Microsoft Sentinel comes with analytics rule built-in templates that you can turn into active analytic rules by effectively creating a copy of them – that’s what happens when you create a rule from a template.
What if you want to delete duplicate analytics rule templates?
In this article, we will share with you how to remove and delete Microsoft Sentinel Analytics Rule templates using PowerShell, this is useful if you have Rule templates imported from Content Hub and you want to delete one or more duplicate templates.
Table of Contents
Introduction
Microsoft Sentinel is a cloud-native Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
Microsoft Sentinel Analytics Rules templates were designed by Microsoft’s team of security experts and analysts based on known threats, common attack vectors, and suspicious activity escalation chains. Many of these templates can be customized to search for activities, or filter them out, according to your needs.
Solutions in Microsoft Sentinel Content Hub provide a consolidated way to acquire Microsoft Sentinel content, like data connectors, workbooks, analytics, and automation, in your workspace with a single deployment step.
We have recently come across a scenario where we’ve imported a solution from Content Hub that has more than 50 Analytics rules, and before we started enabling them at scale, we noticed that some templates have the same (duplicate) name.
If you have worked with Analytics Rule Templates for quite a bit, you’ll notice that we cannot delete, import, or export them. Those options are greyed out in the Analytics blade in Microsoft Sentinel as shown in the figure below.
So what is the solution then?
Let’s see how to automate this process and delete Microsoft Sentinel built-in rules using PowerShell and Azure Resource Graph.
Prerequisites
To follow this article, you need to have the following:
1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
2) Log Analytics workspace – To create a new workspace, follow the instructions here Create a Log Analytics workspace.
3) Enable Microsoft Sentinel at no additional cost on an Azure Monitor Log Analytics workspace for the first 31 days, follow the instructions here. Once Microsoft Sentinel is enabled on your Azure Monitor Log Analytics workspace, every GB of data ingested into the workspace can be retained at no charge for the first 90 days.
4) Azure PowerShell installed locally on your machine or using the Cloud Shell.
5) The Azure Resource Graph module for PowerShell. Please note that this module can be used with locally installed PowerShell, with Azure Cloud Shell, or with the PowerShell Docker image.
To install Azure Resource Graph and Azure Accounts PowerShell modules on your machine, you can run the following command:
# Install and update to the latest Az PowerShell module
Install-Module -Name Az.Accounts,Az.ResourceGraph -AllowClobber -Force
# Check Az PowerShell modules version installed
Get-Module -Name Az.Accounts,Az.ResourceGraph -ListAvailable | Select Name, VersionDelete Analytics Rule Templates
You have a couple of options to run the script, you can either use Azure Cloud Shell, Visual Studio Code, or Windows Terminal. The Script works with PowerShell 5.1 or PowerShell 7 (core) with the Az module.
.EXAMPLE
.\Delete-AnalyticsRules -SubscriptionId "xxxxxxxx-aaaa-bbbb-cccc-zzzzzzzzzzzz" -ResourceGroup "RG-Name" `
-WorkspaceName "Log-Analytics-Name" -RuleTemplateName "Rule-Template-Name" `
-verionNumber "Rule-Version-Number" -VerboseThis example will connect to your Azure account using the subscription Id specified, and then delete the built-in analytic rule for the specified template name and version number.
Last, you need to confirm to perform this action and delete the built-in Analytic Rule Template.
Here is an example of the output once you run this tool:
PowerShell Code
The complete script is detailed below to delete built-in Analytics Rule Templates:
<#
.SYNOPSIS
Delete Microsoft Sentinel Analytics Rule Templates.
.DESCRIPTION
How to remove and delete Microsoft Sentinel Built-in Analytics Rule Templates using PowerShell.
.NOTES
File Name : Delete-AnalyticsRules.ps1
Author : Microsoft MVP/MCT - Charbel Nemnom
Version : 1.0
Date : 31-October-2022
Update : 31-October-2022
Requires : PowerShell 5.1 or PowerShell 7.2.x (Core)
Module : Az Module & Az Resource Graph
.LINK
To provide feedback or for further assistance please visit: https://charbelnemnom.com
.EXAMPLE
.\Delete-AnalyticsRules.ps1 -SubscriptionId "SUB-ID" -ResourceGroup "RG-Name" `
-WorkspaceName "Log-Analytics-Name" -RuleTemplateName "Rule-Template-Name" `
-verionNumber "Rule-Version-Number" -Verbose
This example will connect to your Azure account using the subscription Id specified, and then delete the analytic rule for the specified template name and version number.
Last, you need to confirm to perform this action and delete the built-in Analytic Rule Template.
