Blogpost: Sentinel Repositories (preview)



In this blog post, I describe the new preview feature Microsoft Sentinel Repositories in detail.

I also show what I have changed in my demo environment, because I normally structure the Microsoft Sentinel architecture a bit differently. Feel free to give me feedback or to download the changed script for your own environment.


The new feature

IaC (Infrastructure as Code) is one of the most important steps in the cloud journey. In each process step of the CAF (Cloud Adoption Framework), think about how you will implement an IaC architecture later on.

There are different options available to implement IaC in Azure, such as:

  • PowerShell
  • ARM
  • Bicep
  • Terraform
  • Ansible

In this blog post, I focus on ARM and Bicep; you can download those templates from my GitHub repo.

Okay, let’s go to the feature itself. Microsoft has implemented the feature “Repositories”, which uses GitHub or Azure DevOps as source control for Microsoft Sentinel. You can find the feature when you open the Sentinel view.

The configuration is pretty simple: click on “Add new”, define the repository name and the source control (GitHub or Azure DevOps), then click on Authorize and select your repository.

  • Add a new repository
  • Define the name and the source control, then authorize
  • Select the repository, define the branch, define the content types and click on Create

That’s all :), but what happens in the background?

  • An Azure App registration whose name starts with “Azure Sentinel Content Deployment App” is added
  • The RBAC roles “Microsoft Sentinel Contributor” and “Log Analytics Contributor” are assigned to the app
  • A GitHub Actions secret is created with the information from the Azure app
  • A GitHub Action with a custom PowerShell script is added to the repository

Really simple, but not enough for my environment, because I always split the SIEM and SOAR services into different Azure resource groups. The reason is that I can handle the RBAC permissions better and have a better overview of the resources I have. So this is what I changed in the deployment process:

  • I added the automation resource group to the YML file
  • I added the ability to sort the templates by their functionality

Create folders inside the GitHub repository to split the templates by functionality.

Then add or update the following sections in the deployment script “azure-sentinel-deploy.ps1”:

  • Add the automation resource group variable
  • Add a hashtable to define the right resource group for each service
  • Update the parameters of the function “AttemptDeployment”
  • Update the deployment process inside the “AttemptDeployment” function
  • Update the “main” function

That’s it. Now you can separate all your templates into different folders based on their functionality and deploy the playbooks into a separate resource group. My next step is to bring all my ARM templates into Bicep modules, because they are much easier to read and write.
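To make the script changes above concrete, here is an added example of how such a deployment script could resolve the target resource group from the template folder. This is my illustration, not the author’s modified azure-sentinel-deploy.ps1; the folder names, variable names and environment variables are assumptions, and the deployment app is assumed to have already been granted deployment rights on the automation resource group as well.

```powershell
# Added example (not the author's script): pick the resource group per template folder.
# Folder names, parameter names and environment variables are assumptions.
param(
    [string]$SentinelResourceGroup   = $env:SENTINEL_RESOURCE_GROUP,    # SIEM resources
    [string]$AutomationResourceGroup = $env:AUTOMATION_RESOURCE_GROUP,  # SOAR resources (playbooks)
    [string]$RepoRoot                = $PSScriptRoot
)

# Map the top-level folder of a template to the resource group it belongs in.
# Anything not listed falls back to the Sentinel resource group.
$resourceGroupMap = @{
    'AnalyticRules'  = $SentinelResourceGroup
    'HuntingQueries' = $SentinelResourceGroup
    'Workbooks'      = $SentinelResourceGroup
    'Playbooks'      = $AutomationResourceGroup   # Logic Apps live with the SOAR resources
}

function Resolve-TargetResourceGroup {
    param([string]$TemplatePath)
    # First path segment below the repository root, e.g. "Playbooks" for Playbooks/block-ip.json
    # (GetRelativePath needs PowerShell 7, which the GitHub-hosted runners provide)
    $relative = [System.IO.Path]::GetRelativePath($RepoRoot, $TemplatePath)
    $folder   = $relative.Split([System.IO.Path]::DirectorySeparatorChar)[0]
    if ($resourceGroupMap.ContainsKey($folder)) { return $resourceGroupMap[$folder] }
    return $SentinelResourceGroup
}

function AttemptDeployment {
    param([string]$TemplatePath, [string]$ResourceGroupName)
    $name = 'sentinel-{0}-{1}' -f [System.IO.Path]::GetFileNameWithoutExtension($TemplatePath),
                                  (Get-Date -Format 'yyyyMMddHHmmss')
    try {
        New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName -TemplateFile $TemplatePath `
            -Name $name -ErrorAction Stop | Out-Null
        Write-Host "Deployed $TemplatePath to $ResourceGroupName"
        return $true
    } catch {
        Write-Warning "Deployment of $TemplatePath to $ResourceGroupName failed: $($_.Exception.Message)"
        return $false
    }
}

function main {
    $failed = 0
    # Assumes the folders contain only ARM templates (no separate parameter files)
    Get-ChildItem -Path $RepoRoot -Recurse -Filter '*.json' | ForEach-Object {
        $rg = Resolve-TargetResourceGroup -TemplatePath $_.FullName
        if (-not (AttemptDeployment -TemplatePath $_.FullName -ResourceGroupName $rg)) { $failed++ }
    }
    if ($failed -gt 0) { exit 1 }   # let the GitHub Action fail if any template failed
}

main
```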


Finally

I love the new feature to add repositories to Microsoft Sentinel, but for my environment and my customers’ environments there is still room for improvement.

Get more information on my channels

Feel free to write me an E-Mail or ping me on the social channels listed below.
