Microsoft Sentinel
- Search feature
- Export feature
- Remove detection rules
- Disable detection rules
- MSSP feature
  - Search and retrieve results from multiple tenants
  - Export in multiple tenants
  - Detection rule actions
Note
It is possible to deploy Microsoft Defender for Endpoint rules to Sentinel using the `sm` argument.
Authentication
Two authentication modes are supported:
- `default`: default authentication via `az login`
- `app`: Azure Registration App

When using the default authentication:
- Head to portal.azure.com and authenticate using MFA
- Use `az cli` to fetch the authentication session

When using the Azure Registration App, load the following environment variables:
- `DROID_AZURE_TENANT_ID`: Azure tenant ID
- `DROID_AZURE_CLIENT_ID`: client ID of the registration app
- `DROID_AZURE_CLIENT_SECRET`: Azure client secret

The keys `workspace_id` and `workspace_name` are the base workspace declaration, but these values can be overridden with the environment variables `DROID_AZURE_WORKSPACE_ID` and `DROID_AZURE_WORKSPACE_NAME`.
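The precedence rules above (environment variables win over the `workspace_id`/`workspace_name` keys, and `app` mode needs all three `DROID_AZURE_*` credentials) as an added Python example; this is not the project's own code, and the function and class names are assumptions for illustration.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional

# Environment variable names as documented above.
APP_AUTH_VARS = ("DROID_AZURE_TENANT_ID", "DROID_AZURE_CLIENT_ID", "DROID_AZURE_CLIENT_SECRET")
WORKSPACE_OVERRIDES = {
    "workspace_id": "DROID_AZURE_WORKSPACE_ID",
    "workspace_name": "DROID_AZURE_WORKSPACE_NAME",
}


@dataclass(frozen=True)
class SentinelTarget:  # hypothetical name
    workspace_id: str
    workspace_name: str
    auth_mode: str                   # "default" (az login session) or "app"
    tenant_id: Optional[str] = None  # only populated in "app" mode
    client_id: Optional[str] = None
    # The client secret is deliberately not kept on this object: the code that
    # builds the credential reads it from the environment, so it is never
    # serialised or logged along with the target.


def resolve_sentinel_target(config: Mapping[str, str], auth_mode: str,
                            env: Mapping[str, str] = os.environ) -> SentinelTarget:
    """Merge the base workspace declaration with environment overrides and
    verify the chosen authentication mode has everything it needs."""
    if auth_mode not in ("default", "app"):
        raise ValueError(f"unknown authentication mode: {auth_mode!r}")

    # workspace_id / workspace_name come from the config unless the
    # DROID_AZURE_WORKSPACE_* variables are set, which take precedence.
    resolved = {}
    for key, env_name in WORKSPACE_OVERRIDES.items():
        value = env.get(env_name) or config.get(key)
        if not value:
            raise ValueError(f"{key} is missing: set it in the config or via {env_name}")
        resolved[key] = value

    if auth_mode == "default":
        # Nothing further to check: the session comes from `az login`.
        return SentinelTarget(auth_mode="default", **resolved)

    # App mode: fail early with the full list of missing variables.
    missing = [name for name in APP_AUTH_VARS if not env.get(name)]
    if missing:
        raise ValueError("app authentication requires " + ", ".join(missing))
    return SentinelTarget(auth_mode="app",
                          tenant_id=env["DROID_AZURE_TENANT_ID"],
                          client_id=env["DROID_AZURE_CLIENT_ID"],
                          **resolved)
```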