How to clone or duplicate an Analytic Rule in Microsoft Sentinel using PowerShell

Question

How can you clone or duplicate an Analytic Rule that resides in Microsoft Sentinel using either PowerShell or Azure CLI?

The cloned Analytic Rule will require a new ruleId and name but all other properties can remain the same.

I have tried using the Sentinel-related PowerShell module and functions...

$resourceGroupName = "XYZ"
$workspaceName = "abc"

# Get all analytic rules
$analyticRules = Get-AzSentinelAlertRule -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName

foreach ($rule in $analyticRules) {

# Duplicate each rule
$newRule = $rule
$newRule.DisplayName = "_" + $rule.DisplayName
$newRule.Id = $null # Clear ID for new rule creation

# Create the duplicated rule
# /// New-AzOperationalInsightsSavedSearch -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Properties $newRule.Properties
#? New-AzSentinelAlertRule ? parameters to add

}

jaymcc510 · Answer

looks good in code

jmshw0420 · Answer

Thank you for the response jaymcc510.Just not getting time to test at the moment, but unsure of the parameters to use in New-AzSentinelAlertRule

raphaelcustodiosoares · Answer

Hello, in Sentinel it is possible to clone the analytical rule, adding a new title and keeping the settings the same, would this help you via Sentinel or is it necessary via PowerShell?

Linkedin: https://www.linkedin.com/in/raphael-custodio-soares/
Youtube: https://www.youtube.com/channel/UCbrwqdI-61v3Q2zFUW2YNUQ

Forum Discussion

How to clone or duplicate an Analytic Rule in Microsoft Sentinel using PowerShell

3 Replies

Resources