Microsoft Sentinel

• Search feature
• Export feature
  • Remove detection rules
  • Disable detection rules
• MSSP feature
  • Search and retrieve results from multiple tenants
  • Export in multiple tenants
• Detection rule actions

Note

It is possible to deploy Microsoft Defender for Endpoint rules to Sentinel using the the sm argument.

Authentication

Two authentication mode are supported:

• default: Default authentication via az login
• app: Azure Registration App

When using the default authentication:

1. Head to portal.azure.com and authenticate using MFA
2. Use az cli to fetch the authentication session

When using the Azure Registation App, load the following environment variables:

• DROID_AZURE_TENANT_ID: Azure tenant ID
• DROID_AZURE_CLIENT_ID: Client ID of the registration app
• DROID_AZURE_CLIENT_SECRET: Azure client secret

The keys workspace_id and workspace_name are the base workspace declaration but this values can be replaced with the environments DROID_AZURE_WORKSPACE_ID and DROID_AZURE_WORKSPACE_NAME.