Support for ARM templates with multiple alert rules

[f-bader]

Summary of the new feature / enhancement

Add support for ARM templates that contain more than one analytics rule. This can be done by selecting multiple ARs in Sentinel and exporting them.

The naming can be tricky and should respect the switch the user sets, but never export multiple ARs in one YAML file

Proposed technical implementation details (optional)

Detect multiple ARs in the template and call the function multiple times

[Manbearpiet]

I've thought about this for a moment and I've come up with a design. I assume this just pertains to Convert-SentinelARArmToYaml, meaning that we will not support integrating multiple YAML's in a single ARM file. This would be great for deployment speed, but also requires any dependencies for the ART to be present. I will not integrate this into my PR.

Some design decisions/suggestions:

• UseOriginalFilename will normally take the Basename of the JSON-file and use that. We could create logic that appends _$Number to the filename (to discern from GUID's easily). This implies that once more than one alert in a file is found, the number will be appended (MyAlertRules.json ==> MyAlertRules_1.yaml, MyAlertRules_2.yaml
• ART's hopefully have a unique Displayname, so UseDisplayNameAsFilename won't give issues if multiple are found per file.
• UseIdAsFilename has the same logic applied, since alertRuleTemplateName will probably be unique, we can use this for filenames without applying own logic.

The nice thing is, is that when using the $Data parameter, we could extract the displayname and id as the filename too.

• OutFile will potentially give some issues. In it's current form I think we can just use this parameter if a single ART is present in the Data or Filename. We could move this to a filebase name (like with UseOriginalFilename), meaning this paramter will suggest the basename prefix and by using this param we append _1 ,_2 to the filebasename.

Looking forward to your input or to hear if you're fine with the suggestions 😄. I think this does suggest a new major since breaking OutFile will break current functionality.

[f-bader]

I very much like the proposed solution.

A few ideas for conflict handling UseDisplayNameAsFilename and alertRuleTemplateName

• There should be no complicated conflict handling
• Proposal
  • Default: No overwrite when a duplicated filename occurs
  • New switch -Force: Will overwrite any duplicated filenames
  • Always write a warning when a conflict occurs

For OutFile we should use the same logic UseOriginalFilename and use the numeric suffix.

Can't wait for version 2.0

[Manbearpiet]

Created #13 to fix this 😄