Backing up Sentinel and the Security subscription
A lot of people ask about how Security Operations can effectively back up all of the Sentinel related objects. One option is to use GitHub or Azure DevOps pipelines to get a daily backup. I’ve been doing this for a very long time and it seems like a good forum to share that code.
The trick behind it has been to use PowerShell to derive the current API versions for Azure objects. Once you do that, you can recursively download the whole subscription to a repo and then scripts can generate reports using markdown and yaml. I’ve been backing up my subscription reliably since 2021.
The default project creates reports for all the Sentinel related elements.
Markdown lets the object reports be drilled down into…
And KQL is presented as YAML for readability.
It’s actually easy to deploy all the backed-up JSON files through REST if needed, but for most of us, being able to have readable KQL and Git history of changes in files is probably all we need.
This project is completely written in PowerShell with no compiled modules & anyone is freely welcome to it.
I’ve written more about it here:
Daily Azure / Sentinel Backup (and Reporting) with GitHub
… and the source code and install documentation can be found here:
https://github.com/LaurieRhodes/PUBLIC-Subscription-Backup
I hope this is of use to the community! 🙂
Best Regards
Laurie
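The two steps the post describes (derive the current API version from the provider metadata, then pull the object's JSON and write its KQL out readably) in a compact form. This is an added illustration, not code from the PUBLIC-Subscription-Backup project; it assumes Az.Accounts and Az.Resources are installed, Connect-AzAccount has been run, and the function names and output layout are my own.

```powershell
# Added example (not the project's code): derive the newest API version for a
# resource type from its provider, then fetch the raw ARM JSON for one resource
# and, for Sentinel analytics rules, emit the KQL as a readable YAML block.

function Get-LatestApiVersion {
    param(
        [Parameter(Mandatory)][string]$ResourceType   # e.g. Microsoft.SecurityInsights/alertRules
    )
    $namespace, $type = $ResourceType -split '/', 2
    $provider = Get-AzResourceProvider -ProviderNamespace $namespace
    $rt = $provider.ResourceTypes | Where-Object { $_.ResourceTypeName -eq $type }
    if (-not $rt) { throw "Unknown resource type: $ResourceType" }
    # Prefer GA versions (no 'preview' suffix); fall back to preview if that is all there is.
    $versions = $rt.ApiVersions | Where-Object { $_ -notmatch 'preview' }
    if (-not $versions) { $versions = $rt.ApiVersions }
    return ($versions | Sort-Object -Descending | Select-Object -First 1)
}

function Export-ResourceJson {
    param(
        [Parameter(Mandatory)][string]$ResourceId,    # full ARM id of the object to back up
        [Parameter(Mandatory)][string]$ResourceType,  # namespace/type used to look up the API version
        [Parameter(Mandatory)][string]$OutDir         # folder inside the backup repo
    )
    $api  = Get-LatestApiVersion -ResourceType $ResourceType
    $resp = Invoke-AzRestMethod -Path "$ResourceId?api-version=$api" -Method GET
    if ($resp.StatusCode -ne 200) { throw "GET $ResourceId failed with HTTP $($resp.StatusCode)" }
    $obj  = $resp.Content | ConvertFrom-Json
    $safe = $obj.name -replace '[^\w\-]', '_'       # keep file names filesystem-safe
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # The verbatim JSON is what you would re-deploy through REST, so store it untouched.
    $resp.Content | Set-Content -Path (Join-Path $OutDir "$safe.json")
    # Scheduled analytics rules carry their KQL in properties.query; write it as a
    # YAML literal block so that Git history shows line-level diffs of the query.
    if ($obj.properties.query) {
        $kql = ($obj.properties.query -split "`n" | ForEach-Object { "  $_" }) -join "`n"
        @("displayName: $($obj.properties.displayName)", "query: |", $kql) |
            Set-Content -Path (Join-Path $OutDir "$safe.yaml")
    }
}

# Example call (placeholder ids): Export-ResourceJson -ResourceId '/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<ws>/providers/Microsoft.SecurityInsights/alertRules/<ruleId>' -ResourceType 'Microsoft.SecurityInsights/alertRules' -OutDir './backup/alertRules'
```

Looping Export-ResourceJson over the output of Get-AzResource (or the corresponding list endpoint for workspace-scoped Sentinel objects) gives the recursive subscription dump the post describes.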