
How To Enable Microsoft Sentinel Analytics Rules at Scale


Microsoft Sentinel ships with built-in analytics rule templates that you turn into active analytics rules by effectively creating a copy of them; that is what happens when you create a rule from a template.

What if you have a large number of analytics rule templates?

In this article, we will share with you how to create and enable Microsoft Sentinel Analytics Rules at scale using PowerShell. This is very useful if you have many Analytics Rule templates and want to enable them all at once; it will save thousands of mouse clicks.

Introduction

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Microsoft Sentinel Analytics Rules templates were designed by Microsoft’s team of security experts and analysts based on known threats, common attack vectors, and suspicious activity escalation chains. Many of these templates can be customized to search for activities, or filter them out, according to your needs.

Solutions in Microsoft Sentinel Content Hub provide a consolidated way to acquire Microsoft Sentinel content, like data connectors, workbooks, analytics, and automation, in your workspace with a single deployment step.

The question that often comes up is: what if we have imported a solution from Content Hub that has more than 40 Analytics rule templates and we need to create a rule from each of them?

Analytics Rules get created when the solution is installed.

As you probably know, this is a tedious operation to do in the Azure portal.

Let’s see how to automate this process and detect threats faster by creating and enabling the Microsoft Sentinel built-in rules at scale.

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.

2) Log Analytics workspace – To create a new workspace, follow the instructions here Create a Log Analytics workspace.

3) Enable Microsoft Sentinel at no additional cost on an Azure Monitor Log Analytics workspace for the first 31 days, following the instructions here. Once Microsoft Sentinel is enabled on your Azure Monitor Log Analytics workspace, every GB of data ingested into the workspace can be retained at no charge for the first 90 days.

4) Azure PowerShell installed locally on your machine or using the Cloud Shell.

5) The Azure Resource Graph module for PowerShell. Please note that this module can be used with locally installed PowerShell, with Azure Cloud Shell, or with the PowerShell Docker image.

To install Azure Resource Graph and Azure Accounts PowerShell modules on your machine, you can run the following command:

# Install and update to the latest Az PowerShell module
Install-Module -Name Az.Accounts,Az.ResourceGraph -AllowClobber -Force

# Check Az PowerShell modules version installed
Get-Module -Name Az.Accounts,Az.ResourceGraph -ListAvailable | Select-Object Name, Version

Enable Microsoft Sentinel Analytics Rules

You have a couple of options to run the script: Azure Cloud Shell, Visual Studio Code, or Windows Terminal. The script works with PowerShell 5.1 or PowerShell 7 (Core) with the Az module.

.EXAMPLE

.\Set-AnalyticsRules.ps1 -SubscriptionId "xxxxxxxx-aaaa-bbbb-cccc-zzzzzzzzzzzz" -ResourceGroup "RG-Name" `
 -WorkspaceName "Log-Analytics-Name" -SolutionName "Source-Name" -enableRules Yes -Verbose

This example will connect to your Azure account using the subscription Id specified, and then create all analytics rules from templates for the specified Microsoft Sentinel solution name (e.g. SAP, Cloudflare, Dynamics 365, Azure Activity, or Azure Active Directory).

By default, all of the rules are created in the Disabled state. You can enable them at creation time instead by setting the -enableRules parameter to Yes.
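The -SolutionName value has to match the source name stored in the solution's template metadata exactly, which is not always the display name shown in Content Hub. The following script is an added example (not part of the original post or the Set-AnalyticsRules.ps1 tool) that lists the solutions that have analytics rule templates in a workspace, with the number of distinct templates each one provides, so you can pick the right string before running the tool. It reuses the same template-spec tag filters as the tool's Resource Graph query and assumes Az.Accounts and Az.ResourceGraph are installed and Connect-AzAccount has already been run.

```powershell
# Added example: list Content Hub solutions that provide analytics rule templates
# in a Microsoft Sentinel workspace, with a template count per solution.
# Assumes Connect-AzAccount has already been run with read access to the workspace.
param (
    [Parameter(Mandatory = $true)] [string]$subscriptionId,
    [Parameter(Mandatory = $true)] [string]$resourceGroupName,
    [Parameter(Mandatory = $true)] [string]$workspaceName
)

# Full resource ID of the workspace, as stored in the hidden-sentinelWorkspaceId tag
$workspaceId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName" +
               "/providers/Microsoft.OperationalInsights/workspaces/$workspaceName"

# Same filters as Set-AnalyticsRules.ps1: the metadata resource that carries
# source.name and contentId is the last element of the template's resources array.
$query = @"
resources
| where type =~ 'Microsoft.Resources/templateSpecs/versions'
| where tags['hidden-sentinelContentType'] =~ 'AnalyticsRule'
| where tags['hidden-sentinelWorkspaceId'] =~ '$workspaceId'
| extend resources = parse_json(parse_json(parse_json(properties).template).resources)
| extend metadata = parse_json(resources[array_length(resources)-1].properties)
| extend solution = tostring(metadata.source.name), contentId = tostring(metadata.contentId)
| where isnotempty(solution)
| summarize templates = dcount(contentId) by solution
| order by templates desc
"@

# Search-AzGraph returns at most 100 rows per call by default; -First raises the cap to 1000
$solutions = Search-AzGraph -Query $query -Subscription $subscriptionId -First 1000

if (-not $solutions) {
    Write-Warning "No analytics rule templates found for workspace '$workspaceName'."
    return
}

# One row per solution; the 'solution' column is the exact value to pass as -SolutionName
$solutions | Format-Table solution, templates -AutoSize
```

Because the query counts distinct contentId values, a template that exists in several versions is counted once; that number is also how many rules the tool will attempt to create for that solution.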

Here is an example of the output once you run this tool:

Microsoft Sentinel Creating Analytics Rules from Templates

PowerShell Code

The complete script is detailed below to automate the entire creation process of Analytics Rules:

<#
.SYNOPSIS
Enable Microsoft Sentinel Analytics Rules at Scale.

.DESCRIPTION
How to create and enable Microsoft Sentinel Analytics Rules at Scale using PowerShell.

.NOTES
File Name : Set-AnalyticsRules.ps1
Author    : Microsoft MVP/MCT - Charbel Nemnom
Version   : 1.0
Date      : 24-October-2022
Updated   : 25-October-2022
Requires  : PowerShell 5.1 or PowerShell 7.2.x (Core)
Module    : Az Module & Az Resource Graph

.LINK
To provide feedback or for further assistance please visit: https://charbelnemnom.com 

.EXAMPLE
.\Set-AnalyticsRules.ps1 -SubscriptionId "SUB-ID" -ResourceGroup "RG-Name" `
 -WorkspaceName "Log-Analytics-Name" -SolutionName "Source-Name" -enableRules Yes -Verbose
This example will connect to your Azure account using the subscription Id specified, and then create all analytics rules from templates for the specified Microsoft Sentinel solution.
By default, all of the rules will be created in a Disabled state. You have the option to enable the rules at creation time by setting the parameter -enableRules Yes.
#>

param (
    [Parameter(Position = 0, Mandatory = $true, HelpMessage = 'Enter Azure Subscription ID')]
    [string]$subscriptionId,
    [Parameter(Position = 1, Mandatory = $true, HelpMessage = 'Enter Resource Group Name where Microsoft Sentinel is deployed')]
    [string]$resourceGroupName,
    [Parameter(Position = 2, Mandatory = $true, HelpMessage = 'Enter Log Analytics Workspace Name')]
    [string]$workspaceName,    
    [Parameter(Position = 3, Mandatory = $true, HelpMessage = 'Enter Microsoft Sentinel Solution Name')]
    [string]$solutionName,
    [ValidateSet("Yes", "No")]
    [String]$enableRules = 'No'
)

#! Install Az Module If Needed
function Install-Module-If-Needed {
    param([string]$ModuleName)
 
    if (Get-Module -ListAvailable -Name $ModuleName) {
        Write-Host "Module '$($ModuleName)' already exists, continue..." -ForegroundColor Green
    } 
    else {
        Write-Host "Module '$($ModuleName)' does not exist, installing..." -ForegroundColor Yellow
        Install-Module $ModuleName -Force  -AllowClobber -ErrorAction Stop
        Write-Host "Module '$($ModuleName)' installed." -ForegroundColor Green
    }
}

#! Install Az Resource Graph Module If Needed
Install-Module-If-Needed Az.ResourceGraph

#! Install Az Accounts Module If Needed
Install-Module-If-Needed Az.Accounts

#! Check Azure Connection and select the target subscription
Try { 
    Write-Verbose "Connecting to Azure Cloud..." 
    Connect-AzAccount -Subscription $subscriptionId -ErrorAction Stop | Out-Null 
}
Catch { 
    Write-Warning "Cannot connect to Azure Cloud. Please check your credentials. Exiting!" 
    exit 1
}

$rgQuery = @"
resources
| where type =~ 'Microsoft.Resources/templateSpecs/versions'
| where tags['hidden-sentinelContentType'] =~ 'AnalyticsRule' and tags['hidden-sentinelWorkspaceId'] =~ '/subscriptions/$subscriptionid/resourceGroups/$resourceGroupName/providers/Microsoft.OperationalInsights/workspaces/$workspaceName'
| extend workspaceName = strcat(split('/subscriptions/$subscriptionid/resourceGroups/$resourceGroupName/providers/Microsoft.OperationalInsights/workspaces/$workspaceName', "/")[-1],'-')
| extend versionArray=split(id, "/")
| extend content_kind = tags['hidden-sentinelContentType']
| extend version = name
| extend parsed_version = parse_version(version)
| extend resources = parse_json(parse_json(parse_json(properties).template).resources)
| extend metadata = parse_json(resources[array_length(resources)-1].properties)
| extend contentId=tostring(metadata.contentId)
| summarize arg_max(parsed_version, version, properties) by contentId
| project contentId, version, properties
| mv-expand solution = properties.template.resources
| where solution.properties.source.name == '$($solutionName)'
| project-away solution
"@

# Show the generated query only when -Verbose is set, so it does not pollute the pipeline output
Write-Verbose $rgQuery

try {
    # Search-AzGraph returns 100 rows per call by default; -First raises the cap to 1000
    $templates = Search-AzGraph -Query $rgQuery -First 1000
    if (-not $templates) {
        throw "No analytics rule templates found for solution '$solutionName' in workspace '$workspaceName'"
    }
}
catch {
    Write-Error $_ -ErrorAction Stop
}

foreach ($template in $templates) {
    $ruleId = $template.contentId
    # The AlertRuleTemplates resource inside the template spec holds the rule definition
    $rule = $template.properties.template.resources |
        Where-Object type -eq 'Microsoft.SecurityInsights/AlertRuleTemplates' |
        Select-Object kind, properties
    # Link the new rule to its template so the portal can track template updates
    $rule.properties | Add-Member -NotePropertyName alertRuleTemplateName -NotePropertyValue $ruleId
    $rule.properties | Add-Member -NotePropertyName templateVersion -NotePropertyValue $template.version
    
    # Templates ship with enabled = false; flip it only when asked to
    If ($enableRules -eq "Yes") {
        $rule.properties.enabled = $true
    }    

    $payload = $rule | ConvertTo-Json -Depth 100
    $apiPath = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.OperationalInsights/workspaces/$workspaceName/providers/Microsoft.SecurityInsights/alertRules/$($ruleId)?api-version=2022-09-01-preview"
    try {        
        $result = Invoke-AzRestMethod -Method PUT -path $apiPath -Payload $payload
        If ($enableRules -eq "Yes") {
            Write-Verbose "Creating and Enabling rule $($rule.properties.displayName)"
        }
        Else {
            Write-Verbose "Creating rule $($rule.properties.displayName)"
        }
        if (!($result.StatusCode -in 200, 201)) {
            Write-Host $result.StatusCode
            Write-Host $result.Content
            throw "Error when enabling Analytics rule $($rule.properties.displayName)"
        }
    }
    catch {
        Write-Error $_ -ErrorAction Continue
    }
}

Before running the tool, the Analytics page shows no rules created in the Disabled state; in this example, there are only 15 Active rules.

Microsoft Sentinel | Analytics

Once you run the tool, refresh the Analytics rules page and confirm that all the rules were created in the Disabled state. In this example, we now have 58 Active rules.
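Refreshing the portal is fine for one workspace, but it is also worth verifying the result from the command line, and a rule created in the Disabled state detects nothing until someone turns it on. The following script is an added example (not part of the original post or the Set-AnalyticsRules.ps1 tool) that lists every analytics rule in the workspace, reports how many are enabled, disabled and created from templates, and optionally enables the disabled template-based rules whose display name matches a regular expression, so rules can be switched on in reviewed batches. It uses the same alertRules REST path and api-version as the tool. The -enableMatching parameter and the batch-by-regex approach are my own choices, not part of the tool; the script assumes Connect-AzAccount has already been run with an identity that holds the Microsoft Sentinel Contributor role on the workspace.

```powershell
<#
Added example: audit the analytics rules in a Microsoft Sentinel workspace and
optionally enable disabled template-based rules whose displayName matches a regex.
Supports -WhatIf so the selection can be previewed before anything is changed.
Assumes Connect-AzAccount has already been run (Microsoft Sentinel Contributor).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param (
    [Parameter(Mandatory = $true)] [string]$subscriptionId,
    [Parameter(Mandatory = $true)] [string]$resourceGroupName,
    [Parameter(Mandatory = $true)] [string]$workspaceName,
    # Regex tested against displayName; only disabled template-based rules that match are enabled
    [string]$enableMatching
)

# Same REST path and api-version as Set-AnalyticsRules.ps1
$apiVersion = "2022-09-01-preview"
$basePath = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName" +
            "/providers/Microsoft.OperationalInsights/workspaces/$workspaceName" +
            "/providers/Microsoft.SecurityInsights/alertRules"

# GET every alert rule in the workspace, following nextLink paging
function Get-SentinelAlertRule {
    $rules = @()
    $result = Invoke-AzRestMethod -Method GET -Path "$($basePath)?api-version=$apiVersion"
    while ($true) {
        if ($result.StatusCode -ne 200) {
            throw "Listing alert rules failed: $($result.StatusCode) $($result.Content)"
        }
        $body = $result.Content | ConvertFrom-Json
        $rules += $body.value
        if (-not $body.nextLink) { break }
        $result = Invoke-AzRestMethod -Method GET -Uri $body.nextLink
    }
    return $rules
}

$rules = Get-SentinelAlertRule
# Rules created from a template carry alertRuleTemplateName (set by the tool above)
$fromTemplate = @($rules | Where-Object { $_.properties.alertRuleTemplateName })
$enabled = @($rules | Where-Object { $_.properties.enabled })

Write-Host ("Rules: {0} total, {1} enabled, {2} disabled, {3} created from templates" -f `
    $rules.Count, $enabled.Count, ($rules.Count - $enabled.Count), $fromTemplate.Count)

$fromTemplate |
    Select-Object @{n = 'DisplayName'; e = { $_.properties.displayName } },
                  @{n = 'Enabled'; e = { $_.properties.enabled } },
                  @{n = 'Severity'; e = { $_.properties.severity } },
                  @{n = 'TemplateVersion'; e = { $_.properties.templateVersion } } |
    Sort-Object Enabled, DisplayName | Format-Table -AutoSize

# Audit only, unless a pattern was given
if (-not $enableMatching) { return }

$toEnable = $fromTemplate | Where-Object {
    -not $_.properties.enabled -and $_.properties.displayName -match $enableMatching
}
foreach ($rule in $toEnable) {
    $name = $rule.properties.displayName
    # Honours -WhatIf / -Confirm
    if (-not $PSCmdlet.ShouldProcess($name, "Enable analytics rule")) { continue }

    # Send back only kind + properties; drop the read-only timestamp the GET returned
    $rule.properties.enabled = $true
    $rule.properties.PSObject.Properties.Remove('lastModifiedUtc')
    $payload = $rule | Select-Object kind, properties | ConvertTo-Json -Depth 100

    $result = Invoke-AzRestMethod -Method PUT -Path "$basePath/$($rule.name)?api-version=$apiVersion" -Payload $payload
    if ($result.StatusCode -in 200, 201) {
        Write-Host "Enabled '$name'" -ForegroundColor Green
    }
    else {
        Write-Warning "Failed to enable '$name': $($result.StatusCode) $($result.Content)"
    }
}
```

Run it without -enableMatching to get the audit only; add -enableMatching together with -WhatIf to see which rules would be switched on, then drop -WhatIf to apply. Enabling in batches this way also keeps the incident volume manageable while the SOC tunes the new rules.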

Microsoft Sentinel | Analytics Rules Creation

That’s it, there you have it. Happy Analytics Rules creation with Microsoft Sentinel!

If you have any feedback, or changes that everyone should benefit from, please feel free to leave a comment below.

Summary

This article showed you how to create and enable Microsoft Sentinel Analytics Rules at scale using PowerShell. This is very useful if you have many Analytics Rule templates as part of a Content Hub solution and want to enable them all at once.

Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for your SOC to triage and investigate, and respond to threats with automated tracking and remediation processes.

This is one of the many Microsoft Sentinel features that provide immense out-of-the-box value for threat detection.

The power of Microsoft Sentinel comes from the ability to detect, investigate, respond to, and remediate threats.

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect, Swiss Certified ICT Security Expert, Certified Cloud Security Professional (CCSP), Certified Information Security Manager (CISM), Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT). He has over 20 years of broad IT experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems with extensive practical knowledge of complex systems build, network design, business continuity, and cloud security.