#>
param (
[Parameter(Position = 0, Mandatory = $true, HelpMessage = 'Enter Azure Subscription ID')]
[string]$subscriptionId,
[Parameter(Position = 1, Mandatory = $true, HelpMessage = 'Enter Resource Group Name where Microsoft Sentinel is deployed')]
[string]$resourceGroupName,
[Parameter(Position = 2, Mandatory = $true, HelpMessage = 'Enter Log Analytics Workspace Name')]
[string]$workspaceName,
[Parameter(Position = 3, Mandatory = $true, HelpMessage = 'Enter Analytic Rule Template Name')]
[string]$ruleTemplateName,
[Parameter(Position = 4, Mandatory = $true, HelpMessage = 'Enter Analytic Rule Template Version')]
[string]$verionNumber
)
#! Install Az Module If Needed
function Install-Module-If-Needed {
param([string]$ModuleName)
if (Get-Module -ListAvailable -Name $ModuleName) {
Write-Host "Module '$($ModuleName)' already exists, continue..." -ForegroundColor Green
}
else {
Write-Host "Module '$($ModuleName)' does not exist, installing..." -ForegroundColor Yellow
Install-Module $ModuleName -Force -AllowClobber -ErrorAction Stop
Write-Host "Module '$($ModuleName)' installed." -ForegroundColor Green
}
}
#! Install Az Resource Graph Module If Needed
Install-Module-If-Needed Az.ResourceGraph
#! Install Az Accounts Module If Needed
Install-Module-If-Needed Az.Accounts
#! Check Azure Connection
Try {
Write-Verbose "Connecting to Azure Cloud..."
Connect-AzAccount -ErrorAction Stop | Out-Null
}
Catch {
Write-Warning "Cannot connect to Azure Cloud. Please check your credentials. Exiting!"
Break
}
$rgQuery = @"
resources
| where type =~ 'Microsoft.Resources/templateSpecs/versions'
| where tags['hidden-sentinelContentType'] =~ 'AnalyticsRule' and tags['hidden-sentinelWorkspaceId'] =~ '/subscriptions/$subscriptionid/resourceGroups/$resourceGroupName/providers/Microsoft.OperationalInsights/workspaces/$workspaceName'
| extend workspaceName = strcat(split('/subscriptions/$subscriptionid/resourceGroups/$resourceGroupName/providers/Microsoft.OperationalInsights/workspaces/$workspaceName', "/")[-1],'-')
| extend versionArray=split(id, "/")
| extend content_kind = tags['hidden-sentinelContentType']
| extend version = name
| extend parsed_version = parse_version(version)
| extend resources = parse_json(parse_json(parse_json(properties).template).resources)
| extend metadata = parse_json(resources[array_length(resources)-1].properties)
| extend template = parse_json(resources[array_length(resources)-2].properties)
| extend contentId = tostring(metadata.contentId)
| extend templateName = tostring(template.displayName)
| where templateName == '$ruleTemplateName' and version == '$verionNumber'
| summarize arg_max(parsed_version, version, properties, templateName) by contentId, id
| project contentId, version, properties, id, templateName
"@
try {
$templates = Search-AzGraph -Query $rgQuery
if ($templates.Count -eq 0) {
throw "Resource Graph query error"
}
}
catch {
Write-Error $_ -ErrorAction Stop
}
$duplicateTemplates = $templates.data | select-object -Property id, contentId, version, templateName
foreach ($template in $duplicateTemplates) {
Write-Verbose "Rule Template Name: [$($template.templateName)]"
Write-Verbose "Rule Template Id: [$($template.contentId)]"
Write-Verbose "Rule Template Version: [$($template.version)]"
Remove-AzResource -ResourceId $template.id -Confirm
}Before running the tool, we can see the built-in template rule name “D365 – Mass export of records to Excel” with version number “2.0.13“.
Once we run this tool, we can refresh the Analytics Rule Templates page and check if the rule is deleted. In this example, the “D365 – Mass export of records to Excel” built-in rule is removed.
That’s it there you have it. Happy Analytics rules template deletion with Microsoft Sentinel!
If you have any feedback or changes that everyone should receive, please feel free to leave a comment below.
Summary
This article showed you how to remove and delete Microsoft Sentinel Analytics Rules using PowerShell, this is useful if you have many Analytics Rule templates as part of a Content Hub solution and you want to delete one or more due to duplicate names or wrong versions.
Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for your SOC to triage and investigate, and respond to threats with automated tracking and remediation processes.
This is one of the many features in Microsoft Sentinel that can be utilized to provide immense value to threat detection out-of-the-box.
The power of Microsoft Sentinel comes from the ability to detect, investigate, respond to, and remediate threats.
> Learn more on how to create and enable Microsoft Sentinel Analytics Rules at scale.
__
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-
