Create multiple rules from rule templates using a UI

Introduction

This is a program I have been wanting to write for quite some time. It is the number 1 most requested feature from the community at large for Microsoft Sentinel, although I cannot find the URL right now. I have spoken with the development team and, at least at the time I spoke with them, there are no plans for this feature to be added to Microsoft Sentinel.

You can download the code from: garybushey/CreateMultiRulesGUI: Create multiple rules from rule templates using a GUI

User Interface

I wrote this to mimic the existing Microsoft Sentinel UI that shows the rule templates. There are a few differences, like having the “IN USE” message in a separate column to make it sortable. That was one thing I have a problem with in Microsoft Sentinel’s UI. That, and the update flag not being sortable, but I digress. You can compare the look and feel below.

Microsoft Sentinel’s User Interface
The program’s User Interface

You can see some differences. This program does not have the context-sensitive menu, since it is only used to create a rule from the rule templates. This program also has checkboxes. These allow you to select multiple rule templates that have been deployed using the Content Hub. It will not show Fusion or Microsoft Security rules.

It does show the details of the analytic rule when one is selected. If more than one is selected, it shows the data from the last one selected. It is close to, but not exactly like, the one in Microsoft Sentinel’s UI, as shown below:

This program showing the Analytic Rule details

This program is written using React and TypeScript, which is a great combination. It is what Microsoft Sentinel uses, so I figured that was a good reason to use the same libraries. Some other libraries being used include:

Name: MSAL
Description: This is the React library that allows a JavaScript/TypeScript program to connect to Entra ID. See below for more on that.
URLs: microsoft-authentication-library-for-js/lib/msal-react/README.md at dev · AzureAD/microsoft-authentication-library-for-js
      React single-page application using MSAL React to authenticate users against Microsoft Entra External ID – Code Samples | Microsoft Learn

Name: Fluent UI 9 controls
Description: This is used for UI controls, colors, and CSS.
URL: Concepts / Introduction – Docs ⋅ Storybook

There are plenty more, but those two are the big ones.

Development

As mentioned above, you will need to connect to Entra ID. In order to do that, you will need to create an Entra ID App registration. Look at my previous post on how to set this up: Call Microsoft Sentinel REST APIs from JavaScript – Yet Another Security Blog

You will also need to create a “.env” file in the root of your application that stores all the variables. For obvious reasons, I do not include this file in the GitHub repository. You will need the following entries. Make sure they all start with “REACT_APP_”, otherwise the code cannot find them.

REACT_APP_TENANT_ID=<The GUID of your Entra ID Tenant>
REACT_APP_SUBSCRIPTION_ID=<The GUID of the subscription your MS Sentinel resides in>
REACT_APP_RESOURCE_GROUP_NAME=<The name of the resource group your MS Sentinel resides in>
REACT_APP_WORKSPACE_NAME=<The name of the workspace your MS Sentinel resides in>
REACT_APP_CLIENT_ID=<The application ID from the app you created above>

Of course, this uses the Microsoft Sentinel REST API to read the Analytic Rule templates as well as create the rules. There is also an additional call to the “metadata” REST API that makes sure the rule is associated correctly with the solution it comes from. If you are familiar with the code from the “Microsoft Sentinel All-In-One V2” offering, it is the same code translated from PowerShell to TypeScript.
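To make the two REST calls above and the “.env” entries concrete, here is an added TypeScript example (not code from the CreateMultiRulesGUI project) that builds the workspace resource ID from the REACT_APP_ variables, the PUT body for a rule created from a template, and the “metadata” PUT body that ties that rule back to its solution. The ARM resource paths are the public Microsoft.SecurityInsights ones; the `RuleTemplate` shape and the `solution` input are reduced, assumed shapes for illustration.

```typescript
// Added example, not the project's code: the create flow as pure functions (no Azure call).
// ARM paths are the public Microsoft.SecurityInsights ones; input shapes are reduced.
type Env = Record<"REACT_APP_SUBSCRIPTION_ID" | "REACT_APP_RESOURCE_GROUP_NAME"
                | "REACT_APP_WORKSPACE_NAME", string>;

// Workspace resource ID every Sentinel REST path hangs off; fail fast on a blank .env
// value instead of sending ARM a URL with an empty segment.
function workspaceResourceId(env: Env): string {
  for (const k of Object.keys(env) as (keyof Env)[]) if (!env[k]) throw new Error(`missing ${k} in .env`);
  return `/subscriptions/${env.REACT_APP_SUBSCRIPTION_ID}/resourceGroups/` +
    `${env.REACT_APP_RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/` +
    `workspaces/${env.REACT_APP_WORKSPACE_NAME}`;
}

// Subset of a Scheduled rule template (constructed); real templates carry more fields.
interface RuleTemplate {
  name: string; // template GUID
  properties: { displayName: string; query: string; severity: string; version: string;
    queryFrequency: string; queryPeriod: string; triggerOperator: string; triggerThreshold: number };
}

// PUT body for the new rule. alertRuleTemplateName/templateVersion are the link the
// portal uses to mark the template IN USE and to flag it when a newer version ships.
function ruleFromTemplate(wsId: string, t: RuleTemplate, ruleId: string) {
  const p = t.properties;
  return {
    path: `${wsId}/providers/Microsoft.SecurityInsights/alertRules/${ruleId}`,
    body: { kind: "Scheduled", properties: {
      displayName: p.displayName, query: p.query, severity: p.severity,
      queryFrequency: p.queryFrequency, queryPeriod: p.queryPeriod,
      triggerOperator: p.triggerOperator, triggerThreshold: p.triggerThreshold,
      enabled: true, suppressionEnabled: false, suppressionDuration: "PT5H",
      alertRuleTemplateName: t.name, templateVersion: p.version } },
  };
}

// The extra "metadata" PUT that ties the rule to its solution. `solution` is assumed
// to come from the template's Content Hub metadata (name and sourceId).
function metadataForRule(wsId: string, t: RuleTemplate, ruleId: string,
                         solution: { name: string; sourceId: string }) {
  return {
    path: `${wsId}/providers/Microsoft.SecurityInsights/metadata/analyticsrule-${ruleId}`,
    body: { properties: {
      kind: "AnalyticsRule", contentId: t.name, version: t.properties.version,
      parentId: `${wsId}/providers/Microsoft.SecurityInsights/alertRules/${ruleId}`,
      source: { kind: "Solution", name: solution.name, sourceId: solution.sourceId } } },
  };
}
```

Each returned `path` is appended to the ARM base URL and sent as a PUT with the `body`, using the MSAL access token from the app registration described above; the new rule's `ruleId` is a GUID you generate per rule.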

There isn’t much else to talk about. There are a lot of comments in the code that should explain everything that is going on.

Additional TO-DOs

There are a few other things I would like to do with the program.

  • Right now, if you select multiple rules, the “status” field updates for all of them at one time. I would like it to update in real time.
  • Allow for a switch between light and dark themes. The code is written in such a way as to allow this to happen easily; it is just a matter of adding the code.
  • I could also update the details pane to look more like what is in the Microsoft Sentinel UI. It shows all the basic information, but not in the same format. Again, this is probably a fairly easy update.
  • I would love to figure out how they color code the KQL that shows up in the detail pane, so if anyone knows how that is done, please let me know.

Summary

This program will allow you to select one or more rule templates in a User Interface and create new Analytic rules from them. It is something that has been asked about for quite a while and I finally got around to writing it.
