STARK ON SECURITY

Mass Creating Scheduled Analytics Rules From Templates

create-scheduledRuleFromTemplate.ps1 is a PowerShell script you can use to import (create) multiple scheduled analytics rules from the Sentinel GitHub rule template repository.

This script was written to work around current limitations of the AzSentinel and Az.SecurityInsights PowerShell modules, most of which stem from the API endpoints returning an incomplete set of properties (for example, tactics and techniques).

Updated New Features: Creating Scheduled Analytics Rules From Templates – New Features (starkonsec.com)

Get the script here: sentinel-tools/analytics_rules at main · seanstark/sentinel-tools (github.com)

Features

Known Limitations

Configuration Requirements

Github Personal Access Token

You will need to set up a GitHub personal access token so the PowerShell script can gather the rule template details. This is required to avoid GitHub API rate limits.

  1. Navigate to https://github.com/settings/tokens/new
  2. Generate a new token with the public_repo scope
  3. I would also recommend setting the expiration to 7 days
  4. Copy the generated token value for use with the -githubToken parameter

Required PowerShell Modules

The script will check for and install any missing modules. For reference, the required modules are listed below.

Required Sentinel Roles

Running the Script

Below are some examples of running the script. In each example the script output is assigned to a variable, $rules. I would recommend assigning the script output to a variable so you can easily review the results, as some rule creations may fail.

$rules | Where created -eq $false | Select ruleName, created, errorCode, errorMessage
$rules | Where created -eq $true

Rules will be created in an enabled state by default.

Note: the -githubToken value shown in the examples is not a valid token.

Create rules from all templates

$rules = .\create-scheduledRuleFromTemplate.ps1 -subscriptionId 'ada06e68-375e-4564-be3a-c6cacebf41c5' -resourceGroupName 'sentinel-prd' -workspaceName 'sentinel-prd' -githubToken 'ghp_ECgzFoyPsbSKrFB2pTrEEOUmy4P0Rb3yd'

Create rules from all templates in a disabled state

$rules = .\create-scheduledRuleFromTemplate.ps1 -subscriptionId 'ada06e68-375e-4564-be3a-c6cacebf41c5' -resourceGroupName 'sentinel-prd' -workspaceName 'sentinel-prd' -githubToken 'ghp_ECgzFoyPsbSKrFB2pTrEEOUmy4P0Rb3yd' -enabled $false

Run in report only mode

$rules = .\create-scheduledRuleFromTemplate.ps1 -subscriptionId 'ada06e68-375e-4564-be3a-c6cacebf41c5' -resourceGroupName 'sentinel-prd' -workspaceName 'sentinel-prd' -detectionFolderName 'ASimAuthentication','ASimProcess' -githubToken 'ghp_ECgzFoyPsbSKrFoK5B2pOUmy4P0Rb3yd' -reportOnly
$rules | Select name, severity, tactics, techniques, requiredDataConnectors, templateURL
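The post suggests reviewing the objects the script returns, both after a creation run (which rules failed and why) and after a -reportOnly run (what the templates would cover). The following is an added example, not code from the sentinel-tools repository; it assumes the property names shown in the post's examples (ruleName, created, errorCode, errorMessage, name, severity, tactics) and that tactics is an array of strings.

```powershell
# Added example (not part of sentinel-tools): triage the objects returned by
# create-scheduledRuleFromTemplate.ps1. Property names follow the post's examples;
# treating tactics as a string array is an assumption.

function Get-RuleCreationSummary {
    param([Parameter(Mandatory)] [object[]] $Results)

    $failed  = @($Results | Where-Object { $_.created -eq $false })
    $created = @($Results | Where-Object { $_.created -eq $true })

    # Group failures by errorCode so one root cause (e.g. a missing table)
    # is investigated once rather than once per rule.
    $byCode = $failed | Group-Object errorCode | ForEach-Object {
        [pscustomobject]@{
            errorCode = $_.Name
            count     = $_.Count
            rules     = ($_.Group.ruleName -join ', ')
            sample    = $_.Group[0].errorMessage
        }
    }

    [pscustomobject]@{ Created = $created.Count; Failed = $failed.Count; FailuresByCode = $byCode }
}

# For a -reportOnly run: count templates per tactic and severity to spot
# coverage gaps before anything is created in the workspace.
function Get-TemplateCoverage {
    param([Parameter(Mandatory)] [object[]] $Templates)

    $Templates | ForEach-Object {
        $sev = $_.severity
        foreach ($t in @($_.tactics)) { [pscustomobject]@{ tactic = $t; severity = $sev } }
    } | Group-Object tactic, severity | Sort-Object Count -Descending |
        Select-Object @{ n = 'tactic';   e = { $_.Group[0].tactic } },
                      @{ n = 'severity'; e = { $_.Group[0].severity } },
                      Count
}

# Constructed sample data standing in for the script's output.
$results = @(
    [pscustomobject]@{ ruleName = 'Rule A'; created = $true;  errorCode = $null;        errorMessage = $null }
    [pscustomobject]@{ ruleName = 'Rule B'; created = $false; errorCode = 'BadRequest'; errorMessage = 'Query validation failed' }
    [pscustomobject]@{ ruleName = 'Rule C'; created = $false; errorCode = 'BadRequest'; errorMessage = 'Table not found' }
)
$templates = @(
    [pscustomobject]@{ name = 'T1'; severity = 'High';   tactics = @('CredentialAccess', 'InitialAccess') }
    [pscustomobject]@{ name = 'T2'; severity = 'Medium'; tactics = @('CredentialAccess') }
)
Get-RuleCreationSummary -Results $results | Format-List
Get-TemplateCoverage -Templates $templates | Format-Table
```

With a real run, pass the script's output directly, e.g. `Get-RuleCreationSummary -Results $rules` after a creation run or `Get-TemplateCoverage -Templates $rules` after a -reportOnly run.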

Filter by detection child folder name

$rules = .\create-scheduledRuleFromTemplate.ps1 -subscriptionId 'ada06e68-375e-4564-be3a-c6cacebf41c5' -resourceGroupName 'sentinel-prd' -workspaceName 'sentinel-prd' -githubToken 'ghp_ECgzFoyPsbSKrFoK5B2EOUmy4P0Rb3yd' -detectionFolderName 'ASimAuthentication','ASimProcess'

Filter by severity of alert rule templates

$rules = .\create-scheduledRuleFromTemplate.ps1 -subscriptionId 'ada06e68-375e-4564-be3a-c6cacebf41c5' -resourceGroupName 'sentinel-prd' -workspaceName 'sentinel-prd' -githubToken 'ghp_ECgzFoyPsbSKrFoK5B2EOUmy4P0Rb3yd' -severity 'High','Medium'

Filter by severity and tactics of alert rule templates

$rules = .\create-scheduledRuleFromTemplate.ps1 -subscriptionId 'ada06e68-375e-4564-be3a-c6cacebf41c5' -resourceGroupName 'sentinel-prd' -workspaceName 'sentinel-prd' -githubToken 'ghp_ECgzFoyPsbSKrFoK5B2pOUmy4P0Rb3yd' -severity 'High','Medium'

Filter by tags

The example below returns all templates tagged with Log4j.

$rules = .\create-scheduledRuleFromTemplate.ps1 -subscriptionId 'ada06e68-375e-4564-be3a-c6cacebf41c5' -resourceGroupName 'sentinel-prd' -workspaceName 'sentinel-prd' -githubToken 'ghp_ECgzFoyPsbSKrFoK5B2pOUmy4P0Rb3yd' -tag 'Log4j'