Core Infrastructure and Security Blog

“Automating Export of Microsoft Sentinel Analytic Rules mapped to MITRE Tactics & Techniques”

SantoshPargi (Microsoft)
Jan 26, 2026
1) Introduction

In modern Security Operations Centers (SOCs), mapping detections to the MITRE ATT&CK framework is critical. MITRE ATT&CK provides a structured, globally recognized model of adversary behavior, categorized into Tactics (goals) and Techniques (methods).

Microsoft Sentinel analytic rules frequently include MITRE mappings, but viewing or exporting these at scale isn’t straightforward within the portal.

Security teams often need:

• A centralized view of existing detections mapped to MITRE ATT&CK

• A CSV export for reporting, audits, and threat coverage assessments

• Insights for SOC maturity, gap analysis, and threat-informed defense

Having an automated way to extract this information ensures accuracy, consistency, and faster operational insights — all essential for high-performing SOCs.

2) Why This Script Is Required

While Sentinel analytic rules individually display MITRE mappings, organizations typically need a workspace-wide export for:

Detection Coverage & Gap Analysis

  • Identify which Tactics & Techniques are covered
  • Highlight missing ATT&CK areas
  • Support threat modelling or purple team exercises

Security Operations Reporting

  • Governance and oversight meetings
  • Compliance documentation
  • SOC KPI reporting and dashboards

Detection Engineering Lifecycle

  • Maintaining a detection catalogue
  • Versioning and documentation
  • Supporting change management and audits

Exporting rules into a CSV using automation avoids manual errors, saves analyst time, and ensures accurate, up-to-date data.

3) Script to Export Microsoft Sentinel Analytic Rules with MITRE Tactics & Techniques (TO BE RUN FROM AZURE CLI)

Important:
This Bash script must be executed from Azure CLI, either:

  • Azure Cloud Shell, or
  • A workstation/server with Azure CLI installed (Linux, macOS, or WSL on Windows)

The script uses az rest (to call the Sentinel alertRules REST API) and jq (to filter and flatten the JSON response) to pull analytic rules and generate a CSV containing MITRE Tactics, Techniques, Severity, Enabled state, and KQL query. Only rules of kind "Scheduled" are exported, since those are the rules that carry a KQL query.

Bash Script (Run in Azure CLI)

------------------------------------------------------------------------------------------------------------------------

#!/bin/bash
set -euo pipefail

# Variables
export SUB="99005f96-e572-4035-b476-836fd9d83d64"
export RG="CyberSOC"
export WS="CyberSOC"
API="2024-03-01"

# Step 1: Set subscription
az account set --subscription "$SUB"

# Step 2: Fetch alert rules
echo "Fetching alert rules..."
az rest \
  --method GET \
  --uri "https://management.azure.com/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.OperationalInsights/workspaces/$WS/providers/Microsoft.SecurityInsights/alertRules?api-version=$API" \
  --output json > rules.json

# Step 3: Validate file
if [ ! -s rules.json ]; then
  echo "Error: rules.json is empty or missing."
  exit 1
fi

echo "Total rules found:"
jq '.value | length' rules.json

# Step 4: Generate CSV with MITRE mapping, severity, enabled
echo "Generating CSV..."
jq -r '
  (["RuleName","Tactics","Techniques","MITRE_Map","Severity","Enabled","Query"] | @csv),
  (
    .value[]
    | select(.kind == "Scheduled")                 # only Scheduled (KQL) rules carry a query
    | . as $r
    | ($r.properties // {}) as $p
    | [
        ($p.displayName // $r.name // "N/A"),
        (( $p.tactics // $p.attackTactics // [] ) | join(";")),
        (( $p.techniques // $p.attackTechniqueIds // [] ) | join(";")),
        # MITRE_Map: tactic names followed by technique IDs in one field
        (( ($p.tactics // []) + ($p.techniques // []) ) | join(";")),
        ($p.severity // "N/A"),
        ($p.enabled | tostring),                   # true / false / null
        (( $p.query // "" ) | gsub("\\r?\\n"; " "))   # flatten multi-line KQL to one line
      ]
    | @csv
  )
' rules.json > Scheduled_Rules_TTP_Query.csv

------------------------------------------------------------------------------------------------------------------------
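The export above is only the first half of the coverage and gap-analysis workflow described in section 2. The following Python script is an added example (not part of the original post, and not Microsoft code) that reproduces the jq filter's CSV rows in pure Python over a constructed sample of the alertRules list response, and then summarises tactic coverage against the ATT&CK Enterprise tactic names as Sentinel spells them in the tactics property. The sample response, the rule names and the ENTERPRISE_TACTICS list are assumptions made for the example; the response shape (value[] with kind, name and properties) is the one the page's jq filter reads.

```python
"""Added example: offline equivalent of the page's jq CSV export plus a
tactic coverage / gap summary. Sample data below is constructed."""
import csv
import io
import json

# Constructed sample of the alertRules list response (.value[] entries).
# Rule names, GUIDs and queries are made up for the example.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"name": "00000000-0000-4000-8000-000000000001", "kind": "Scheduled",
         "properties": {"displayName": "Brute force against RDP",
                        "tactics": ["CredentialAccess", "InitialAccess"],
                        "techniques": ["T1110"], "severity": "Medium", "enabled": True,
                        "query": "SecurityEvent\n| where EventID == 4625\n| summarize count() by Account"}},
        {"name": "00000000-0000-4000-8000-000000000002", "kind": "Scheduled",
         "properties": {"displayName": "Suspicious PowerShell", "tactics": ["Execution"],
                        "techniques": ["T1059.001"], "severity": "High", "enabled": False,
                        "query": "DeviceProcessEvents\r\n| where FileName =~ 'powershell.exe'"}},
        {"name": "00000000-0000-4000-8000-000000000003", "kind": "Fusion",
         "properties": {"displayName": "Advanced Multistage Attack Detection", "enabled": True}},
        {"name": "00000000-0000-4000-8000-000000000004", "kind": "Scheduled",
         "properties": {"displayName": "Rule without mappings", "severity": "Low",
                        "enabled": True, "query": "Heartbeat | take 1"}},
    ]
})

CSV_HEADER = ["RuleName", "Tactics", "Techniques", "MITRE_Map", "Severity", "Enabled", "Query"]

# ATT&CK Enterprise tactics in the spelling Sentinel uses for `properties.tactics`.
# Assumption: maintained here by hand rather than fetched from ATT&CK.
ENTERPRISE_TACTICS = [
    "Reconnaissance", "ResourceDevelopment", "InitialAccess", "Execution", "Persistence",
    "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "Discovery",
    "LateralMovement", "Collection", "CommandAndControl", "Exfiltration", "Impact",
]


def scheduled_rule_rows(response_json):
    """Mirror the jq filter: one row per Scheduled rule, same seven columns."""
    rows = []
    for rule in json.loads(response_json).get("value", []):
        if rule.get("kind") != "Scheduled":
            continue
        p = rule.get("properties") or {}
        tactics = p.get("tactics") or p.get("attackTactics") or []
        techniques = p.get("techniques") or p.get("attackTechniqueIds") or []
        query = (p.get("query") or "").replace("\r\n", "\n").replace("\n", " ")
        rows.append([
            p.get("displayName") or rule.get("name") or "N/A",
            ";".join(tactics),
            ";".join(techniques),
            ";".join(list(tactics) + list(techniques)),   # MITRE_Map column
            p.get("severity") or "N/A",
            json.dumps(p.get("enabled")),                  # true / false / null, as jq tostring
            query,
        ])
    return rows


def rows_to_csv(rows):
    """Render header plus rows as CSV text (csv module handles quoting)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(CSV_HEADER)
    writer.writerows(rows)
    return buf.getvalue()


def tactic_coverage(rows):
    """Count rules per tactic, list uncovered Enterprise tactics and unmapped rules."""
    counts = {t: 0 for t in ENTERPRISE_TACTICS}
    unmapped = []
    for row in rows:
        tactics = [t for t in row[1].split(";") if t]
        if not tactics:
            unmapped.append(row[0])        # rule with no tactic mapping at all
        for t in tactics:
            counts[t] = counts.get(t, 0) + 1
    gaps = [t for t in ENTERPRISE_TACTICS if counts[t] == 0]
    return {"counts": counts, "gaps": gaps, "unmapped_rules": unmapped}


if __name__ == "__main__":
    rows = scheduled_rule_rows(SAMPLE_RESPONSE)
    print(rows_to_csv(rows))
    coverage = tactic_coverage(rows)
    print("Uncovered tactics:", ", ".join(coverage["gaps"]))
    print("Rules without tactic mapping:", ", ".join(coverage["unmapped_rules"]))
```

To run it against a real workspace, replace SAMPLE_RESPONSE with the contents of the rules.json produced by the Bash script. One check worth doing before trusting the numbers: Azure list APIs can page large result sets and return a nextLink property alongside value, and the script above (like the page's jq filter) reads only the page it is given, so compare the "Total rules found" count with the rule count shown in the Sentinel portal. Rules that appear in the unmapped_rules list are the first candidates for detection-engineering follow-up, since they contribute nothing to the ATT&CK coverage picture until they are tagged.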

4) Summary

Mapping detections to MITRE ATT&CK is a cornerstone of threat-informed defense. This script simplifies the process of exporting Microsoft Sentinel analytic rules with their MITRE mappings into a CSV — enabling SOC teams to:

  • Analyze coverage across ATT&CK
  • Identify detection gaps
  • Strengthen red–blue team collaboration
  • Build dashboards and ATT&CK heatmaps
  • Enhance SOC governance & reporting

Automating this export ensures faster insights, reduces manual workload, and supports a mature detection engineering program.

Published Jan 26, 2026
Version 1.0