Microsoft Sentinel Article Series: Mass Enable Analytics Rules using PowerShell
Analytics rules in Microsoft Sentinel are logic sets that automatically run queries over your data at regular intervals. When the output of a rule's query matches its criteria, the system creates an alert or an incident, which can initiate a response to potential security threats. Because until today there has been no tool that can enable all analytics rules at once, I wrote this tutorial.
Prerequisites
Active Sentinel subscription
GitHub account
PowerShell modules:
- PowerShellForGitHub
- Az.Accounts
- Az.SecurityInsights
- powershell-yaml
Minimum role: Microsoft Sentinel Contributor
Step-by-step
1. Configure your GitHub account requirements: navigate to https://github.com/settings/tokens/new and generate a new token with the public_repo scope.
2. Set an expiration (7 days is recommended), then don't forget to save the generated token; it is your unique GitHub code.
3. In your Azure portal, at the top right, you can see this:
4. Copy this script from GitHub into your Azure PowerShell:
5. You can git clone the whole GitHub repository:
6. Then cd into the analytics_rules folder.
7. Then, in the browser, choose the detection folder you want to enable (just copy the folder name):
8. Then prepare the script's run parameters like this; you can remove or rename entries in detectionFolderName according to what you want:
.\create-scheduledRuleFromTemplate.ps1 -subscriptionId 'xxxxxx-4xxxx-42xxx-xxxx-xxxxxxxxxx' -resourceGroupName 'rg-sentinel' -workspaceName 'log-sentinel' -githubToken 'ghp_xxxxxxxxxxxxaz1lYRJU' -detectionFolderName 'AuditLogs','AzureActivity','AzureDiagnostics','AzureFirewall','AzureWAF','CommonSecurityLog','DeviceEvents','DeviceFileEvents','DeviceNetworkEvents','DeviceProcessEvents','OfficeActivity','SecurityAlert','SecurityEvent','SecurityNestedRecommendation','SigninLogs','Syslog','WindowsEvents'
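To make clear what a run like the one above does under the hood, here is an added example script of my own, not the article's create-scheduledRuleFromTemplate.ps1 and not code from the Azure-Sentinel project. It assumes a local clone of https://github.com/Azure/Azure-Sentinel under $RepoRoot (so it reads the detection YAML files from disk instead of through the GitHub API and needs no token), and the Az.Accounts, Az.SecurityInsights and powershell-yaml modules from the prerequisites. It creates an enabled scheduled analytics rule for every template in the folders you name, skips rules that already exist so it is safe to re-run, and supports -WhatIf so you can preview the list before enabling anything.

```powershell
<#
  Added example (not the article's script): mass-enable Sentinel scheduled
  analytics rules from the detection YAML templates in a local clone of
  Azure/Azure-Sentinel. Assumed: clone lives under $RepoRoot.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]   $SubscriptionId,
    [Parameter(Mandatory)] [string]   $ResourceGroupName,
    [Parameter(Mandatory)] [string]   $WorkspaceName,
    [Parameter(Mandatory)] [string[]] $DetectionFolderName,
    [string] $RepoRoot = (Join-Path $PWD 'Azure-Sentinel')   # assumed clone location
)

Import-Module Az.Accounts, Az.SecurityInsights, powershell-yaml -ErrorAction Stop

# Template durations such as "1d", "1h", "5m" become TimeSpans for the cmdlet.
function ConvertTo-RuleTimeSpan {
    param([Parameter(Mandatory)][string] $Value)
    if ($Value -notmatch '^(?<n>\d+)(?<u>[dhm])$') { throw "Unsupported duration '$Value'" }
    switch ($Matches.u) {
        'd' { New-TimeSpan -Days    ([int]$Matches.n) }
        'h' { New-TimeSpan -Hours   ([int]$Matches.n) }
        'm' { New-TimeSpan -Minutes ([int]$Matches.n) }
    }
}

# The YAML templates use gt/lt/eq/ne; New-AzSentinelAlertRule wants the enum names.
$operatorMap = @{ gt = 'GreaterThan'; lt = 'LessThan'; eq = 'Equal'; ne = 'NotEqual' }

# Work in the target subscription; fails fast if the signed-in account has no access.
Set-AzContext -SubscriptionId $SubscriptionId -ErrorAction Stop | Out-Null

# Display names already present in the workspace; used to skip duplicates on re-runs.
$existing = Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName |
            ForEach-Object { $_.DisplayName }

foreach ($folder in $DetectionFolderName) {
    $path = Join-Path $RepoRoot "Detections\$folder"
    if (-not (Test-Path $path)) { Write-Warning "Folder not found: $path"; continue }

    foreach ($file in Get-ChildItem -Path $path -Filter *.yaml -Recurse) {
        $t = ConvertFrom-Yaml (Get-Content -Path $file.FullName -Raw)

        # Only scheduled templates are handled here; NRT templates use a different parameter set.
        if ($t.kind -and $t.kind -ne 'Scheduled') { Write-Verbose "Skipping $($t.name) ($($t.kind))"; continue }
        if ($existing -contains $t.name)          { Write-Verbose "Already present: $($t.name)"; continue }

        $params = @{
            ResourceGroupName = $ResourceGroupName
            WorkspaceName     = $WorkspaceName
            Scheduled         = $true
            DisplayName       = $t.name
            Description       = $t.description
            Query             = $t.query
            QueryFrequency    = ConvertTo-RuleTimeSpan $t.queryFrequency
            QueryPeriod       = ConvertTo-RuleTimeSpan $t.queryPeriod
            Severity          = $t.severity
            TriggerOperator   = $operatorMap[$t.triggerOperator]
            TriggerThreshold  = [int]$t.triggerThreshold
            Enabled           = $true
            ErrorAction       = 'Stop'
        }
        if ($t.tactics) { $params.Tactic = @($t.tactics) }

        # -WhatIf prints "What if: Create enabled scheduled rule" for each template without creating it.
        if ($PSCmdlet.ShouldProcess($t.name, 'Create enabled scheduled rule')) {
            try {
                New-AzSentinelAlertRule @params | Out-Null
                Write-Host "Enabled: $($t.name)"
            } catch {
                # A common cause is a query that references a table this workspace does not ingest yet.
                Write-Warning "Failed '$($t.name)' from $($file.Name): $($_.Exception.Message)"
            }
        }
    }
}
```

Run it with the same parameters as in step 8 (minus -githubToken), for example `.\Enable-SentinelRules.ps1 -SubscriptionId '...' -ResourceGroupName 'rg-sentinel' -WorkspaceName 'log-sentinel' -DetectionFolderName 'SigninLogs','AuditLogs' -WhatIf` to preview first. Enabling every template at once is convenient, but a rule whose table the workspace never receives will simply never fire, so the per-rule warnings are worth reviewing against the data connectors you actually have.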
9. It will show output like the one below:
10. Then it shows on the Sentinel Overview tab:
11. Or you can check the Analytics rules page: