Creating Scheduled Analytics Rules From Templates – New Features

A while back I developed a PowerShell script that provides the ability to import multiple Scheduled Analytics from the Sentinel template library. Check out the original article here: Mass Creating Scheduled Analytics Rules From Templates

Grab the script here: sentinel-tools/analytics_rules at main · seanstark/sentinel-tools (

Since then I have recently added a few new features that should add a fair amount of value to the script.

Additional scanning of the Solutions github repo folder

Come to find out there are over 400+ additional analytics rules under Solutions folder in the Sentinel Github repo. The downside is that currently these Analytics Rules don’t show up under the Template view in the Sentinel Analytics Rules pane until you install the solution from the Content Hub. With this included you can now discover analytics rules and import a significant number of new rules based on your use cases.

Ability to filter by rule name

I don’t specifically remember why I didn’t include the ability to filter based on rule name, but its added now.

Example: Create rules from all templates with “TI map” in the name

$rules = .\create-scheduledRuleFromTemplate.ps1 -subscriptionId 'ada06e68-375e-4564-be3a-c6cacebf41c5' -resourceGroupName 'sentinel-prd' -workspaceName 'sentinel-prd' -githubToken 'ghp_ECgzFoyPsbSKrFB2pTrEEOUmy4P0Rb3yd' -name '*TI map*

Ability to open a rule selection UI

I received some feedback a while back to provide the ability to only select specific rules after the discovery has been completed. With this new feature you can open up an Out-GridView window to select specific rules to import.

$rules = .\create-scheduledRuleFromTemplate.ps1 -subscriptionId 'ada06e68-375e-4564-be3a-c6cacebf41c5' -resourceGroupName 'sentinel-prd' -workspaceName 'sentinel-prd' -githubToken 'ghp_ECgzFoyPsbSKrFoK5B2pOUmy4P0Rb3yd' -selectUI
Exit mobile version