It’s often helpful to have visibility into all the built-in analytical rules included within a solution—especially prior to deployment.
Whether you're preparing for a client discussion or reviewing Microsoft recommendations, having a clear, exportable view of these rules is essential. That’s exactly what this PowerShell script delivers.
It automatically pulls all built-in analytical rules for a selected Microsoft Sentinel solution (for example "Microsoft Defender XDR", "McAfee ePolicy Orchestrator" or "1Password") directly from the Microsoft Sentinel GitHub repository and exports them into a CSV file.
It recursively parses the YAML rule definitions, including those in subfolders, and exports key details such as rule name, description, severity, and MITRE mappings into a consolidated CSV file.
The exported CSV serves as a reference that helps architects and consultants suggest relevant analytics rules, and it can be shared with clients to validate and finalize the initial analytics rule requirements across solutions.
🔧 Enhancing Pre-Deployment Rule Insights
Extracting metadata such as rule name, severity, MITRE tactics, and techniques for out-of-the-box analytical rules across multiple solutions is time-consuming when done manually, especially before the rules are deployed.
🚀 Script Overview
The PowerShell script, hosted on GitHub, lets you:
Automatically query the [Microsoft Sentinel GitHub repo]
Parse all associated analytical rule YAMLs under that solution
Export relevant metadata into a structured CSV
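To make the three steps above concrete, here is an added example (written for this post, not the script from the author's repository) that walks a solution's "Analytic Rules" folder in the Azure/Azure-Sentinel repository through the GitHub contents API, extracts the metadata fields from each YAML file with a regex-based reader so no YAML module is needed, and writes the CSV. It assumes the repository layout `Solutions/<SolutionName>/Analytic Rules/*.yaml` and reads the PAT from the `GITHUB_TOKEN` environment variable rather than from a hard-coded variable.

```powershell
# Added example, not the author's script. Assumes the layout Solutions/<SolutionName>/Analytic Rules
# in Azure/Azure-Sentinel and a PAT supplied via $env:GITHUB_TOKEN (kept out of the script file).
param(
    [Parameter(Mandatory)] [string] $SolutionName,
    [string] $OutFile = "$($SolutionName -replace '[^\w]', '_')_AnalyticRules.csv"
)
$headers = @{ 'User-Agent' = 'SentinelRuleExport'; 'Accept' = 'application/vnd.github+json' }
if ($env:GITHUB_TOKEN) { $headers['Authorization'] = "Bearer $env:GITHUB_TOKEN" }  # authenticated calls avoid the 403 rate limit

# Pull one scalar or list value out of rule YAML (best effort, no YAML parser required).
function Get-YamlField {
    param([string] $Yaml, [string] $Key)
    $m = [regex]::Match($Yaml, "(?m)^$Key\s*:\s*(.*)$")
    if (-not $m.Success) { return '' }
    $inline = $m.Groups[1].Value.Trim()
    if ($inline -and $inline -ne '|' -and $inline -ne '>') { return $inline.Trim('"', "'") }
    # Block list ("  - Persistence") or block scalar: collect the indented lines that follow the key.
    $rest = $Yaml.Substring($m.Index + $m.Length)
    $lines = foreach ($l in ($rest -split "`r?`n")) {
        if ($l -match '^\s+(.+)$') { $Matches[1].TrimStart('- ').Trim() } else { break }
    }
    return ($lines -join '; ')
}

# Recurse through the GitHub contents API; subfolders are followed, only .yaml/.yml files are returned.
function Get-RuleFiles {
    param([string] $ApiUrl)
    foreach ($item in (Invoke-RestMethod -Uri $ApiUrl -Headers $headers)) {
        if ($item.type -eq 'dir') { Get-RuleFiles -ApiUrl $item.url }
        elseif ($item.name -match '\.ya?ml$') { $item }
    }
}

$base = "https://api.github.com/repos/Azure/Azure-Sentinel/contents/Solutions/$([uri]::EscapeDataString($SolutionName))/Analytic%20Rules"
$rows = foreach ($f in Get-RuleFiles -ApiUrl $base) {
    $yaml = Invoke-RestMethod -Uri $f.download_url -Headers $headers   # raw YAML text
    [pscustomobject]@{
        Solution           = $SolutionName
        AnalyticalRuleName = Get-YamlField $yaml 'name'
        Description        = Get-YamlField $yaml 'description'
        Severity           = Get-YamlField $yaml 'severity'
        MITRE_Tactics      = Get-YamlField $yaml 'tactics'
        MITRE_Techniques   = Get-YamlField $yaml 'relevantTechniques'
        SourceFile         = $f.path
    }
}
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Exported $($rows.Count) rules to $OutFile"
```

Run it as `.\Export-SentinelRules.ps1 -SolutionName "McAfee ePolicy Orchestrator"` after setting `$env:GITHUB_TOKEN`; the extra `SourceFile` column records which YAML each row came from so reviewers can check a rule against its definition.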
📥 GitHub Link
This is my GitHub repository where the custom PowerShell script is hosted. It lets you extract the built-in analytical rules of a Microsoft Sentinel solution based on the solution name:
Pre-requisite 1: Generate a GitHub Personal Access Token (PAT). GitHub's official guidance: Managing your personal access tokens - GitHub Docs. Why a PAT: authenticated requests raise the GitHub API rate limit, which avoids the 403 error that unauthenticated requests run into.
Pre-requisite 2: Download the script from GitHub to Azure Cloud Shell. Use Invoke-WebRequest (or curl) to download the raw script:

```powershell
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/vdabhi123/SentinelArtifactExtract/main/Extract%20Sentinel%20Analytical%20Rule%20with%20Solution%20Name%20prompt/OptimizedVersionPromptforSolutionNameOnly" -OutFile "ExtractRules.ps1"
```

Screenshot: using Invoke-WebRequest in Azure Cloud Shell.
Pre-requisite 3: Update the script with your GitHub PAT (generated in pre-requisite 1). You can edit the file with vim in Cloud Shell; make sure you run the updated script afterwards. As shown in the screenshot, after generating the PAT, update the value on line 9 of the script, the `$githubToken` variable. Treat the PAT as a secret: give it only the read access the public repository needs and do not share the edited script with the token still in it.
Screenshot: using vim in Azure Cloud Shell.
🧪 How to Use the Script
Open Azure Cloud Shell (PowerShell): navigate to the Azure portal and click the Cloud Shell icon, as shown in the screenshot.
Upload and run the script (the upload is optional if pre-requisite 3 was followed). Upload the PAT-updated script to Azure Cloud Shell and use `ls` to verify that the file is present.
Run the uploaded PowerShell (.ps1) file and enter the **exact** solution name (e.g., `McAfee ePolicy Orchestrator`), as shown in the screenshot.
Screenshot: sample execution in a test environment for Microsoft Entra ID.
The script fetches the rule metadata and exports it to a CSV in the same directory.
Screenshot: the CSV of exported analytical rules in the same directory, ready to be downloaded.
Download the CSV from Cloud Shell: follow steps 1 and 2 as highlighted in the screenshot, and make sure to click the download button to actually start downloading the analytical rule export.
Screenshot: the file appears in the browser's downloads.
📤 Sample Output
The script generates a CSV with the following columns:
- `Solution`
- `AnalyticalRuleName`
- `Description`
- `Severity`
- `MITRE_Tactics`
- `MITRE_Techniques`
Example file name:
Screenshot: formatted output with all analytical rules and other metadata for the solution.
The CSV provides a consolidated view; it may require some formatting before sharing or converting to Excel (.xls) for presentation purposes.
✅ Benefits
Streamlines discovery of built-in analytical rules for initial Microsoft Sentinel deployments.
Accelerates requirements gathering by exporting rules into a shareable CSV format.
Enables collaborative planning—output can be shared with clients or Microsoft to determine which rules to implement or recommend.
Eliminates the manual effort of browsing GitHub or the Microsoft Sentinel UI, or of exporting and reviewing full JSON rule files one by one.
This script was created in response to a real-world project need and is focused on improving the discovery and extraction of Microsoft Sentinel analytical rules. A follow-up blog covering the export of additional Sentinel artifacts—such as Playbooks, Workbooks, and Hunting Queries—will be published soon.