Export and import analytics rules to and from ARM templates

Important

  • Exporting and importing rules is in PREVIEW. See the Supplemental Terms of Use for Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Introduction

You can now export your analytics rules to Azure Resource Manager (ARM) template files, and import rules from these files, as part of managing and controlling your Microsoft Sentinel deployments as code. The export action will create a JSON file (named Azure_Sentinel_analytic_rule.json) in your browser's downloads location, that you can then rename, move, and otherwise handle like any other file.

The exported JSON file is workspace-independent, so it can be imported to other workspaces and even other tenants. As code, it can also be version-controlled, updated, and deployed in a managed CI/CD framework.

The file includes all the parameters defined in the analytics rule, so for Scheduled rules it includes the underlying query and its accompanying scheduling settings, the severity, incident creation, event- and alert-grouping settings, assigned MITRE ATT&CK tactics, and more. Any type of analytics rule - not just Scheduled - can be exported to a JSON file.

Export rules

  1. From the Microsoft Sentinel navigation menu, select Analytics.

  2. Select the rule you want to export and click Export from the bar at the top of the screen.

    Export analytics rule

    Note

    • You can select multiple analytics rules at once for export by marking the check boxes next to the rules and clicking Export at the end.

    • You can export all the rules on a single page of the display grid at once, by marking the check box in the header row (next to SEVERITY) before clicking Export. You can't export more than one page's worth of rules at a time, though.

    • Be aware that in this scenario, a single file (named Azure_Sentinel_analytic_rules.json) will be created, and will contain JSON code for all the exported rules.

Import rules

  1. Have an analytics rule ARM template JSON file ready.

  2. From the Microsoft Sentinel navigation menu, select Analytics.

  3. Click Import from the bar at the top of the screen. In the resulting dialog box, navigate to and select the JSON file representing the rule you want to import, and select Open.

    Import analytics rule

    Note

    You can import up to 50 analytics rules from a single ARM template file.

Next steps

In this document, you learned how to export and import analytics rules to and from ARM templates.