Hello Robert Smith
Yes, it is possible. Microsoft Sentinel (built on Azure Monitor Logs) supports exporting logs outside of Microsoft Azure, which is crucial for disaster recovery and compromise scenarios.
Outside of Azure (store logs externally):
Azure Event Hub → External SIEM/S3/Storage
Use diagnostic settings to stream logs to Azure Event Hub.
From Event Hub, forward logs to external systems (e.g., Splunk, Elastic, AWS S3, on-prem storage).
Azure Logic Apps or Functions → External API
Set up workflows to export logs in near real-time to external systems or storage locations.
Log Analytics REST API
Periodically extract logs via API and store them externally (e.g., backup to a secure location outside Azure).
Export to Azure Storage (Blob or ADLS)
You can export logs to Azure Storage for long-term retention and then periodically back up that storage to an external environment (e.g., AWS, Google Cloud, or on-prem).
How can I restore certain components?
When restoring Sentinel from a backup, the components are not automatically backed up as part of Sentinel.
Restore archived logs from search
| Component | Backup Method | Restore Notes |
|---|---|---|
| Log Data | Stream to external SIEM or storage | Can be re-ingested via API or scripts |
| Analytics Rules (UCs) | Use ARM templates, Azure CLI, or Sentinel as Code | Can be redeployed in new instance |
| Workbooks | Export to JSON or ARM templates | Import into new Sentinel |
| Hunting Queries | Save to GitHub or external repo | Redeploy manually |
| Watchlists | Export to CSV/JSON | Reimport manually |
| User Access & RBAC | Export using Azure PowerShell / Graph API | Recreate RBAC assignments manually or via script |
| Playbooks (Logic Apps) | Export Logic Apps definition (ARM) | Redeploy in new region/subscription |
| Custom Connectors | Save connector definitions | Recreate in new instance |
Does it have to be an MS environment?
No, not necessarily. While Sentinel itself is Microsoft-native, your log backup and DR strategy does not have to remain in Microsoft Azure.
You can:
Store logs in AWS S3, Google Cloud Storage, on-prem, or any secure location.
Use third-party SIEMs or log archiving tools as a fallback or "cold" DR storage.
Maintain templates/configs in a GitOps approach (store Sentinel configs in GitHub/GitLab, etc.).
Check these articles for more details:
Business continuity and disaster recovery for Microsoft Sentinel
Recommendations for designing a disaster recovery strategy
Export data from a Log Analytics workspace to a storage account by using Logic Apps
Log Analytics workspace data export in Azure Monitor
I hope this clarifies things.
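As an added example (not part of the answer above, and not Microsoft's own tooling), the following Python script covers the "Log Data" row of the table: it reads records back from an externally stored JSON-lines export, skips and counts corrupt lines instead of silently losing them, and packs the records into request bodies for the Azure Monitor Logs Ingestion API. It assumes the backup is one JSON record per line with the source table's columns, that the API accepts a JSON array per POST with a 1 MB body cap, and that `DCE_ENDPOINT`, `DCR_IMMUTABLE_ID`, `STREAM_NAME` and the bearer token are placeholders you replace with your own values.

```python
"""Pack exported Log Analytics records for re-ingestion.

Added example, not code from the original answer. Assumptions: the backup is
JSON lines (one exported record per line, columns as in the source table), and
the target is the Azure Monitor Logs Ingestion API, which takes a JSON array
of records per POST and limits each request body to 1 MB. DCE_ENDPOINT,
DCR_IMMUTABLE_ID and STREAM_NAME are placeholders.
"""
import json

MAX_REQUEST_BYTES = 1_000_000                                # assumed per-request cap (1 MB)
DCE_ENDPOINT = "https://<your-dce>.ingest.monitor.azure.com"  # placeholder
DCR_IMMUTABLE_ID = "dcr-<immutable-id>"                      # placeholder
STREAM_NAME = "Custom-SecurityEvent_Restore_CL"              # placeholder

# Constructed sample backup: three well-formed records plus one corrupt line,
# in the shape of a SecurityEvent export.
SAMPLE_EXPORT = "\n".join([
    '{"TimeGenerated":"2024-05-01T10:00:00Z","Computer":"dc01","EventID":4624}',
    '{"TimeGenerated":"2024-05-01T10:00:05Z","Computer":"dc01","EventID":4625}',
    'this line was truncated during the copy {',
    '{"TimeGenerated":"2024-05-01T10:00:09Z","Computer":"srv02","EventID":4688}',
])


def parse_export(text: str) -> tuple[list[dict], int]:
    """Parse a JSON-lines export. Returns (records, number_of_skipped_lines).

    Corrupt lines are skipped rather than aborting the restore, but counted so
    the gap in the evidence can be reported.
    """
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(rec, dict) or "TimeGenerated" not in rec:
            skipped += 1          # every restored row needs its timestamp column
            continue
        records.append(rec)
    return records, skipped


def _encoded_len(obj) -> int:
    """Byte length of obj as compact JSON, the form the request body uses."""
    return len(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def batch_records(records: list[dict], max_bytes: int = MAX_REQUEST_BYTES) -> list[list[dict]]:
    """Group records so each batch, serialised as a compact JSON array, fits in max_bytes."""
    batches: list[list[dict]] = []
    current: list[dict] = []
    size = 2                                      # the enclosing "[" and "]"
    for rec in records:
        rec_len = _encoded_len(rec)
        if rec_len + 2 > max_bytes:
            raise ValueError("single record exceeds the request limit")
        extra = rec_len + (1 if current else 0)   # +1 for the comma separator
        if size + extra > max_bytes:
            batches.append(current)               # flush and start a new batch
            current, size, extra = [], 2, rec_len
        current.append(rec)
        size += extra
    if current:
        batches.append(current)
    return batches


def build_request(batch: list[dict], bearer_token: str) -> tuple[str, dict, bytes]:
    """Return (url, headers, body) for one Logs Ingestion API POST."""
    url = (f"{DCE_ENDPOINT}/dataCollectionRules/{DCR_IMMUTABLE_ID}"
           f"/streams/{STREAM_NAME}?api-version=2023-01-01")
    headers = {"Authorization": f"Bearer {bearer_token}",
               "Content-Type": "application/json"}
    body = json.dumps(batch, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_REQUEST_BYTES:
        raise ValueError("batch exceeds the request limit")
    return url, headers, body


if __name__ == "__main__":
    recs, bad = parse_export(SAMPLE_EXPORT)
    print(f"{len(recs)} records parsed, {bad} lines skipped")
    for n, b in enumerate(batch_records(recs), 1):
        url, _, body = build_request(b, "<token-from-entra-id>")
        print(f"batch {n}: {len(b)} records, {len(body)} bytes -> POST {url}")
```

The script only prepares the requests; sending them is a plain HTTPS POST with the headers returned by `build_request`, using a token obtained for an Entra ID application that the data collection rule grants the Monitoring Metrics Publisher role. Record the skipped-line count alongside the restore so the evidence gap is documented rather than discovered during an investigation.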