUri/savedSearches/$($"
                else {
                    Write-Verbose -Message "Hunting rule $($item.displayName) doesn't exists in Azure Sentinel"

                    $guid = (New-Guid).Guid

                    $item | Add-Member -NotePropertyName name -NotePropertyValue $guid -Force
                    $item | Add-Member -NotePropertyName etag -NotePropertyValue $null -Force
                    $item | Add-Member -NotePropertyName Id -NotePropertyValue "$script:Workspace/savedSearches/$guid" -Force

                    $uri = "$script:baseUri/savedSearches/$($guid)?api-version=2017-04-26-preview"
            catch {
                Write-Verbose $_
                Write-Error "Unable to connect to APi to get Analytic rules with message: $($_.Exception.Message)" -ErrorAction Stop

            [PSCustomObject]$body = @{
                "name"       = $
                "eTag"       = $item.etag
                "id"         = $
                "properties" = @{
                    'Category'             = 'Hunting Queries'
                    'DisplayName'          = [string]$item.displayName
                    'Query'                = [string]$item.query
                    [pscustomobject]'Tags' = @(
                            'Name'  = "description"
                            'Value' = [string]$item.description
                            "Name"  = "tactics"
                            "Value" = [Tactics[]] $item.tactics -join ','
                            "Name"  = "createdBy"
                            "Value" = ""
                            "Name"  = "createdTimeUtc"
                            "Value" = ""

            if ($content) {
                $compareResult1 = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id, Tags, Version) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name, Tags, Version)
                $compareResult2 = Compare-Policy -ReferenceTemplate ($content.Tags | Where-Object { $ -eq "tactics" }) -DifferenceTemplate ($body.Properties.Tags | Where-Object { $ -eq "tactics" })
                $compareResult = [PSCustomObject]$compareResult1 + [PSCustomObject]$compareResult2

                if ($compareResult) {
                    Write-Output "Found Differences for hunting rule: $($item.displayName)"
                    Write-Output ($compareResult | Format-Table | Out-String)

                    if ($PSCmdlet.ShouldProcess("Do you want to update hunting rule: $($body.Properties.DisplayName)")) {
                        try {
                            $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
                            Write-Output "Successfully updated hunting rule: $($item.displayName) with status: $($result.StatusDescription)"
                            Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                        catch {
                            Write-Verbose $_
                            Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Continue
                    else {
                        Write-Output "No change have been made for hunting rule $($item.displayName), deployment aborted"
                else {
                    Write-Output "Hunting rule $($item.displayName) is compliance, nothing to do"
                    Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
            else {
                Write-Verbose "Creating new rule: $($item.displayName)"

                try {
                    $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
                    Write-Output "Successfully created hunting rule: $($item.displayName) with status: $($result.StatusDescription)"
                    Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                catch {
                    Write-Verbose $_
                    Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Continue

function New-AzSentinelAlertRule {
    Create Azure Sentinal Alert Rules
    Use this function creates Azure Sentinal Alert rules from provided CMDLET
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER DisplayName
    Enter the Display name for the Alert rule
    .PARAMETER Description
    Enter the Description for the Alert rule
    .PARAMETER Severity
    Enter the Severity, valid values: Medium", "High", "Low", "Informational"
    .PARAMETER Enabled
    Set $true to enable the Alert Rule or $false to disable Alert Rule
    .PARAMETER Query
    Enter the Query that you want to use
    .PARAMETER QueryFrequency
    Enter the query frequency, example: 5H or 5M (H stands for Hour and M stands for Minute)
    .PARAMETER QueryPeriod
    Enter the quury period, exmaple: 5H or 5M (H stands for Hour and M stands for Minute)
    .PARAMETER TriggerOperator
    Select the triggert Operator, valid values are: "GreaterThan", "FewerThan", "EqualTo", "NotEqualTo"
    .PARAMETER TriggerThreshold
    Enter the trigger treshold
    .PARAMETER SuppressionDuration
    Enter the suppression duration, example: 5H or 5M (H stands for Hour and M stands for Minute)
    .PARAMETER SuppressionEnabled
    Set $true to enable Suppression or $false to disable Suppression
    .PARAMETER Tactics
    Enter the Tactics, valid values: "InitialAccess", "Persistence", "Execution", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "LateralMovement", "Discovery", "Collection", "Exfiltration", "CommandAndControl", "Impact"
    .PARAMETER PlaybookName
    Enter the Logic App name that you want to configure as playbook trigger
    New-AzSentinelAlertRule -WorkspaceName "" -DisplayName "" -Description "" -Severity -Enabled $true -Query '' -QueryFrequency "" -QueryPeriod "" -TriggerOperator -TriggerThreshold -SuppressionDuration "" -SuppressionEnabled $false -Tactics @("","") -PlaybookName ""
    In this example you create a new Alert rule by defining the rule properties from CMDLET

