Philippe Zenhaeusern and Javier Soriano co-author this blog post.

Note: the content of this blog post is no longer up to date. The new recommended way to manage content as code in Microsoft Sentinel is Repositories.

In the last few months working on Microsoft Sentinel, we have talked to many partners and customers about ways to automate Microsoft Sentinel deployment and operations. These are some of the typical questions:

- How can I automate customer onboarding into Sentinel?
- How can I programmatically configure connectors?
- As a partner, how do I push to my new customer all the custom analytics rules/workbooks/playbooks that I have created for other customers?

In this post, we will try to answer all these questions, not only describing how to do it but also giving you some of the work done with a repository that contains a minimum viable product (MVP) around how to build a full Sentinel as Code environment. The post is divided into two parts:

- Automating the deployment of specific Microsoft Sentinel components
- Building your Sentinel as Code in Azure DevOps

We recommend you go through them one by one in order to fully understand how it works.

You might be familiar with the Infrastructure as Code concept. Have you heard about Azure Resource Manager, Terraform, or AWS CloudFormation? They are all ways to describe your infrastructure as code so that you can treat it as such: put it under source control (e.g., git, svn), so you can track changes to your infrastructure the same way you track changes in your code.

Besides treating your infrastructure as code, you can also use DevOps tooling to test that code and deploy that infrastructure into your environment, all in a programmatic way. This is also referred to as Continuous Integration/Continuous Delivery (CI/CD). Please take a look at this article if you want to know more. You can use any source control platform, but in this article we will use GitHub. This post will use Azure DevOps as our DevOps tool, but the concepts are the same for any other tool.

The whole idea is to codify your Microsoft Sentinel deployment in the Sentinel context and put it in a code repository. Every time there is a change in the files that define this Sentinel environment, that change will trigger a pipeline that verifies the changes and deploys them into your Sentinel environment.

As you probably know, there are different components inside Microsoft Sentinel: Connectors, Analytics Rules, Workbooks, Playbooks, Hunting Queries, Notebooks, and so on. These components can be managed easily through the Azure Portal, but what can I use to modify all of them programmatically? How do we programmatically make these changes in Sentinel? Here is a table that summarizes what can be used for each:

PowerShell: Special thanks to Wortell for writing the AzSentinel module, which greatly facilitates many of the tasks.
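The verify-then-deploy loop described above, written as an Azure DevOps pipeline; this is an added example, not code from the original post or from its MVP repository. It assumes analytics rules are stored under Analytics/*.json in the AzSentinel settings-file layout (a top-level "Scheduled" array), a service connection named sentinel-sc, a workspace named my-sentinel-ws (all placeholders), and the Import-AzSentinelAlertRule cmdlet as documented by the AzSentinel module.

```yaml
# Added example, not from the original post. Placeholders assumed here: rule
# files under Analytics/*.json in AzSentinel's settings layout (a top-level
# "Scheduled" array), service connection 'sentinel-sc', workspace 'my-sentinel-ws'.
trigger:
  branches:
    include: [ main ]
  paths:
    include: [ Analytics/* ]
pool:
  vmImage: 'windows-latest'
stages:
- stage: Verify
  jobs:
  - job: ValidateRules
    steps:
    - pwsh: |
        # Fail fast: nothing reaches Deploy if a file is not valid JSON or a
        # scheduled rule lacks a property the deployment needs.
        $required = 'displayName', 'query', 'severity', 'enabled'
        $failed = $false
        foreach ($file in Get-ChildItem -Path Analytics -Filter *.json) {
          try { $doc = Get-Content -Raw $file.FullName | ConvertFrom-Json }
          catch { Write-Host ("##vso[task.logissue type=error]{0}: invalid JSON" -f $file.Name); $failed = $true; continue }
          foreach ($rule in @($doc.Scheduled)) {
            foreach ($prop in $required) {
              if (-not $rule.PSObject.Properties[$prop]) {
                Write-Host ("##vso[task.logissue type=error]{0}: rule is missing '{1}'" -f $file.Name, $prop)
                $failed = $true
              }
            }
          }
        }
        if ($failed) { exit 1 }
      displayName: 'Validate analytics rule definitions'
- stage: Deploy
  dependsOn: Verify
  jobs:
  - job: DeployRules
    steps:
    - task: AzurePowerShell@5
      displayName: 'Deploy rules with the AzSentinel module'
      inputs:
        azureSubscription: 'sentinel-sc'
        azurePowerShellVersion: 'LatestVersion'
        ScriptType: 'InlineScript'
        Inline: |
          Install-Module AzSentinel -Scope CurrentUser -Force
          foreach ($file in Get-ChildItem -Path Analytics -Filter *.json) {
            Import-AzSentinelAlertRule -WorkspaceName 'my-sentinel-ws' -SettingsFile $file.FullName
          }
```

The Verify stage runs on every push to the watched path and blocks the Deploy stage on any error, so a malformed rule never reaches the workspace.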