Get-MicrosoftSentinelAnalyticRulesStandalone.ps1
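function Parse-MicrosoftSentinelAnalyticRules {
    <#
    .SYNOPSIS
    Writes each downloaded Microsoft Sentinel analytic rule to its own JSON file.

    .DESCRIPTION
    Iterates over $DownloadedRules.Value (the "value" array of an alertRules list
    response), strips the deployment-specific fields (id, etag, properties.lastModifiedUtc)
    and writes the remainder as JSON to "<outputPath>/<sanitised DisplayName>.json".
    Rules with an empty DisplayName are skipped with a warning. A failure while
    processing one rule is reported and processing continues with the next rule,
    instead of one bad rule aborting the whole export.

    .PARAMETER DownloadedRules
    Object whose .Value property holds the rule objects (the output of
    ConvertFrom-Json on the alertRules list response).

    .PARAMETER outputPath
    Directory the JSON files are written to. Must already exist.
    #>
    PARAM(
        $DownloadedRules,
        $outputPath
    )
    # DisplayName is taken from the workspace, i.e. it is controlled by whoever can
    # create rules there, and it becomes part of a file name. Strip every character
    # the file system rejects (this includes '/' and '\', so a name cannot act as a
    # path and escape $outputPath) in addition to the spaces and colons the script
    # always removed.
    $invalidChars = [System.IO.Path]::GetInvalidFileNameChars() + @([char]' ', [char]':')

    foreach ($DownloadedRule in $DownloadedRules.Value) {
        $Name = ''
        try {
            # [string]$null is '', so a rule without DisplayName does not blow up on .Replace().
            $Name = [string]$DownloadedRule.Properties.DisplayName
            foreach ($c in $invalidChars) {
                $Name = $Name.Replace([string]$c, '')
            }
            if (-not $Name) {
                Write-Warning "Skipping a rule with an empty DisplayName"
                continue
            }
            # NOTE: two rules whose names differ only in stripped characters map to the
            # same file; the one processed last wins.
            $File = "$Name.json"
            $target = Join-Path -Path $outputPath -ChildPath $File
            Write-Host "Parsing rule: $($Name) and saving to $($Name).json"
            # Drop the fields tied to this particular deployment so the file can be re-deployed elsewhere.
            $DownloadedRule.PSObject.Properties.Remove("id")
            $DownloadedRule.PSObject.Properties.Remove("etag")
            $DownloadedRule.properties.PSObject.Properties.Remove("lastModifiedUtc")
            # Explicit encoding: Out-File defaults differ between Windows PowerShell (UTF-16) and PowerShell 7 (UTF-8).
            $DownloadedRule | ConvertTo-Json -Depth 15 | Out-File -FilePath $target -Encoding utf8
        } catch {
            Write-Warning "An error occurred in the MicrosoftSentinelAnalyticRules-function while processing rule '$Name': $($_)"
        }
    }
}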
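function Get-MicrosoftSentinelAnalyticRules {
    <#
    .SYNOPSIS
    Downloads every analytic rule of a Microsoft Sentinel workspace and saves each one as a JSON file.

    .DESCRIPTION
    Lists the alertRules of the workspace through Azure Resource Manager with
    Invoke-AzRestMethod (an existing Az session is required), creates $outputPath
    if it does not exist and hands the rules to Parse-MicrosoftSentinelAnalyticRules.
    A non-2xx response is reported as a warning and nothing is written; previously a
    failed request produced no files without any indication. A paged response is
    followed via nextLink, so workspaces with more rules than fit one page are
    exported completely.

    .PARAMETER resourceGroup
    Resource group that contains the Log Analytics workspace.

    .PARAMETER subscriptionId
    Subscription id that contains the resource group.

    .PARAMETER outputPath
    Directory the JSON files are written to; created when missing.

    .PARAMETER workspaceName
    Name of the Log Analytics workspace Sentinel is enabled on.

    .NOTES
    ConvertFrom-Json -Depth is not available in Windows PowerShell 5.1; run this under PowerShell 6.2 or later.
    #>
    PARAM(
        [ValidateNotNullOrEmpty()] $resourceGroup,
        [ValidateNotNullOrEmpty()] $subscriptionId,
        [ValidateNotNullOrEmpty()] $outputPath,
        [ValidateNotNullOrEmpty()] $workspaceName
    )
    try {
        # First, craft the URI for downloading the analytic rules
        $uri = "/subscriptions/${subscriptionId}/resourceGroups/${resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/${workspaceName}/providers/Microsoft.SecurityInsights/alertRules?api-version=2022-01-01-preview"

        # Download all analytic rules, following nextLink while the service pages the result.
        $allRules = @()
        $response = Invoke-AzRestMethod -Path $uri
        while ($true) {
            if ($response.StatusCode -lt 200 -or $response.StatusCode -ge 300) {
                Write-Warning "Listing analytic rules failed with HTTP $($response.StatusCode): $($response.Content)"
                return
            }
            $page = $response.Content | ConvertFrom-Json -Depth 15
            if ($page.value) {
                $allRules += @($page.value)
            }
            if (-not $page.nextLink) {
                break
            }
            # nextLink is an absolute URL, hence -Uri rather than -Path.
            $response = Invoke-AzRestMethod -Uri $page.nextLink
        }

        # Check that outputPath exists, if not create it.
        if (-not (Test-Path -Path $outputPath)) {
            # Out-Null: New-Item would otherwise emit the DirectoryInfo object as function output.
            New-Item -ItemType Directory -Path $outputPath | Out-Null
        }

        # Parse-MicrosoftSentinelAnalyticRules reads the rules from a .Value property.
        $DownloadedRules = [pscustomobject]@{ Value = $allRules }
        Parse-MicrosoftSentinelAnalyticRules -DownloadedRules $DownloadedRules -outputPath $outputPath
    } catch {
        Write-Warning "An error occurred in the MicrosoftSentinelAnalyticRules-function: $($_)"
    }
}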