Azure Sentinel News

How to Automate the Backup of Azure Sentinel Tables to Long-term Storage Using Cloud Shell

by Azure Sentinel News Editor
December 28, 2020
in SIEM

Azure Sentinel customers with data-retention policies that require keeping data longer than Log Analytics allows want to know how to move their Azure Sentinel tables to long-term storage. In a recent blog post, Matt Lowe described how to Move Your Azure Sentinel Logs to Long-Term Storage with Ease, using an Azure Sentinel Playbook (a Logic App) to do the work.

I also recently wrote about how to Export and Backup Azure Sentinel Tables locally to a .csv Using PowerShell.

But a more recent addition to the Azure CLI, the az monitor log-analytics workspace data-export command group, lets you automate the export from Cloud Shell with a single command.

The full details around this are located at: Manage data export rules for log analytics workspace.

Here’s how this works…

  • Step 1: Create a Storage Account. It must be in the same region as the Log Analytics workspace behind your Azure Sentinel instance.
  • Step 2: Run Cloud Shell in Azure and create an Export Rule for that workspace with the following command:
az monitor log-analytics workspace data-export create -g <YourSentinelResourceGroup> --workspace-name <YourSentinelWorkspaceName> -n <GiveYourExportRuleaName> --destination <YourStorageAccountResourceId> --enable -t SecurityEvent

In the command above I'm choosing to back up only the SecurityEvent table. To back up several tables, list them after -t (--tables), separated by spaces; to back up all tables, replace -t SecurityEvent with --all true.

BTW: The --destination value must be the FULL destination, which is the Resource ID of the Storage Account, not a blob or container URL. It has the form /subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroup>/providers/Microsoft.Storage/storageAccounts/<StorageAccountName>, and you can find it under Properties of the Storage Account you created in Step 1. Just copy it to the clipboard and paste it into the Cloud Shell command.

Getting the Storage Account Resource ID
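As an added example (not code from the original post or from Microsoft), here is a small POSIX shell wrapper around the commands above. It builds the storage-account resource ID itself, refuses a --destination that is not a resource ID, checks the table names for typos, and prints the create, show and delete commands, running them only when EXECUTE=1 is set in the environment. The subscription, resource group, workspace, storage-account and rule names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from Microsoft): wrapper around
# `az monitor log-analytics workspace data-export` that always passes a
# storage-account resource ID as --destination.  All names below are
# placeholders.  Commands are printed only, unless EXECUTE=1 is set.
set -eu

# Build the resource ID that --destination expects (the same string the portal
# shows under Properties > Resource ID on the storage account).
storage_account_id() {
  sub="$1"; rg="$2"; account="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s\n' \
    "$sub" "$rg" "$account"
}

# Reject destinations that are not a storage-account resource ID, e.g. a blob
# URL or container name pasted from the portal by mistake.
is_storage_account_id() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Storage/storageAccounts/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Log Analytics table names are alphanumeric/underscore (custom tables end in
# _CL); catch typos such as 'Security Event' before the service does.
valid_table() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the create command.  With no table arguments it exports every table
# (--all true); otherwise only the tables listed (--tables, space-separated).
build_export_create() {
  rg="$1"; ws="$2"; rule="$3"; dest="$4"; shift 4
  is_storage_account_id "$dest" || { echo "destination is not a storage-account resource ID: $dest" >&2; return 1; }
  cmd="az monitor log-analytics workspace data-export create --resource-group $rg --workspace-name $ws -n $rule --destination $dest --enable"
  if [ "$#" -eq 0 ]; then
    cmd="$cmd --all true"
  else
    cmd="$cmd --tables"
    for t in "$@"; do
      valid_table "$t" || { echo "invalid table name: $t" >&2; return 1; }
      cmd="$cmd $t"
    done
  fi
  printf '%s\n' "$cmd"
}

# Print the matching show (verify the rule exists and is enabled) and delete commands.
build_export_show() {
  printf 'az monitor log-analytics workspace data-export show --resource-group %s --workspace-name %s -n %s\n' "$1" "$2" "$3"
}
build_export_delete() {
  printf 'az monitor log-analytics workspace data-export delete --resource-group %s --workspace-name %s -n %s\n' "$1" "$2" "$3"
}

# Echo a command, and execute it only when EXECUTE=1 (a failed az call aborts the script).
run() {
  printf '%s\n' "$1"
  [ "${EXECUTE:-0}" = "1" ] && sh -c "$1"
  return 0
}

# Placeholder values; replace with your own before setting EXECUTE=1.
SUB="00000000-0000-0000-0000-000000000000"
RG="rg-sentinel"; WS="law-sentinel"; SA="stsentinelbackup"; RULE="export-securityevent"
DEST=$(storage_account_id "$SUB" "$RG" "$SA")
run "$(build_export_create "$RG" "$WS" "$RULE" "$DEST" SecurityEvent SigninLogs)"
run "$(build_export_show "$RG" "$WS" "$RULE")"
```

Run it as-is in Cloud Shell to see the commands it would issue, then set EXECUTE=1 to create the rule for real. If you would rather not assemble the resource ID by hand, `az storage account show --name <StorageAccountName> --resource-group <ResourceGroup> --query id --output tsv` returns the same string.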

Once the Export Rule is created and enabled, the process is automatic: new SecurityEvent records (or records for whichever tables you chose) are exported to Blob storage as they are ingested into the workspace. The data lands in a container named am- followed by the table name (for example am-securityevent), in JSON blobs written in five-minute intervals under folders organised by year, month, day and hour. Note that only data ingested after the rule was created is exported; records already sitting in the workspace are not backfilled, so if you need the existing contents of a table, use one of the methods linked above (the playbook, or the PowerShell export to .csv) for that one-time pull.

Hourly folders of exported SecurityEvent data in the Blob container

The SecurityEvent table will continue to be exported to Blob storage until you delete the Export Rule with another command:

az monitor log-analytics workspace data-export delete --name <YourExportRuleName> --resource-group <YourSentinelResourceGroup> --workspace-name <YourSentinelWorkspaceName>
Delete the Export Rule

NOTE: Deleting the Export Rule does not delete the backups. Bear in mind that the container now holds raw security events outside the workspace's own access controls, so treat the Storage Account accordingly: disable public blob access, restrict network access, and, if long retention is a compliance requirement, consider a time-based immutability (retention) policy on the container so the exported data cannot be deleted or altered before the retention period ends.

Additionally, make sure you check out the other subcommands on the az monitor log-analytics workspace data-export page (list, show, update). You can quickly update your original Export Rule, too, which saves time when you simply want to adjust it, without deleting the original rule and generating a second, replacement rule.

With the table (or tables) exported to the Blob container, you can download the blobs through the Azure portal and open them in Visual Studio (or whatever tool you use to read JSON data). Each blob is newline-delimited JSON, one record per line.

Download JSON
Looking at the backed-up data in Visual Studio

P.S. In this example I chose to export to Blob storage, but the same command works with an Event Hubs namespace or a specific event hub as the destination (again, given by its resource ID), which opens the door to automated forwarding of Azure Sentinel data to third-party SIEMs, if you think about it.

Reference: https://azurecloudai.blog/2020/09/11/how-to-export-azure-sentinel-tables-to-a-blob-container-for-long-term-storage-using-cloud-shell/

Copyright © 2020 - Azure Sentinel News
