Azure Sentinel Analytics Rule Extraction [Bulk | Custom]
In this post we will look at different ways of extracting or exporting Sentinel analytics rules for whatever purpose you need them: re-use, backup, redundancy, converting them to code, and so on.
1 — The common and simpler way — but with limitations
Normally you use the Export button on the Sentinel Analytics rules tab. It exports the rules visible on that page (at most 50) to a JSON file, which is a problem if you have more than 50 rules and want all of them exported.
- Log in to Azure Sentinel and head to your workspace.
- Go to the Analytics tab and select the rule(s) you want.
- Click the Export option at the top of the page; you get the rule as an ARM template in JSON, as shown below.

Output
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/<rule-id-here>')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/<rule-id-here>')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "<Rule Name Here>",
        "description": "<The custom description that you set>",
        "severity": "Medium",
        "enabled": true,
        "query": "<The Rule KQL Query>",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT15M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 5,
        "suppressionDuration": "PT10M",
        "suppressionEnabled": true,
        "startTimeUtc": null,
        "tactics": [],
        "techniques": [],
        "alertRuleTemplateName": null,
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AnyAlert",
            "groupByEntities": [],
            "groupByAlertDetails": [],
            "groupByCustomDetails": []
          }
        },
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "alertDetailsOverride": null,
        "customDetails": null,
        "entityMappings": [],
        "sentinelEntitiesMappings": null,
        "templateVersion": null
      }
    }
  ]
}
2 — Through Azure REST API
To get around the limit on how many rules can be exported at once, you can use the Azure REST API to list all the rules. For this you need:
- an authorization token
- the subscription id
- the resource group name
- the workspace name
You can then make a GET request as follows, passing the authorization token, from any API client such as Postman:
- Method: GET
- URL:
https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.OperationalInsights/workspaces/<workspace>/providers/Microsoft.SecurityInsights/alertRules?api-version=2023-02-01
- Authorization:
Bearer <token-here>
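The request above returns the rules one page at a time, so a client still has to follow the `nextLink` the service hands back to get past the first page. The script below is an added example, not code from the original post: it pages through the list call with only the Python standard library and wraps every rule in the same ARM template skeleton that the portal's Export button produces in section 1, so the result can be re-deployed or stored as code. Assumptions not stated in the post: the list response has the usual Azure shape `{"value": [...], "nextLink": "<url>"}`, the token is obtained separately (for example from `az account get-access-token --resource https://management.azure.com`), and `lastModifiedUtc` is a read-only property that should be dropped before redeployment. The sample pages under `FAKE_PAGES` are constructed so the example runs offline.

```python
"""Added example (not from the original post): list every analytics rule in a
Sentinel workspace via the Azure REST API, following nextLink so that more
than 50 rules come back, and wrap them in the ARM template shape the portal's
Export button produces. Assumed (not stated in the post): the list response
has the shape {"value": [...], "nextLink": "<url>"} and lastModifiedUtc is
read-only and must be dropped before redeploying."""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List

API_VERSION = "2023-02-01"  # same api-version as the URL in the post
ARM_SCHEMA = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"
READ_ONLY_PROPERTIES = ("lastModifiedUtc",)  # assumption: returned by GET, not accepted on PUT

Fetcher = Callable[[str, str], Dict]


def list_url(subscription_id: str, resource_group: str, workspace: str) -> str:
    """Build the alertRules list URL from the post."""
    return (
        "https://management.azure.com/subscriptions/{}/resourceGroups/{}"
        "/providers/Microsoft.OperationalInsights/workspaces/{}"
        "/providers/Microsoft.SecurityInsights/alertRules?api-version={}"
    ).format(subscription_id, resource_group, workspace, API_VERSION)


def http_get_json(url: str, token: str) -> Dict:
    """Real fetcher: GET with a Bearer token, standard library only.
    The token can come from: az account get-access-token --resource https://management.azure.com"""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_alert_rules(url: str, token: str, fetch: Fetcher = http_get_json) -> Iterator[Dict]:
    """Yield every rule, following nextLink until the service stops returning one."""
    seen = set()
    while url:
        if url in seen:  # a misbehaving service could hand back the same link forever
            raise RuntimeError("nextLink loop detected at " + url)
        seen.add(url)
        page = fetch(url, token)
        for rule in page.get("value", []):
            yield rule
        url = page.get("nextLink")


def to_arm_template(rules: List[Dict]) -> Dict:
    """Wrap rules in the deployment-template skeleton the portal Export emits."""
    resources = []
    for rule in rules:
        rule_id = rule["name"]  # the GUID segment of the rule's resource name
        properties = {k: v for k, v in rule["properties"].items()
                      if k not in READ_ONLY_PROPERTIES}
        resources.append({
            "id": ("[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', "
                   "parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/{}')]"
                   ).format(rule_id),
            "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/{}')]".format(rule_id),
            "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
            "kind": rule["kind"],
            "apiVersion": API_VERSION,
            "properties": properties,
        })
    return {
        "$schema": ARM_SCHEMA,
        "contentVersion": "1.0.0.0",
        "parameters": {"workspace": {"type": "String"}},
        "resources": resources,
    }


def export_rules(url: str, token: str, fetch: Fetcher = http_get_json) -> Dict:
    """Full pipeline: page through the list call and build one template for all rules."""
    return to_arm_template(list(iter_alert_rules(url, token, fetch)))


# Constructed sample responses (two pages) so the example runs offline.
FAKE_PAGES = {
    "https://example.invalid/page1": {
        "value": [
            {"name": "11111111-1111-1111-1111-111111111111", "kind": "Scheduled",
             "properties": {"displayName": "Rule A", "enabled": True,
                            "lastModifiedUtc": "2024-01-01T00:00:00Z"}},
            {"name": "22222222-2222-2222-2222-222222222222", "kind": "Scheduled",
             "properties": {"displayName": "Rule B", "enabled": False}},
        ],
        "nextLink": "https://example.invalid/page2",
    },
    "https://example.invalid/page2": {
        "value": [
            {"name": "33333333-3333-3333-3333-333333333333", "kind": "Fusion",
             "properties": {"displayName": "Rule C", "enabled": True}},
        ],
    },
}


def fake_fetch(url: str, token: str) -> Dict:
    """Offline stand-in for http_get_json, serving the constructed pages."""
    return FAKE_PAGES[url]


if __name__ == "__main__":
    # Against a real workspace, swap fake_fetch for http_get_json and the
    # URL for list_url(<subscription-id>, <resource-group>, <workspace>).
    template = export_rules("https://example.invalid/page1", "dummy-token", fake_fetch)
    with open("sentinel-rules.json", "w") as fh:
        json.dump(template, fh, indent=2)
    print("exported", len(template["resources"]), "rules")
```

To run it for real, replace `fake_fetch` with `http_get_json`, build the URL with `list_url(...)`, and pass the bearer token as the second argument. The loop guard on `nextLink` is cheap insurance against an export job that never finishes, and dropping read-only properties keeps the produced template deployable rather than only readable.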
Or you can use the Azure REST API reference website to authenticate with your Azure account and make the same API call from the browser.
3 — Extract rules in bulk — from the Workbook
For a simpler UI-based approach that also lets you customize the output (which fields are included, filters, etc.), you can use the Workspace Usage Report workbook built into Sentinel. Here is how:
- Log in to Azure Sentinel and head to Workbooks.
- Search for the “Workspace Usage Report” workbook.
- Select your desired workspace and time frame (e.g. 30 days should be enough).
- Go to the Regular Checks (D/W/M) tab, select Weekly, and click Rules.
- Scroll down to see the different categories; we will focus on the Azure Sentinel Analytics Active Rules.
- Click Edit and go to the particular box/section that contains the analytics rules: Active Rules via Rest API.
- In the Active rules section there is a download button that exports the data for all the active rules to an Excel sheet.
- To customize the output columns, use the name of the desired property from the JSON file and add or remove it through the Edit option for this specific section (it is at the bottom of each section, and because the sections are nested you might need to click Edit several times to reach it).

Thank You …
… for reading this post, I hope it was helpful. If there is anything you want to let me know, suggestions or any corrections or mistakes in the post, please leave a comment for me.