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [string] $SubscriptionId,

        [string] $WorkspaceName,

        [string] $DisplayName,

        [string] $Description,

        [Severity] $Severity,

        [bool] $Enabled,

        [string] $Query,

        [string] $QueryFrequency,

        [string] $QueryPeriod,

        [TriggerOperator] $TriggerOperator,

        [Int] $TriggerThreshold,

        [string] $SuppressionDuration,

        [bool] $SuppressionEnabled,

        [Tactics[]] $Tactics,

        [Parameter(Mandatory = $false)]
        [string] $PlaybookName = $null

    begin {
    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
        Get-LogAnalyticWorkspace @arguments

        $item = @{ }

        Write-Verbose -Message "Creating new rule: $($DisplayName)"
        try {
            Write-Verbose -Message "Get rule $DisplayName"
            $content = Get-AzSentinelAlertRule @arguments -RuleName $DisplayName -ErrorAction SilentlyContinue

            if ($content) {
                Write-Verbose -Message "Rule $($DisplayName) exists in Azure Sentinel"

                $item | Add-Member -NotePropertyName name -NotePropertyValue $ -Force
                $item | Add-Member -NotePropertyName etag -NotePropertyValue $content.eTag -Force
                $item | Add-Member -NotePropertyName Id -NotePropertyValue $ -Force

                $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($"
            else {
                Write-Verbose -Message "Rule $($DisplayName) doesn't exists in Azure Sentinel"

                $guid = (New-Guid).Guid

                $item | Add-Member -NotePropertyName name -NotePropertyValue $guid -Force
                $item | Add-Member -NotePropertyName etag -NotePropertyValue $null -Force
                $item | Add-Member -NotePropertyName Id -NotePropertyValue "$script:Workspace/providers/Microsoft.SecurityInsights/alertRules/$guid" -Force

                $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($guid)?api-version=2019-01-01-preview"
        catch {
            Write-Verbose $_
            Write-Error "Unable to connect to APi to get Analytic rules with message: $($_.Exception.Message)" -ErrorAction Stop

        try {
            $bodyAlertProp = [AlertProp]::new(
            $body = [AlertRule]::new( $, $item.etag, $bodyAlertProp, $item.Id)
        catch {
            Write-Error "Unable to initiate class with error: $($_.Exception.Message)" -ErrorAction Stop

        if ($content) {
            if ($PlaybookName) {
                $compareResult = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name)
            else {
                $compareResult = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id, PlaybookName) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name, PlaybookName)
            }            if ($compareResult) {
                Write-Output "Found Differences for rule: $($DisplayName)"
                Write-Output ($compareResult | Format-Table | Out-String)

                if ($PSCmdlet.ShouldProcess("Do you want to update profile: $($body.Properties.DisplayName)")) {
                    try {
                        $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -EnumsAsStrings)

                        if (($compareResult | Where-Object PropertyName -eq "playbookName").DiffValue) {
                            New-AzSentinelAlertRuleAction @arguments -PlayBookName ($body.Properties.playbookName) -RuleId $($body.Name)
                        elseif (($compareResult | Where-Object PropertyName -eq "playbookName").RefValue) {
                            Remove-AzSentinelAlertRuleAction @arguments -RuleId $($body.Name) -Confirm:$false
                        else {

                        Write-Output "Successfully updated rule: $($DisplayName) with status: $($result.StatusDescription)"
                        Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                    catch {
                        Write-Verbose $_
                        Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Stop
                else {
                    Write-Output "No change have been made for rule $($DisplayName), deployment aborted"
            else {
                Write-Output "Rule $($DisplayName) is compliance, nothing to do"
                Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
        else {
            Write-Verbose "Creating new rule: $($DisplayName)"

            try {
                $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -EnumsAsStrings)
                if (($body.Properties.PlaybookName)) {
                    New-AzSentinelAlertRuleAction @arguments -PlayBookName ($body.Properties.PlaybookName) -RuleId $($body.Properties.Name) -confirm:$false

