Hopefully, you already know about the methods using PowerShell to import and export Azure Sentinel Analytics Rules. If not, see How to Import One or Multiple Analytics Rules into Azure Sentinel – Azure Cloud & AI Domain Blog (azurecloudai.blog) and Official Azure Sentinel PowerShell Module Released – Azure Cloud & AI Domain Blog (azurecloudai.blog).
But, there’s a recent addition to the UI in Azure Sentinel that allows you to accomplish this directly in the console.
The official documentation around this is here: Import and export Azure Sentinel analytics rules | Microsoft Docs
But, there are some nuances about this function that you might appreciate.
First off, you can import and export one or multiple Analytics Rules. The resulting JSON-formatted ARM template is saved automatically to the web browser’s Downloads folder on the local PC. It should be noted that you can only export Active Analytics Rules – not Rule Templates.
When you choose to export a single Analytics Rule, the file in the Downloads folder is named Azure_Sentinel_analytic_rule.json. When you choose to export multiple Analytics Rules, all of the ones selected are exported into a single file named Azure_Sentinel_analytics_rules.json.
The ARM deployment templates are formatted as you’d expect. I suggest that prior to importing the Analytics Rule(s), you make a slight modification to the displayName property for each Analytics Rule. Maybe it’s just me, but I feel this helps better identify the imported rules, keeps things organized, and ensures there are no duplicate names in the Analytics blade. You can always adjust the names later in the console.
Even though you can change the name of the Analytics Rule in the JSON file before it’s imported, the import is actually based on the ID that is auto-generated and assigned when it is exported. This means that if you import the same export twice or more, it will continually overwrite the original – no matter how many times you change the name.
There’s no special access role required for an Azure Sentinel user to perform the export function. Any user with the Azure Sentinel Reader role and above can perform the export. But, the Azure Sentinel Contributor role is required to perform the import function. And, this makes sense, considering Contributor is essentially the creator role for Azure Sentinel.
Lastly, just so you are aware – there’s a limit on the number of Analytics Rules that can be imported from a single JSON file. That limit is 50. So, similarly, make sure you don’t export more than 50 at once.
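As an added example (not code from the original post or from Microsoft), here is a small Python script that applies the points above to an exported template before you import it: it prefixes every rule’s displayName while leaving the rule GUID inside each resource name untouched (the value the import is keyed on), flags duplicate display names, and splits a file carrying more than 50 rules into import-sized chunks. The embedded template is a constructed, abridged sample with placeholder GUIDs; its shape is assumed to match what the portal export produces.

```python
import copy
import json
import re
from collections import Counter

# Limit stated in the post: the portal importer accepts at most 50 rules per file.
MAX_RULES_PER_IMPORT = 50

# Matches the rule GUID embedded in the ARM "name"/"id" expressions.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def _sample_rule(guid, display_name, query):
    """Build one Scheduled rule resource in the (assumed) exported ARM shape."""
    return {
        "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', "
              "parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/" + guid + "')]",
        "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/" + guid + "')]",
        "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
        "kind": "Scheduled",
        "apiVersion": "2021-03-01-preview",
        "properties": {
            "displayName": display_name,
            "severity": "Medium",
            "enabled": True,
            "query": query,
        },
    }


# Constructed sample export (three rules, placeholder GUIDs). The third rule
# deliberately reuses the first rule's displayName to exercise the duplicate check.
SAMPLE_EXPORT = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"workspace": {"type": "String"}},
    "resources": [
        _sample_rule("11111111-1111-1111-1111-111111111111", "Suspicious sign-in burst",
                     "SigninLogs | where ResultType != 0 | summarize count() by UserPrincipalName"),
        _sample_rule("22222222-2222-2222-2222-222222222222", "New admin role assignment",
                     "AuditLogs | where OperationName has 'Add member to role'"),
        _sample_rule("33333333-3333-3333-3333-333333333333", "Suspicious sign-in burst",
                     "SigninLogs | where RiskLevelDuringSignIn == 'high'"),
    ],
})


def rule_ids(template):
    """Return the GUID from each resource's ARM name expression.

    This is the identity the import is keyed on, so re-importing a file with
    the same GUIDs overwrites the existing rules regardless of displayName.
    """
    ids = []
    for res in template["resources"]:
        match = GUID_RE.search(res["name"])
        ids.append(match.group(0) if match else None)
    return ids


def prefix_display_names(template, prefix):
    """Return a deep copy in which every rule's displayName carries the prefix.

    The original template object is left untouched; only properties.displayName
    changes, so the rule GUIDs (and therefore the import identity) stay the same.
    """
    out = copy.deepcopy(template)
    for res in out["resources"]:
        props = res["properties"]
        props["displayName"] = prefix + props["displayName"]
    return out


def duplicate_display_names(template):
    """Return the sorted list of displayName values used by more than one rule."""
    counts = Counter(res["properties"]["displayName"] for res in template["resources"])
    return sorted(name for name, count in counts.items() if count > 1)


def split_for_import(template, max_rules=MAX_RULES_PER_IMPORT):
    """Split a template into chunks of at most max_rules resources.

    Each chunk keeps the top-level template fields ($schema, parameters, ...)
    so that it is a complete ARM template on its own.
    """
    resources = template["resources"]
    chunks = []
    for start in range(0, len(resources), max_rules):
        chunk = {key: copy.deepcopy(value) for key, value in template.items() if key != "resources"}
        chunk["resources"] = copy.deepcopy(resources[start:start + max_rules])
        chunks.append(chunk)
    return chunks


if __name__ == "__main__":
    template = json.loads(SAMPLE_EXPORT)
    renamed = prefix_display_names(template, "Imported - ")
    print("rule ids unchanged:", rule_ids(renamed) == rule_ids(template))
    print("duplicate display names:", duplicate_display_names(template))
    for index, chunk in enumerate(split_for_import(renamed), start=1):
        with open(f"Azure_Sentinel_analytics_rules_part{index}.json", "w") as handle:
            json.dump(chunk, handle, indent=2)
```

Run it against the real export by replacing SAMPLE_EXPORT with the contents of Azure_Sentinel_analytics_rules.json from your Downloads folder; the part files it writes are what you then import one at a time, and the duplicate list tells you which display names to adjust before importing.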