Microsoft Sentinel is inherently designed as a portal application, providing Security Operations staff with the ability to swiftly create new detections using the data sets they manage.
Most enterprise organisations have faced challenges in establishing a backup solution for Sentinel. Many have resorted to restricting Security staff from using Sentinel's built-in features, insisting that all changes be made exclusively through CI/CD pipelines. This approach has often proved to be as impractical as drafting Word documents via code. Nonetheless, having ongoing backups of Sentinel and its associated services remains crucial.
I strongly advocate for using Git repositories for daily subscription backups, particularly when working with Sentinel and Security subscriptions in Azure. For the past four years, I have been using a nightly backup, and I am pleased to share this code in a public repository:
https://github.com/LaurieRhodes/PUBLIC-Subscription-Backup
This project utilises GitHub secrets with Reader permissions to my subscription, allowing it to recursively download and sanitise my Azure objects into cleaned JSON. Many of these objects can be redeployed as REST payloads if needed, but from a Security team's perspective, the primary value lies in the ability to review previous versions of Detection Rules, Workbooks, and Playbooks in case a manual edit causes issues later on. Impressively, my commit history still allows me to go back to 2021 when I started this process, providing a comprehensive audit trail of all changes made over time.
By using a GitHub pipeline, I can schedule a nightly backup that recursively discovers the objects within my subscription. An additional aspect of this pipeline is a bespoke and extensible reporting structure that generates up-to-date Markdown report menus and YAML copies of KQL data.
As an example, my focus is on security, so I generate reports specifically against security-related objects.
The Markdown structure provides a drill-down menu system for the various Sentinel-related objects I back up.
This allows for clear, readable versions of my KQL.
This project was an excellent way to gain a deeper understanding of how Microsoft manages objects within Azure.
The GitHub repository includes documentation on setting up the project, and the entire solution is built using pure PowerShell, without relying on external modules.
- Log in to post comments