Microsoft Sentinel Article Series: Mass Enable Analytics Rules using Powershell

Jeffry Gunawan
MII Cyber Security Consulting Services
3 min readJul 17, 2023

Analytics rules in Microsoft Sentinel are logic sets that automatically run queries over your data at regular intervals. When the output of a rule’s query matches its criteria, the system creates an alert or an incident, which can initiate a response to potential security threats. Because until today there is no tool that can enable all analytics rules, I made this tutorial.

Pre-Requisites

Active Sentinel Subscriptions

Github account

Powershell Modules :

  • PowerShellForGitHub
  • Az.Accounts
  • Az.SecurityInsights
  • powershell-yaml

Minimal Roles : Microsoft Sentinel Contributor

Step-by-step

  1. Configure your Github account requirements
    Navigate to https://github.com/settings/tokens/new
  2. Generate a new token with the public_repo scope
Source : Sean Github

You can fill expiration recommend setting to 7 days. then dont forget to save your github unique code.

3. At your portal azure, top right you can view this

4. Copy these github script to your Azure Powershell :

5. you can git clone whole github :

6. Then move using cd to analytics_rules folder

7. Then go to browser, choose your detection folder that you want to enable (just copy the folder name) :

8. Then prepare the running parameter script like this, you can remove and rename detectionFolderName according to what you want

.\create-scheduledRuleFromTemplate.ps1 -subscriptionId 'xxxxxx-4xxxx-42xxx-xxxx-xxxxxxxxxx' -resourceGroupName 'rg-sentinel' -workspaceName 'log-sentinel' -githubToken 'ghp_xxxxxxxxxxxxaz1lYRJU' -detectionFolderName 'AuditLogs','AzureActivity','AzureDiagnostics','AzureFirewall','AzureWAF','CommonSecurityLog','DeviceEvents','DeviceFileEvents','DeviceNetworkEvents','DeviceProcessEvents','OfficeActivity','SecurityAlert','SecurityEvent','SecurityNestedRecommendation','SigninLogs','Syslog','WindowsEvents'

9. It will be showing like below :

Mass Analytics Rules Running

10. Then it’s showing at the Sentinel Overview Tab :

Analytics Rules Enabled

11. Or you can check the analytics rules :

72 Rules Active

References

https://github.com/Azure/Azure-Sentinel

--

--

MII Cyber Security Consulting Services
MII Cyber Security Consulting Services

Published in MII Cyber Security Consulting Services

MII Cyber Security Consulting Services is a division under PT. Mitra Integrasi Informatika and part of Metrodata Group. MII Cyber Security Consulting Services provide following services : Security Assessment, DFIR Services, MSS SOC, Training, and other cyber security fields.

Jeffry Gunawan
Jeffry Gunawan

Written by Jeffry Gunawan

Cyber Security Consultant | CEH(P), CHFI, ECIH, CSA, CSCU, SC200,400,300,900

No responses yet