How to create .yaml for analytic rules to include our custom analytic rules in a Microsoft Sentinel solution package

Nirali Shah 156 Reputation points
2023-01-13T05:15:25.96+00:00

We have created analytic rules in Microsoft Sentinel. Now we want to ship them in our Sentinel Solution package to make them publicly available in Microsoft Sentinel. When we export them from the Azure portal it gives us the .json template, but we have observed that all the solutions available in the Microsoft Sentinel GitHub repository contain .yaml files for analytic rules.

So our question is: is it necessary to ship a .yaml file for analytic rules, or can we put in the .json file? And if the .yaml file is a must, do we need to create it manually, or is there any way to get the .yaml of an analytic rule from the Azure portal?

Can you please provide guidance on it or any other possible solutions for it?


Accepted answer
    Alistair Ross 7,466 Reputation points Microsoft Employee
    2023-01-13T10:12:53.39+00:00

    Hi @Nirali Shah

    Our documentation has a style guide, but the only tool referenced is powershell-yaml: https://github.com/Azure/Azure-Sentinel/wiki/Query-Style-Guide. I haven't had to make a solution yet, or convert to YAML in bulk, so I haven't tested any scripts to do this. However, a starter script would look something like this.

    Install-Module powershell-yaml

    # Read the exported ARM template as a single string and parse it (-Depth 99 needs PowerShell 7)
    $ContentRaw = Get-Content "Azure_Sentinel_analytics_rules.json" -Raw
    $ContentObject = $ContentRaw | ConvertFrom-Json -Depth 99

    $OutDirectory = New-Item "AnalyticRulesYAML" -ItemType Directory -Force

    # Write one YAML file per analytic rule resource, named after its display name
    foreach ($Rule in $ContentObject.resources) {
        # Replace spaces and any characters that are not valid in file names
        $SafeName = $Rule.properties.displayName.Replace(" ", "_") -replace '[\\/:*?"<>|]', '_'
        $OutPath = Join-Path $OutDirectory.FullName ($SafeName + ".yaml")
        ConvertTo-Yaml -Data $Rule -OutFile $OutPath -Force
    }
    

    I hope this helps provide you with the information you need. If it does, please make sure to mark the question as answered so it helps other people in future.

    Kind regards

    Alistair

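The script in the answer writes each ARM resource to YAML as exported, while the analytic-rule YAML files in the Azure/Azure-Sentinel repository use their own field layout (id, name, requiredDataConnectors, queryFrequency written as 1h rather than PT1H, relevantTechniques, version, kind). The following added example, which is not part of the original answer, reshapes one exported resource into that layout using the same powershell-yaml module. The empty requiredDataConnectors list and the '1.0.0' version are assumptions the rule author has to fill in, and the sample export is constructed.

```powershell
# Requires the powershell-yaml module used in the answer above (Install-Module powershell-yaml).
Import-Module powershell-yaml

function ConvertTo-RepoDuration {
    # ARM stores periods as ISO 8601 (PT1H, P1D); the repo YAML uses 1h, 1d, 5m.
    param([Parameter(Mandatory)][string]$Iso8601)
    $ts = [System.Xml.XmlConvert]::ToTimeSpan($Iso8601)
    if ($ts.TotalDays -ge 1 -and $ts.TotalDays -eq [math]::Floor($ts.TotalDays)) { return "$([int]$ts.TotalDays)d" }
    if ($ts.TotalHours -eq [math]::Floor($ts.TotalHours)) { return "$([int]$ts.TotalHours)h" }
    return "$([int]$ts.TotalMinutes)m"
}

function ConvertTo-SentinelRuleYaml {
    # $Resource is one entry of resources[] from the portal's exported ARM template.
    param([Parameter(Mandatory)]$Resource)
    $p = $Resource.properties
    # The exported name is an ARM expression ending in the rule GUID; keep only the GUID.
    $guid = [regex]::Match($Resource.name, '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}', 'IgnoreCase').Value
    $rule = [ordered]@{
        id                     = $guid
        name                   = $p.displayName
        description            = $p.description
        severity               = $p.severity
        requiredDataConnectors = @()   # not in the ARM export: add connectorId/dataTypes by hand
        queryFrequency         = ConvertTo-RepoDuration $p.queryFrequency
        queryPeriod            = ConvertTo-RepoDuration $p.queryPeriod
        triggerOperator        = $p.triggerOperator
        triggerThreshold       = $p.triggerThreshold
        tactics                = @($p.tactics)
        relevantTechniques     = @($p.techniques)
        query                  = $p.query
        entityMappings         = @($p.entityMappings)
        version                = '1.0.0'   # assumed starting version; bump on later edits
        kind                   = $Resource.kind
    }
    return ConvertTo-Yaml -Data $rule
}

# Constructed sample in the shape of a portal export (all values are made up).
$sample = @'
{ "resources": [ { "kind": "Scheduled",
  "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/11111111-2222-3333-4444-555555555555')]",
  "properties": { "displayName": "Example failed sign-in burst", "description": "Many failed sign-ins from one IP.",
    "severity": "Medium", "queryFrequency": "PT1H", "queryPeriod": "P1D",
    "query": "SigninLogs\n| where ResultType != 0\n| summarize Count = count() by IPAddress\n| where Count > 50",
    "triggerOperator": "GreaterThan", "triggerThreshold": 0, "tactics": ["CredentialAccess"], "techniques": ["T1110"],
    "entityMappings": [ { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } ] } ]
  } } ] }
'@
($sample | ConvertFrom-Json).resources | ForEach-Object { ConvertTo-SentinelRuleYaml -Resource $_ }
```

Run against a real export, the output of ConvertTo-SentinelRuleYaml can be piped to Set-Content to produce one file per rule; the requiredDataConnectors entries still have to be added before the solution package is submitted.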
