Export-SentinelWatchlist
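function Export-SentinelWatchlist {
    <#
    .SYNOPSIS
    Exports the items of a Microsoft Sentinel watchlist to a CSV file.

    .DESCRIPTION
    Reads the watchlistItems collection of the given watchlist through
    Invoke-AzRestMethod, follows the nextLink of every response page, and
    writes the itemsKeyValue object of each item as one CSV row.

    .NOTES
    Requires PowerShell 7 or later (Export-Csv -UseQuotes) and a signed-in
    Az context.
    The CSV is written as plain text to OutputFilePath. Watchlists often hold
    allow-lists or asset/identity data, so choose a location with suitable
    access control.
    Values are exported as stored. If the file will be opened in a spreadsheet
    application, cells starting with '=', '+', '-' or '@' may be evaluated as
    formulas; review or neutralise them first.
    #>
    [CmdletBinding()]
    param (
        # Id of the subscription in which the sentinel workspace is located
        [Parameter()]
        [string]
        $SubscriptionId = (Get-AzContext).Subscription.Id,
        # Name of the resource group in which the sentinel workspace is located
        [Parameter(Mandatory)]
        [string]
        $ResourceGroupName,
        # Name of the sentinel workspace
        [Parameter(Mandatory)]
        [string]
        $WorkspaceName,
        # Short name of the Sentinel Watchlist
        [Parameter(Mandatory)]
        [string]
        $WatchlistName,
        # Path and filename of the exported watchlist csv
        [Parameter()]
        [string]
        $OutputFilePath = 'watchlist.csv'
    )

    $armBase = 'https://management.azure.com'

    # Escape every caller-supplied segment so that a value containing '/', '?'
    # or '#' cannot change which resource the request addresses.
    $uri = "$armBase/subscriptions/$([uri]::EscapeDataString($SubscriptionId))" +
        "/resourceGroups/$([uri]::EscapeDataString($ResourceGroupName))" +
        "/providers/Microsoft.OperationalInsights/workspaces/$([uri]::EscapeDataString($WorkspaceName))" +
        "/providers/Microsoft.SecurityInsights/watchlists/$([uri]::EscapeDataString($WatchlistName))" +
        "/watchlistItems?api-version=2022-12-01-preview"

    $items = [System.Collections.Generic.List[object]]::new()

    while ($uri) {
        $result = Invoke-AzRestMethod -Method Get -Uri $uri

        # Invoke-AzRestMethod returns the response object even for HTTP errors,
        # so a failed call would otherwise end in an empty or partial export.
        if ($result.StatusCode -lt 200 -or $result.StatusCode -ge 300) {
            throw "Request for watchlist '$WatchlistName' failed with HTTP status $($result.StatusCode): $($result.Content)"
        }

        $page = $result.Content | ConvertFrom-Json
        foreach ($entry in $page.value) {
            $row = $entry.properties.itemsKeyValue
            if ($null -ne $row) {
                $items.Add($row)
            }
        }

        # The list response is paged; without following nextLink only the
        # first page of a large watchlist would be exported.
        $uri = $page.nextLink

        # The request carries the caller's ARM token, so only follow
        # continuation links that stay on the endpoint the export started on.
        if ($uri -and -not $uri.StartsWith("$armBase/", [System.StringComparison]::OrdinalIgnoreCase)) {
            throw "Refusing to follow continuation link outside ${armBase}: $uri"
        }
    }

    if ($items.Count -eq 0) {
        Write-Warning "Watchlist '$WatchlistName' returned no items; no file was written."
        return
    }

    # AsNeeded keeps plain values unquoted (as the previous -QuoteFields:$false
    # did) but quotes values that contain the delimiter, quotes or line breaks,
    # which would otherwise shift columns in the exported file.
    $items |
        Export-Csv -Encoding UTF8 -Path $OutputFilePath -UseQuotes AsNeeded
}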
Used in blog post: https://manualbashing.github.io/posts/how-to-export-csv-watchlists-from-azure-sentinel/