                Write-Output "Successfully created rule: $($DisplayName) with status: $($result.StatusDescription)"
                Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
            catch {
                Write-Verbose $_
                Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Stop

function New-AzSentinelAlertRuleAction {
      Create Azure Sentinal Alert Rule Action
      Use this function to creates Azure Sentinal Alert rule action
      .PARAMETER SubscriptionId
      Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
      .PARAMETER WorkspaceName
      Enter the Workspace name
      .PARAMETER PlayBookName
      Enter the Playbook name that you want to assign to the alert rule
      .PARAMETER RuleName
      Enter the Alert Rule name that you want to configure
      .PARAMETER RuleId
      Enter the Alert Rule ID that you want to configure
      New-AzSentinelAlertRuleAction -WorkspaceName "" -PlayBookName "Playbook01" -RuleName "AlertRule01"
      New-AzSentinelAlertRuleAction -WorkspaceName "" -PlayBookName "Playbook01" -RuleId 'b6103d42-d2fb-4f35-xxx-c76a7f31ee4e'
      In this example you you assign the playbook to the Alert rule

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [string] $SubscriptionId,

        [string] $WorkspaceName,

        [string] $PlayBookName,

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]
    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName

        if ($RuleName) {
            $alertId = (Get-AzSentinelAlertRule @arguments -RuleName $RuleName -ErrorAction SilentlyContinue).name
        elseif ($RuleId) {
            $alertId = $RuleId
        else {
            Write-Error "No Alert Name or ID is provided"

        $action = $null

        if ($SubscriptionId) {
            $playBook = Get-AzSentinelPlayBook -SubscriptionId $SubscriptionId -Name $PlayBookName
        else {
            $playBook = Get-AzSentinelPlayBook -Name $PlayBookName

        $action = Get-AzSentinelAlertRuleAction @arguments -RuleId $alertId -ErrorAction SilentlyContinue

        if ($null -eq $action) {
            $guid = New-Guid

            $body = @{
                "id"         = "$($Script:baseUri)/providers/Microsoft.SecurityInsights/alertRules/$($alertId)/actions/$guid"
                "name"       = $guid
                "type"       = "Microsoft.SecurityInsights/alertRules/actions"
                "properties" = @{
                    "ruleId"             = $alertId
                    "triggerUri"         = $playBook.value
                    "logicAppResourceId" = $playBook.ResourceId

            $uri = "$($Script:baseUri)/providers/Microsoft.SecurityInsights/alertRules/$($alertId)/actions/$($guid)?api-version=2019-01-01-preview"
            try {
                $return = Invoke-WebRequest -Method Put -Uri $uri -Headers $Script:authHeader -Body ($body | ConvertTo-Json -Depth 10)
                Write-Output "Successfully created Action for Rule: $($RuleName) with Playbook $($PlayBookName) Status: $($return.StatusDescription)"
                return $return.StatusDescription
            catch {
                Write-Error "Unable to create Action for Rule: $($RuleName) with Playbook $($PlayBookName) Error: $($_.Exception.Message)"
                return $_.Exception.Message
                Write-Verbose $_.
        elseif ((($'/')[-1]) -eq $PlayBookName) {
            Write-Output "Alert Rule: $($alertId) has already playbook assigned: $(($'/')[-1])"
        elseif ((($'/')[-1]) -ne $PlayBookName) {
            Write-Output "Alert rule $($RuleName) assigned to a different playbook with name $(($'/')[-1])"
        else {

function New-AzSentinelHuntingRule {
    Create Azure Sentinal Hunting Rule
    Use this function to creates Azure Sentinal Hunting rule
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER DisplayName
    Enter the Display name for the hunting rule
    .PARAMETER Description
    Enter the Description for the hunting rule
    .PARAMETER Tactics
    Enter the Tactics, valid values: "InitialAccess", "Persistence", "Execution", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "LateralMovement", "Discovery", "Collection", "Exfiltration", "CommandAndControl", "Impact"
    .PARAMETER Query
    Enter the querry in KQL format
    New-AzSentinelHuntingRule -WorkspaceName "" -DisplayName "" -Description "" -Tactics "","" -Query ''
    In this example you create a new hunting rule by defining the rule properties from CMDLET

