Alert rule from GitHub to Azure Sentinel
The Azure Sentinel community is great. Many people contribute to the Azure Sentinel GitHub site. Rod Trent wrote an article on how to deploy analytic rules from GitHub to your Sentinel instance. This is great, however, the rules are written in YAML and can therefore easily be imported programmatically.
I have written a short PowerShell function for that purpose. Let’s check the workflow:
Browse to the Sentinel repo: https://github.com/Azure/Azure-Sentinel/tree/master/Detections
Click on a detection query, then click on Raw:
Copy the raw URL and save it somewhere temporarily. Now, in Sentinel, click on Settings / Workspace settings and note the resource group and the workspace name.
That’s all we need. Now let’s start with the script from GitHub.
Import-Module .\alertRuleFromGHToSentinel.ps1
New-AzSentinelAlertRuleFromGitHub -resourceGroupName "resource group name" -workspaceName "workspace name" -gitHubRawUrl "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml"
Next, you will be prompted for authentication, and then the alert rule will be created based on the criteria specified in the YAML file:
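As an added example (not the author’s alertRuleFromGHToSentinel.ps1), here is the core of what such a function has to do: fetch the YAML, translate the repo’s duration and operator shorthand into the types New-AzSentinelAlertRule expects, and create the rule. It assumes the powershell-yaml and Az.SecurityInsights modules are installed and Connect-AzAccount has already been run; the function names and the URL check are my own, and the cmdlet parameters should be compared against the Az.SecurityInsights version you have installed.

```powershell
# Added example, not the author's script. Requires: powershell-yaml, Az.SecurityInsights,
# and an existing Connect-AzAccount session.
Import-Module powershell-yaml
Import-Module Az.SecurityInsights

function ConvertTo-SentinelTimeSpan {
    # The repo writes durations as "5m", "1h", "1d"; the cmdlet wants a TimeSpan.
    param([Parameter(Mandatory)][string]$Value)
    if ($Value -notmatch '^(\d+)([mhd])$') { throw "Unsupported duration '$Value'" }
    $n = [int]$Matches[1]
    switch ($Matches[2]) {
        'm' { New-TimeSpan -Minutes $n }
        'h' { New-TimeSpan -Hours $n }
        'd' { New-TimeSpan -Days $n }
    }
}

function New-AlertRuleFromDetectionYaml {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$WorkspaceName,
        [Parameter(Mandatory)][string]$RawUrl
    )
    # Only accept raw files from the official repo, so a typo or a pasted link
    # cannot pull rule content (including the KQL query) from an arbitrary host.
    if ($RawUrl -notmatch '^https://raw\.githubusercontent\.com/Azure/Azure-Sentinel/') {
        throw "Refusing to load a rule from outside Azure/Azure-Sentinel: $RawUrl"
    }
    $rule = (Invoke-WebRequest -Uri $RawUrl -UseBasicParsing).Content | ConvertFrom-Yaml

    # The YAML uses short operator codes; the cmdlet uses enum names.
    $operatorMap = @{ gt = 'GreaterThan'; lt = 'LessThan'; eq = 'Equal'; ne = 'NotEqual' }
    $operator = $operatorMap[$rule.triggerOperator]
    if (-not $operator) { throw "Unknown triggerOperator '$($rule.triggerOperator)'" }

    # Scheduled rule built from the YAML fields (name, description, severity,
    # query, queryFrequency, queryPeriod, triggerThreshold, tactics).
    New-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName `
        -Scheduled `
        -DisplayName $rule.name -Description $rule.description -Severity $rule.severity `
        -Query $rule.query `
        -QueryFrequency (ConvertTo-SentinelTimeSpan $rule.queryFrequency) `
        -QueryPeriod (ConvertTo-SentinelTimeSpan $rule.queryPeriod) `
        -TriggerOperator $operator -TriggerThreshold ([int]$rule.triggerThreshold) `
        -Tactic $rule.tactics
}
```

Pinning the URL to a commit SHA instead of master makes the deployed rule reproducible, since the file on master can change between runs.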
Back in Sentinel, the Rule has been created for you …
… with the parameters from the YAML file.
Of course, you can edit the rule to meet your needs:
Since you asked for it: this function now also supports batch mode. For that you have to set -isGitHubDirectoryUrl to $true and specify the Sentinel GitHub repo URL of a directory beneath “Detections”:
New-AzSentinelAlertRuleFromGitHub -resourceGroupName "rg-name" -workspaceName "ws-name" -gitHubRawUrl "https://github.com/Azure/Azure-Sentinel/tree/master/Detections/SecurityEvent" -isGitHubDirectoryUrl $true
With this you can easily create 30 or so rules from a directory in the repo in a few minutes.