How do I clone or copy an analytic rule that lives in Microsoft Sentinel using PowerShell or the Azure CLI?
The cloned analytic rule will need a new rule ID and name, but all other properties can stay the same.
```powershell
$resourceGroupName = "XYZ"
$workspaceName = "abc"

# Get all analytic rules
$analyticRules = Get-AzSentinelAlertRule -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName

foreach ($rule in $analyticRules) {
    # Duplicate each rule
    $newRule = $rule
    $newRule.DisplayName = "_" + $rule.DisplayName
    $newRule.Id = $null # Clear ID for new rule creation

    # Create the duplicated rule
    New-AzOperationalInsightsSavedSearch -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Properties $newRule.Properties
    #? New-AzSentinelAlertRule ? parameters to add
}
```
I tried using the Sentinel-related PowerShell modules and functions.
How to clone or copy analytic rules:
You can use the PowerShell script below to clone analytic rules; it worked for me, as shown below.
```powershell
$rg = "xxxx"
$ws = "workjah"
$ars = Get-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws

foreach ($rule in $ars) {
    # Parameters for the clone; a new rule needs its own RuleId
    $newRule = @{
        RuleId      = [guid]::NewGuid().ToString()
        DisplayName = "Cloned-" + $rule.DisplayName
        Enabled     = $rule.Enabled
        # you can add the required properties based on the requirement
    }
    $created = New-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws @newRule
}
```
You can also refer to the set-Azsentinel.ps1 script to update analytic rule properties.
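A fuller version of the clone loop from the answer above, added here as an example and not taken from the original post or from the Az module. It copies the properties a Scheduled rule actually needs (query, schedule, severity, trigger and suppression settings, tactics) rather than only the display name, skips rule kinds it does not handle, and can create the copies disabled so they are reviewed before they start raising incidents. The cmdlet parameter names (`-Kind`, `-Query`, `-QueryFrequency`, `-QueryPeriod`, `-Severity`, `-TriggerOperator`, `-TriggerThreshold`, `-SuppressionDuration`, `-SuppressionEnabled`, `-Tactic`, `-Description`) and the property names read from `Get-AzSentinelAlertRule` are assumed to match the current Az.SecurityInsights module; the resource group and workspace values are placeholders.

```powershell
# Added example, not the original poster's code. Assumes Az.SecurityInsights parameter and
# property names as listed in the lead-in; <resource-group> / <workspace-name> are placeholders.
function Copy-SentinelScheduledRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $WorkspaceName,
        [Parameter(Mandatory)] $Rule,          # one object returned by Get-AzSentinelAlertRule
        [string] $Prefix = 'Cloned-',
        [switch] $StartDisabled                # create the copy disabled so it can be reviewed first
    )

    # Only Scheduled rules carry a KQL query and a schedule; other kinds
    # (Fusion, MicrosoftSecurityIncidentCreation, NRT, ...) take different parameters.
    if ($Rule.Kind -ne 'Scheduled') {
        Write-Warning "Skipping '$($Rule.DisplayName)': kind '$($Rule.Kind)' is not handled here."
        return $null
    }

    # Do not clone the clones on a re-run; duplicate rules double the alert volume.
    if ($Rule.DisplayName.StartsWith($Prefix)) {
        Write-Verbose "Skipping '$($Rule.DisplayName)': already a clone."
        return $null
    }

    $params = @{
        ResourceGroupName   = $ResourceGroupName
        WorkspaceName       = $WorkspaceName
        RuleId              = [guid]::NewGuid().ToString()   # the copy needs its own rule ID
        Kind                = 'Scheduled'
        DisplayName         = $Prefix + $Rule.DisplayName
        Enabled             = (-not $StartDisabled) -and $Rule.Enabled
        Query               = $Rule.Query
        QueryFrequency      = $Rule.QueryFrequency
        QueryPeriod         = $Rule.QueryPeriod
        Severity            = $Rule.Severity
        TriggerOperator     = $Rule.TriggerOperator
        TriggerThreshold    = $Rule.TriggerThreshold
        SuppressionDuration = $Rule.SuppressionDuration
        SuppressionEnabled  = $Rule.SuppressionEnabled
    }
    # Optional properties: only pass them when the source rule has them set.
    if ($Rule.Tactic)      { $params.Tactic      = $Rule.Tactic }
    if ($Rule.Description) { $params.Description = $Rule.Description }

    if ($PSCmdlet.ShouldProcess($params.DisplayName, 'Create cloned analytic rule')) {
        return New-AzSentinelAlertRule @params
    }
}

# Usage: clone every Scheduled rule in the workspace as a disabled copy.
# Run with -WhatIf first to list what would be created without creating anything.
$rg = '<resource-group>'   # placeholder
$ws = '<workspace-name>'   # placeholder
Get-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws |
    ForEach-Object { Copy-SentinelScheduledRule -ResourceGroupName $rg -WorkspaceName $ws -Rule $_ -StartDisabled -WhatIf }
```

Entity mappings, custom details and incident-grouping settings are not copied by this function; if the source rule depends on them, add those parameters to the splat after checking the names in your installed module version. Creating the copies disabled and reviewing them in the portal before enabling avoids a burst of duplicate incidents from two identical rules running on the same schedule.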