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [string] $SubscriptionId,

        [string] $WorkspaceName,

        [string] $DisplayName,

        [string] $Query,

        [string] $Description,

        [Tactics[]] $Tactics


    begin {
    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
        Get-LogAnalyticWorkspace @arguments

        $item = @{ }
        $content = $null
        $body = @{ }
        $compareResult1 = $null
        $compareResult2 = $null
        $compareResult = $null

        Write-Verbose -Message "Creating new Hunting rule: $($DisplayName)"

        try {
            Write-Verbose -Message "Get hunting rule $DisplayName"
            $content = Get-AzSentinelHuntingRule @arguments -RuleName $DisplayName -WarningAction SilentlyContinue

            if ($content) {
                Write-Verbose -Message "Hunting rule $($DisplayName) exists in Azure Sentinel"

                $item | Add-Member -NotePropertyName name -NotePropertyValue $ -Force
                $item | Add-Member -NotePropertyName etag -NotePropertyValue $content.eTag -Force
                $item | Add-Member -NotePropertyName Id -NotePropertyValue $ -Force

                $uri = "$script:baseUri/savedSearches/$($"
            else {
                Write-Verbose -Message "Hunting rule $($DisplayName) doesn't exists in Azure Sentinel"

                $guid = (New-Guid).Guid

                $item | Add-Member -NotePropertyName name -NotePropertyValue $guid -Force
                $item | Add-Member -NotePropertyName etag -NotePropertyValue $null -Force
                $item | Add-Member -NotePropertyName Id -NotePropertyValue "$script:Workspace/savedSearches/$guid" -Force

                $uri = "$script:baseUri/savedSearches/$($guid)?api-version=2017-04-26-preview"
        catch {
            Write-Verbose $_
            Write-Error "Unable to connect to APi to get Analytic rules with message: $($_.Exception.Message)" -ErrorAction Stop

        [PSCustomObject]$body = @{
            "name"       = $
            "eTag"       = $item.etag
            "id"         = $
            "properties" = @{
                'Category'             = 'Hunting Queries'
                'DisplayName'          = $DisplayName
                'Query'                = $Query
                [pscustomobject]'Tags' = @(
                        'Name'  = "description"
                        'Value' = $Description
                        "Name"  = "tactics"
                        "Value" = $Tactics -join ','
                        "Name"  = "createdBy"
                        "Value" = ""
                        "Name"  = "createdTimeUtc"
                        "Value" = ""

        #return $content
        if ($content) {
            $compareResult1 = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id, Tags, Version) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name, Tags, Version)
            $compareResult2 = Compare-Policy -ReferenceTemplate ($content.Tags | Where-Object { $ -eq "tactics" }) -DifferenceTemplate ($body.Properties.Tags | Where-Object { $ -eq "tactics" })
            $compareResult = [PSCustomObject]$compareResult1 + [PSCustomObject]$compareResult2

            if ($compareResult) {
                Write-Output "Found Differences for hunting rule: $($DisplayName)"
                Write-Output ($compareResult | Format-Table | Out-String)

                if ($PSCmdlet.ShouldProcess("Do you want to update hunting rule: $($DisplayName)")) {
                    try {
                        Write-Output ($ | Format-Table)

                        $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
                        Write-Output "Successfully updated hunting rule: $($DisplayName) with status: $($result.StatusDescription)"
                    catch {
                        Write-Verbose $_
                        Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Stop
                else {
                    Write-Output "No change have been made for rule $($DisplayName), deployment aborted"
            else {
                Write-Output "Hunting rule $($DisplayName) is compliance, nothing to do"
                Write-Output ($ | Format-Table)
        else {
            Write-Verbose "Creating new hunting rule: $($DisplayName)"

            try {

                $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
                Write-Output "Successfully created hunting rule: $($DisplayName) with status: $($result.StatusDescription)"
                Write-Output ($ | Format-Table)
            catch {
                Write-Verbose $_
                Write-Error "Unable to invoke webrequest with error message: $($_.Exception.Message)" -ErrorAction Stop

function Remove-AzSentinelAlertRule {
    Remove Azure Sentinal Alert Rules
    With this function you can remove Azure Sentinal Alert rules from Powershell, if you don't provide andy Rule name all rules will be removed
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER RuleName
    Enter the name of the rule that you wnat to remove
    Remove-AzSentinelAlertRule -WorkspaceName "" -RuleName ""
    In this example the defined rule will be removed from Azure Sentinel
    Remove-AzSentinelAlertRule -WorkspaceName "" -RuleName "","", ""
    In this example you can define multiple rules that will be removed
    Remove-AzSentinelAlertRule -WorkspaceName ""
    In this example no rule is specified, all rules will be removed one by one. For each rule you need to confirm the action

