SOLVED

How to mass apply a playbook to all analytic rules at once?

Contributor

Hi, can anyone help me if we have any feature to mass apply any playbook to all analytic rules? When I searched for the same, I found this: Allow for selection of playbooks to multiple rules at the same time – Customer Feedback for ACE Comm..., which says that this option is in public preview mode, but I couldn't find any option for the same. Can anyone help me here?

3 Replies
Best Response confirmed by printscreen (Contributor)
Solution

Hi @printscreen, yes, that option is in preview under a new feature called automation rules. You can sign up for the Sentinel private preview program here: http://aka.ms/securityprp

Regards

Hey @Javier Soriano, is there any option to do PowerShell execution to mass apply the playbook to all rules? I was just messing around myself and tried the below by uploading a JSON file in the CLI; the command will create an analytic rule, and in that, we can add a playbook, which worked perfectly.

Import-AzSentinelAlertRule -WorkspaceName "rg-test" -SettingsFile "alertrule.json"

But I tried the same way to update by doing Update-AzSentinelAlertRule, which didn't work, saying as in the attached snip. Is there any specific rule update command which helps to update the playbook configuration?

@printscreen Yes, it should be possible using PowerShell, but you would need to write a script for that (can't do it with a single command). The script could read the rules in the file one by one and then use Update-AzSentinelAlertRule.

You can also use the "Automation Rules" feature that is currently in private preview.

Regards