
Trouble importing analytic rules that have been exported using PowerShell/API


Hello! Trying to import analytic rules to Sentinel using a repository and Azure DevOps as source. If I manually export through the GUI it is working. Pipeline and everything. Issue is, if I export it using PowerShell with Get-AzSentinelAlertRule or with the API and convert it to JSON, the fun stops.

Creating repository "connections" from Sentinel creates a default ps1 script (azure-sentinel-deploy-XXXX) where I suspect the mismatch is happening.

It fails with the error: "The file contains resources for content that was not selected for deployment". (Yes, I have selected analytic rules in the options when connecting to the repository.)

Clearly I am doing something wrong in the conversion to JSON and missing something that identifies the JSON as an analytic rule. If I manually try to import it with the GUI, nothing happens.

So, is there someone out there who has managed to create an export to JSON using PowerShell/API that works with import/repository in Azure DevOps?

2 Replies
Have you compared the file that gets exported from the GUI to what the API call returns? If I recall, the API will return items like the rule's GUID which should not be in the file when you try to upload it.
Thanks for the good tip @GBushey.
After investigating the JSON file, it's clear that the JSON file exported with the API call is missing some format/code (sorry for my noobness). It's missing this at the top:
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspace": {
            "type": "String"
        }
    },
    "resources": [

Adding this with the closing brackets at the bottom, it works. Now I just need to figure out how to include this in the export job or do some kind of merging afterwards.
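
One way to do the merge step mentioned in the last reply, as an added example that is not part of the original thread or of the generated azure-sentinel-deploy script. The function name `ConvertTo-SentinelRuleTemplate`, the file names and the sample rule are hypothetical; the function only adds the envelope quoted above around whatever the export returned and removes nothing from the rule objects.

```powershell
# Hypothetical helper: wraps exported rule JSON in the deployment-template
# envelope quoted in the thread. It is not a cmdlet from any Az module.
function ConvertTo-SentinelRuleTemplate {
    [CmdletBinding()]
    param(
        # JSON written by the export job: one rule, an array of rules, or a
        # REST list response that keeps the rules under "value".
        [Parameter(Mandatory)] [string] $Path,
        # File the repository connection should pick up.
        [Parameter(Mandatory)] [string] $OutFile
    )

    $exported = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json

    # A file that already has the envelope (a GUI export) is copied unchanged.
    if ($exported -isnot [array] -and
        $exported.PSObject.Properties.Name -contains '$schema') {
        Copy-Item -LiteralPath $Path -Destination $OutFile
        return
    }

    if ($exported -is [array]) {
        $rules = $exported
    } elseif ($exported.PSObject.Properties.Name -contains 'value') {
        $rules = $exported.value
    } else {
        $rules = $exported
    }

    $template = [ordered]@{
        '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
        contentVersion = '1.0.0.0'
        parameters     = [ordered]@{ workspace = [ordered]@{ type = 'String' } }
        resources      = @($rules)   # always an array, even for one rule
    }

    # The default -Depth of 2 would flatten nested rule properties.
    $template | ConvertTo-Json -Depth 32 |
        Set-Content -LiteralPath $OutFile -Encoding UTF8
}

# Constructed sample input (placeholder values, not a real rule).
$sample = '{"name":"<rule-guid-placeholder>","kind":"Scheduled","properties":{"displayName":"Constructed sample rule"}}'
$in  = Join-Path ([IO.Path]::GetTempPath()) 'rule-export.json'
$out = Join-Path ([IO.Path]::GetTempPath()) 'rule-template.json'
Set-Content -LiteralPath $in -Value $sample -Encoding UTF8
ConvertTo-SentinelRuleTemplate -Path $in -OutFile $out
Get-Content -LiteralPath $out -Raw
```

Comparing the output with a GUI export of the same rule, as suggested in the first reply, shows whether any per-rule properties still differ.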