Microsoft Tech Community

How to clone or duplicate an Analytic Rule in Microsoft Sentinel using PowerShell

How can you clone or duplicate an Analytic Rule that resides in Microsoft Sentinel using either PowerShell or Azure CLI?

The cloned Analytic Rule will require a new ruleId and name but all other properties can remain the same.

I have tried using the Sentinel-related PowerShell module and functions...

$resourceGroupName = "XYZ"
$workspaceName = "abc"

# Get all analytic rules
$analyticRules = Get-AzSentinelAlertRule -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName

foreach ($rule in $analyticRules) {

    # Duplicate each rule (PSObject.Copy() makes a copy; a plain "$newRule = $rule" would only alias the same object and rename the original)
    $newRule = $rule.PSObject.Copy()
    $newRule.DisplayName = "_" + $rule.DisplayName
    $newRule.Id = $null # Clear ID for new rule creation

    # Create the duplicated rule
    # /// New-AzOperationalInsightsSavedSearch -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Properties $newRule.Properties
    #? New-AzSentinelAlertRule ? parameters to add

}
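Added example, not code from the original post: one way to clone a single Scheduled analytic rule with Az.SecurityInsights. It assumes the parameter names of the `New-AzSentinelAlertRule` Scheduled parameter set and the property names returned by `Get-AzSentinelAlertRule` (`-Technique` is assumed to exist in current module versions; verify with `Get-Help New-AzSentinelAlertRule -Full`). The clone is created disabled so the same query does not raise duplicate incidents until it has been reviewed.

```powershell
# Added example (not from the original post). Clones one Scheduled analytic rule.
# Assumption: Az.SecurityInsights is installed and Connect-AzAccount has been run.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $WorkspaceName,
    [Parameter(Mandatory)] [string] $SourceRuleId   # the existing rule's Name (a GUID)
)

# Fetch the source rule; only the Scheduled kind is handled here.
$src = Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkspaceName -RuleId $SourceRuleId
if ($src.Kind -ne 'Scheduled') {
    throw "Rule '$SourceRuleId' is of kind '$($src.Kind)'; this script clones Scheduled rules only."
}

# A fresh RuleId is required: reusing the source id would update that rule, not clone it.
$newRuleId = [guid]::NewGuid().ToString()

# Copy every property the question wants kept, changing only id, name and enabled state.
$params = @{
    ResourceGroupName   = $ResourceGroupName
    WorkspaceName       = $WorkspaceName
    RuleId              = $newRuleId
    Scheduled           = $true
    DisplayName         = "_" + $src.DisplayName
    Description         = $src.Description
    Query               = $src.Query
    QueryFrequency      = $src.QueryFrequency
    QueryPeriod         = $src.QueryPeriod
    Severity            = $src.Severity
    TriggerOperator     = $src.TriggerOperator
    TriggerThreshold    = $src.TriggerThreshold
    SuppressionDuration = $src.SuppressionDuration
    SuppressionEnabled  = [bool]$src.SuppressionEnabled
    Enabled             = $false   # start disabled: avoid two copies of the same detection firing at once
}
if ($src.Tactic)    { $params['Tactic']    = $src.Tactic }
if ($src.Technique) { $params['Technique'] = $src.Technique }   # assumption: -Technique present in your module version

$clone = New-AzSentinelAlertRule @params
Write-Host "Cloned '$($src.DisplayName)' -> '$($clone.DisplayName)' (RuleId $newRuleId, disabled)"
```

Entity mappings, custom details and incident grouping settings are not copied by this script; compare the clone with the source in the portal before enabling it.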

3 Replies
Thank you for the response @jaymcc510.

Just not getting time to test at the moment, but unsure of the parameters to use in New-AzSentinelAlertRule.
Hello, in Sentinel it is possible to clone the analytical rule, adding a new title and keeping the settings the same. Would this help you via Sentinel, or is it necessary via PowerShell?



Linkedin: https://www.linkedin.com/in/raphael-custodio-soares/
Youtube: https://www.youtube.com/channel/UCbrwqdI-61v3Q2zFUW2YNUQ