Kelly Garcia

asked on

ConvertTo-YAML using Powershell-YAML module

Hi All,

I am running the script below in Azure Cloud Shell to pull information into a YAML file:

$alertrule = @()

# One PSCustomObject per analytics rule in the workspace (AzSentinel module cmdlet)
Get-AzSentinelAlertRule -WorkspaceName sentinel01 | ForEach-Object {
    $a = @{
        name                = $_.displayName
        description         = $_.description
        enabled             = $_.enabled
        suppressionDuration = $_.suppressionDuration
        suppressionEnabled  = $_.suppressionEnabled
        environment         = ("Dev", "Qa", "Prd", "IPGLab")
        kind                = "scheduled"
        severity            = $_.severity
        queryfrequency      = $_.queryFrequency
        queryPeriod         = $_.queryPeriod
        triggerOperator     = $_.triggerOperator
        triggerThreshold    = $_.triggerThreshold
        tactics             = $_.tactics
        query               = $_.query
    }
    $alertrule += $a
}

foreach ($b in $alertrule) {
    $name = $b.name
    Write-Host "processing $name"
    # Display names are used as file names, so replace characters that are not legal
    # in a file name (for example '/' on the Linux-based Cloud Shell) and quote the
    # whole path. One file per rule, overwritten on each run.
    $file = ($name -replace '[\\/:*?"<>|]', '_') + ".yml"
    $b | ConvertTo-Yaml | Out-File -FilePath $file -Encoding UTF8
}



The line below doesn't work - it produces no YAML file:

$b | convertto-yaml >> "$name".yml



So instead I tried this for testing: $b | ConvertTo-Yaml >> test.yaml, and noticed a few issues with the YAML file produced.

It doesn't return the fields in the .yml file in the correct order, e.g. instead of name at the top it gives me tactics, etc.

Also, the query it returns looks like this; I wanted it returned without escaping the characters with \", \r\n|, etc.:

"SecurityEvent\r\n| where EventID == \"5145\"\r\n| where AccountType == \"User\" \r\n| where ShareName == \"\\\\\\\\*\\\\SYSVOL$\"\r\n| where AccessList has \"%%4417\"\r\n| where RelativeTargetName == \"ScheduledTasks.xml\" \r\n| extend SourceIp = IpAddress, Account = SubjectUserName, IPCustomEntity = IpAddress, AccountCustomEntity = Account, HostCustomEntity = Computer"



Get-AzSentinelAlertRule | gm returns the following:

   TypeName: System.Management.Automation.PSCustomObject

Name                  MemberType   Definition
----                  ----------   ----------
Equals                Method       bool Equals(System.Object obj)
GetHashCode           Method       int GetHashCode()
GetType               Method       type GetType()
ToString              Method       string ToString()
alertRuleTemplateName NoteProperty string alertRuleTemplateName=f71aba3d-28fb-450b-b192-4e76a83015c8
description           NoteProperty string description=By using Fusion technology that’s based on machine learning, Azure Sentinel can automatic…
displayName           NoteProperty string displayName=Advanced Multistage Attack Detection
enabled               NoteProperty bool enabled=True
lastModifiedUtc       NoteProperty datetime lastModifiedUtc=5/12/2020 7:09:46 PM
name                  NoteProperty string name=BuiltInFusion
playbookName          NoteProperty string playbookName=
severity              NoteProperty string severity=High
tactics               NoteProperty Object[] tactics=System.Object[]



Thank you in advance.
footech

Regarding the ordering, when you define $a you're creating a hash table.  Hash tables are unordered just as a matter of fact. See the difference by running these.
# Plain hash table: key order is not guaranteed
@{
    "1" = "a"
    "2" = "b"
    "3" = "c"
    "4" = "d"
}

# Ordered dictionary: keys keep the order in which they were declared
[ordered]@{
    "1" = "a"
    "2" = "b"
    "3" = "c"
    "4" = "d"
}


You can try specifying the [ordered] type.

I couldn't say much (if anything) about the YAML produced.
Kelly Garcia (ASKER)

Is there any way I can export to a .yml file without it escaping the characters? Normally you need to escape the characters in JSON files, but in YAML this is not required. How do I stop it from escaping when it outputs the YAML file?
ASKER CERTIFIED SOLUTION
footech
There must be a way. At the moment I am exporting to YAML and, in another file, exporting to text, and then manually copying the query from the text into the YAML :( This is tedious and I need to automate this.
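The two problems raised in this thread, key order and the escaped multi-line query, can be handled together. The function below is an added example, not code from the original posts or from the powershell-yaml module: it uses [ordered] so keys come out in the declared order, sends every field except the query through ConvertTo-Yaml, and then appends the KQL itself as a YAML literal block scalar (query: |) so nothing is quoted or escaped. It assumes the powershell-yaml module is imported and that the input objects have the properties shown in the gm output above.

```powershell
# Added example: export one Sentinel analytics rule to a readable YAML file.
# Assumes: Import-Module powershell-yaml has been run, and $Rule comes from
# Get-AzSentinelAlertRule (properties as in the Get-Member listing above).
function Export-RuleYaml {
    param(
        [Parameter(Mandatory)] $Rule,                 # one rule object
        [Parameter(Mandatory)] [string] $Directory    # where the .yml files go
    )

    # [ordered] keeps insertion order, so 'name' is emitted first, 'tactics' last.
    $record = [ordered]@{
        name                = $Rule.displayName
        description         = $Rule.description
        enabled             = $Rule.enabled
        suppressionDuration = $Rule.suppressionDuration
        suppressionEnabled  = $Rule.suppressionEnabled
        environment         = @("Dev", "Qa", "Prd", "IPGLab")
        kind                = "scheduled"
        severity            = $Rule.severity
        queryfrequency      = $Rule.queryFrequency
        queryPeriod         = $Rule.queryPeriod
        triggerOperator     = $Rule.triggerOperator
        triggerThreshold    = $Rule.triggerThreshold
        tactics             = $Rule.tactics
    }

    # Everything except the query is serialised by the module as usual.
    $yaml = ($record | ConvertTo-Yaml).TrimEnd()

    # The query is written as a literal block scalar: "query: |" followed by each
    # KQL line indented two spaces. Inside a literal block no characters need
    # escaping, so the file shows the query exactly as it appears in the portal.
    # CRLF is normalised to LF first so no stray "\r" ends up in the block.
    $lines = ($Rule.query -replace "`r`n", "`n").Split("`n")
    $block = "query: |`n" + (($lines | ForEach-Object { "  $_" }) -join "`n")

    # Display names become file names; replace characters that are not legal in
    # file names ('/' on Linux-based Cloud Shell, ':' and others on Windows).
    $safeName = $Rule.displayName -replace '[\\/:*?"<>|]', '_'
    $path = Join-Path $Directory "$safeName.yml"
    Set-Content -Path $path -Value ($yaml + "`n" + $block + "`n") -Encoding UTF8
    return $path
}

# Usage: one file per rule in the current directory.
# Get-AzSentinelAlertRule -WorkspaceName sentinel01 |
#     ForEach-Object { Export-RuleYaml -Rule $_ -Directory . }
```

Reading the file back with Get-Content -Raw | ConvertFrom-Yaml returns the query as a single string with embedded newlines, which is what a downstream pipeline that recreates the rule expects.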