cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Sentinel automation - create Analytics alert rules from Alert rule templates using PowerShell

PhilippeAugras
Brass Contributor

‎Mar 22 2021 12:21 PM

‎Mar 22 2021 12:21 PM

Sentinel automation - create Analytics alert rules from Alert rule templates using PowerShell

Hi,

 

I regularly deploy Sentinel to several clients as part of Security Workshops and every time, I spend a lot of time enabling scheduled analytic rules related to the deployed connectors. I'd like to use PowerShell and I found the AzSentinel module today. I can use it to create a scheduled analytic rule but even if I give a template name, I still have to provide severity, trigger and so on. I  wanna use default values from the template.

I thought about exporting those rules from an already existing Sentinel environment but if the Sentinel template changes, my export becomes worthless for new clients. 

Does anyone have an idea about how to do that ? I mean, being able to create a scheduled analytic rule from a template name by only providing a new alert rule should be something easy, right ?

Regards,

 

P. Augras

2,459 Views
0 Likes
3 Replies
Reply
3 Replies
best response confirmed by PhilippeAugras (Brass Contributor)
Thijs Lecomte

‎Mar 22 2021 12:43 PM

‎Mar 22 2021 12:43 PM

Solution

Re: Sentinel automation - create Analytics alert rules from Alert rule templates using PowerShell

Hi @PhilippeAugras 

 

I would recommend going to the Azure Sentinel GitHub page and getting your rules there.

Don't know if all of the built-in rules are there, but there are more rules there than there are templates within Azure Sentinel. Azure/Azure-Sentinel: Cloud-native SIEM for intelligent security analytics for your entire enterpris...

 

Otherwise, you can also use the AzSentinel mode to first retrieve the templates (AZSentinel/Get-AzSentinelAlertRuleTemplates.ps1 at master · wortell/AZSentinel (github.com)) and then push them

0 Likes
Reply
Rod_Trent

‎Mar 22 2021 01:26 PM

‎Mar 22 2021 01:26 PM

Re: Sentinel automation - create Analytics alert rules from Alert rule templates using PowerShell

Additionally, @PhilippeAugras  and @Thijs Lecomte ... there was a PowerShell module developed last week that will allow direct import from a GitHub repo...

 

How to See Which Playbooks Have Run Against an Azure Sentinel Incident – Azure Cloud & AI Domain Blo...

 

 

2 Likes
Reply
PhilippeAugras

‎Mar 24 2021 07:56 AM

‎Mar 24 2021 07:56 AM

Re: Sentinel automation - create Analytics alert rules from Alert rule templates using PowerShell

@Rod_Trent and @Thijs Lecomte , thank you very much for your answers, they are what I needed :).

P.

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by PhilippeAugras (Brass Contributor)
Thijs Lecomte

‎Mar 22 2021 12:43 PM

‎Mar 22 2021 12:43 PM

Solution

Re: Sentinel automation - create Analytics alert rules from Alert rule templates using PowerShell

Hi @PhilippeAugras 

 

I would recommend going to the Azure Sentinel GitHub page and getting your rules there.

Don't know if all of the built-in rules are there, but there are more rules there than there are templates within Azure Sentinel. Azure/Azure-Sentinel: Cloud-native SIEM for intelligent security analytics for your entire enterpris...

 

Otherwise, you can also use the AzSentinel mode to first retrieve the templates (AZSentinel/Get-AzSentinelAlertRuleTemplates.ps1 at master · wortell/AZSentinel (github.com)) and then push them

View solution in original post

0 Likes
Reply