Mar 22 2021 12:21 PM
Hi,
I regularly deploy Sentinel to several clients as part of Security Workshops and every time, I spend a lot of time enabling scheduled analytic rules related to the deployed connectors. I'd like to use PowerShell and I found the AzSentinel module today. I can use it to create a scheduled analytic rule but even if I give a template name, I still have to provide severity, trigger and so on. I want to use default values from the template.
I thought about exporting those rules from an already existing Sentinel environment but if the Sentinel template changes, my export becomes worthless for new clients.
Does anyone have an idea about how to do that? I mean, being able to create a scheduled analytic rule from a template name by only providing a new alert rule should be something easy, right?
Regards,
P. Augras
Mar 22 2021 12:43 PM
Solution
I would recommend going to the Azure Sentinel GitHub page and getting your rules there.
Don't know if all of the built-in rules are there, but there are more rules there than there are templates within Azure Sentinel. Azure/Azure-Sentinel: Cloud-native SIEM for intelligent security analytics for your entire enterpris...
Otherwise, you can also use the AzSentinel module to first retrieve the templates (AZSentinel/Get-AzSentinelAlertRuleTemplates.ps1 at master · wortell/AZSentinel (github.com)) and then push them
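Added example (not part of the thread and not code from the wortell/AZSentinel project) showing the "retrieve the templates, then push them" approach from the answer above: it pulls the Scheduled rule templates from the workspace, picks the ones listed by display name, and creates each rule using the template's own severity, query, schedule and trigger so that nothing has to be typed in by hand. Assumptions: the AZSentinel module is installed and you are signed in with Connect-AzAccount; the workspace name, subscription id and template names are placeholders; the parameter names of New-AzSentinelAlertRule and the property names on the returned template objects are my recollection of the module and should be checked with Get-Help New-AzSentinelAlertRule -Full before running this against a client tenant.

```powershell
# Added example: enable Sentinel scheduled analytic rules from built-in templates
# with the wortell AZSentinel module. Not the project's own code; see lead-in.

$SubscriptionId = '00000000-0000-0000-0000-000000000000'  # placeholder
$WorkspaceName  = 'client-sentinel-workspace'             # placeholder

# Templates to enable for this client, matched on display name (placeholders).
$WantedTemplates = @(
    'Template display name 1',
    'Template display name 2'
)

# Pull every Scheduled template once; this reflects the current template
# content, so the result does not go stale the way an exported rule would.
$templates = Get-AzSentinelAlertRuleTemplates `
    -SubscriptionId $SubscriptionId `
    -WorkspaceName  $WorkspaceName `
    -Kind           Scheduled

foreach ($name in $WantedTemplates) {
    # Case-insensitive exact match so a near-miss name is reported, not silently skipped.
    $t = $templates | Where-Object { $_.displayName -eq $name } | Select-Object -First 1
    if (-not $t) {
        Write-Warning "Template '$name' not found in workspace '$WorkspaceName'; skipping."
        continue
    }

    # Splat the template's values straight into the rule; only the suppression
    # settings are chosen here (assumed portal defaults: disabled, 5 hours).
    $rule = @{
        SubscriptionId     = $SubscriptionId
        WorkspaceName      = $WorkspaceName
        DisplayName        = $t.displayName
        Description        = $t.description
        Severity           = $t.severity
        Enabled            = $true
        Query              = $t.query
        QueryFrequency     = $t.queryFrequency
        QueryPeriod        = $t.queryPeriod
        TriggerOperator    = $t.triggerOperator
        TriggerThreshold   = $t.triggerThreshold
        Tactics            = $t.tactics
        SuppressionEnabled = $false
        SuppressionDuration = 'PT5H'
    }

    try {
        New-AzSentinelAlertRule @rule
        Write-Host "Created rule '$($t.displayName)' (severity $($t.severity))."
    }
    catch {
        # Keep going so one bad template does not abort the whole workshop deployment.
        Write-Warning "Failed to create '$($t.displayName)': $($_.Exception.Message)"
    }
}
```

Because the templates are read from the workspace at run time, re-running the same list on a new client picks up whatever Microsoft has changed in the template since the last deployment, which was the concern with exporting rules from an existing environment. Verify the created rules in the portal once, since a template that references a table the client has no connector for will be created but never fire.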
Mar 22 2021 01:26 PM
Additionally, @PhilippeAugras and @Thijs Lecomte ... there was a PowerShell module developed last week that will allow direct import from a GitHub repo...
Mar 24 2021 07:56 AM
@Rod_Trent and @Thijs Lecomte , thank you very much for your answers, they are what I needed :).
P.