ConvertTo-Yaml using Powershell-YAML module

Asked by Kelly Garcia (United Kingdom)
Tags: Azure, PowerShell, Azure DevOps
Hi All,

I am running the script below in Azure Cloud Shell to pull information into a YAML file:

$alertrule=@()

Get-AzSentinelAlertRule -WorkspaceName sentinel01 | % {

$a = @{
name = $_.displayname
description = $_.description
enabled = $_.enabled
suppressionDuration = $_.suppressionDuration
suppressionEnabled = $_.suppressionEnabled
environment = ("Dev","Qa","Prd","IPGLab")
kind = "scheduled"
severity = $_.severity
queryfrequency = $_.queryFrequency
queryPeriod = $_.queryPeriod
triggerOperator = $_.triggerOperator
triggerThreshold = $_.triggerThreshold
tactics = $_.tactics
query = $_.query
}
$alertrule += $a
}

foreach ($b in $alertrule){

$name = $b.name

write-host "processing $name"

$b | convertto-yaml >> "$name".yml

}

The line below doesn't work - it returns no YAML file:

$b | convertto-yaml >> "$name".yml

So instead I tried this for testing, $b | ConvertTo-Yaml >> test.yaml, and noticed a few issues with the YAML file produced.

It doesn't return the fields in the .yml file in the correct order, e.g. instead of name at the top it gives me tactics, etc.

Also, the query it returns looks like this; I wanted it returned without escaping the characters with \", \r\n|, etc.:

"SecurityEvent\r\n| where EventID == \"5145\"\r\n| where AccountType == \"User\" \r\n| where ShareName == \"\\\\\\\\*\\\\SYSVOL$\"\r\n| where AccessList has \"%%4417\"\r\n| where RelativeTargetName == \"ScheduledTasks.xml\" \r\n| extend SourceIp = IpAddress, Account = SubjectUserName, IPCustomEntity = IpAddress, AccountCustomEntity = Account, HostCustomEntity = Computer"

Get-AzSentinelAlertRule | gm returns the following:

   TypeName: System.Management.Automation.PSCustomObject

Name                  MemberType   Definition
----                  ----------   ----------
Equals                Method       bool Equals(System.Object obj)
GetHashCode           Method       int GetHashCode()
GetType               Method       type GetType()
ToString              Method       string ToString()
alertRuleTemplateName NoteProperty string alertRuleTemplateName=f71aba3d-28fb-450b-b192-4e76a83015c8
description           NoteProperty string description=By using Fusion technology that’s based on machine learning, Azure Sentinel can automatic…
displayName           NoteProperty string displayName=Advanced Multistage Attack Detection
enabled               NoteProperty bool enabled=True
lastModifiedUtc       NoteProperty datetime lastModifiedUtc=5/12/2020 7:09:46 PM
name                  NoteProperty string name=BuiltInFusion
playbookName          NoteProperty string playbookName=
severity              NoteProperty string severity=High
tactics               NoteProperty Object[] tactics=System.Object[]

Thank you in advance.
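One way to get a working per-rule export with keys in the order they are written, as an added example (this is not the asker's script or the answer on this page). It assumes the powershell-yaml module and the same Get-AzSentinelAlertRule output shape shown above; the workspace name and the output folder are placeholders. Whether the query ends up as a readable block scalar rather than an escaped quoted string depends on the powershell-yaml version; removing the carriage returns is what makes block style possible at all.

```powershell
# Added example, not the asker's code. Assumes powershell-yaml and the
# Get-AzSentinelAlertRule properties shown in the question.
Import-Module powershell-yaml

$WorkspaceName = 'sentinel01'                 # placeholder
$OutDir        = Join-Path $PWD 'rules'       # placeholder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Rule display names are free text and become file names: strip path
# separators and other invalid characters so a name cannot escape $OutDir.
function Get-SafeFileName([string]$Name) {
    $clean = ($Name -replace '[\\/:*?"<>|]', '_').Trim()
    if ([string]::IsNullOrWhiteSpace($clean)) { $clean = 'unnamed-rule' }
    return $clean
}

Get-AzSentinelAlertRule -WorkspaceName $WorkspaceName | ForEach-Object {
    # [ordered] keeps the keys in the order written, so "name" stays on top.
    $rule = [ordered]@{
        name                = $_.displayName
        description         = $_.description
        enabled             = $_.enabled
        suppressionDuration = $_.suppressionDuration
        suppressionEnabled  = $_.suppressionEnabled
        environment         = @('Dev', 'Qa', 'Prd', 'IPGLab')
        kind                = 'scheduled'
        severity            = $_.severity
        queryFrequency      = $_.queryFrequency
        queryPeriod         = $_.queryPeriod
        triggerOperator     = $_.triggerOperator
        triggerThreshold    = $_.triggerThreshold
        tactics             = if ($_.tactics) { @($_.tactics) } else { @() }
        # CRLF in the KQL forces the serializer into a double-quoted, escaped
        # scalar (the \r\n and \" seen in the question). Normalise to LF; a
        # recent powershell-yaml can then emit it as a block scalar.
        query               = ([string]$_.query) -replace "`r`n", "`n"
    }

    # "$name".yml parses as a property lookup on the string and yields $null;
    # the extension has to be inside the quotes, or built with Join-Path.
    $path = Join-Path $OutDir ((Get-SafeFileName $rule.name) + '.yml')
    Write-Host "processing $($rule.name) -> $path"

    # Overwrite instead of appending with >>, so a re-run does not stack
    # several YAML documents into the same file.
    ConvertTo-Yaml -Data $rule | Set-Content -Path $path -Encoding utf8 -Force
}
```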