I ran into the following problem:
- I have a script that creates automated response rules for a specific tenant.
This works like a charm when the Logic App is in the same tenant and subscription.
But I stumbled on an error: a different tenant with a different subscription does not accept it, because the Microsoft.SecurityInsights/alertRules/read permission is missing.
I know this can be done manually by going to the Automation tab, creating an automated response there and selecting the playbook, but it does not work with the PowerShell script I wrote.
My questions:
- Is it possible to add an automation rule through a Logic App that lives in a different tenant?
- If so, how?
Current PowerShell script:
    # Sentinel workspace (destination tenant)
    $SentinelConnection = @{
        ResourceGroupName = "resourcegroupwithsentinel"
        WorkspaceName     = "azuresentinel"
    }
    # Logic App / playbook (lives in a different tenant)
    $LogicAppConnection = @{
        ResourceGroupName = "resourcegroupwithlogicappindifferenttenant"
        Name              = "logicappname"
    }
    $LogicAppResourceId = Get-AzLogicApp @LogicAppConnection
    $LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl @LogicAppConnection -TriggerName "Microsoft_Sentinel_alert"
    # Fails with the alertRules/read authorization error when the current
    # Az context belongs to the Logic App tenant instead of the Sentinel tenant
    $AlertRules = Get-AzSentinelAlertRule @SentinelConnection
    foreach ($rule in $AlertRules) {
        New-AzSentinelAlertRuleAction @SentinelConnection -AlertRuleId $rule.Name -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value)
    }
Summary:
- I want a script that lets me use a "playbook" (a self-created Logic App) as the automated response for a different Azure Sentinel environment in a different tenant, using an automated PowerShell script.
Example error:
Get-AzSentinelAlertRule : The client 'emailaddress' with object id 'objectid' does not have authorization to perform action
'Microsoft.SecurityInsights/alertRules/read' over scope
'/subscriptions/subscriptionid/resourceGroups/resourcegroup/providers/Microsoft.OperationalInsights/workspaces/workspace/providers/Microsoft.SecurityInsights' or
the scope is invalid. If access was recently granted, please refresh your credentials.
Thanks to @Mathias R. Jessen's help, I found out how to solve the problem without the error appearing again. It turns out you have to authenticate twice: once for the tenant where the automation rules need to be applied, and once for the tenant that contains the Logic App. What I did:
- Created parameters for mandatory user input
- Created some optional parameters for user input
- Saved the Connect-AzAccount profiles to variables (2)
- Used the correct profile for each command in the script. The LogicAppRules commands need the DefaultProfile of the environment the Sentinel environment is connected to.
The complete solution code is below:
    # Script parameters (the post mentions mandatory and optional parameters
    # without listing them; this block is reconstructed from the variables the
    # script uses and marks all of them mandatory)
    param(
        [Parameter(Mandatory)] [string] $DestinationID,                # subscription holding the Sentinel workspace
        [Parameter(Mandatory)] [string] $DestinationResourceGroupName,
        [Parameter(Mandatory)] [string] $DestinationWorkspaceName,
        [Parameter(Mandatory)] [string] $SourceID,                     # subscription holding the Logic App
        [Parameter(Mandatory)] [string] $LogicAppResourceName,         # resource group of the Logic App
        [Parameter(Mandatory)] [string] $LogicAppName
    )

    # First login: the tenant that owns the Sentinel workspace
    Write-Host "Please Connect to Tenant with Account that manages Sentinel Environment: $DestinationResourceGroupName/$DestinationWorkspaceName first!"
    $DestinationProfile = Connect-AzAccount -Subscription $DestinationID -ErrorAction Stop

    # Second login: the tenant that owns the Logic App. This one becomes the
    # current Az context, so the Logic App cmdlets below need no -DefaultProfile.
    Write-Host "Please Connect to Tenant with Account that manages LogicApp: $LogicAppResourceName/$LogicAppName!"
    $SourceProfile = Connect-AzAccount -Subscription $SourceID -ErrorAction Stop

    $SentinelConnection = @{
        ResourceGroupName = $DestinationResourceGroupName
        WorkspaceName     = $DestinationWorkspaceName
    }
    $LogicAppConnection = @{
        ResourceGroupName = $LogicAppResourceName
        Name              = $LogicAppName
    }

    function CreateAutomationRule() {
        # Resolve the playbook and its trigger in the Logic App tenant
        $LogicAppResourceId = Get-AzLogicApp @LogicAppConnection
        $TriggerName        = (Get-AzLogicAppTrigger @LogicAppConnection).Name
        $LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl @LogicAppConnection -TriggerName $TriggerName

        # Sentinel cmdlets must run with the Sentinel tenant's profile,
        # otherwise they fail with the alertRules/read authorization error
        $AlertRules = Get-AzSentinelAlertRule @SentinelConnection -DefaultProfile $DestinationProfile
        foreach ($rule in $AlertRules) {
            New-AzSentinelAlertRuleAction @SentinelConnection -DefaultProfile $DestinationProfile -AlertRuleId $rule.Name -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value)
        }
    }

    CreateAutomationRule
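A pre-flight check for the two-profile setup described in the answer, added here as an example and not part of the original post. It assumes the same two Connect-AzAccount profiles and connection hashtables the answer uses, and fails early if a profile cannot read the resource it is meant for, which is where the alertRules/read authorization error otherwise surfaces.

```powershell
function Test-CrossTenantContext {
    param(
        [Parameter(Mandatory)] $SentinelProfile,    # returned by Connect-AzAccount for the Sentinel tenant
        [Parameter(Mandatory)] $LogicAppProfile,    # returned by Connect-AzAccount for the Logic App tenant
        [Parameter(Mandatory)] [hashtable] $SentinelConnection,  # ResourceGroupName, WorkspaceName
        [Parameter(Mandatory)] [hashtable] $LogicAppConnection   # ResourceGroupName, Name
    )

    # Each PSAzureProfile carries the tenant it was signed in to
    $sentinelTenant = $SentinelProfile.Context.Tenant.Id
    $logicAppTenant = $LogicAppProfile.Context.Tenant.Id
    Write-Host "Sentinel context tenant : $sentinelTenant"
    Write-Host "Logic App context tenant: $logicAppTenant"
    if ($sentinelTenant -eq $logicAppTenant) {
        Write-Warning "Both profiles point at the same tenant; check that you signed in to two different tenants."
    }

    # The workspace must be readable with the Sentinel profile; if it is not,
    # Get-AzSentinelAlertRule will fail with the alertRules/read error later
    try {
        $ws = Get-AzOperationalInsightsWorkspace -DefaultProfile $SentinelProfile `
            -ResourceGroupName $SentinelConnection.ResourceGroupName `
            -Name $SentinelConnection.WorkspaceName -ErrorAction Stop
    } catch {
        throw "Sentinel workspace not readable with the Sentinel profile: $($_.Exception.Message)"
    }

    # The Logic App must resolve with the Logic App profile; a swapped profile
    # shows up here as 'not found' instead of as a broken playbook link later
    try {
        $app = Get-AzLogicApp -DefaultProfile $LogicAppProfile @LogicAppConnection -ErrorAction Stop
    } catch {
        throw "Logic App not readable with the Logic App profile: $($_.Exception.Message)"
    }

    # Return the resolved ids so the caller can feed them to New-AzSentinelAlertRuleAction
    [pscustomobject]@{
        SentinelTenantId = $sentinelTenant
        LogicAppTenantId = $logicAppTenant
        WorkspaceId      = $ws.ResourceId
        LogicAppId       = $app.Id
    }
}

# Usage with the answer's variables:
# Test-CrossTenantContext -SentinelProfile $DestinationProfile -LogicAppProfile $SourceProfile `
#     -SentinelConnection $SentinelConnection -LogicAppConnection $LogicAppConnection
```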