SentinelWatchlist
Parameters
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
Name | Key | String | The name of the watchlist. | |
SubscriptionId | Write | String | The name of the resource group. The name is case insensitive. | |
ResourceGroupName | Write | String | The name of the resource group. The name is case insensitive. | |
WorkspaceName | Write | String | The name of the workspace. | |
Id | Write | String | The id (a Guid) of the watchlist. | |
DisplayName | Write | String | The display name of the watchlist. | |
SourceType | Write | String | The source of the watchlist. Only accepts 'Local file' and 'Remote storage', and it must be included in the request. | |
ItemsSearchKey | Write | String | The search key is used to optimize query performance when using watchlists for joins with other data. For example, designate a column holding IP addresses as the SearchKey field, then use that field as the key when joining to other event data by IP address. | |
Description | Write | String | A description of the watchlist. | |
DefaultDuration | Write | String | The default duration of a watchlist (in ISO 8601 duration format). | |
Alias | Write | String | The watchlist alias. | |
NumberOfLinesToSkip | Write | UInt32 | The number of lines in the CSV content to skip before the header. | |
RawContent | Write | String | The raw CSV content that represents the watchlist items to create. Example (three lines): `This line will be skipped`, `header1,header2`, `value1,value2`. | |
Ensure | Write | String | Present ensures the instance exists, absent ensures it is removed. | Absent, Present |
Credential | Write | PSCredential | Credentials of the workload's Admin. | |
ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
AccessTokens | Write | StringArray[] | Access token used for authentication. | |
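The RawContent, NumberOfLinesToSkip, ItemsSearchKey and DefaultDuration parameters above only work together when the CSV payload actually matches them. As an added example (not part of Microsoft365DSC), the PowerShell function below checks that combination before it is compiled into a configuration; the function name and the sample CSV are constructed for illustration.

```powershell
# Added example, not Microsoft365DSC code: pre-flight check for the values a
# SentinelWatchlist block will carry. Function name and sample data are constructed.
function Test-SentinelWatchlistContent {
    param(
        [Parameter(Mandatory)] [string] $RawContent,
        [Parameter(Mandatory)] [string] $ItemsSearchKey,
        [uint32] $NumberOfLinesToSkip = 0,
        [string] $DefaultDuration = 'P1DT3H'
    )
    $problems = @()

    # DefaultDuration must be an ISO 8601 duration; XmlConvert parses exactly that format.
    try { [void][System.Xml.XmlConvert]::ToTimeSpan($DefaultDuration) }
    catch { $problems += "DefaultDuration '$DefaultDuration' is not an ISO 8601 duration." }

    # Split the CSV, drop the preamble lines, then take the header row.
    $lines = @($RawContent -split "`r?`n" | Where-Object { $_ -ne '' })
    if ($lines.Count -le $NumberOfLinesToSkip + 1) {
        $problems += "RawContent has no data rows after skipping $NumberOfLinesToSkip line(s)."
        return $problems
    }
    $header = ($lines[$NumberOfLinesToSkip] -split ',').Trim()
    $rows   = $lines[($NumberOfLinesToSkip + 1)..($lines.Count - 1)]

    # The search key must name a real header column; otherwise KQL joins on
    # _GetWatchlist('<alias>') | where SearchKey == ... silently match nothing.
    if ($header -notcontains $ItemsSearchKey) {
        $problems += "ItemsSearchKey '$ItemsSearchKey' is not a header column ($($header -join ', '))."
    }

    # Every data row should carry as many fields as the header.
    for ($i = 0; $i -lt $rows.Count; $i++) {
        $fields = $rows[$i] -split ','
        if ($fields.Count -ne $header.Count) {
            $problems += "Row $($i + 1) has $($fields.Count) field(s); header has $($header.Count)."
        }
    }
    return $problems
}

# Constructed sample: one preamble line to skip, then a header and two rows.
$content = @"
This line will be skipped
IPAddress,Owner
10.0.0.5,soc-team
192.0.2.10,vendor
"@
Test-SentinelWatchlistContent -RawContent $content -ItemsSearchKey 'IPAddress' -NumberOfLinesToSkip 1
```

An empty result means the payload is internally consistent; each returned string names one mismatch (bad duration, search key missing from the header, or a row with the wrong field count).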
Description
Configures watchlists in Azure Sentinel.
Permissions
Examples
Example 1
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.
```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        SentinelWatchlist "SentinelWatchlist-TestWatch"
        {
            Alias                 = "MyAlias";
            ApplicationId         = $ApplicationId;
            CertificateThumbprint = $CertificateThumbprint;
            DefaultDuration       = "P1DT3H";
            Description           = "My description";
            DisplayName           = "My Display Name";
            Ensure                = "Present";
            ItemsSearchKey        = "Test";
            Name                  = "MyWatchList";
            NumberOfLinesToSkip   = 1;
            RawContent            = 'MyContent';
            ResourceGroupName     = "MyResourceGroup";
            SourceType            = "Local file"; # only 'Local file' and 'Remote storage' are accepted
            SubscriptionId        = "20f41296-9edc-4374-b5e0-b1c1aa07e7d3";
            TenantId              = $TenantId;
            WorkspaceName         = "MyWorkspace";
        }
    }
}
```
Example 2
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.
```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        SentinelWatchlist "SentinelWatchlist-TestWatch"
        {
            Alias                 = "MyAlias";
            ApplicationId         = $ApplicationId;
            CertificateThumbprint = $CertificateThumbprint;
            DefaultDuration       = "P1DT3H";
            Description           = "My description";
            DisplayName           = "My Display Name";
            Ensure                = "Present";
            ItemsSearchKey        = "Test";
            Name                  = "MyWatchList";
            NumberOfLinesToSkip   = 0; # Drift
            RawContent            = 'MyContent';
            ResourceGroupName     = "MyResourceGroup";
            SourceType            = "Local file"; # only 'Local file' and 'Remote storage' are accepted
            SubscriptionId        = "20f41296-9edc-4374-b5e0-b1c1aa07e7d3";
            TenantId              = $TenantId;
            WorkspaceName         = "MyWorkspace";
        }
    }
}
```
Example 3
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.
```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        SentinelWatchlist "SentinelWatchlist-TestWatch"
        {
            Alias                 = "MyAlias";
            ApplicationId         = $ApplicationId;
            CertificateThumbprint = $CertificateThumbprint;
            DefaultDuration       = "P1DT3H";
            Description           = "My description";
            DisplayName           = "My Display Name";
            Ensure                = "Absent";
            ItemsSearchKey        = "Test";
            Name                  = "MyWatchList";
            NumberOfLinesToSkip   = 1;
            RawContent            = 'MyContent';
            ResourceGroupName     = "MyResourceGroup";
            SourceType            = "Local file"; # only 'Local file' and 'Remote storage' are accepted
            SubscriptionId        = "20f41296-9edc-4374-b5e0-b1c1aa07e7d3";
            TenantId              = $TenantId;
            WorkspaceName         = "MyWorkspace";
        }
    }
}
```