    [cmdletbinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [string] $SubscriptionId,


        [Parameter(Mandatory = $false,

    begin {

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
        Get-LogAnalyticWorkspace @arguments

        if ($RuleName) {
            # remove defined rules
            foreach ($rule in $RuleName) {
                $item = Get-AzSentinelAlertRule @arguments -RuleName $rule -WarningAction SilentlyContinue
                if ($item) {
                    $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($"

                    if ($PSCmdlet.ShouldProcess("Do you want to remove: $rule")) {
                        Write-Output $item
                        try {
                            $result = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader
                            Write-Output "Successfully removed rule: $($rule) with status: $($result.StatusDescription)"
                        catch {
                            Write-Verbose $_
                            Write-Error "Unable to remove rule: $($rule) with error message: $($_.Exception.Message)" -ErrorAction Continue
                    else {
                        Write-Output "No change have been made for rule: $rule"
                else {
                    Write-Warning "$rule not found in $WorkspaceName"
        else {
            Write-Warning "No Rule selected, All rules will be removed one by one!"
            Get-AzSentinelAlertRule @arguments | ForEach-Object {
                $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($"

                if ($PSCmdlet.ShouldProcess("Do you want to remove: $($_.displayName)")) {
                    try {
                        $result = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader
                        Write-Output "Successfully removed rule: $($_.displayName) with status: $($result.StatusDescription)"
                    catch {
                        Write-Verbose $_
                        Write-Error "Unable to remove rule: $($_.displayName) with error message: $($_.Exception.Message)" -ErrorAction Continue
                else {
                    Write-Output "No change have been made for rule: $($_.displayName)"

function Remove-AzSentinelAlertRuleAction {
      Remove Azure Sentinel Alert rule Action
      This function can be used to see if an action is attached to the alert rule, if so then the configuration will be returned
      .PARAMETER SubscriptionId
      Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
      .PARAMETER WorkspaceName
      Enter the Workspace name
      .PARAMETER RuleName
      Enter the name of the Alert rule
      .PARAMETER RuleId
      Enter the Alert Rule ID that you want to configure
      Remove-AzSentinelAlertRuleAction -WorkspaceName "" -RuleName "AlertRule01"
      This example will get the Workspace ands return the full data object
      NAME: Remove-AzSentinelAlertRuleAction

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [string] $SubscriptionId,

        [string] $WorkspaceName,

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

    begin {

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName

        if ($RuleName) {
            $result = Get-AzSentinelAlertRuleAction @arguments -RuleName $RuleName
        elseif ($RuleId) {
            $result = Get-AzSentinelAlertRuleAction @arguments -RuleId $RuleId
        else {
            Write-Error "No Alert Name or ID is provided"

        if ($result) {
            $uri = "$($Script:baseUri)/providers/Microsoft.SecurityInsights/alertRules/$($'asicustomalertsv3_')[-1])?api-version=2019-01-01-preview"
            Write-Verbose $uri

            if ($PSCmdlet.ShouldProcess("Do you want to remove Alert Rule action for rule: $($RuleName)")) {
                try {
                    $return = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader
                    Write-Verbose $return
                    Write-Output "Rule action $($'/')[-1]) removed for rule $($RuleName) with status: $($return.StatusCode)"
                    return $return.StatusCode
                catch {
                    Write-Verbose $_
                    return $_.Exception.Message
        else {
            Write-Output "No Alert Action found for Rule: $($RuleName)"

function Remove-AzSentinelHuntingRule {
    Remove Azure Sentinal Hunting Rules
    With this function you can remove Azure Sentinal hunting rules from Powershell, if you don't provide andy Hunting rule name all rules will be removed
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER RuleName
    Enter the name of the rule that you wnat to remove
    Remove-AzSentinelHuntingRule -WorkspaceName "" -RuleName ""
    In this example the defined hunting rule will be removed from Azure Sentinel
    Remove-AzSentinelHuntingRule -WorkspaceName "" -RuleName "","", ""
    In this example you can define multiple hunting rules that will be removed
    Remove-AzSentinelHuntingRule -WorkspaceName ""
    In this example no hunting rule is specified, all hunting rules will be removed one by one. For each rule you need to confirm the action

