PhilippeAugras
Mar 22, 2021 - Brass Contributor
Sentinel automation - create Analytics alert rules from Alert rule templates using PowerShell
Hi,
I regularly deploy Sentinel to several clients as part of Security Workshops and every time, I spend a lot of time enabling scheduled analytic rules related to the deployed connectors. I'd like to use PowerShell and I found the AzSentinel module today. I can use it to create a scheduled analytic rule but even if I give a template name, I still have to provide severity, trigger and so on. I wanna use default values from the template.
I thought about exporting those rules from an already existing Sentinel environment but if the Sentinel template changes, my export becomes worthless for new clients.
Does anyone have an idea about how to do that? I mean, being able to create a scheduled analytic rule from a template name by only providing a new alert rule should be something easy, right?
Regards,
P. Augras
- Thijs Lecomte - Bronze Contributor
I would recommend going to the Azure Sentinel GitHub page and getting your rules there.
Don't know if all of the built-in rules are there, but there are more rules there than there are templates within Azure Sentinel. Azure/Azure-Sentinel: Cloud-native SIEM for intelligent security analytics for your entire enterprise. (github.com)
Otherwise, you can also use the AzSentinel module to first retrieve the templates (AZSentinel/Get-AzSentinelAlertRuleTemplates.ps1 at master · wortell/AZSentinel (github.com)) and then push them
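The "retrieve the templates, then push them" flow from this answer, written out as an added example that is not code from the thread or from the AzSentinel module: it talks to the Sentinel REST API through Invoke-AzRestMethod (Az.Accounts, after Connect-AzAccount) so the rule takes severity, query, schedule and trigger straight from the template's own defaults. The subscription, resource group, workspace and template display names are placeholders, and the PT5H suppression value is an assumption, since templates carry no suppression setting.

```powershell
param(
    [string]$SubscriptionId = '<subscription-id>',        # placeholders, not real ids
    [string]$ResourceGroup  = '<resource-group>',
    [string]$Workspace      = '<workspace-name>',
    [string[]]$TemplateDisplayNames = @('<template display name>')
)
# Added example (not the thread's or the AzSentinel module's code): Sentinel REST API via Invoke-AzRestMethod.
$base = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
        "/providers/Microsoft.SecurityInsights"
$api  = 'api-version=2020-01-01'
# 1. List the workspace's templates; each carries the default severity, query, schedule and trigger.
$resp = Invoke-AzRestMethod -Method GET -Path "$base/alertRuleTemplates?$api"
if ($resp.StatusCode -ne 200) { throw "Template listing failed: $($resp.Content)" }
$templates = ($resp.Content | ConvertFrom-Json).value | Where-Object { $_.kind -eq 'Scheduled' }

foreach ($name in $TemplateDisplayNames) {
    $t = $templates | Where-Object { $_.properties.displayName -eq $name } | Select-Object -First 1
    if (-not $t) { Write-Warning "No Scheduled template named '$name'"; continue }
    $p = $t.properties
    # A rule only produces alerts if the data source it queries is actually connected.
    $conn = ($p.requiredDataConnectors | ForEach-Object { $_.connectorId }) -join ', '
    if ($conn) { Write-Host "'$name' expects connector(s): $conn" }
    # 2. Copy the template defaults verbatim. alertRuleTemplateName ties the rule
    #    to the template, so the portal can flag it when the template is updated
    #    (the staleness problem the question raises about exporting rules).
    $body = @{
        kind       = 'Scheduled'
        properties = @{
            displayName           = $p.displayName
            description           = $p.description
            severity              = $p.severity
            enabled               = $true
            query                 = $p.query
            queryFrequency        = $p.queryFrequency
            queryPeriod           = $p.queryPeriod
            triggerOperator       = $p.triggerOperator
            triggerThreshold      = $p.triggerThreshold
            suppressionDuration   = 'PT5H'      # assumed: templates carry no suppression setting
            suppressionEnabled    = $false
            tactics               = @($p.tactics | Where-Object { $_ })
            alertRuleTemplateName = $t.name     # the template id, a GUID
        }
    } | ConvertTo-Json -Depth 10
    # 3. PUT creates the rule; the rule id in the path must be a GUID.
    $ruleId = [guid]::NewGuid().ToString()
    $put = Invoke-AzRestMethod -Method PUT -Path "$base/alertRules/${ruleId}?$api" -Payload $body
    if ($put.StatusCode -notin @(200, 201)) { Write-Warning "Failed '$name': $($put.Content)" }
    else { Write-Host "Created '$name' as rule $ruleId" }
}
```

Run it once per client workspace with the list of template display names that match the connectors you deployed; re-running it against a changed template picks up the new defaults because nothing is cached from a previous export.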
- Rod_Trent - Microsoft
Additionally, @PhilippeAugras and Thijs Lecomte ... there was a PowerShell module developed last week that will allow direct import from a GitHub repo...
- PhilippeAugras - Brass Contributor
Rod_Trent and Thijs Lecomte , thank you very much for your answers, they are what I needed :).
P.