SOLVED

How to mass apply a playbook to all analytic rules at once?


Hi, can anyone help me: do we have any feature to mass apply a playbook to all analytic rules? When I searched for the same, I found this Allow for selection of playbooks to multiple rules at the same time – Customer Feedback for ACE Comm..., which says that this option is in public preview mode, but I couldn't find any option for the same. Can anyone help me here?

5 Replies
best response confirmed by printscreen (Contributor)
Solution

Hi @printscreen, yes, that option is in preview under a new feature called automation rules. You can sign up for the Sentinel private preview program here: http://aka.ms/securityprp

Regards

Hey @Javier Soriano, is there any option to do PowerShell execution to mass apply the playbook to all rules? I was just messing around myself and tried the below by uploading a JSON file in the CLI; the command will create an analytic rule, and in that we can add a playbook, which worked perfectly.

Import-AzSentinelAlertRule -WorkspaceName "rg-test" -SettingsFile "alertrule.json"

But I tried the same way to update, using Update-AzSentinelAlertRule, which didn't work, failing as shown in the attached snip. Is there any specific rule update command which helps to update the playbook configuration?

@printscreen Yes, it should be possible using PowerShell, but you would need to write a script for that (you can't do it with a single command). The script could read the rules in the file one by one and then use Update-AzSentinelAlertRule.

You can also use the "Automation Rules" feature that is currently in private preview.

Regards

I needed to bulk apply a playbook to all of my rules recently, so I wrote a PS script as Javier suggested. You can find it on my blog or on GitHub.

-Matt
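A worked version of the loop Javier describes and Matt implemented, as an added example that is neither Matt's script from the thread nor code from the AzSentinel module: it walks every analytic rule in a workspace and attaches one playbook, skipping rules that already have it, so the script is safe to re-run. It assumes the community AzSentinel PowerShell module's Get-AzSentinelAlertRule, Get-AzSentinelAlertRuleAction and New-AzSentinelAlertRuleAction cmdlets (used instead of Update-AzSentinelAlertRule, since the action is stored separately from the rule), an existing Connect-AzAccount session, and placeholder workspace and playbook names.

```powershell
# Added example, not the thread's script nor the AzSentinel module's own code.
# Assumptions: community AzSentinel module installed, Connect-AzAccount already run,
# and the playbook is a Logic App with the Sentinel alert trigger in the same subscription.
param(
    [Parameter(Mandatory)] [string] $WorkspaceName,   # placeholder, e.g. "rg-test" as in the thread
    [Parameter(Mandatory)] [string] $PlayBookName,    # placeholder Logic App name
    [switch] $DryRun                                  # report what would change, write nothing
)

Import-Module AzSentinel -ErrorAction Stop

$rules = @(Get-AzSentinelAlertRule -WorkspaceName $WorkspaceName)
Write-Host "Found $($rules.Count) analytic rules in workspace $WorkspaceName"

$attached = 0; $skipped = 0; $failed = 0
foreach ($rule in $rules) {
    $name = $rule.displayName
    try {
        # Idempotency check: never attach the same playbook twice to one rule.
        # Assumption: the action object exposes the Logic App resource id as
        # logicAppResourceId, either at top level or under .properties.
        $existing = @(Get-AzSentinelAlertRuleAction -WorkspaceName $WorkspaceName `
                        -RuleName $name -ErrorAction SilentlyContinue)
        $ids = @($existing | ForEach-Object { $_.logicAppResourceId; $_.properties.logicAppResourceId }) |
               Where-Object { $_ }
        if ($ids | Where-Object { $_ -like "*/workflows/$PlayBookName" }) {
            Write-Host "skip    $name (playbook already attached)"; $skipped++; continue
        }
        if ($DryRun) { Write-Host "would   $name"; continue }

        New-AzSentinelAlertRuleAction -WorkspaceName $WorkspaceName -RuleName $name `
            -PlayBookName $PlayBookName -ErrorAction Stop | Out-Null
        Write-Host "attach  $name"; $attached++
    } catch {
        # One rule that rejects the action (wrong kind, missing rights) must not abort the run.
        Write-Warning "failed  $name : $($_.Exception.Message)"; $failed++
    }
}
Write-Host "attached=$attached skipped=$skipped failed=$failed"
```

Run it once with -DryRun to confirm the rule list and the skip logic before writing; a non-zero failed count usually means the playbook's trigger or Sentinel's permission on the Logic App still needs fixing, not the loop.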