In this blog I will be going through a tool which you can use to turn the analytic rules which exist in your environment into an ARM template which you can then deploy. (Please note this currently only supports scheduled analytic rules.)
This means, if you have an analytic rule which exists only in your Sentinel instance, you can actually deploy it into another instance. I’ve made this process simple, and it’s done via a web app built with Flask, which you can deploy to Azure App Service.
To get started, you’ll need to have Python 3 installed, and you’ll need to install the repository from here: https://github.com/mjensen-gh/download-analytic-rules-as-ARM
Once installed and extracted, run pip install -r requirements.txt. It will install the following modules:
Flask
requests
azure-identity
azure-mgmt-resource
Once installed, you will need to log in to Azure using the command ‘az login’.

Once logged in, you’ll then need to edit views.py so that the subscription ID and resource group match those of your workspace.

Once done, run app.py and you should see a page like this:

From here, you should see a list of the different analytic rules which exist in your environment. Click the ‘Download Template’ button next to a rule and a JSON file will be downloaded to your browser (and stored locally).

From Azure, you can go to ‘Deploy a custom template’

Then click ‘Build your own template in the editor’

You can then paste in the JSON template and click ‘Save’

Change the Subscription and Resource group to the ones you are deploying your template to, and set ‘Workspace’ to the workspace name for Sentinel (it’s the name of the Sentinel instance).

Then click ‘Review + Create’ and ‘Create’.
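As an added example (my own illustration, not code from the download-analytic-rules-as-ARM repository), here is the core of what the app does, written as plain Python so you can see the moving parts: list the Scheduled rules of a workspace through the Sentinel REST API, wrap one rule in an ARM template parameterised on the target workspace, and deploy that template with azure-mgmt-resource as a scripted alternative to the portal’s ‘Deploy a custom template’ blade. The REST path, the ARM resource type and both api-versions are taken from Sentinel’s own template export format and are assumptions here, as is the set of read-only properties stripped before deployment; the sample rule is constructed. The Azure packages are imported lazily so the template-building logic runs offline.

```python
"""Turn a Sentinel scheduled analytic rule into a deployable ARM template.

Added example, not the tool's own code. The REST path, resource type and
api-versions below are assumptions based on Sentinel's template export format.
"""
import json
import uuid

ARM_SCHEMA = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"
SENTINEL_API_VERSION = "2023-02-01"                # assumed; used for the REST listing call
ALERT_RULE_ARM_API_VERSION = "2022-11-01-preview"  # assumed; used inside the template
# Properties the service fills in itself (assumed read-only); not sent back on deploy.
READ_ONLY_PROPERTIES = {"lastModifiedUtc"}


def list_scheduled_rules(subscription_id, resource_group, workspace):
    """Fetch every analytic rule in a workspace using the caller's Azure identity
    (az login locally, or a managed identity on App Service) and keep only
    kind == "Scheduled", which is all the template wrapper supports."""
    # Imported lazily so the pure template logic below runs without these packages.
    import requests
    from azure.identity import DefaultAzureCredential

    token = DefaultAzureCredential().get_token("https://management.azure.com/.default").token
    url = (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}/providers/Microsoft.OperationalInsights"
        f"/workspaces/{workspace}/providers/Microsoft.SecurityInsights/alertRules"
    )
    params = {"api-version": SENTINEL_API_VERSION}
    rules = []
    while url:
        resp = requests.get(url, headers={"Authorization": f"Bearer {token}"},
                            params=params, timeout=30)
        resp.raise_for_status()
        body = resp.json()
        rules.extend(r for r in body.get("value", []) if r.get("kind") == "Scheduled")
        url = body.get("nextLink")  # a nextLink already carries its own api-version
        params = None
    return rules


def rule_to_arm_template(rule):
    """Wrap one Scheduled rule in an ARM template whose only parameter is the
    target workspace name, so the same rule can be deployed into another instance."""
    if rule.get("kind") != "Scheduled":
        raise ValueError(f"only Scheduled rules are supported, got {rule.get('kind')!r}")
    rule_id = rule.get("name") or str(uuid.uuid4())  # rule ids are GUIDs, scoped per workspace
    props = {k: v for k, v in rule["properties"].items() if k not in READ_ONLY_PROPERTIES}
    return {
        "$schema": ARM_SCHEMA,
        "contentVersion": "1.0.0.0",
        "parameters": {"workspace": {"type": "String"}},
        "resources": [{
            "id": ("[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', "
                   f"parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/{rule_id}')]"),
            "name": f"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/{rule_id}')]",
            "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
            "kind": "Scheduled",
            "apiVersion": ALERT_RULE_ARM_API_VERSION,
            "properties": props,
        }],
    }


def deployment_properties(template, workspace):
    """Body of an incremental ARM deployment of the template into the named workspace."""
    return {
        "mode": "Incremental",
        "template": template,
        "parameters": {"workspace": {"value": workspace}},
    }


def deploy_template(subscription_id, resource_group, workspace, template, deployment_name):
    """Scripted equivalent of the portal's 'Deploy a custom template' steps."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.resource import ResourceManagementClient

    client = ResourceManagementClient(DefaultAzureCredential(), subscription_id)
    poller = client.deployments.begin_create_or_update(
        resource_group, deployment_name,
        {"properties": deployment_properties(template, workspace)},
    )
    return poller.result()


# Constructed sample, shaped like one entry of the alertRules listing.
SAMPLE_RULE = {
    "name": "00000000-0000-4000-8000-000000000001",
    "kind": "Scheduled",
    "properties": {
        "displayName": "Example: bursts of failed sign-ins",
        "enabled": True,
        "severity": "Medium",
        "query": "SigninLogs | where ResultType != 0 | summarize count() by UserPrincipalName | where count_ > 20",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT5H",
        "suppressionEnabled": False,
        "tactics": ["CredentialAccess"],
        "lastModifiedUtc": "2024-01-01T00:00:00Z",
    },
}

if __name__ == "__main__":
    print(json.dumps(rule_to_arm_template(SAMPLE_RULE), indent=2))
```

Running the file prints the template for the sample rule; that JSON is exactly what you would paste into the portal editor, or pass to deploy_template() together with the target subscription, resource group and workspace name. The identity used (your az login session locally, the managed identity on App Service) only needs read access on the source workspace for listing and contributor-level access on the target for deployment.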
This application can also be deployed to an Azure App Service using the instructions here. You will need to create a system-assigned managed identity which has access to the Sentinel instance you are getting the rules from.
You could also edit the code to upload the templates to a storage account, then build a logic app which deploys Sentinel rules based on the files in that storage account. It’s entirely up to you!