Development toolkit for Microsoft Sentinel Analytics Rules
Guard your Sentinel rules with precision
Complete documentation is available in our Wiki
- Getting Started Guide - Complete feature overview and quick start
- Rule Templates - Professional templates with best practices
- ARM to YAML Conversion - Comprehensive migration guide
- Configuration - Detailed setup and customization
SentinelCodeGuard is currently in beta (v0.0.11). We're actively developing and improving the extension. Please report any issues or feedback via GitHub Issues.
Created by TobyG - Visit sentinel.blog for more Microsoft Sentinel resources, tutorials, and insights.
- Content-based detection - Automatically identifies Sentinel rules by analyzing YAML content
- Real-time validation with instant feedback and error correction
- Professional templates for all rule types (Standard, Advanced, NRT, Behavior Analytics)
- Multi-framework MITRE ATT&CK validation - Enterprise, Mobile, and ICS frameworks
- Smart IntelliSense for all Sentinel fields and values
- Single and bulk conversion from ARM templates to YAML
- Multiple naming strategies for organized file management
- Comprehensive field mapping with validation
- Configurable conversion options for enterprise needs
- Progress tracking and detailed conversion summaries
- Professional formatting with field reordering and duration auto-correction
- Live validation in the Problems panel with rule-type-specific checks
- Code snippets and auto-completion
- Entity mapping helpers for all entity types
- Workspace integration for team collaboration
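The content-based detection and rule-type-specific validation listed above can be reproduced outside the editor. The following Python script is an added example, not SentinelCodeGuard's own code: the marker-field set, the Scheduled/NRT field rules and the sample documents are assumptions made for the example, and the tiny top-level-key scanner stands in for a real YAML parser so the script runs without PyYAML.

```python
"""Content-based detection of Sentinel analytics rules plus rule-type-specific checks.

Added illustration, not SentinelCodeGuard's own code. A deliberately tiny top-level
key scanner stands in for a YAML parser so the script runs without PyYAML.
"""
import re

# A document carrying all of these top-level keys is treated as a Sentinel rule,
# whatever its filename (assumed marker set for this example).
RULE_MARKER_FIELDS = {"id", "name", "severity", "query", "kind"}
# Fields a Scheduled rule needs and an NRT rule must not carry (assumed here).
SCHEDULE_FIELDS = ("queryFrequency", "queryPeriod", "triggerOperator", "triggerThreshold")
SEVERITIES = {"Informational", "Low", "Medium", "High"}
GUID = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# ISO 8601 durations as Sentinel writes them: PT5M, PT1H, P1D, P14D, PT1H30M.
ISO_DURATION = re.compile(r"^P(?!$)(?:\d+D)?(?:T(?!$)(?:\d+H)?(?:\d+M)?)?$")
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z][A-Za-z0-9]*):[ \t]*(.*)$")


def top_level_fields(yaml_text):
    """Map column-0 keys to their inline scalar ('' or '|' for block values)."""
    fields = {}
    for line in yaml_text.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def is_sentinel_rule(yaml_text):
    """Detect a rule by its content, not by its filename."""
    return RULE_MARKER_FIELDS <= set(top_level_fields(yaml_text))


def validate_rule(yaml_text):
    """Return a list of problems; an empty list means the rule passed these checks."""
    fields = top_level_fields(yaml_text)
    if not is_sentinel_rule(yaml_text):
        missing = sorted(RULE_MARKER_FIELDS - set(fields))
        return [f"not a Sentinel rule: missing {', '.join(missing)}"]
    problems = []
    if not GUID.match(fields["id"]):
        problems.append(f"id must be a GUID, got {fields['id']!r}")
    if fields["severity"] not in SEVERITIES:
        problems.append(f"severity must be one of {sorted(SEVERITIES)}, got {fields['severity']!r}")
    kind = fields["kind"]
    if kind == "Scheduled":
        problems += [f"Scheduled rule is missing {f}" for f in SCHEDULE_FIELDS if f not in fields]
        for f in ("queryFrequency", "queryPeriod"):
            if f in fields and not ISO_DURATION.match(fields[f]):
                problems.append(f"{f} must be an ISO 8601 duration such as PT1H, got {fields[f]!r}")
    elif kind == "NRT":
        problems += [f"NRT rule must not set {f}" for f in SCHEDULE_FIELDS if f in fields]
    else:
        problems.append(f"unsupported kind {kind!r}")
    return problems


# Constructed sample documents for the demonstration (not real repository rules).
GOOD_RULE = """\
id: 3f2504e0-4f89-11d3-9a0c-0305e82c3301
name: Suspicious sign-in burst
description: Many failed sign-ins followed by a success from one IP.
severity: Medium
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110
query: |
  SigninLogs
  | where ResultType != 0
  | summarize Failures = count() by IPAddress
  | where Failures > 20
kind: Scheduled
"""
BAD_RULE = """\
id: {{GUID}}
name: Draft rule from template
severity: Critical
queryFrequency: 1h
queryPeriod: PT1H
triggerOperator: gt
query: SigninLogs | take 10
kind: Scheduled
"""
NOT_A_RULE = "name: pipeline\nsteps:\n  - run: echo hi\n"

if __name__ == "__main__":
    for label, doc in (("good", GOOD_RULE), ("bad", BAD_RULE), ("other", NOT_A_RULE)):
        print(label, "rule" if is_sentinel_rule(doc) else "not a rule", validate_rule(doc))
```

Running the script reports the good rule as clean and lists four problems for the draft: the unreplaced placeholder, an invalid severity, a missing `triggerThreshold` and a `queryFrequency` of `1h` that is not an ISO 8601 duration.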
- Optimized Validation Engine - Significantly improved rule validation performance with streamlined data processing
- Enhanced Security Framework - Strengthened dependency management and updated security protocols
- Updated Dependencies - Latest security patches and compatibility improvements for all core libraries
- Modernized Build Pipeline - Updated CI/CD workflows for more reliable builds and releases
- Enhanced Test Coverage - Comprehensive test suite improvements ensuring higher code quality
- Better Resource Management - Optimized background processes for seamless development experience
- Official Sentinel Connector Database - Validates against the complete catalog of Microsoft Sentinel data connectors from Content Hub
- Smart Connector Suggestions - Intelligent autocomplete for connector IDs with descriptions and categories
- Data Type Validation - Comprehensive validation of data types (tables) for each connector with helpful suggestions
- Custom Connector Support - Full support for custom and codeless connectors alongside official ones
- Enhanced Error Messages - Clear, actionable validation messages with suggested alternatives for misspelled connectors
- Category-Based Organization - Connectors grouped by categories (Cloud, Network, Security, etc.) for easier discovery
- Rich Connector Details - Hover over connector IDs to see descriptions, categories, and available data types
- Data Type Tooltips - Hover over data types to see which connectors provide them
- Always-Fresh Data - Connector information automatically updated from official Microsoft sources
- Deprecation Warnings - Alerts for deprecated connectors with migration guidance
- Smart Completion - Context-aware suggestions that understand your rule requirements
- Eliminated False Positives - No more "unknown connector" errors for valid Microsoft connectors
- Faster Development - Instant validation and suggestions reduce time spent looking up connector documentation
- Professional Validation - Enterprise-grade validation using the same data sources as Azure Portal
- Backward Compatibility - Existing rules continue to work while benefiting from enhanced validation
- Multi-Framework Coverage - Now supports Enterprise, Mobile, and ICS MITRE ATT&CK frameworks
- Eliminated "Tactics Not Found" Errors - Comprehensive coverage of all Sentinel-supported tactics and techniques
- Framework-Aware Hover Information - Enhanced tooltips showing which framework tactics/techniques belong to
- Official MITRE Data Integration - Direct use of official MITRE JSON data sources for accuracy
- Regenerate Rule GUID - Right-click on YAML files to replace existing GUIDs with new ones
- Add Missing GUID - Automatically detect files without GUIDs and offer to add them
- Smart GUID Detection - Recognises both actual GUIDs and template placeholders (`{{GUID}}`)
- Confirmation Dialogs - Preview old and new GUIDs before replacement
- Auto-GUID Templates - All new templates automatically replace `{{GUID}}` placeholders with real UUIDs
- Unified Command Interface - Single "Generate Rule Template" command in command palette with interactive template selection
- Streamlined Command Palette - Removed individual template commands for cleaner interface
- Dual Access Points - Templates available via both command palette and right-click context menu
- Unique IDs for Every Template - No more duplicate GUIDs when creating multiple templates
- Proper Indentation Preservation - GUID replacement maintains YAML formatting
- Context Menu Integration - "Regenerate Rule GUID" available via right-click
- Bulk Template Creation - Each template gets a unique GUID automatically
- Simplified Workflow - One command for all template types instead of multiple separate commands
- Quick GUID Regeneration - Perfect for duplicating existing rules
- Template-to-Production - Convert templates with placeholder GUIDs to production-ready rules
- Rule Duplication Workflow - Copy existing rules and generate new GUIDs instantly
- Error Prevention - Ensures unique identifiers across rule sets
- Professional Command Structure - Clean, organized command palette experience
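An added example of the GUID workflow described above (placeholder detection, regeneration that keeps indentation, adding a missing id, and keeping ids unique across a rule set). It is not the extension's own code; the `{{GUID}}` placeholder is the only value taken from the page, and the sample documents are constructed.

```python
"""GUID maintenance for Sentinel rule YAML: detect, regenerate, add, de-duplicate.

Added illustration, not SentinelCodeGuard's own code. Only the {{GUID}} placeholder
convention comes from the extension's documentation; everything else is assumed.
"""
import re
import uuid

PLACEHOLDER = "{{GUID}}"
# An `id:` line anywhere in the file, keeping its indentation and value. Accepts a
# real GUID (any hex case) or the template placeholder.
ID_LINE = re.compile(
    r"^(?P<indent>[ \t]*)id:[ \t]*"
    r"(?P<value>\{\{GUID\}\}|[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})[ \t]*$",
    re.MULTILINE,
)


def find_rule_id(yaml_text):
    """Return (value, is_placeholder) for the rule's id line, or None when absent."""
    m = ID_LINE.search(yaml_text)
    if not m:
        return None
    return m.group("value"), m.group("value") == PLACEHOLDER


def regenerate_guid(yaml_text, new_guid=None):
    """Replace the id (real or placeholder) with a fresh UUID4, preserving indentation.

    Returns (new_text, old_value, new_value) so a caller can show a confirmation
    preview before writing. new_guid is injectable for deterministic tests.
    """
    m = ID_LINE.search(yaml_text)
    if not m:
        raise ValueError("no id field found; use add_missing_guid instead")
    new_value = new_guid or str(uuid.uuid4())
    new_text = yaml_text[:m.start()] + f"{m.group('indent')}id: {new_value}" + yaml_text[m.end():]
    return new_text, m.group("value"), new_value


def add_missing_guid(yaml_text, new_guid=None):
    """Prepend an `id:` line when the rule has none; otherwise return the text unchanged."""
    if ID_LINE.search(yaml_text):
        return yaml_text, None
    new_value = new_guid or str(uuid.uuid4())
    return f"id: {new_value}\n" + yaml_text, new_value


def ensure_unique_ids(docs):
    """docs: {path: yaml_text}. Keep the first occurrence of each GUID, regenerate
    later duplicates and placeholders, add ids where missing. Returns (new_docs, changes)
    where changes is a list of (path, old_value_or_None, new_value)."""
    seen, out, changes = set(), {}, []
    for path, text in docs.items():
        found = find_rule_id(text)
        if found is None:
            text, new = add_missing_guid(text)
            changes.append((path, None, new))
        elif found[1] or found[0].lower() in seen:
            text, old, new = regenerate_guid(text)
            changes.append((path, old, new))
        out[path] = text
        seen.add(find_rule_id(text)[0].lower())
    return out, changes


# Constructed sample rule set: one original, one copy of it, one template, one without an id.
DOCS = {
    "a.yaml": "id: 3f2504e0-4f89-11d3-9a0c-0305e82c3301\nname: A\n",
    "b.yaml": "id: 3F2504E0-4F89-11D3-9A0C-0305E82C3301\nname: B copied from A\n",
    "c.yaml": "id: {{GUID}}\nname: C from template\n",
    "d.yaml": "name: D without id\n",
}

if __name__ == "__main__":
    fixed, changes = ensure_unique_ids(DOCS)
    for path, old, new in changes:
        print(f"{path}: {old or '(missing)'} -> {new}")
```

Matching the `id:` line with a regular expression rather than re-serialising the document is what keeps the rest of the file byte-for-byte intact, including indentation and comments; the case-insensitive duplicate check catches a rule that was copied and had its GUID re-typed in a different case.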
- Interactive template selection with visual quick-pick interface
- Intelligent right-click workflow - Right-click folder → Create Sentinel Rule Template → Choose type → Select location
- All template types available from context menu (Standard, Advanced, NRT, Behaviour Analytics, Minimal, Fallback)
- Smart default locations using right-clicked folder path
- Professional file naming with template-specific suggestions
- Single entry point for all template creation via "Create Sentinel Rule Template..."
- Step-by-step workflow with clear prompts and cancellation support
- Automatic file opening after template creation
- Enhanced notifications for success and error states
- Native VS Code integration using standard save dialogues and UI patterns
- Visual template selection with icons, descriptions, and use cases
- Template-specific filenames following established naming conventions
- Support for both extensions (.yaml and .yml)
- Comprehensive template library covering all Sentinel rule scenarios
- From VS Code Marketplace: Search for "SentinelCodeGuard" in Extensions
- From Visual Studio Marketplace: SentinelCodeGuard
- Manual Installation: Download the `.vsix` from GitHub Releases
- Open Command Palette (`Ctrl+Shift+P` / `Cmd+Shift+P`)
- Run: `Sentinel: Generate Standard Rule Template`
- Edit the template with real-time validation feedback
- Format automatically with `Shift+Alt+F`
- Right-click any `.json` file containing ARM templates
- Select: "Decompile ARM to YAML"
- Choose naming strategy and output location
- Review conversion summary with any warnings
| Command | Description |
|---|---|
| Sentinel Rules: Generate Rule Template | Interactive template creation workflow with multiple template types |
| Sentinel Rules: Generate New Rule ID | Generate new GUID for current rule |
| Sentinel Rules: Generate New IDs for All Rules | Bulk GUID regeneration for workspace |
| Sentinel Rules: Fix Field Order | Reorder fields according to best practices |
| Sentinel Rules: Format Sentinel Rule | Format and optimise rule structure |
| Sentinel Rules: Bulk Maintenance & Validation | Workspace-wide validation and maintenance |
| Sentinel Rules: Decompile ARM to YAML | Convert ARM templates to YAML |
| Template | Complexity | Use Case | Target Audience |
|---|---|---|---|
| Minimal | | Quick prototyping | New users, rapid testing |
| Standard | | General detection | SOC analysts, security engineers |
| Advanced | | Complex correlation | Senior analysts, threat hunters |
| NRT | | Real-time alerts | Critical asset monitoring |
| Anomaly Detection | | Behavioural analysis | Advanced threat hunting |
No special naming required! Works with any YAML file containing Sentinel rule fields:

```text
detection-rules/
├── login-anomalies.yaml            # ✓ Auto-detected
├── data-exfiltration.yml           # ✓ Auto-detected
├── rules/
│   ├── privilege-escalation.yaml   # ✓ Auto-detected
│   └── malware-detection.yaml      # ✓ Auto-detected
```
Convert multiple rules from a single ARM template:

Input: `SecurityRules.json` (5 rules) → Output: 5 separate YAML files

- `suspicious_login_activity.yaml`
- `data_exfiltration_alert.yaml`
- `privilege_escalation.yaml`
- etc.
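How a bulk ARM-to-YAML conversion with the `displayName` naming strategy can work, shown as an added Python example rather than SentinelCodeGuard's own converter. The ARM resource type, the field map, the operator translation and the sample template are assumptions made for this example, and the `ruleId` strategy name is invented here; the page only names `displayName`.

```python
"""Bulk ARM -> YAML conversion of Sentinel analytics rules with a naming strategy.

Added illustration, not SentinelCodeGuard's own converter. The field map, the
'ruleId' strategy name and the sample template are assumptions for this example.
"""
import json
import re

RULE_TYPE = "Microsoft.OperationalInsights/workspaces/providers/alertRules"
GUID_IN_NAME = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# ARM property -> YAML field, in the order the YAML file is written (assumed order).
FIELD_MAP = [("displayName", "name"), ("description", "description"), ("severity", "severity"),
             ("queryFrequency", "queryFrequency"), ("queryPeriod", "queryPeriod"),
             ("triggerOperator", "triggerOperator"), ("triggerThreshold", "triggerThreshold"),
             ("tactics", "tactics"), ("techniques", "relevantTechniques"),
             ("query", "query"), ("entityMappings", "entityMappings")]
# ARM spells the operator out; the YAML rule schema uses the short form.
OPERATORS = {"GreaterThan": "gt", "LessThan": "lt", "Equal": "eq", "NotEqual": "ne"}


def arm_to_rules(arm_json):
    """Turn every alert-rule resource in an ARM template into an ordered YAML field dict."""
    rules = []
    for res in json.loads(arm_json).get("resources", []):
        if res.get("type") != RULE_TYPE:
            continue                                    # workspaces, connectors, etc.
        props = res.get("properties", {})
        m = GUID_IN_NAME.search(res.get("name", ""))    # the GUID is the last name segment
        rule = {"id": m.group(0) if m else "<MISSING-GUID>"}
        for arm_key, yaml_key in FIELD_MAP:
            if arm_key in props:
                rule[yaml_key] = props[arm_key]
        if "triggerOperator" in rule:
            rule["triggerOperator"] = OPERATORS.get(rule["triggerOperator"], rule["triggerOperator"])
        rule["kind"] = res.get("kind", "Scheduled")
        rules.append(rule)
    return rules


def rule_filename(rule, strategy="displayName"):
    """displayName -> snake_case stem; ruleId (assumed name) -> the GUID itself."""
    if strategy == "displayName":
        stem = re.sub(r"[^a-z0-9]+", "_", rule["name"].lower()).strip("_")
    elif strategy == "ruleId":
        stem = rule["id"]
    else:
        raise ValueError(f"unknown naming strategy {strategy!r}")
    return stem + ".yaml"


def to_yaml(value, indent=0):
    """Minimal emitter for the shapes a rule uses: scalars, lists, dicts, block strings."""
    pad = " " * indent
    if isinstance(value, (dict, list)) and not value:
        return "{}" if isinstance(value, dict) else "[]"
    if isinstance(value, dict):
        lines = []
        for k, v in value.items():
            if isinstance(v, (dict, list)) and v:
                lines.append(f"{pad}{k}:\n{to_yaml(v, indent + 2)}")
            elif isinstance(v, str) and "\n" in v:      # multi-line query -> literal block
                body = "\n".join(f"{pad}  {l}" for l in v.rstrip("\n").split("\n"))
                lines.append(f"{pad}{k}: |\n{body}")
            else:
                lines.append(f"{pad}{k}: {to_yaml(v)}")
        return "\n".join(lines)
    if isinstance(value, list):
        out = []
        for item in value:
            nested = to_yaml(item, indent + 2).split("\n")
            out.append(f"{pad}- {nested[0].lstrip()}")
            out.extend(nested[1:])
        return "\n".join(out)
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    s = str(value)  # quote only when YAML could misread the plain scalar
    return json.dumps(s) if (not s or any(c in s for c in ":#'\"") or s != s.strip()) else s


def convert_arm_template(arm_json, strategy="displayName"):
    """Return ({filename: yaml_text}, warnings): one YAML file per rule in the template."""
    files, warnings = {}, []
    for rule in arm_to_rules(arm_json):
        if rule["id"] == "<MISSING-GUID>":
            warnings.append(f"{rule.get('name')}: no GUID in the ARM resource name")
        fname = rule_filename(rule, strategy)
        if fname in files:
            warnings.append(f"{fname}: duplicate output name, later rule overwrote the earlier one")
        files[fname] = to_yaml(rule) + "\n"
    return files, warnings


# Constructed sample template: two rules plus a non-rule resource that must be skipped.
SAMPLE_ARM = json.dumps({"resources": [
    {"type": RULE_TYPE, "kind": "Scheduled",
     "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5d1b2f33-7c8e-4a21-9b0f-1e2d3c4b5a69')]",
     "properties": {"displayName": "Suspicious Login Activity",
                    "description": "Repeated failed sign-ins followed by a success.",
                    "severity": "Medium", "queryFrequency": "PT1H", "queryPeriod": "PT1H",
                    "triggerOperator": "GreaterThan", "triggerThreshold": 0,
                    "tactics": ["InitialAccess"], "techniques": ["T1078"],
                    "query": "SigninLogs\n| where ResultType != 0\n| summarize Failures = count() by IPAddress",
                    "entityMappings": [{"entityType": "IP", "fieldMappings": [
                        {"identifier": "Address", "columnName": "IPAddress"}]}]}},
    {"type": RULE_TYPE, "kind": "NRT",
     "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0b7e9a4c-2d5f-4e61-8a73-c1d2e3f4a5b6')]",
     "properties": {"displayName": "Data Exfiltration Alert", "severity": "High",
                    "tactics": ["Exfiltration"], "techniques": ["T1048"],
                    "query": "CommonSecurityLog\n| where SentBytes > 1000000000"}},
    {"type": "Microsoft.OperationalInsights/workspaces", "name": "[parameters('workspace')]"}]})
```

Calling `convert_arm_template(SAMPLE_ARM)` yields `suspicious_login_activity.yaml` and `data_exfiltration_alert.yaml` with an empty warning list; the conversion summary the extension shows corresponds to the `warnings` list here, which is where a missing GUID or a filename collision between two rules with the same display name would surface.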
```json
{
  "sentinelRules.validation.enabled": true,
  "sentinelRules.formatting.enabled": true,
  "sentinelRules.conversion.defaultNamingStrategy": "displayName"
}
```
For comprehensive configuration options, see: Configuration Guide
- Microsoft Sentinel Docs - Official documentation
- MITRE ATT&CK - Framework reference
- KQL Reference - Query language docs
- Fork the repository
- Create a feature branch
- Make your changes
- Submit a pull request
MIT License - see LICENSE for details.
SentinelCodeGuard - A development toolkit for Microsoft Sentinel Analytics Rules