Create multiple Microsoft Sentinel rules from rule templates – The Next Generation

Introduction

Just over three years ago I wrote a blog post and code about how to create multiple rules from Microsoft Sentinel analytic rule templates. A lot has changed in those three years. Not only have new features been added to Microsoft Sentinel, but I have learned better ways to work with PowerShell.

With all that in mind, I figured it was time to update the old PowerShell scripts to handle the new features. For instance, while MITRE Tactics were available before, there were no Techniques, so those were added.

With all the rule templates being moved into the Sentinel Hub, either as solutions or stand-alone, the scripts also needed the ability to create rules from those templates. You can read about that here: Out-of-the-box (OOTB) content centralization changes – Microsoft Sentinel | Microsoft Learn. Hopefully the Microsoft Sentinel REST API will change to look at the solution templates so the hoops I jump through in the code will not be needed in the future.

Best practice to perform this action is to use Microsoft Sentinel’s Repository feature. The only issue with this is that you will need to check whether templates have changed and update your code as needed. Using these PowerShell scripts, you will always have the latest and greatest. OK, that may not be 100% accurate, as it is possible that your solution may need an update, but at least it is one less step.

All the code can be downloaded from here: garybushey/CreateRulesTNG: The next generation of the Create multiple rules from rule templates (github.com)

The CSV File

Like before, one of the PowerShell scripts, Export-AzSentinelAnalyticsRuleTemplatesToCSV.ps1, will read all the analytic rule templates and create the CSV file. The file rulestemplate.csv is a sample of the output. I would not recommend using it in your own environment, since there is no guarantee that all the GUIDs present will work in your environment. I have also selected some of the rules to be created as a test.

The CSV file is comprised of the following columns:

Column          Description
Selected        Place an “X” in this column to create a rule from this template
Name            The name of the rule template
ID              The rule template’s GUID
Source          Either “Sentinel” if it is an OOTB rule template or “Solution” if it comes from a solution
Severity        The rule template’s default severity
Kind            The rule template’s kind, either “Scheduled” or “NRT”
Description     The rule template’s description
Tactics         The MITRE tactics
Techniques      The MITRE techniques
QueryFrequency  How often the rule runs. This will be blank for an NRT rule
QueryPeriod     How far back to look. This will be blank for an NRT rule

As stated above, go through the file, determine which rule(s) you want to create, and place an “X” in the “Selected” column. Save this and run the next PowerShell script.

Creating the rules

Once you have your CSV file set up and ready to go, run New-AzSentinelAnalyticsRulesFromCSV.ps1 to create the rules. Like before, it will tell you what is going on by displaying messages on the screen, but a new feature is that it also creates a CSV file that stores all the information for later review.

The file rulesOutput.csv is a sample output file. Note that I did modify my “rulestemplate.csv” file in order to get the “Unable to find rule template” error message. This should not happen normally.

Some caveats

There are some caveats that should be noted.

  1. There is a 5 second delay between rule creations. I found that without this, I was exceeding the number of REST API calls allowed in a given time period. You can adjust this to see if you can get away with a smaller value.
  2. This is probably related to the 5 second delay, but when I tried to enable all the available rules in my environment, I got an error towards the end that the token had expired. Granted, I was trying to do over 400 rules at once, which I hope you never have to do, but be aware of this. I would suggest no more than 100 rules at a time.
  3. You will see errors if the table(s) that the rule needs do not exist or if there is an error in the KQL code. These come directly from the REST API call and there is nothing that can be done about them.
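To make the CSV workflow and the three caveats concrete, here is an added PowerShell example that is not one of the scripts from the GitHub repository. It reads rows with the same columns as rulestemplate.csv, keeps only the rows marked with an “X”, fetches each OOTB template’s query through the Microsoft.SecurityInsights alertRuleTemplates REST endpoint, builds a Scheduled or NRT rule body from the CSV fields, and PUTs it with Invoke-AzRestMethod, pausing between creations and capping the batch size. The subscription, resource group and workspace names are placeholders, the sample CSV is constructed, the semicolon separator for multiple tactics and techniques is an assumption (the article does not state how its CSV separates them), and templates that the alertRuleTemplates endpoint does not return (such as solution templates, which the author’s script handles through a path this article does not detail) are recorded as “Unable to find rule template” rather than created.

```powershell
# Added example, not the author's script. Assumes Az.Accounts is installed, Connect-AzAccount
# has been run, and the Microsoft.SecurityInsights alertRules/alertRuleTemplates REST API.
$ApiVersion = '2023-02-01'

# Constructed sample rows using the same columns as the article's rulestemplate.csv.
# Multiple tactics/techniques are assumed to be separated by ';'.
$SampleCsv = @'
Selected,Name,ID,Source,Severity,Kind,Description,Tactics,Techniques,QueryFrequency,QueryPeriod
X,Example scheduled rule,00000000-0000-0000-0000-000000000001,Sentinel,Medium,Scheduled,Demo rule,Persistence;Execution,T1098;T1059,PT1H,PT1H
,Unselected rule,00000000-0000-0000-0000-000000000002,Sentinel,Low,Scheduled,Not selected,Discovery,T1087,PT1D,PT1D
x,Example NRT rule,00000000-0000-0000-0000-000000000003,Solution,High,NRT,Demo NRT rule,InitialAccess,T1078,,
'@

function Get-SelectedTemplates {
    param([object[]]$Rows)
    # Only rows with an X (either case) in the Selected column are created.
    $Rows | Where-Object { $_.Selected -and $_.Selected.Trim() -match '^[Xx]$' }
}

function ConvertTo-AlertRuleBody {
    param([pscustomobject]$Template, [string]$Query)
    $props = [ordered]@{
        displayName           = $Template.Name
        description           = $Template.Description
        severity              = $Template.Severity
        enabled               = $true
        alertRuleTemplateName = $Template.ID      # links the rule back to its template
        query                 = $Query
        tactics               = @($Template.Tactics    -split ';' | Where-Object { $_ })
        techniques            = @($Template.Techniques -split ';' | Where-Object { $_ })
        suppressionEnabled    = $false
        suppressionDuration   = 'PT5H'
    }
    if ($Template.Kind -eq 'Scheduled') {
        # NRT rules have no frequency/period (blank in the CSV), so only Scheduled rules get these.
        $props.queryFrequency   = $Template.QueryFrequency
        $props.queryPeriod      = $Template.QueryPeriod
        $props.triggerOperator  = 'GreaterThan'
        $props.triggerThreshold = 0
    }
    @{ kind = $Template.Kind; properties = $props } | ConvertTo-Json -Depth 5
}

function New-RulesFromTemplateCsv {
    param(
        [object[]]$Rows,
        [string]$SubscriptionId, [string]$ResourceGroup, [string]$Workspace,
        [int]$DelaySeconds = 5,   # caveat 1: pause between creations to stay under the API call limit
        [int]$MaxRules     = 100, # caveat 2: keep one run small enough that the token does not expire
        [switch]$DryRun           # build the request bodies without calling the API
    )
    $base = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.OperationalInsights" +
            "/workspaces/$Workspace/providers/Microsoft.SecurityInsights"
    $selected = @(Get-SelectedTemplates -Rows $Rows)
    if ($selected.Count -gt $MaxRules) {
        Write-Warning "$($selected.Count) rules selected; only the first $MaxRules will be created in this run."
        $selected = $selected[0..($MaxRules - 1)]
    }
    foreach ($t in $selected) {
        $status = 'Created'; $detail = ''
        try {
            $query = '<template query>'
            if (-not $DryRun) {
                # The template supplies the KQL; a template the API does not return yields the same
                # "Unable to find rule template" status the article's rulesOutput.csv shows.
                $resp = Invoke-AzRestMethod -Method GET -Path "$base/alertRuleTemplates/$($t.ID)?api-version=$ApiVersion"
                if ($resp.StatusCode -ne 200) { throw 'Unable to find rule template' }
                $query = ($resp.Content | ConvertFrom-Json).properties.query
            }
            $body = ConvertTo-AlertRuleBody -Template $t -Query $query
            if (-not $DryRun) {
                $ruleId = [guid]::NewGuid().ToString()
                $resp = Invoke-AzRestMethod -Method PUT -Path "$base/alertRules/$ruleId?api-version=$ApiVersion" -Payload $body
                # Caveat 3: missing tables or bad KQL come back from the API as a 4xx with the reason in Content.
                if ($resp.StatusCode -notin 200, 201) { throw "HTTP $($resp.StatusCode): $($resp.Content)" }
                Start-Sleep -Seconds $DelaySeconds
            }
        } catch {
            $status = 'Error'; $detail = $_.Exception.Message
        }
        Write-Host "$($t.Name): $status $detail"
        [pscustomobject]@{ Name = $t.Name; ID = $t.ID; Kind = $t.Kind; Source = $t.Source; Status = $status; Detail = $detail }
    }
}

# Usage: -DryRun exercises the selection and body building offline; drop it to create the rules.
$rows = $SampleCsv | ConvertFrom-Csv
New-RulesFromTemplateCsv -Rows $rows -SubscriptionId '<subscription-id>' -ResourceGroup '<resource-group>' `
    -Workspace '<workspace-name>' -DryRun | Export-Csv -Path .\rulesOutput.csv -NoTypeInformation
```

Invoke-AzRestMethod obtains its credentials from the current Az context on every call, which is a simpler way to avoid holding a single bearer token across a long run; the batch cap and delay are still kept so that one run cannot exceed either the call limit or the token lifetime. Replace $SampleCsv with Import-Csv -Path .\rulestemplate.csv to run it against a real export.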

Summary

This is the second generation of my code to create multiple rules from templates. There have been many changes in Microsoft Sentinel that require the new PowerShell scripts.

I hope it works for you and makes your life a bit easier.
