How to Automate the Backup of Azure Sentinel Tables to Blob Storage Using PowerShell

Not too long ago I wrote a blog post describing how to use Cloud Shell to create Export Rules that automate the backup of Azure Sentinel tables to Blob storage for long-term retention. This is useful for organizations that are required by policy to keep data longer than the 2-year (730-day) maximum retention a Log Analytics workspace supports.

If you missed that blog post, see: How to Automate the Backup of Azure Sentinel Tables to Long-term Storage Using Cloud Shell

But, after writing that one, I realized there are a number of folks who prefer the comfort of the PowerShell console and don't spend as much time in the Azure portal as I do (Yes, I heard you!). So, I slapped together some PowerShell scripts that provide the same functionality without having to jump into the Azure portal and spin up Cloud Shell. The scripts call the Azure CLI (az), so you need it installed locally; each script prompts for your Azure login and then executes the defined process.

Make sure to personalize each variable. Also note that an export rule only covers data ingested after the rule is created; it does not export the data already sitting in the table, so put the rule in place before you need the retention, not after.

Create an export rule for an Azure Sentinel table

#==============================================================
# Make the Connection
#==============================================================
# Authenticate the Azure CLI. The az commands below use the CLI's own
# token cache, so an AzureRM/Az PowerShell login is not enough on its own.
az login

#==============================================================
# Define script variables
#==============================================================

# Fill in the Resource Group the Azure Sentinel instance exists in
$ResourceGroup = "YourResourceGroup"

# Fill in the Log Analytics workspace name of your Azure Sentinel instance
$WorkspaceName = "YourWorkspaceName"

# Fill in the table name you want to export
$TableName = "YourTable"

# Name your new export rule
$ExportRule = "YourExportRuleName"

# Fill in the destination of the export: the full Azure resource ID of the
# destination storage account (not a blob URL), in the form
# /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>
# The storage account must be in the same region as the workspace.
$ExportDestination = "YourDestinationResourceId"

#==============================================================
# Create the Export Rule
#==============================================================

az monitor log-analytics workspace data-export create --resource-group $ResourceGroup --workspace-name $WorkspaceName --name $ExportRule --destination $ExportDestination --tables $TableName --enable

Delete an export rule

#==============================================================
# Make the Connection
#==============================================================
# Authenticate the Azure CLI (the az command below does not use an AzureRM session)
az login

#==============================================================
# Define script variables
#==============================================================

# Fill in the Resource Group the Azure Sentinel instance exists in
$ResourceGroup = "YourResourceGroupName"

# Fill in the Log Analytics workspace name of your Azure Sentinel instance
$WorkspaceName = "YourWorkspaceName"

# The name of the export rule to delete
$ExportRule = "YourExportRuleName"

#==============================================================
# Delete the Export Rule
#==============================================================
  
az monitor log-analytics workspace data-export delete --name $ExportRule --resource-group $ResourceGroup --workspace-name $WorkspaceName

Generate a list of your existing export rules

#==============================================================
# Make the Connection
#==============================================================
# Authenticate the Azure CLI (the az command below does not use an AzureRM session)
az login

#==============================================================
# Define script variables
#==============================================================

# Fill in the Resource Group the Azure Sentinel instance exists in
$ResourceGroup = "YourResourceGroupName"

# Fill in the Log Analytics workspace name of your Azure Sentinel instance
$WorkspaceName = "YourWorkspaceName"


#==============================================================
# Get the list of existing Export Rules
#==============================================================
  
az monitor log-analytics workspace data-export list --resource-group $ResourceGroup --workspace-name $WorkspaceName
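Putting the three scripts together, here is an added example (my own, not code from the original post or the SentinelPS repo) that creates one export rule covering several Sentinel tables and then checks the rule it actually created. The resource group, workspace, storage account, rule name and table list are placeholders you must change; the rule properties it reads back (enable, tableNames, destination.resourceId) are the ones the Azure CLI returns for a data export rule.

```powershell
# Added example, not code from the original post: create one export rule that
# covers several Sentinel tables, then verify the rule is enabled and covers
# exactly those tables. All names below are placeholders; change them.

$ErrorActionPreference = "Stop"

# The az commands use the Azure CLI's own credential cache, so authenticate
# with az login (an AzureRM/Az PowerShell login does not carry over).
az login --output none
if ($LASTEXITCODE -ne 0) { throw "az login failed" }

$ResourceGroup  = "YourResourceGroup"
$WorkspaceName  = "YourWorkspaceName"
$StorageAccount = "yourstorageaccount"   # must be in the same region as the workspace
$ExportRule     = "sentinel-longterm"
$Tables         = @("SecurityEvent", "SigninLogs", "AuditLogs")

# Resolve the destination to its Azure resource ID instead of hand-typing it;
# --destination expects the resource ID of the storage account, not a blob URL.
$ExportDestination = az storage account show `
    --name $StorageAccount --resource-group $ResourceGroup `
    --query id --output tsv
if (-not $ExportDestination) { throw "Storage account '$StorageAccount' not found" }

# Refuse to silently clobber an existing rule with the same name.
$existing = az monitor log-analytics workspace data-export list `
    --resource-group $ResourceGroup --workspace-name $WorkspaceName `
    --query "[?name=='$ExportRule'].name" --output tsv
if ($existing) { throw "Export rule '$ExportRule' already exists; delete or update it first" }

# One rule, several tables: PowerShell expands the array into separate
# arguments after --tables.
az monitor log-analytics workspace data-export create `
    --resource-group $ResourceGroup --workspace-name $WorkspaceName `
    --name $ExportRule --destination $ExportDestination `
    --tables $Tables --enable --output none
if ($LASTEXITCODE -ne 0) { throw "Creating export rule '$ExportRule' failed" }

# Verify what was actually created rather than trusting the exit code alone.
$rule = az monitor log-analytics workspace data-export show `
    --resource-group $ResourceGroup --workspace-name $WorkspaceName `
    --name $ExportRule --output json | Out-String | ConvertFrom-Json

if (-not $rule.enable) { throw "Export rule '$ExportRule' was created but is not enabled" }

$missing = $Tables | Where-Object { $_ -notin $rule.tableNames }
if ($missing) { throw "Export rule is missing tables: $($missing -join ', ')" }

Write-Host "Export rule '$ExportRule' active for: $($rule.tableNames -join ', ')"
Write-Host "Destination: $($rule.destination.resourceId)"
```

The read-back at the end matters more than it looks: a rule that exists but is disabled, or that silently dropped a table name, leaves a gap in the long-term copy that you will only notice when you go looking for old data. Remember also that export begins with data ingested after the rule exists, so run this before the retention clock matters.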

P.S. You can always grab the most current versions from my GitHub repo: https://github.com/rod-trent/SentinelPS
