From b9c891aed7345fc11102116ff71a481557828527 Mon Sep 17 00:00:00 2001
From: Tiander Turpijn
Date: Mon, 1 Feb 2021 09:38:54 +0100
Subject: [PATCH] added exportAzureSentinelRules.ps1
---
 .../exportAzureSentinelRules.ps1 | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 Tools/Az.SecurityInsights-Samples/Alert Rules/Export Analytics Rules/exportAzureSentinelRules.ps1
diff --git a/Tools/Az.SecurityInsights-Samples/Alert Rules/Export Analytics Rules/exportAzureSentinelRules.ps1 b/Tools/Az.SecurityInsights-Samples/Alert Rules/Export Analytics Rules/exportAzureSentinelRules.ps1
new file mode 100644
index 0000000000..20e525265a
--- /dev/null
+++ b/Tools/Az.SecurityInsights-Samples/Alert Rules/Export Analytics Rules/exportAzureSentinelRules.ps1
@@ -0,0 +1,78 @@
+# Sample script to export Azure Sentinel rules
+# Author: Tiander Turpijn - Microsoft
+# Dependencies: Az.Accounts and Az.SecurityInsights PowerShell modules imported,
+# please download from https://www.powershellgallery.com
+#
+# ToDo:
+# 1. Login to Azure
+# 2. Provide values for your Azure Sentinel Resource Group and Workspace
+# 3. Provide a name for your rule export folder
+
+$ErrorActionPreference = "Stop"
+
+# *** Values to update ***
+# Provide your Azure Sentinel connection settings
+$subscriptionId = ""
+$SentinelConnection = @{
+ ResourceGroupName = "" #your Resource Group name where your workspace is located
+ WorkspaceName = "" #your Sentinel Workspace name
+}
+# Configure your rule export folder
+$ruleExportPath = "C:\SentinelRules\Export\" # specify your rule export folder
+
+# Login to Azure and selecting your Azure Sentinel subscription - make sure you have installed the Az.Accounts module
+Login-AzAccount
+Set-AzContext -SubscriptionId $subscriptionId
+
+# Testing your Azure connection
+$azureConnection = Get-AzContext
+If([string]::IsNullOrEmpty($azureConnection.Account)) {
+ Write-Host ("You are not connected to Azure, please login") -ForegroundColor Red
+ break
+}
+
+# Create folder if it does not exist
+if (!(Test-Path -Path $ruleExportPath))
+{
+ Write-Host ("Folder " + $ruleExportPath + " does not exist, creating the folder for you....") -ForegroundColor Red
+ New-Item -itemType Directory -Path $ruleExportPath
+}
+
+# Export Scheduled Rules
+try {
+ $rules = Get-AzSentinelAlertRule @SentinelConnection | Where-Object {$_.Kind -eq "Scheduled"}
+ Write-Host ("Exporting " + $rules.count + " Scheduled rules...") -ForegroundColor Yellow
+ $rules | ConvertTo-Json -Depth 15 | Out-File ($myExportPath + "Scheduled.json") -Force
+}
+catch {
+ Write-Host "Either your Azure connection is invalid or your Azure Sentinel settings are incorrect" -ForegroundColor Red
+ Write-Host $_.Exception.Message -ForegroundColor Red
+ break
+}
+
+
+# Export Fusion Rules
+try {
+ $rules = Get-AzSentinelAlertRule @SentinelConnection | Where-Object {$_.Kind -eq "Fusion"}
+ Write-Host ("Exporting " + $rules.count + " Fusion rules...") -ForegroundColor Yellow
+ $rules | ConvertTo-Json -Depth 15 | Out-File ($myExportPath + "Fusion.json") -Force
+}
+catch {
+ Write-Host "Either your Azure connection is invalid or your Azure Sentinel settings are incorrect" -ForegroundColor Red
+ Write-Host $_.Exception.Message -ForegroundColor Red
+ break
+}
+
+# Export MicrosoftSecurityIncidentCreation Rules
+try {
+ $rules = Get-AzSentinelAlertRule @SentinelConnection | Where-Object {$_.Kind -eq "MicrosoftSecurityIncidentCreation"}
+ Write-Host ("Exporting " + $rules.count + " MicrosoftSecurityIncidentCreation rules...") -ForegroundColor Yellow
+ $rules | ConvertTo-Json -Depth 15 | Out-File ($myExportPath + "MicrosoftSecurityIncidentCreation.json") -Force
+}
+catch {
+ Write-Host "Either your Azure connection is invalid or your Azure Sentinel settings are incorrect" -ForegroundColor Red
+ Write-Host $_.Exception.Message -ForegroundColor Red
+ break
+}
+
+Write-Host ("Azure Analytics Rules are exported to " + $ruleExportPath) -ForegroundColor Yellow
\ No newline at end of file
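Review bot: All three `Out-File ($myExportPath + "...json")` calls reference `$myExportPath`, which is never assigned anywhere in the script; the only export path variable defined is `$ruleExportPath`. Since the script sets `$ErrorActionPreference` but not `Set-StrictMode`, the undefined variable expands to an empty string, so the JSON files land in the current working directory rather than the folder the `Test-Path`/`New-Item` block just created, while the closing message still claims they were written to `$ruleExportPath`. Change each of the three lines to use the defined variable, e.g. `$rules | ConvertTo-Json -Depth 15 | Out-File (Join-Path $ruleExportPath "Scheduled.json") -Force` (and likewise for `Fusion.json` and `MicrosoftSecurityIncidentCreation.json`). The export serialises the full rule objects to depth 15, which for Scheduled rules presumably includes the KQL that constitutes the detection logic, so a comment above `$ruleExportPath` such as `# NOTE: exported rules contain detection queries - restrict access to this folder` would warn operators to protect the destination. Separately, `break` at script scope outside any loop is not a reliable abort in PowerShell (it can propagate to a loop in the caller); `exit 1` after each error message would make the failure path explicit.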