cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

How to mass apply a playbook to all analytic rules at once?

printscreen
Contributor

‎Jan 18 2021 05:00 AM

‎Jan 18 2021 05:00 AM

How to mass apply a playbook to all analytic rules at once?

Hi, Can anyone help me if we have any feature to mass apply any playbook to all analytic rules. When I searched for the same, I found this Allow for selection of playbooks to multiple rules at the same time – Customer Feedback for ACE Comm..., which says that this option is in public preview mode, but I couldn't find any option for the same? can anyone help me here?

1,381 Views
0 Likes
5 Replies
Reply
5 Replies
best response confirmed by printscreen (Contributor)
Javier Soriano

‎Jan 18 2021 06:01 AM

‎Jan 18 2021 06:01 AM

Solution

Re: How to mass apply a playbook to all analytic rules at once?

HI@printscreen , yes, that option is in preview under a new feature called automation rules. You can sign up for the Sentinel private preview program here: http://aka.ms/securityprp

 

Regards

0 Likes
Reply
printscreen

‎Jan 21 2021 09:40 AM - edited ‎Jan 21 2021 11:13 AM

‎Jan 21 2021 09:40 AM - edited ‎Jan 21 2021 11:13 AM

Re: How to mass apply a playbook to all analytic rules at once?

hey @Javier Soriano, Is there any option to do Powershell execution to mass apply the playbook to all rules?  I was just messing myself and tried below by uploading a JSON file in CLI and the command will create an analytic rule, and in that, we can add a playbook, which worked perfectly.

 

Import-AzSentinelAlertRule -WorkspaceName "rg-test" -SettingsFile "alertrule.json"

 

But, I tried the same way to update by doing Update-AzSentinelAlertRule which didn't work saying as attached snip. Is there any specific rule update command which helps to update the playbook configuration?

Preview file
34 KB
0 Likes
Reply
Javier Soriano

‎Jan 22 2021 01:39 AM

‎Jan 22 2021 01:39 AM

Re: How to mass apply a playbook to all analytic rules at once?

@printscreen Yes, it should be possible using Powershell, but you would need to write a script for that (can't do it with a single command). The script could get read the rules in the file one by one and then use Update-AzSentinelAlertRule.

 

You can also use the "Automation Rules" feature that is currently in private preview.

 

Regards

0 Likes
Reply
mattburrough

‎Jun 21 2021 08:43 PM

‎Jun 21 2021 08:43 PM

Re: How to mass apply a playbook to all analytic rules at once?

I needed to bulk apply a playbook to all of my rules recently, so I wrote a PS script as Javier suggested. You can find it on my blog or on GitHub.

 

-Matt

0 Likes
Reply