Currently the Microsoft Sentinel Workspace Manager (Preview) is only available through the Azure Portal of via the REST API.
Because the Azure Portal is using API calls in the background, and because the Microsoft Sentinel Workspace Manager API
contains some errors, I have decided to create a PowerShell Module called AzWorkspaceManager
This module is especially useful in scenario's where you want to manage the Workspace Manager using Infrastructure as Code or using pipelines.
To get started with this PowerShell module you only need to follow these basic steps.
Click on the topics below to fold them out.
Install Module
Install-Module AzWorkspaceManagerThis section shows a couple of examples on how to get started with this module.
Workspace Manager Configuration
Creating a Workspace Manager configuration in the parent Microsoft Sentinel instance.
Add-AzWorkpaceManager -Name 'myWorkspace' -ResourceGroup 'myResourceGroup'
Add Workspace Manager Members and Groups
Creating Workspace Manager members in the Workspace Manager Configuration.
To add a workspace member the identlty used has to have Microsoft Sentinel Contributor permissions on the target workspace.
$arguments = @{
workspaceName = 'myWorkspace'
resourceId = $resourceId
tenantId = $tenantId
}
Add-AzWorkpaceManagerMember @arguments$arguments = @{
workspaceName = 'myWorkspace'
name = 'myGroup'
workspaceManagerMembers = 'mySecondWorkspace(f6426b36-04fa-4a41-a9e4-7f13abe34d55)'
}
Add-AzWorkpaceManagerGroup @arguments$arguments = @{
workspaceName = 'myWorkspace'
resourceId = $resourceId
tenantId = $tenantId
}
Add-AzWorkpaceManagerMember @arguments | Add-AzWorkspaceManagerGroup -GroupName 'myGroup'
}
Add Workspace Manager Assignments
This example creates an empty assignment.
Because the assignment name is not provided, the 'GroupName' value will be used.
$arguments = @{
workspaceName = 'myWorkspace'
groupName = 'myGroup'
resourceId = $resourceId
}
Add-AzWorkspaceManagerAssignment @argumentsThis example adds the resourceId of an alert rule to an assignment
$arguments = @{
workspaceName = 'myWorkspace'
name = 'myAssignment'
groupName = 'myGroup'
resourceId = $resourceId
}
Add-AzWorkspaceManagerAssignment @argumentsThis example gets all saved searches and adds them to an assignment
$SavedSearches = Get-AzWorkspaceManagerItem -WorkspaceName 'myWorkspace' -Type SavedSearches
$arguments = @{
workspaceName = 'myWorkspace'
name = 'myAssignment'
groupName = 'myGroup'
resourceId = $SavedSearches.resourceId
}
Add-AzWorkspaceManagerAssignment @argumentsCreate an Assignment Job and get status
Creating a Workspace Manager assignment job.
$arguments = @{
workspaceName = 'myWorkspace'
name = 'myAssignment'
}
Add-AzWorkspaceManagerAssignmentJob @argumentsThis example creates an assignment job for each Workspace Manager assignment
$arguments = @{
workspaceName = 'myWorkspace'
}
Get-AzWorkspaceManagerAssignment @arguments | Add-AzWorkspaceManagerAssignmentJobThis example gets all jobs for a Workspace Manager Assignment
$arguments = @{
workspaceName = 'myWorkspace'
name = 'myAssignment'
}
Get-AzWorkspaceManagerAssignmentJob @argumentsWe all thrive on feedback and community involvement!
Have a question? → open a GitHub issue.
Want to get involved? → Learn how to contribute.
I am running on coffee and good music when writing code. So feel free to buy me a coffee.
If you encounter any issues, have suggestions for improvements or anything else, feel free to open an Issue I will try to respond to each issue and Pull requests within 48 hours.