Automate Microsoft Sentinel Playbook Deployment using Azure DevOps

  • February 15, 2022
  • 5 min read
IT Production Manager. Nicolas is primarily focused on Microsoft technologies; he is a Microsoft MVP in Cloud and Datacenter Management.

You probably know the concept of Infrastructure as Code, which enables teams to manage and provision resources automatically through code instead of with a manual approach. If you work in a SOC (Security Operations Center) team, you can apply this concept to the SOC platform itself, and especially to Microsoft Sentinel. Microsoft Sentinel is Microsoft’s cloud-native SIEM (security information and event management) and SOAR (security orchestration, automation and response) solution, all in one.

Combining Microsoft Sentinel with Infrastructure as Code is a natural fit: your SOC team should spend its time on security, not on maintaining the SOC platform.

Getting started

In my case, I exported my playbook named « Create-JiraTickets », a Logic App that creates a ticket in Jira for each Microsoft Sentinel incident. The Logic App was created in a specific Azure subscription, and I want to redeploy it in all my customers’ subscriptions. To export the Logic App, we can use the following PowerShell script to create a template with the « LogicAppTemplate » module:

This open-source module first evaluates your logic app and any connections that the logic app uses. The module then generates template resources with the necessary parameters for deployment. Below is the exported JSON file.
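The export step, written out as an added example (not the author’s script): it uses the public `Get-LogicAppTemplate` and `Get-ParameterTemplate` cmdlets of the LogicAppTemplate module, then parses the result to list what the pipeline will have to supply. The Logic App name comes from the post; the resource group, subscription, tenant and output paths are placeholders, and whether the cmdlet reuses an existing Az login when no `-Token` is passed should be checked against the module’s README for your version.

```powershell
# Added example: export a Logic App as an ARM template with the LogicAppTemplate module.
# Resource group, subscription ID, tenant name and paths below are constructed placeholders.
Install-Module -Name LogicAppTemplate -Scope CurrentUser -Force

$logicApp       = 'Create-JiraTickets'                          # playbook name from the post
$resourceGroup  = 'rg-sentinel-playbooks'                       # placeholder
$subscriptionId = '00000000-0000-0000-0000-000000000000'        # placeholder
$tenantName     = 'contoso.onmicrosoft.com'                     # placeholder
$templateFile   = ".\$logicApp.json"
$parameterFile  = ".\$logicApp.parameters.json"

# Generate the template. The module evaluates the Logic App and its API connections
# and replaces environment-specific values with template parameters.
# Assumption: with no -Token supplied the cmdlet acquires credentials itself.
Get-LogicAppTemplate -LogicApp $logicApp -ResourceGroup $resourceGroup `
    -SubscriptionId $subscriptionId -TenantName $tenantName |
    Out-File -FilePath $templateFile -Encoding utf8

# Companion parameter file, so environment-specific values stay out of the template.
Get-ParameterTemplate -TemplateFile $templateFile |
    Out-File -FilePath $parameterFile -Encoding utf8

# Review what was exported before committing it to the repository.
$template = Get-Content -Path $templateFile -Raw | ConvertFrom-Json

Write-Host 'Template parameters (values the release pipeline must provide or default):'
$template.parameters.PSObject.Properties |
    ForEach-Object { '  {0} (default: {1})' -f $_.Name, $_.Value.defaultValue }

Write-Host 'API connections that will need to be authorized after deployment:'
$template.resources |
    Where-Object { $_.type -eq 'Microsoft.Web/connections' } |
    ForEach-Object { '  ' + $_.name }
```

Commit the template and parameter file to the Azure Repo. Note that the export carries the connection definitions but not their credentials: after the template is deployed into another subscription, each API connection (here, the Jira connection) has to be authorized in that subscription before the playbook can run successfully.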

Now, let’s move to Azure DevOps to configure the automation. We will use an Azure DevOps release pipeline to deploy the JSON file into the Azure subscription.

First, go to the Repository tab, and import the JSON file.

Then, go to the Pipelines section and Releases tab. Click New to create a blank release pipeline:

You must select the source type; in this case I selected Azure Repos because my JSON file was uploaded to my Azure repository.

Go to the Tasks tab, click « + » to add a new task and then search for ARM deployment:

You must configure the task by selecting:

  • the Resource Group,
  • the location,
  • and the template path (the JSON file in the Azure Repo).

Save the pipeline and then click Create release to run the pipeline for the first time.

Go to the Logs tab and open the ARM deployment task.

We can confirm that the deployment succeeded.

Let’s switch to the Azure Portal to confirm that the playbook has been created. Open the Resource Group and click Deployments. Here, I can confirm a new deployment.

The last step is to map the playbook to your analytics rule in the Automated response tab.

Beyond deploying your playbooks automatically, you can update them and redeploy them to all your subscriptions with one click.
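The redeploy-everywhere idea, as an added example that is not part of the original post: the same ARM deployment the release pipeline’s task performs, scripted over a list of customer subscriptions with the Az.Accounts and Az.Resources modules, and validated before anything is created. The subscription IDs, resource group name and location are constructed placeholders; the template file is the one exported above.

```powershell
# Added example: deploy one exported playbook template to several subscriptions.
# Subscription IDs, resource group and location are constructed placeholders.
$templateFile  = '.\Create-JiraTickets.json'
$resourceGroup = 'rg-sentinel-playbooks'
$location      = 'westeurope'

# One entry per customer subscription (placeholders).
$targets = @(
    '00000000-0000-0000-0000-000000000001',
    '00000000-0000-0000-0000-000000000002'
)

# Connect-AzAccount   # interactive here; a pipeline would use its service connection instead

foreach ($subscriptionId in $targets) {
    Set-AzContext -SubscriptionId $subscriptionId | Out-Null

    # Create the target resource group if the subscription does not have it yet.
    if (-not (Get-AzResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue)) {
        New-AzResourceGroup -Name $resourceGroup -Location $location | Out-Null
    }

    # Validate first: surfaces missing parameters or RBAC problems with no side effects.
    # Incremental mode only adds or updates the template's resources; Complete mode would
    # delete everything else in the resource group, so it is avoided here on purpose.
    $validation = Test-AzResourceGroupDeployment -ResourceGroupName $resourceGroup `
        -TemplateFile $templateFile -Mode Incremental
    if ($validation) {
        Write-Warning "[$subscriptionId] template validation failed: $($validation.Message)"
        continue
    }

    $deployment = New-AzResourceGroupDeployment `
        -Name "playbook-$(Get-Date -Format 'yyyyMMddHHmm')" `
        -ResourceGroupName $resourceGroup `
        -TemplateFile $templateFile `
        -Mode Incremental

    Write-Host "[$subscriptionId] $($deployment.DeploymentName): $($deployment.ProvisioningState)"
}
```

If the exported template has parameters without default values, add `-TemplateParameterFile` pointing at the parameter file generated during export. Two things the deployment itself does not take care of: the playbook’s API connections must be authorized in each target subscription, and Microsoft Sentinel can only run the playbook from an analytics or automation rule if it has been granted permission to do so (the Microsoft Sentinel Automation Contributor role on the playbook’s resource group).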
