cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

How to sync automation rules from Github to Sentinel

Steven_Su
Copper Contributor

‎May 06 2022 01:07 AM

‎May 06 2022 01:07 AM

How to sync automation rules from Github to Sentinel

Hi,

 

As for the analytics rule synced from Github to Sentinel, we could just simply export the rules and import it to github. However, I am not able to export the automation rules to json file and could not find the guide for the sync.

Could you provide some guidance on it? Thanks

Labels:
2,488 Views
1 Like
6 Replies
Reply
6 Replies
Gary Bushey

‎May 06 2022 04:27 AM

‎May 06 2022 04:27 AM

Re: How to sync automation rules from Github to Sentinel

@Steven_Su It does not look like the MS Sentinel PowerShell (https://www.powershellgallery.com/packages/Az.SecurityInsights/1.1.0) has added the functionality for automation yet so you would need to use the REST API.  You can go to azure-rest-api-specs/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/prev...  to get the information on how to make the calls. 

 

I would think you would need to make a call to LIST all the automation rules and then either break apart the returned JSON to save each one individually or just use it to get the individual rule's ID.  Then you can make a call to GET each individual rule and save it.

0 Likes
Reply
Steven_Su

‎May 06 2022 04:49 AM

‎May 06 2022 04:49 AM

Re: How to sync automation rules from Github to Sentinel

Hi Gary,Thanks for your prompt reply.

Actually what we want to do is to use repo in github to deploy and maintain the analytic rules and automation rules attached. It is easy for analytic rules but difficult for automation rules.

We only have few playbooks like creating ticket but we will applied it to each analytics rule. So we wanna see if there is any approach to do so.
0 Likes
Reply
best response confirmed by Steven_Su (Copper Contributor)
Gary Bushey

‎May 09 2022 05:19 AM

‎May 09 2022 05:19 AM

Solution

Re: How to sync automation rules from Github to Sentinel

Have you looked at using a MS Sentinel repository to push all the rules (I am guessing you when you say repo you mean a Github repo and not MS Sentinel repository).

BTW, I wrote some PowerShell scripts to extract automation rules and a blog post about it. https://www.garybushey.com/2022/05/08/get-or-export-microsoft-sentinel-automation-rules/
0 Likes
Reply
Steven_Su

‎May 11 2022 01:09 AM

‎May 11 2022 01:09 AM

Re: How to sync automation rules from Github to Sentinel

Hi Gary,

This is a helpful documents to export the config. As tested, i still need to modify the format of the output to meet the requirement of the syntax so that I could create the new automation rule with this approach.
Really thanks for your reply.
0 Likes
Reply
Gary Bushey

‎May 11 2022 04:23 AM

‎May 11 2022 04:23 AM

Re: How to sync automation rules from Github to Sentinel

I'd be interested in hearing what changes you needed to make so I can make them to the PowerShell script.
0 Likes
Reply
Steven_Su

‎May 12 2022 07:34 PM

‎May 12 2022 07:34 PM

Re: How to sync automation rules from Github to Sentinel

@Gary Bushey Hi, this is the format i used to sync from Github repo to Sentinel. 

ps. I masked some information with xxxx/yyyy/zzzz/wwww

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.1",
    "parameters": {
        "workspace": {
            "type": "String"
        }
    },    
    "resources": [
        {
            "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/AutomationRules/yyyyyyyyyy')]",
            "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/yyyyyyyyyy')]",
            "type": "Microsoft.OperationalInsights/workspaces/providers/automationRules",
            "apiVersion": "2021-10-01-preview",
            "properties": {
                "displayName": "testing _jira_0511_0336",
                "order": 1,
                "triggeringLogic": {
                    "isEnabled": true,
                    "triggersOn": "Incidents",
                    "triggersWhen": "Created",
                    "conditions": [
                        {
                            "conditionType": "Property",
                            "conditionProperties": {
                                "propertyName": "IncidentRelatedAnalyticRuleIds",
                                "operator": "Contains",
                                "propertyValues": [
                                    "/subscriptions/xxxxxxxxxxxxxx/resourceGroups/endpoint_log_testing/providers/Microsoft.OperationalInsights/workspaces/endpoint-log-testing/providers/Microsoft.SecurityInsights/alertRules/zzzzzzzzzz"
                                ]
                            }
                        },
                        {
                            "conditionType": "Property",
                            "conditionProperties": {
                                "propertyName": "IncidentStatus",
                                "operator": "Equals",
                                "propertyValues": [
                                    "New"
                                ]
                            }
                        }
                    ]
                },
                "actions": [
                    {
                        "order": 1,
                        "actionType": "RunPlaybook",
                        "actionConfiguration": {
                            "logicAppResourceId": "/subscriptions/xxxxxxxxxxxxxx/resourceGroups/endpoint_log_testing/providers/Microsoft.Logic/workflows/CreateJiraIssue",
                            "tenantId": "wwwwwwwwww"
                        }
                    }
                ]
            }
        }
    ]
}

 

0 Likes
Reply