SentinelWatchlist¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Name | Key | String | Tha name of the watchlist. | |
| SubscriptionId | Write | String | The name of the resource group. The name is case insensitive. | |
| ResourceGroupName | Write | String | The name of the resource group. The name is case insensitive. | |
| WorkspaceName | Write | String | The name of the workspace. | |
| Id | Write | String | The id (a Guid) of the watchlist | |
| DisplayName | Write | String | The display name of the watchlist. | |
| SourceType | Write | String | The source of the watchlist. Only accepts 'Local file' and 'Remote storage'. And it must included in the request. | |
| ItemsSearchKey | Write | String | The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. | |
| Description | Write | String | A description of the watchlist | |
| DefaultDuration | Write | String | The default duration of a watchlist (in ISO 8601 duration format) | |
| Alias | Write | String | The watchlist alias | |
| NumberOfLinesToSkip | Write | UInt32 | The number of lines in a csv content to skip before the header | |
| RawContent | Write | String | The raw content that represents to watchlist items to create. Example : This line will be skipped header1,header2 value1,value2 | |
| Ensure | Write | String | Present ensures the instance exists, absent ensures it is removed. | Absent, Present |
| Credential | Write | PSCredential | Credentials of the workload's Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. |
Description¶
Configures watchlists in Azure Sentinel.
Permissions¶
Microsoft Graph¶
To authenticate with the Microsoft Graph API, this resource required the following permissions:
Delegated permissions¶
-
Read
- None
-
Update
- None
Application permissions¶
-
Read
- None
-
Update
- None
Examples¶
Example 1¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SentinelWatchlist "SentinelWatchlist-TestWatch"
{
Alias = "MyAlias";
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
DefaultDuration = "P1DT3H";
Description = "My description";
DisplayName = "My Display Name";
Ensure = "Present";
ItemsSearchKey = "Test";
Name = "MyWatchList";
NumberOfLinesToSkip = 1;
RawContent = 'MyContent'
ResourceGroupName = "MyResourceGroup";
SourceType = "Local";
SubscriptionId = "20f41296-9edc-4374-b5e0-b1c1aa07e7d3";
TenantId = $TenantId;
WorkspaceName = "MyWorkspace";
}
}
}
Example 2¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SentinelWatchlist "SentinelWatchlist-TestWatch"
{
Alias = "MyAlias";
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
DefaultDuration = "P1DT3H";
Description = "My description";
DisplayName = "My Display Name";
Ensure = "Present";
ItemsSearchKey = "Test";
Name = "MyWatchList";
NumberOfLinesToSkip = 0; # Drift
RawContent = 'MyContent'
ResourceGroupName = "MyResourceGroup";
SourceType = "Local";
SubscriptionId = "20f41296-9edc-4374-b5e0-b1c1aa07e7d3";
TenantId = $TenantId;
WorkspaceName = "MyWorkspace";
}
}
}
Example 3¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SentinelWatchlist "SentinelWatchlist-TestWatch"
{
Alias = "MyAlias";
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
DefaultDuration = "P1DT3H";
Description = "My description";
DisplayName = "My Display Name";
Ensure = "Absent";
ItemsSearchKey = "Test";
Name = "MyWatchList";
NumberOfLinesToSkip = 1;
RawContent = 'MyContent'
ResourceGroupName = "MyResourceGroup";
SourceType = "Local";
SubscriptionId = "20f41296-9edc-4374-b5e0-b1c1aa07e7d3";
TenantId = $TenantId;
WorkspaceName = "MyWorkspace";
}
}
}