Sentinel automation - create Analytics alert rules from Alert rule templates using PowerShell

Hi,

I regularly deploy Sentinel to several clients as part of Security Workshops, and every time I spend a lot of time enabling scheduled analytic rules related to the deployed connectors. I'd like to use PowerShell, and I found the AzSentinel module today. I can use it to create a scheduled analytic rule, but even if I give a template name, I still have to provide severity, trigger and so on. I want to use the default values from the template.

I thought about exporting those rules from an already existing Sentinel environment, but if the Sentinel template changes, my export becomes worthless for new clients.

Does anyone have an idea about how to do that? I mean, being able to create a scheduled analytic rule from a template name by only providing a new alert rule name should be something easy, right?

Regards,


P. Augras

3 Replies

Best response confirmed by PhilippeAugras (Brass Contributor):

Hi @PhilippeAugras 


I would recommend going to the Azure Sentinel GitHub page and getting your rules there.

Don't know if all of the built-in rules are there, but there are more rules there than there are templates within Azure Sentinel: Azure/Azure-Sentinel: Cloud-native SIEM for intelligent security analytics for your entire enterpris...

Otherwise, you can also use the AzSentinel module to first retrieve the templates (AZSentinel/Get-AzSentinelAlertRuleTemplates.ps1 at master · wortell/AZSentinel (github.com)) and then push them.
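As an added example (not code from this thread or from the AzSentinel project), here is the retrieve-then-push approach in PowerShell, enabling only those Scheduled templates whose required data connectors are already deployed and copying severity, query, period and trigger settings straight from the template. The cmdlet names are the module's as cited above; the parameter names, the template property names and the duration format are assumptions to verify with `Get-Help New-AzSentinelAlertRule -Full` before use.

```powershell
# Added example: create analytics rules from alert rule templates with the
# wortell AzSentinel module, keeping the template's default values.
# ASSUMPTIONS: parameter names and template property names below follow the
# Sentinel REST schema and may differ in the module; durations come back from
# templates as ISO 8601 (e.g. PT5H) and the module may expect another format.
param(
    [string]$SubscriptionId = '<subscription-id>',   # placeholder
    [string]$WorkspaceName  = '<workspace-name>',    # placeholder
    # Connector IDs as they appear in a template's requiredDataConnectors
    [string[]]$DeployedConnectors = @('AzureActiveDirectory', 'Office365')
)

Import-Module AzSentinel

$templates = Get-AzSentinelAlertRuleTemplates -SubscriptionId $SubscriptionId `
    -WorkspaceName $WorkspaceName -Kind Scheduled

# Rules that already exist are skipped so the script can be re-run safely.
$existing = Get-AzSentinelAlertRule -SubscriptionId $SubscriptionId `
    -WorkspaceName $WorkspaceName | Select-Object -ExpandProperty displayName

foreach ($t in $templates) {
    $needed  = @($t.requiredDataConnectors | ForEach-Object { $_.connectorId })
    $missing = @($needed | Where-Object { $DeployedConnectors -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Verbose "Skipping '$($t.displayName)': needs $($missing -join ', ')"
        continue
    }
    if ($existing -contains $t.displayName) {
        Write-Verbose "Already present: $($t.displayName)"
        continue
    }

    # Every value except the name/workspace comes from the template itself.
    $params = @{
        SubscriptionId      = $SubscriptionId
        WorkspaceName       = $WorkspaceName
        DisplayName         = $t.displayName
        Description         = $t.description
        Severity            = $t.severity
        Enabled             = $true
        Query               = $t.query
        QueryFrequency      = $t.queryFrequency
        QueryPeriod         = $t.queryPeriod
        TriggerOperator     = $t.triggerOperator
        TriggerThreshold    = $t.triggerThreshold
        SuppressionDuration = 'PT5H'
        SuppressionEnabled  = $false
        Tactics             = $t.tactics
        AlertRuleTemplate   = $t.name   # keeps the link back to the template
    }
    New-AzSentinelAlertRule @params
}
```

Run with `-Verbose` first to see which templates are skipped for missing connectors before any rules are created.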

Additionally, @PhilippeAugras  and @Thijs Lecomte ... there was a PowerShell module developed last week that will allow direct import from a GitHub repo...


How to See Which Playbooks Have Run Against an Azure Sentinel Incident – Azure Cloud & AI Domain Blo...


@Rod_Trent and @Thijs Lecomte, thank you very much for your answers; they are what I needed :).

P.
