Automate the export and import of analytic rules to one or more Azure Sentinel instances in selected subscriptions.
Helper script: Do-Checks.ps1
Export: export-azSentinelRules.ps1
Import: import-azSentinelRules.ps1
Pre-requirements (verify them by running Do-Checks.ps1):
System admin rights
PowerShell Core version 6.2 or higher (required for AzSentinel module)
Azure PowerShell Module (AZ)
Sentinel PowerShell Module (AzSentinel)
Set PowerShell Execution Policy
Download the files from the GitHub repo ABREG0/az-sentinel (github.com), either as a zip in a web browser or by cloning the repo with git.
Verify the system has all required components:
Open the PowerShell version installed with Windows 10
Set the execution policy: Set-ExecutionPolicy -ExecutionPolicy Bypass (or Unrestricted); check with your IT security team whether policies restricting this are in place
Run the Do-Checks.ps1 script
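The checks above, as an added example written for this page (it is not the repo's Do-Checks.ps1; the function name and result field names are my own). It reports whether the PowerShell version, admin rights, the Az and AzSentinel modules and the execution policy meet the requirements listed, and suggests a process-scoped policy change so nothing persists machine-wide:

```powershell
# Added example, not the repo's Do-Checks.ps1. Function and field names are assumed.
function Test-SentinelScriptPrereqs {
    [CmdletBinding()]
    param(
        [version]$MinPSVersion = '6.2',                      # AzSentinel needs PowerShell Core 6.2+
        [string[]]$RequiredModules = @('Az.Accounts', 'AzSentinel')
    )
    $results = [ordered]@{}

    # PowerShell version: strip any prerelease tag (e.g. 7.4.0-preview) before comparing.
    $psVer = [version]($PSVersionTable.PSVersion.ToString() -replace '-.*$')
    $results['PowerShellVersion'] = $psVer -ge $MinPSVersion

    # Admin rights: elevated token on Windows (also Windows PowerShell 5.x, where $IsWindows
    # is undefined), root (uid 0) elsewhere.
    if ($IsWindows -or $PSVersionTable.PSEdition -eq 'Desktop') {
        $id = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = [Security.Principal.WindowsPrincipal]$id
        $results['IsAdmin'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    } else {
        $results['IsAdmin'] = (id -u) -eq '0'
    }

    # Required modules: Get-Module -ListAvailable finds installed copies without importing them.
    foreach ($m in $RequiredModules) {
        $results["Module:$m"] = [bool](Get-Module -ListAvailable -Name $m)
    }

    # Execution policy: the scripts must be allowed to run. Bypass/Unrestricted are what the
    # page suggests; RemoteSigned also works once downloaded files are unblocked (Unblock-File).
    $policy = Get-ExecutionPolicy
    $results['ExecutionPolicy'] = $policy -in 'Bypass', 'Unrestricted', 'RemoteSigned'
    if (-not $results['ExecutionPolicy']) {
        Write-Warning ("Execution policy is '$policy'. For this session only, run: " +
            'Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process')
    }

    [pscustomobject]$results
}

$check = Test-SentinelScriptPrereqs
$check | Format-List
if ($check.PSObject.Properties.Value -contains $false) {
    Write-Error 'One or more prerequisites are missing; fix them before running the export/import scripts.'
}
```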
Export analytic rules:
Have an Azure subscription
Logon to Azure with required permissions
Create or use an empty Azure Sentinel Instance
Manually add analytic rules to export (not necessary if you use an existing instance that already has rules)
Verify all pre-requirements are in place
Open PowerShell 5.x or Core
Navigate to the folder containing the scripts
Edit export-azSentinelRules.ps1: find the variable named "$tenantID" and put your tenant ID inside the single quotes
Run: export-azSentinelRules.ps1
Prompts:
Authenticate to your Azure tenant (email/password and MFA if required)
Select the subscription that contains your Sentinel Log Analytics workspace
Select the Log Analytics workspace that contains the rules to export
Select the folder name for the exported rules (note: a subfolder named after the Log Analytics workspace is created during the export)
Import analytic rules:
Have an Azure subscription
Logon to Azure with required permissions
Create or use an empty Azure Sentinel Instance
Manually add analytic rules to export (not necessary if you use an existing instance that already has rules)
Verify all pre-requirements are in place
Open PowerShell 5.x or Core
Navigate to the folder containing the scripts
Edit import-azSentinelRules.ps1: find the variable named "$tenantID" and put your tenant ID inside the single quotes
Run: import-azSentinelRules.ps1
Prompts:
Authenticate to your Azure tenant (email/password and MFA if required)
Select the subscription that contains your Sentinel Log Analytics workspace
Select the Log Analytics workspace to import the rules into
Select the folder name(s) containing your rules (you can select one or more)
cabrego 202104