    [cmdletbinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [string] $SubscriptionId,


        [Parameter(Mandatory = $false,

    begin {

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
        Get-LogAnalyticWorkspace @arguments

        if ($RuleName) {
            # remove defined rules
            foreach ($rule in $RuleName) {
                $item = Get-AzSentinelHuntingRule @arguments -Filter 'HuntingQueries' -RuleName $rule
                if ($item) {
                    $uri = "$script:baseUri/savedSearches/$($"

                    if ($PSCmdlet.ShouldProcess("Do you want to remove: $rule")) {
                        Write-Output $item
                        try {
                            $result = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader
                            Write-Output "Successfully removed hunting rule: $($rule) with status: $($result.StatusDescription)"
                        catch {
                            Write-Verbose $_
                            Write-Error "Unable to remove rule: $($rule) with error message: $($_.Exception.Message)" -ErrorAction Continue
                    else {
                        Write-Output "No change have been made for hunting rule: $rule"
                else {
                    Write-Warning "Hunting rule $rule not found in $WorkspaceName"
        else {
            Write-Warning "No hunting rule selected, All hunting rules will be removed one by one!"
            Get-AzSentinelHuntingRule @arguments -Filter 'HuntingQueries' | ForEach-Object {
                $uri = "$script:baseUri/savedSearches/$($"
                if ($PSCmdlet.ShouldProcess("Do you want to remove: $($_.displayName)")) {
                    try {
                        $result = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader
                        Write-Output "Successfully removed hunting rule: $($_.displayName) with status: $($result.StatusDescription)"
                    catch {
                        Write-Verbose $_
                        Write-Error "Unable to remove rule: $($_.displayName) with error message: $($_.Exception.Message)" -ErrorAction Continue
                else {
                    Write-Output "No change have been made for hunting rule: $($_.displayName)"

function Set-AzSentinel {
    Enable Azure Sentinel
    This function enables Azure Sentinel on a existing Workspace
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    Set-AzSentinel -WorkspaceName ""
    This example will enable Azure Sentinel for the provided workspace

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [string] $SubscriptionId,


    begin {

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
        $workspaceResult = Get-LogAnalyticWorkspace @arguments -FullObject

        # Variables
        $errorResult = ''

        if ($ -eq 'Succeeded') {
            $body = @{
                'id'         = ''
                'etag'       = ''
                'name'       = ''
                'type'       = ''
                'location'   = $workspaceResult.location
                'properties' = @{
                    'workspaceResourceId' = $
                'plan'       = @{
                    'name'          = 'SecurityInsights($workspace)'
                    'publisher'     = 'Microsoft'
                    'product'       = 'OMSGallery/SecurityInsights'
                    'promotionCode' = ''
            $uri = "$(($Script:baseUri).Split('microsoft.operationalinsights')[0])Microsoft.OperationsManagement/solutions/SecurityInsights($WorkspaceName)?api-version=2015-11-01-preview"

            try {
                $solutionResult = Invoke-webrequest -Uri $uri -Method Get -Headers $script:authHeader
                Write-Output "Azure Sentinel is already enabled on $WorkspaceName and status is: $($solutionResult.StatusDescription)"
            catch {
                $errorReturn = $_
                $errorResult = ($errorReturn | ConvertFrom-Json ).error
                if ($errorResult.Code -eq 'ResourceNotFound') {
                    Write-Output "Azure Sentinetal is not enabled on workspace: $($WorkspaceName)"
                    try {
                        if ($PSCmdlet.ShouldProcess("Do you want to enable Sentinel for Workspace: $workspace")) {
                            $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json)
                            Write-Output "Successfully enabled Sentinel on workspae: $WorkspaceName with result code $($result.StatusDescription)"
                        else {
                            Write-Output "No change have been made for rule $WorkspaceName, deployment aborted"
                    catch {
                        Write-Verbose $_
                        Write-Error "Unable to enable Sentinel on $WorkspaceName with error message: $($_.Exception.Message)"

                else {
                    Write-Verbose $_
                    Write-Error "Unable to Azure Sentinel with error message: $($_.Exception.Message)" -ErrorAction Stop

