ConvertTo-YAML using the powershell-yaml module

Last Modified: 2020-10-16
Hi All,

I am running the script below in Azure Cloud Shell to pull information into a YAML file:

$alertrule = @()

Get-AzSentinelAlertRule -WorkspaceName sentinel01 | % {
    $a = @{
        name                = $_.displayname
        description         = $_.description
        enabled             = $_.enabled
        suppressionDuration = $_.suppressionDuration
        suppressionEnabled  = $_.suppressionEnabled
        environment         = ("Dev","Qa","Prd","IPGLab")
        kind                = "scheduled"
        severity            = $_.severity
        queryfrequency      = $_.queryFrequency
        queryPeriod         = $_.queryPeriod
        triggerOperator     = $_.triggerOperator
        triggerThreshold    = $_.triggerThreshold
        tactics             = $_.tactics
        query               = $_.query
    }
    $alertrule += $a
}

foreach ($b in $alertrule) {
    $name = $b.name
    write-host "processing $name"
    $b | convertto-yaml >> "$name".yml
}

The code below doesn't work - it returns no YAML file:

$b | convertto-yaml >> "$name".yml

So instead I tried this code for testing: $b | ConvertTo-Yaml >> test.yaml, and noticed a few issues with the YAML file produced.

It doesn't return the fields in the .yml file in the correct order, e.g. instead of name at the top it will give me tactics, etc.

Also, the query it returns looks like this; I wanted it returned without escaping the characters with \", \r\n|, etc.:

"SecurityEvent\r\n| where EventID == \"5145\"\r\n| where AccountType == \"User\" \r\n| where ShareName == \"\\\\\\\\*\\\\SYSVOL$\"\r\n| where AccessList has \"%%4417\"\r\n| where RelativeTargetName == \"ScheduledTasks.xml\" \r\n| extend SourceIp = IpAddress, Account = SubjectUserName, IPCustomEntity = IpAddress, AccountCustomEntity = Account, HostCustomEntity = Computer"

Get-AzSentinelAlertRule | gm returns the following results:

   TypeName: System.Management.Automation.PSCustomObject

Name                  MemberType   Definition
----                  ----------   ----------
Equals                Method       bool Equals(System.Object obj)
GetHashCode           Method       int GetHashCode()
GetType               Method       type GetType()
ToString              Method       string ToString()
alertRuleTemplateName NoteProperty string alertRuleTemplateName=f71aba3d-28fb-450b-b192-4e76a83015c8
description           NoteProperty string description=By using Fusion technology that’s based on machine learning, Azure Sentinel can automatic…
displayName           NoteProperty string displayName=Advanced Multistage Attack Detection
enabled               NoteProperty bool enabled=True
lastModifiedUtc       NoteProperty datetime lastModifiedUtc=5/12/2020 7:09:46 PM
name                  NoteProperty string name=BuiltInFusion
playbookName          NoteProperty string playbookName=
severity              NoteProperty string severity=High
tactics               NoteProperty Object[] tactics=System.Object[]

Thank you in advance.
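As an added example (not the asker's script and not the answer on this page), here is one way to export the rules one file each while addressing the three symptoms above: an [ordered] hashtable to keep the key order, the ".yml" kept inside the quoted file name with Set-Content instead of ">>", and the carriage returns stripped from the query before serialising. It assumes the module that provides Get-AzSentinelAlertRule (as in the question) and powershell-yaml are loaded and that $WorkspaceName is set; ConvertTo-SafeFileName and ConvertTo-RuleDocument are helper names of my own.

```powershell
# Added example, not the asker's script: one YAML file per Azure Sentinel rule.
# Assumes the Get-AzSentinelAlertRule module and powershell-yaml are installed and
# $WorkspaceName is set; the property names are those the asker's script reads.
Import-Module powershell-yaml

function ConvertTo-SafeFileName {
    param([Parameter(Mandatory)][string]$Name)
    # A display name may contain characters that are illegal in a file name or
    # that would change the output directory; map them to '_'.
    return ($Name -replace '[\\/:*?"<>|]', '_')
}

function ConvertTo-RuleDocument {
    param([Parameter(Mandatory)]$Rule)
    # [ordered] keeps insertion order; a plain @{} does not, which is why
    # 'tactics' can come out above 'name'.
    return [ordered]@{
        name                = $Rule.displayName
        description         = $Rule.description
        enabled             = $Rule.enabled
        suppressionDuration = $Rule.suppressionDuration
        suppressionEnabled  = $Rule.suppressionEnabled
        environment         = @('Dev', 'Qa', 'Prd', 'IPGLab')
        kind                = 'scheduled'
        severity            = $Rule.severity
        queryFrequency      = $Rule.queryFrequency
        queryPeriod         = $Rule.queryPeriod
        triggerOperator     = $Rule.triggerOperator
        triggerThreshold    = $Rule.triggerThreshold
        tactics             = @($Rule.tactics)
        # Drop the CR so no '\r' escapes appear; whether the emitter then uses a
        # literal block ('|') or a quoted scalar depends on the module version.
        query               = [string]($Rule.query -replace "`r`n", "`n")
    }
}

$outDir = Join-Path $PWD 'rules'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

Get-AzSentinelAlertRule -WorkspaceName $WorkspaceName | ForEach-Object {
    $doc = ConvertTo-RuleDocument -Rule $_
    # Keep '.yml' inside the quotes: "$name".yml is parsed as a property lookup
    # on the string, so the redirection target of the original ends up empty.
    $path = Join-Path $outDir ("{0}.yml" -f (ConvertTo-SafeFileName $doc.name))
    Write-Host "processing $($doc.name) -> $path"
    # Set-Content overwrites, so a re-run does not append a second document
    # to an existing file the way '>>' would.
    $doc | ConvertTo-Yaml | Set-Content -Path $path -Encoding utf8
}
```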