Inspired by Charbel Nemnon’s recent post about backing up and restoring Microsoft Sentinel Watchlists, I decided to see if I could automate the process using existing Azure resources. In this post you’ll see how you can automate regular backups of your Sentinel Watchlists using a Logic App and send the backups to a Storage Account.
Overview Link to heading
I’ll be deploying 3 Azure resources to support the automated backup process:
- Logic App - this will be a logic app with a recurring trigger which retrieves all Watchlists from Sentinel, converts to CSV, then sends to blob storage in a Storage Account
- Storage Account - this is where I’ll place the watchlist backup files
- Key Vault - the logic app uses the HTTP step to talk to the Azure API, and as such I’ll be storing the client secret for an AAD application
Prerequisites Link to heading
As previously mentioned, I’ll be using an HTTP step in my Logic App that needs to talk to the Azure API, and I’ll be using the Azure OAuth authentication method for this step. To facilitate this, I created a new app registration. The app registration doesn’t need any given any special permissions.
Logic App details Link to heading
Here’s what the playbook looks like in the designer view:
Brief walkthrough:
- Trigger: Timer connector and the Recurrence action
- I initialize an array variable that will be used to hold the Watchlist items
- Retrieve the app registration client secret from a Key Vault
- Get a list of all Watchlists in my Sentinel workspace by sending an HTTP GET request (reference)
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists?api-version=2022-07-01-preview
- For each Watchlist in the response, get all items in the Watchlist then:
- For each item in the Watchlist, append to the array variable that was initialized earlier
- Transform the array variable into a CSV table
- Upload the CSV table to blob storage
- Clear the array variable for the next iteration
If everything works, you’ll see CSV files for each watchlist in the storage account:
Future improvements Link to heading
This is a quick a simple workflow to backup Microsoft Sentinel Watchlists to blob storage. In order to reduce storage footprint over time, especially if you decide to run the backup workflow more frequently, the Logic App could be updated to include steps to remove older backups, e.g. delete all backups older than ’n’ days.
ARM template Link to heading
I’ve created an ARM template that will deploy all of the resources listed above if you want to try this out yourself. Check it out here: https://github.com/h0ffayyy/MicrosoftSentinelStuff/tree/main/Playbooks/Watchlist-Backup