Share via

Analytic rules in Sentinel Solutions

LXF 205 Reputation points
2024-06-11T02:01:49.2633333+00:00

I am going to provide analytic rules in Sentinel's Solutions. I've observed that All the solutions by other companies available on Microsoft Sentinel Github contains .yaml file for analytic rules, but Azure's wiki/documentation does not mandate that submissions for solutions should be in YAML or JSON formats, or perhaps i overlooked..could you please let me know the recommendations? Thank you!

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,154 questions
Azure Startups
Azure Startups
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.Startups: Companies that are in their initial stages of business and typically developing a business model and seeking financing.
382 questions
0 comments
Accepted answer
  1. Shweta Mathur 29,781 Reputation points Microsoft Employee
    2024-06-11T07:43:57.5633333+00:00

    Hi @LXF ,

    Thanks for reaching out.

    n Microsoft Sentinel, Analytics rules can only be created and defined using YAML and JSON formats. While there are multiple methods to create analytics rules, the underlying code will always be in JSON or YAML. Some of the method used to define analytics rules are:

    1. Azure Resource Manager (ARM) Templates: However, these are JSON-based templates used for deploying resources in Azure. You can define Sentinel Analytics rules within ARM templates for deployment via Azure Resource Manager.
    2. User Interface (UI): The Azure Portal provides a graphical user interface for creating and managing Analytics rules. Through the UI, you can define rules without directly writing YAML or JSON, although these formats are generated and used behind the scenes. Any type of analytics rule can be imported or exported to and from a JSON file only. Reference - https://learn.microsoft.com/en-us/azure/sentinel/import-export-analytics-rules
    3. PowerShell: Using Azure PowerShell cmdlets, you can create and manage Analytics rules programmatically. This often involves embedding JSON or YAML within PowerShell scripts. Reference - https://github.com/seanstark/sentinel-tools/blob/main/analytics_rules/create-scheduledRuleFromTemplate.ps1 Azure CLI: Similar to PowerShell, the Azure Command-Line Interface (CLI) allows for the creation and management of Sentinel Analytics rules, typically by embedding JSON definitions within CLI commands.

    These various methods provide flexibility depending on your preferred method of deployment and management, whether it be through code, scripts, templates, or a graphical interface.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.
    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.