
Whenever Microsoft releases new features in preview, I always get the same questions.

  • When is the feature going to be generally available?
  • Why can’t we do this in the portal?
  • How do we do X? There isn’t any documentation for it.

And today is no different: this time I’ve been asked how to export Microsoft Sentinel Hunts as code to an ARM template. If you don’t know what hunts are in Microsoft Sentinel, check out the documentation here: https://learn.microsoft.com/en-us/azure/sentinel/hunts.

TLDR: Hunts are a way of aggregating queries, evidence and comments around a hypothesis in Microsoft Sentinel and performing actions on the results.

DISCLAIMER: Microsoft Hunts is currently in preview and subject to change without warning, meaning my code may stop working. If it does… let me know!

Right now, while in preview, there is no export button in the portal, no PowerShell cmdlets and no ARM template reference. But the REST API and its schema are available.

I will keep this post short and sweet and not go into deep detail about what the script does. But here are the steps you need to know:

  1. Sign in with your Azure account to the tenant where your workspace resides, using Connect-AzAccount.
  2. Get the resource ID of the Log Analytics workspace. It should look something like the value assigned to $workspaceId below.
  3. Run the script.
PowerShell
# Resource ID of the Log Analytics workspace that hosts your Sentinel instance
$workspaceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/<myResourceGroup>/providers/microsoft.operationalinsights/workspaces/<myWorkspaceName>"

# Parameter names in PowerShell take no space after the dash
.\Export-Hunts.ps1 -WorkspaceId $workspaceId

It will get all the hunts in your workspace and all their relations (queries etc.) and write a single ARM template into the directory you are currently in.
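To make the flow concrete, here is an added example (my own sketch, not the Export-Hunts.ps1 script from the repo) that pulls hunts and their relations through the Sentinel management API with Invoke-AzRestMethod, pauses between calls so it stays under the two-requests-per-second budget mentioned below, and writes a single ARM template. The endpoint path Microsoft.SecurityInsights/hunts, the relations sub-path, the preview api-version and the ARM resource type strings are assumptions on my part, as is the hypothetical output file name; check them against the current API reference before relying on them.

```powershell
# Added example, not the post's script. Exports Sentinel hunts plus their
# relations into one ARM template.
# ASSUMPTIONS (not taken from the post): the API paths
# '.../providers/Microsoft.SecurityInsights/hunts' and '.../hunts/{id}/relations',
# the preview api-version below, and the ARM resource type strings.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,
    [string] $ApiVersion = '2023-06-01-preview',   # assumed preview version
    [string] $OutFile    = '.\hunts-template.json' # hypothetical output name
)

# Step 1 of the post: make sure an Az context for the right tenant exists.
if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

function Invoke-SentinelGet {
    param([string] $Path)
    # Invoke-AzRestMethod reuses the signed-in context's token, so no manual
    # bearer-token handling is needed. It returns raw JSON in .Content.
    $resp = Invoke-AzRestMethod -Method GET -Path "$Path?api-version=$ApiVersion"
    if ($resp.StatusCode -ne 200) {
        throw "GET $Path failed with HTTP $($resp.StatusCode): $($resp.Content)"
    }
    ($resp.Content | ConvertFrom-Json).value
}

$base  = "$WorkspaceId/providers/Microsoft.SecurityInsights"
$hunts = Invoke-SentinelGet -Path "$base/hunts"

# Build one ARM resource per hunt and one per relation, all scoped to a
# 'workspace' template parameter so the template is not tied to the source.
$resources = foreach ($hunt in $hunts) {
    [ordered]@{
        type       = 'Microsoft.OperationalInsights/workspaces/providers/hunts'
        apiVersion = $ApiVersion
        name       = "[concat(parameters('workspace'), '/Microsoft.SecurityInsights/', '$($hunt.name)')]"
        properties = $hunt.properties
    }

    # Relations (queries, bookmarks) hang off each hunt. Sleep 500 ms so each
    # hunt costs at most two requests per second, matching the post's throttle.
    Start-Sleep -Milliseconds 500
    $relations = Invoke-SentinelGet -Path "$base/hunts/$($hunt.name)/relations"
    foreach ($rel in $relations) {
        [ordered]@{
            type       = 'Microsoft.OperationalInsights/workspaces/providers/hunts/relations'
            apiVersion = $ApiVersion
            name       = "[concat(parameters('workspace'), '/Microsoft.SecurityInsights/', '$($hunt.name)', '/', '$($rel.name)')]"
            # The relation must be deployed after its parent hunt.
            dependsOn  = @("[resourceId('Microsoft.OperationalInsights/workspaces/providers/hunts', parameters('workspace'), 'Microsoft.SecurityInsights', '$($hunt.name)')]")
            properties = $rel.properties
        }
    }
}

$template = [ordered]@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    parameters     = @{ workspace = @{ type = 'string' } }
    resources      = @($resources)
}

$template | ConvertTo-Json -Depth 20 | Set-Content -Path $OutFile -Encoding utf8
Write-Host "Wrote $(@($hunts).Count) hunt(s) to $OutFile"
```

Two things to check before deploying the output elsewhere: relation properties carry the full resource ID of the related query or bookmark from the source workspace, which is exactly the kind of value the post suggests parameterising, and any read-only fields the GET response includes in properties should be stripped before a PUT-style deployment.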

I am not saying this is perfect: you will most likely want to parameterise some values, you may wish to export only certain hunts, or you may even hit throttling (I’ve limited the requests per hunt to 2 per second, so it “should” be fine). If you have any suggestions, please let me know or even make a pull request on GitHub.

The code can be found in my GitHub repo: https://github.com/TheAlistairRoss/The-Cloud-Brain-Dump/blob/main/Toolshed/Sentinel%20Toolbox/Export-Hunts.ps1