May 10, 2025
🔧 Enhancing Pre-Deployment Rule Insights
Extracting metadata like Rule Name, Severity, MITRE Tactics, and Techniques for out-of-the-box analytical rules across multiple solutions can be time-consuming when done manually—especially before the rules are deployed.
🚀 Script Overview
The PowerShell script, hosted on GitHub, lets you:
- Provide the exact Microsoft Sentinel solution name as input, taken from the Microsoft Sentinel GitHub repository: Azure-Sentinel/Solutions at master · Azure/Azure-Sentinel · GitHub
- Automatically query the Microsoft Sentinel GitHub repo
- Parse all associated analytical rule YAMLs under that solution
- Export relevant metadata into a structured CSV
📥 GitHub Link
This is my GitHub repository, where the custom PowerShell script is hosted. It lets you extract the built-in analytical rules of a Microsoft Sentinel solution based on the solution name:
🔗 GitHub – SentinelArtifactExtract (Optimized Script)
📝 Pre-Requisites:
- Generate a GitHub Personal Access Token (PAT):
GitHub official page for generating a PAT: Managing your personal access tokens – GitHub Docs
Why a GitHub PAT: it authenticates the requests, so the script does not hit the unauthenticated GitHub API rate limit (HTTP 403 error).
- Download the script from GitHub to Azure Cloud Shell:
Use Invoke-WebRequest or curl to download the raw script. Command to download the raw script from GitHub:
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/vdabhi123/SentinelArtifactExtract/main/Extract%20Sentinel%20Analytical%20Rule%20with%20Solution%20Name%20prompt/OptimizedVersionPromptforSolutionNameOnly" -OutFile "ExtractRules.ps1"
Using Invoke-WebRequest in Azure Cloud Shell
- Update the script with your GitHub PAT (generated in pre-requisite 1) in the main script:
To update the PAT value you can use vim; make sure you then run the updated script. As depicted, after generating your GitHub PAT, update the value on line 9 of the script.
Using vim in Azure Cloud Shell
🧪 How to Use the Script
- Open Azure Cloud Shell (PowerShell).
Navigate to the Azure portal and click the Cloud Shell icon to open Azure Cloud Shell, as depicted.
- Upload and run the script. (This is optional if pre-requisite 3 is followed.)
Upload the script updated with your GitHub PAT to Azure Cloud Shell
Use the ls command to verify that your file is uploaded
- Run the Script and Enter the **exact** solution name (e.g., `McAfee ePolicy Orchestrator`).
Run the uploaded PowerShell (.ps1) file as depicted in this screenshot
- The script fetches the rule metadata and exports it to a CSV in the same directory.
CSV of exported analytical rules placed in the same directory, ready to be downloaded
- Download the CSV from Cloud Shell.
Download the CSV from Azure Cloud Shell as depicted
📤 Sample Output
The script generates a CSV with the following columns:
- `Solution`
- `AnalyticalRuleName`
- `Description`
- `Severity`
- `MITRE_Tactics`
- `MITRE_Techniques`
Example file name:
Formatted output with all analytical rules and other metadata for the solution:
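The end-to-end flow that the pre-requisites and steps above describe (authenticate to the GitHub API with a PAT so the calls stay under the 403 rate limit, list the solution's Analytic Rules folder, read each rule YAML, and write the columns listed under Sample Output) as one added PowerShell example. This is not the blog's hosted script and not a Microsoft tool. It assumes the token is supplied through a GITHUB_PAT environment variable rather than edited into line 9 of a script, that the rules sit under `Solutions/<SolutionName>/Analytic Rules` in the Azure/Azure-Sentinel repository, and it uses a deliberately minimal YAML reader for the top-level keys a rule file carries (name, description, severity, tactics, relevantTechniques) instead of a full YAML module.

```powershell
# Added example, not the blog's hosted script. Assumptions: the PAT is read from
# the GITHUB_PAT environment variable, and the solution's rules live under the
# repo's usual "Solutions/<Name>/Analytic Rules" folder. The YAML reader below
# handles only the top-level keys a Sentinel rule file uses.
param(
    [Parameter(Mandatory = $true)][string]$SolutionName,
    [string]$OutFile = (($SolutionName -replace '[^A-Za-z0-9]+', '_') + '_AnalyticalRules.csv')
)

$token = $env:GITHUB_PAT
if (-not $token) { throw 'Set GITHUB_PAT to a GitHub PAT; unauthenticated calls hit the API rate limit (HTTP 403).' }

$apiHeaders = @{
    Authorization = "Bearer $token"
    Accept        = 'application/vnd.github+json'
    'User-Agent'  = 'SentinelRuleExtract-Example'
}
# The token is only needed for the API listing; raw file downloads go without it.
$rawHeaders = @{ 'User-Agent' = 'SentinelRuleExtract-Example' }

function Get-RuleMetadata {
    # Minimal parser: top-level "key: value" scalars, "key: |" / "key: >" block
    # scalars (description, query) and "- item" lists (tactics, relevantTechniques).
    # Every value is returned as a string array; nested mappings are ignored.
    param([string]$Yaml)
    $data = @{}; $key = $null; $mode = $null
    foreach ($line in ($Yaml -split "`r?`n")) {
        if ($line -match '^(\w+):\s*(.*)$') {
            $key = $Matches[1]; $value = $Matches[2].Trim()
            $data[$key] = @()
            if ($value -in @('|', '>', '|-', '>-')) { $mode = 'block' }
            elseif ($value -eq '') { $mode = 'list' }
            else { $mode = 'scalar'; $data[$key] += $value.Trim("'`"") }
        }
        elseif ($key -and $mode -eq 'list' -and $line -match '^\s*-\s*(.+)$') {
            $data[$key] += $Matches[1].Trim().Trim("'`"")
        }
        elseif ($key -and $mode -eq 'block' -and $line -match '^\s+(.*)$') {
            $data[$key] += $Matches[1]
        }
    }
    return $data
}

# Build the Contents API URL; each path segment is escaped so spaces in the
# solution name and in "Analytic Rules" stay valid.
$folder   = "Solutions/$SolutionName/Analytic Rules"
$segments = ($folder -split '/') | ForEach-Object { [uri]::EscapeDataString($_) }
$apiUrl   = 'https://api.github.com/repos/Azure/Azure-Sentinel/contents/' + ($segments -join '/')

try {
    $response = Invoke-WebRequest -Uri $apiUrl -Headers $apiHeaders -ErrorAction Stop
} catch {
    throw "GitHub API request failed for '$folder' (check the exact solution name): $($_.Exception.Message)"
}
# Surface the remaining quota so a rate-limit 403 is easy to diagnose.
Write-Host "GitHub API calls remaining: $($response.Headers['X-RateLimit-Remaining'])"

$yamlFiles = ($response.Content | ConvertFrom-Json) |
    Where-Object { $_.type -eq 'file' -and $_.name -match '\.ya?ml$' }

$rows = foreach ($file in $yamlFiles) {
    $yaml = (Invoke-WebRequest -Uri $file.download_url -Headers $rawHeaders -ErrorAction Stop).Content
    $meta = Get-RuleMetadata -Yaml $yaml
    [pscustomobject]@{
        Solution           = $SolutionName
        AnalyticalRuleName = ($meta['name'] -join ' ')
        Description        = ($meta['description'] -join ' ')
        Severity           = ($meta['severity'] -join ' ')
        MITRE_Tactics      = ($meta['tactics'] -join '; ')
        MITRE_Techniques   = ($meta['relevantTechniques'] -join '; ')
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Exported $(@($rows).Count) rules to $OutFile"
```

Save it as, for example, `Export-SentinelRuleMetadata.ps1`, set `$env:GITHUB_PAT` in the Cloud Shell session, and run `.\Export-SentinelRuleMetadata.ps1 -SolutionName 'McAfee ePolicy Orchestrator'`. Reading the token from the environment keeps it out of the script file you upload or commit, and the printed `X-RateLimit-Remaining` value tells you immediately whether a 403 came from the quota or from a wrong solution name.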
✅ Benefits
- Streamlines discovery of built-in analytical rules for initial Microsoft Sentinel deployments.
- Accelerates requirements gathering by exporting rules into a shareable CSV format.
- Enables collaborative planning—output can be shared with clients or Microsoft to determine which rules to implement or recommend.
- Eliminates the manual effort of browsing GitHub or the Microsoft Sentinel UI, or exporting and reviewing full JSON rule files individually.
💡 Pro Tips
- Always verify the solution name against the official Microsoft Sentinel GitHub Solutions folder: Azure-Sentinel/Solutions at master · Azure/Azure-Sentinel · GitHub
📌 Final Thoughts
This script was created in response to a real-world project need and is focused on improving the discovery and extraction of Microsoft Sentinel analytical rules. A follow-up blog covering the export of additional Sentinel artifacts—such as Playbooks, Workbooks, and Hunting Queries—will be published soon.