Deploying collateral from our GitHub repository to your Azure Sentinel instance is very similar: it is essentially a copy/paste operation. This guidance is specific to an Analytics Rule.
P.S. There are automated ways to accomplish this, but the manual method is still worth knowing for a basic understanding of what is being deployed. For an automated way, see Wortell’s AzSentinel PowerShell module: wortell/AZSentinel (github.com).
How to do it
Analytics Rules are located in the Detections folder of the GitHub repo. Locate the Analytics Rule you want in the repo and click the “Raw” button on the page to “sanitize” the code. The Raw view shows the plain file contents, so what you copy carries no hidden characters or formatting picked up from the rendered page.
In the Analytics blade in Azure Sentinel, click “Create – Scheduled query rule.”
On the first page of the Analytics Rule creation wizard, use the following image (click to enlarge) to see which parts of the sanitized Analytics Rule from the GitHub repo to copy/paste into Azure Sentinel.
Move to the “Set rule logic” tab/step in the wizard and use the following image (click to enlarge) to copy/paste the remaining content from the sanitized Analytics Rule into Azure Sentinel.
Finally, skip to the “Review and Create” tab/step in the wizard to save the new Analytics Rule.
The items in the code (KQL) that I’ve not highlighted in the images above are important for guidance and information, but are not used for creating the actual Analytics Rule.
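As an added example (not the post’s or the repository’s own code), a small Python script that does the “sanitize” check and the field mapping offline: it flags characters that a copy/paste from a rendered page tends to carry into KQL, pulls the query out of a detection file’s query block, and groups the remaining keys by wizard step. The key names, their assignment to wizard steps and the sample file are my assumptions about the repo’s detection-file format, not taken from the post.

```python
import re

# Characters a copy/paste from a rendered page can carry into KQL; the GitHub
# "Raw" view avoids them. Constructed list, not exhaustive.
HIDDEN = {"\ufeff": "byte order mark", "\u200b": "zero-width space",
          "\u00a0": "non-breaking space", "\u2018": "curly quote",
          "\u2019": "curly quote", "\u201c": "curly quote", "\u201d": "curly quote"}

# Assumed mapping of detection-file keys to the wizard's first two steps.
GENERAL = ("name", "description", "severity", "tactics")
RULE_LOGIC = ("query", "queryFrequency", "queryPeriod", "triggerOperator", "triggerThreshold")

def find_hidden_chars(text):
    """(line, column, description) for every suspicious character in text."""
    return [(ln, col, HIDDEN[ch]) for ln, line in enumerate(text.splitlines(), 1)
            for col, ch in enumerate(line, 1) if ch in HIDDEN]

def extract_query(yaml_text):
    """Body of the 'query: |' block, de-indented for pasting (line-based, not a YAML parser)."""
    body, in_block, indent = [], False, None
    for line in yaml_text.splitlines():
        if not in_block:
            in_block = line.strip() == "query: |"
            continue
        cur = len(line) - len(line.lstrip(" "))
        indent = cur if indent is None and line.strip() else indent
        if line.strip() and cur < indent:
            break  # a dedent ends the block
        body.append(line[indent:] if line.strip() else "")
    return "\n".join(body).strip()

def wizard_fields(yaml_text):
    """Top-level scalars grouped by wizard step; the query comes from extract_query."""
    scalars = dict(re.findall(r"^([A-Za-z]\w*):[ \t]*([^\s|].*)$", yaml_text, re.M))
    scalars["query"] = extract_query(yaml_text)
    return {"general": {k: scalars[k] for k in GENERAL if k in scalars},
            "rule_logic": {k: scalars[k] for k in RULE_LOGIC if k in scalars}}

# Constructed sample; the curly quotes in the query stand in for characters picked up from a page.
SAMPLE = """\
name: Example sign-in rule
description: Constructed example, not a rule from the repository
severity: Medium
queryPeriod: 1h
triggerThreshold: 0
query: |
  SigninLogs
  | where ResultType == \u201c50126\u201d
  | summarize count() by UserPrincipalName
tactics:
  - CredentialAccess
"""
```

Running find_hidden_chars over extract_query(SAMPLE) reports the two curly quotes on line 2 of the query, which is exactly what pasting from the rendered page would have introduced.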
[Want to discuss this further? Hit me up on Twitter or LinkedIn]