Feature Request: Optimise Rule checking in Import-AzSentinelAlertRule #74

Closed
MathiasVandePol opened this issue May 7, 2020 · 2 comments · Fixed by #92
MathiasVandePol commented May 7, 2020

Summary of the new feature/enhancement

I want to use this cmdlet to import a couple of hundred rules from one workspace to another.

1. Currently the command will iterate across all rules in an array and do a separate API call for every rule in that array to see if it already exists or not. You could optimise this by providing your own command Get-AzSentinelAlertRule with an array of Rulenames, reducing it to 1 call.

2. A second optimisation is to not fetch the alertruleaction (playbookname) for that rule if we simply want to know if the rule exists or not.
   I see that in a later phase, that fetched playbookname of that alertruleaction is used to verify if a rule has changed playbookname. It might be useful to provide a flag 'UpdatePlaybooks' to either enable or disable this feature, as we use separate AlertAction files to enable a certain playbook for a certain customer, meaning that we do not care about playbooks while importing a set of new rules.

```powershell
foreach ($item in $analytics) {
    try {
        $content = Get-AzSentinelAlertRule @arguments -RuleName $($item.displayName) -ErrorAction SilentlyContinue
        if ($content) {
            Write-Output "Rule $($item.displayName) exists in Azure Sentinel"
            ...
        }
        else {
            Write-Verbose -Message "Rule $($item.displayName) doesn't exist in Azure Sentinel"
            ...
        }
    }
```
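The pattern the issue asks for, as an added example that is not the AzSentinel module's own code: fetch the workspace's rules once, index them by displayName in a hashtable, and classify each rule to import with a local lookup instead of one API round-trip per rule. The `$existing` input is constructed inline to stand in for the result of a single bulk `Get-AzSentinelAlertRule` call, the `playbookName` property and the `-UpdatePlaybooks` switch are assumptions modelled on the issue text, and `Split-SentinelRuleImport` is a hypothetical helper name.

```powershell
# Added example, not code from the AzSentinel project. Shows the "fetch once,
# look up locally" pattern proposed in the issue, plus an opt-in switch so the
# playbook comparison (and the extra alertRuleAction lookup it needs) is skipped
# unless the caller asks for it.

function Split-SentinelRuleImport {
    [CmdletBinding()]
    param(
        # Rules already present in the target workspace, from ONE bulk fetch.
        [Parameter(Mandatory)] [object[]] $ExistingRules,
        # Rules read from the export file(s) that should be imported.
        [Parameter(Mandatory)] [object[]] $RulesToImport,
        # Hypothetical flag from the issue: only when set is the playbook
        # compared; otherwise existence is the only thing checked.
        [switch] $UpdatePlaybooks
    )

    # Build the index once. Lookups are then O(1) per rule and need no API call.
    # Keys are lower-cased so the match is case-insensitive, like the module's
    # name matching (assumption: displayName is unique within a workspace).
    $index = @{}
    foreach ($rule in $ExistingRules) {
        $index[$rule.displayName.ToLowerInvariant()] = $rule
    }

    $result = [ordered]@{ New = @(); Existing = @(); PlaybookChanged = @() }
    foreach ($item in $RulesToImport) {
        $key = $item.displayName.ToLowerInvariant()
        if (-not $index.ContainsKey($key)) {
            $result.New += $item
            continue
        }
        $result.Existing += $item
        if ($UpdatePlaybooks) {
            # Only touched when explicitly requested, so an import that does not
            # care about playbooks never pays for the alertRuleAction lookup.
            $current = $index[$key]
            if ($current.playbookName -ne $item.playbookName) {
                $result.PlaybookChanged += $item
            }
        }
    }
    return $result
}

# Constructed sample input: stands in for the bulk API response and the import file.
$existing = @(
    [pscustomobject]@{ displayName = 'Brute force against Azure Portal'; playbookName = 'Block-IP' }
    [pscustomobject]@{ displayName = 'Rare RDP connections';              playbookName = $null }
)
$toImport = @(
    [pscustomobject]@{ displayName = 'Brute force against Azure Portal'; playbookName = 'Notify-SOC' }
    [pscustomobject]@{ displayName = 'rare rdp connections';             playbookName = $null }
    [pscustomobject]@{ displayName = 'New mailbox forwarding rule';      playbookName = 'Notify-SOC' }
)

# Default: playbooks are ignored, only existence is decided.
$r = Split-SentinelRuleImport -ExistingRules $existing -RulesToImport $toImport
"New: {0}, Existing: {1}, PlaybookChanged: {2}" -f $r.New.Count, $r.Existing.Count, $r.PlaybookChanged.Count

# With -UpdatePlaybooks the first rule's changed playbook is reported as well.
$r = Split-SentinelRuleImport -ExistingRules $existing -RulesToImport $toImport -UpdatePlaybooks
"New: {0}, Existing: {1}, PlaybookChanged: {2}" -f $r.New.Count, $r.Existing.Count, $r.PlaybookChanged.Count
```

In the real cmdlet the `$existing` array would come from one `Get-AzSentinelAlertRule` call made before the loop; everything after that point runs without further API traffic, which is where the performance gain for a few hundred rules comes from.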
@pkhabazi pkhabazi added the enhancement New feature or request label Sep 3, 2020
@pkhabazi pkhabazi self-assigned this Sep 3, 2020
pkhabazi commented Sep 3, 2020

Hi @MathiasVandePol, thanks for the great feedback and sorry for the late response! Just updated the import function to first get all the rules instead of in the foreach loop. Great performance boost. The second point is an interesting idea, I haven't thought about it before and haven't heard it before from the community. So basically you would like to have a flag for skipping the whole playbook configuration for the rules, is that correct?

MathiasVandePol commented Sep 11, 2020

Thanks for the reply. Yes indeed!

@pkhabazi pkhabazi linked a pull request Sep 18, 2020 that will close this issue