Hopefully, you already know about the methods using PowerShell to import and export Azure Sentinel Analytics Rules. If not, see How to Import One or Multiple Analytics Rules into Azure Sentinel – Azure Cloud & AI Domain Blog (azurecloudai.blog) and Official Azure Sentinel PowerShell Module Released – Azure Cloud & AI Domain Blog (azurecloudai.blog).
But, there’s a recent addition to the UI in Azure Sentinel that allows you to accomplish this directly in the console.
The official documentation around this is here: Import and export Azure Sentinel analytics rules | Microsoft Docs
But, there are some nuances about this function that you might appreciate.
First off, you can import and export one or multiple Analytics Rules. The resulting JSON-formatted ARM template is saved automatically to the web browser’s Downloads folder on the local PC. It should be noted that you can only export Active Analytics Rules – not Rule Templates.
Files
When you choose to export a single Analytics Rule, the file in the Downloads folder is named Azure_Sentinel_analytic_rule.json. When you choose to export multiple Analytics Rules, all of the ones selected are exported into a single file named Azure_Sentinel_analytics_rules.json.
Slight Tip
The ARM deployment templates are formatted as you’d expect. I suggest that prior to importing the Analytics Rule(s), you make a slight modification to the displayName property for each Analytics Rule. Maybe it’s just me, but I feel this helps better identify the imported rules, keeps things organized, and ensures there are no duplicate names in the Analytics blade. You can always adjust the names later in the console.
ID Based
Access
There’s no special access role required for an Azure Sentinel user to perform the export function. Any user with the Azure Sentinel Reader role and above can perform the export. But, the Azure Sentinel Contributor role is required to perform the import function. And, this makes sense, considering Contributor is essentially the creator role for Azure Sentinel.
Limitation
Lastly, just so you are aware – there’s a limitation in the number of Analytics Rules that can be imported in a single JSON file. That limitation is 50. So, similarly, make sure you don’t export more than 50 at once.
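As an added example (not code from the original post), the following Python script applies the two points above to an exported file: it prefixes every rule’s displayName before import, and it splits the template’s resource list into pieces of at most 50 rules so each piece stays within the import limit. The template shown is a constructed, simplified sample in the shape of the exported ARM file; the prefix string and the chunking logic are this example’s own, not part of the Sentinel export.

```python
import json
import copy

# Constructed sample in the shape of an exported Azure Sentinel ARM template
# (two Scheduled rules, simplified); a real export would hold up to 50 rules.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"workspace": {"type": "String"}},
    "resources": [
        {
            "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
            "kind": "Scheduled",
            "properties": {"displayName": "Suspicious sign-in", "enabled": True},
        },
        {
            "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
            "kind": "Scheduled",
            "properties": {"displayName": "Rare process", "enabled": True},
        },
    ],
}

MAX_RULES_PER_IMPORT = 50  # console import limit stated in the post


def prefix_display_names(template: dict, prefix: str) -> dict:
    """Return a copy with every alertRules displayName prefixed; rules that
    already carry the prefix are left alone, so running twice is harmless."""
    out = copy.deepcopy(template)
    for res in out["resources"]:
        if not res.get("type", "").endswith("/alertRules"):
            continue  # leave any non-rule resource untouched
        name = res["properties"]["displayName"]
        if not name.startswith(prefix):
            res["properties"]["displayName"] = prefix + name
    return out


def split_template(template: dict, max_rules: int = MAX_RULES_PER_IMPORT) -> list:
    """Split a template into several, each carrying at most max_rules
    resources, so every piece can be imported through the console."""
    resources = template["resources"]
    chunks = []
    for i in range(0, len(resources), max_rules):
        part = {k: v for k, v in template.items() if k != "resources"}
        part["resources"] = resources[i:i + max_rules]
        chunks.append(part)
    return chunks
```

To use it on a real export, load Azure_Sentinel_analytics_rules.json with json.load, pass it through both functions, and json.dump each returned part to its own file before importing.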
This blog is part of Azure Week. Check it out for more great content!
About the Author:
Cybersecurity PFE/Consultant at Microsoft focused on Azure Sentinel, Azure Security Center, and Azure AD.
Reference:
Trent, R. (2021). How to Import and Export Azure Sentinel Analytics Rules Using the Console. Available at: https://azurecloudai.blog/2021/06/15/how-to-import-and-export-azure-sentinel-analytics-rules-using-the-console/ [Accessed: 7th July 2021].