export rules from analytics


Hi All

I am sure this is a simple issue - I am just wanting to export all the rules from the analytics workspace in Sentinel (disabled / enabled) into a platform to enable me to monitor the rules, update and amend accordingly. Is there a way to export the rules in analytics? I have seen a few examples of exporting a rule from logs but essentially this isn't going to work for me. Thanks in advance

2 Replies

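@wootts You can do so using the Azure Sentinel REST API. I wrote some blog posts about how to do that at https://www.garybushey.com

@wootts There's also a PowerShell module:

https://github.com/wortell/AZSentinel/tree/master/AzSentinel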