        else {
            Write-Error "Workspace $WorkspaceName is currently in $($ status, setup canceled"

function Update-AzSentinelIncident {
    Update Azure Sentinel Incident
    With this function you can update existing Azure Sentinel Incident.
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER CaseNumber
    Enter the case number to get specfiek details of a open case
    .PARAMETER Severity
    Enter the Severity, you can choose from Medium, High, Low and Informational
    .PARAMETER Status
    Enter the Status of the incident, you can choose from New, InProgress and Closed
    .PARAMETER Comment
    Enter Comment tekst to add comment to the incident
    .PARAMETER Labels
    Add Lebels to the incident, current configured Labels will be added to the existing Labels
    .PARAMETER CloseReason
    When Status is equil to Closed, CloseReason is required. You can select from: TruePositive, FalsePositive
    .PARAMETER ClosedReasonText
    When Status is equil to Closed, ClosedReasonText is required to be filled in.
    Update-AzSentinelIncident -WorkspaceName ""
    Get a list of all open Incidents
    Update-AzSentinelIncident -WorkspaceName '' -CaseNumber 42291 -Labels "NewLabel"
    Add a new Label to list of Labels for a Incident
    Update-AzSentinelIncident -WorkspaceName '' -CaseNumber 42293 -Status Closed -CloseReason FalsePositive -ClosedReasonText "Your input"
    Close the Incidnet using status Closed, when status closed is selected then CloseReason and ClosedReasonText prperty are required to be filled in

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [string] $SubscriptionId,



        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

    begin {

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
        Write-Verbose -Message "Using URI: $($uri)"

        $incident = Get-AzSentinelIncident @arguments -CaseNumber $CaseNumber

        if ($incident) {
            if ($Comment) {
                $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/Cases/$($$(New-Guid)?api-version=2019-01-01-preview"
                $body = @{
                    "properties" = @{
                        "message" = $Comment
            else {
                $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/Cases/$($"
                $LabelsUnique = $incident.labels + $Labels | Select-Object -Unique
                $body = @{
                    "etag"       = $($incident.etag)
                    "properties" = @{
                        "caseNumber"                               = $CaseNumber
                        "createdTimeUtc"                           = $($incident.incidentcreatedTimeUtc)
                        "endTimeUtc"                               = $($incident.endTimeUtc)
                        "lastUpdatedTimeUtc"                       = $($incident.lastUpdatedTimeUtc)
                        "lastComment"                              = ""
                        "totalComments"                            = 0
                        "metrics"                                  = @{ }
                        [pscustomobject]"relatedAlertIds"          = @(
                        [pscustomobject]"relatedAlertProductNames" = @(
                        "severity"                                 = if ($Severity) { $Severity } else { $incident.severity }
                        "startTimeUtc"                             = $($incident.startTimeUtc)
                        "status"                                   = if ($Status) { $Status } else { $incident.status }
                        "closeReason"                              = if ($Status -eq 'Closed') { if ($null -ne [CloseReason]$CloseReason) { $CloseReason } else { Write-Error "No Close Reasen provided" -ErrorAction Stop } } else { $null }
                        "closedReasonText"                         = if ($Status -eq 'Closed') { if ($ClosedReasonText) { $ClosedReasonText } else { Write-Error 'No closed comment provided' } } else { $null }
                        [pscustomobject]"labels"                   = @( $LabelsUnique)
                        "title"                                    = $($incident.title)
                        "description"                              = ""
                        "firstAlertTimeGenerated"                  = ""
                        "lastAlertTimeGenerated"                   = ""
                        "owner"                                    = @{
                            "name"     = $null
                            "email"    = $null
                            "objectId" = $null

            Write-Output "Found incident with case number: $($incident.caseNumber)"

            if ($PSCmdlet.ShouldProcess("Do you want to update Incident: $($body.Properties.DisplayName)")) {
                try {
                    $return = Invoke-WebRequest -Uri $uri -Method Put -Body ($body | ConvertTo-Json -Depth 99 -EnumsAsStrings) -Headers $script:authHeader
                    return ($return.Content | ConvertFrom-Json).properties
                catch {
                    $return = $_.Exception.Message
                    Write-Verbose $_
                    Write-Error "Unable to update Incident $($incident.caseNumber) with error message $return"
                    return $return
            else {
                Write-Output "No change have been made for Incident $($incident.caseNumber), update aborted"