Microsoft Sentinel script to extract all Content Hub items for a particular data table

KostaS10/SentinelContentFinder

SentinelContentFinder

About

This PowerShell script searches Microsoft Sentinel Content Hub items (Analytics Rules and Hunting Queries) for those that use the given data table(s) and writes the results to a CSV file.

Prerequisites

PowerShell version 7 or higher - https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.4

Az PowerShell module - https://learn.microsoft.com/en-us/powershell/azure/install-azps-windows?view=azps-11.5.0&tabs=powershell&pivots=windows-psgallery

How to use

  • Multiple table check - call the script from pwsh with the -Command switch, filling in your own values for the empty parameters:
    pwsh.exe -Command .\sentinelContentFinder.ps1 -TenantId '' -subscriptionId '' -WorkspaceName '' -ResourceGroupName '' -TableNames "WindowsEvent,SecurityEvent" -Path "C:\temp\sentinelContentFinderOutput.csv"

  • Single table check - the script can be called directly:
    .\sentinelContentFinder.ps1 -TenantId '' -subscriptionId '' -WorkspaceName '' -ResourceGroupName '' -TableNames 'WindowsEvent' -Path "C:\temp\sentinelContentFinderOutput.csv"

  • If you are only interested in Analytics Rules in Content Hub, add the optional -AnalyticsRules switch:
    .\sentinelContentFinder.ps1 -TenantId '' -subscriptionId '' -WorkspaceName '' -ResourceGroupName '' -TableNames 'WindowsEvent' -Path "C:\temp\sentinelContentFinderOutput.csv" -AnalyticsRules

    pwsh.exe -Command .\sentinelContentFinder.ps1 -TenantId '' -subscriptionId '' -WorkspaceName '' -ResourceGroupName '' -TableNames "WindowsEvent,SecurityEvent" -Path "C:\temp\sentinelContentFinderOutput.csv" -AnalyticsRules

  • If you are only interested in Hunting Queries in Content Hub, add the optional -HuntingQueries switch:
    .\sentinelContentFinder.ps1 -TenantId '' -subscriptionId '' -WorkspaceName '' -ResourceGroupName '' -TableNames 'WindowsEvent' -Path "C:\temp\sentinelContentFinderOutput.csv" -HuntingQueries

    pwsh.exe -Command .\sentinelContentFinder.ps1 -TenantId '' -subscriptionId '' -WorkspaceName '' -ResourceGroupName '' -TableNames "WindowsEvent,SecurityEvent" -Path "C:\temp\sentinelContentFinderOutput.csv" -HuntingQueries

  • The -Path parameter expects the full path, including the file name, of the CSV file that will be written.
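The core of a finder like this is deciding whether a Content Hub item's KQL query actually reads from one of the requested tables. The following is an added illustration of that matching step, not code from the SentinelContentFinder repository: it accepts -TableNames either as an array or as a single comma-separated string (the form used in the multi-table examples above), and it matches table names on identifier boundaries so that a request for SecurityEvent does not also report items that only reference a table such as SecurityEvents_CL. The item objects, their Name/Kind/Query properties and the query text are constructed sample data; the real script's internal object shape is not shown on this page.

```powershell
# Added example (not the project's own code). Given Content Hub items that carry
# their KQL query text, return the ones that read from any of the requested tables.
# Item shape (Name, Kind, Query) is an assumption made for this illustration.

function Find-ItemsUsingTables {
    param(
        [Parameter(Mandatory)] [object[]] $Items,        # objects with Name, Kind, Query
        [Parameter(Mandatory)] [string[]] $TableNames    # 'WindowsEvent','SecurityEvent' or "WindowsEvent,SecurityEvent"
    )

    # Normalise: split any comma-separated entries, trim whitespace, drop empties.
    $tables = $TableNames -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($item in $Items) {
        foreach ($table in $tables) {
            # Identifier-boundary match: the table name must not be preceded or followed
            # by a letter, digit or underscore, so 'SecurityEvent' does not match
            # 'SecurityEvents_CL' or 'WindowsEventLog'. Regex is case-insensitive by default.
            $pattern = '(?<![A-Za-z0-9_])' + [regex]::Escape($table) + '(?![A-Za-z0-9_])'
            if ($item.Query -match $pattern) {
                [pscustomobject]@{
                    Name  = $item.Name
                    Kind  = $item.Kind
                    Table = $table
                }
            }
        }
    }
}

# Constructed sample items standing in for Content Hub analytics rules and hunting queries.
$sampleItems = @(
    [pscustomobject]@{ Name = 'Rule A'; Kind = 'AnalyticsRule'; Query = 'SecurityEvent | where EventID == 4625' },
    [pscustomobject]@{ Name = 'Hunt B'; Kind = 'HuntingQuery';  Query = 'WindowsEvent | where Channel == "Security"' },
    [pscustomobject]@{ Name = 'Rule C'; Kind = 'AnalyticsRule'; Query = 'SecurityEvents_CL | summarize count()' },
    [pscustomobject]@{ Name = 'Hunt D'; Kind = 'HuntingQuery';  Query = 'union WindowsEvent, SecurityEvent | take 10' }
)

# Same comma-separated form as the multi-table command lines above.
$found = Find-ItemsUsingTables -Items $sampleItems -TableNames 'WindowsEvent,SecurityEvent'
$found | Format-Table -AutoSize

# Write the result as CSV, mirroring the -Path convention used by the script.
$found | Export-Csv -Path 'C:\temp\sentinelContentFinderOutput.csv' -NoTypeInformation
```

With the sample data above, Rule A is reported for SecurityEvent, Hunt B for WindowsEvent and Hunt D once for each of the two tables; Rule C is not reported, because SecurityEvents_CL is a different table even though it contains the requested name as a prefix. A plain substring test (`-like "*SecurityEvent*"`) would have produced that false positive, which is why the boundary check matters when the output is used to decide which detections a newly onboarded table can power.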
