You probably know the concept of Infrastructure as Code, which enables teams to manage and provision resources automatically through code instead of through a manual approach. If you work in a SOC (Security Operations Center) team, you can apply this concept to manage the SOC platform itself, and especially Microsoft Sentinel. Microsoft Sentinel is Microsoft’s cloud-native SIEM (security information and event management) and SOAR (security orchestration, automation and response) solution, all in one.

Putting Microsoft Sentinel and Infrastructure as Code together is a natural way to get the most out of your SOC team: the team should focus on security, not on maintaining the SOC platform.

Getting started

In my case, I exported my playbook named « Create-JiraTickets », which is a Logic App that creates a ticket in Jira for each Microsoft Sentinel incident. The Logic App was created in a specific Azure subscription, and I want to redeploy it in all my customers' subscriptions. To export the Logic App, we can use the following PowerShell script to create a template with the « LogicAppTemplate » module:

This open-source module first evaluates your logic app and any connections that the logic app uses. The module then generates template resources with the necessary parameters for deployment. Below is the exported JSON file.

JSON file

Now, let’s move to Azure DevOps to configure the automation. We will use an Azure DevOps release pipeline to deploy the JSON file into the Azure subscription.

First, go to the Repository tab, and import the JSON file.

Repository tab

Then, go to the Pipelines section and Releases tab. Click New to create a blank release pipeline:

Pipelines section

You must select the source type, in this case I selected Azure Repo because my JSON file has been uploaded in my Azure repository.

Azure Repo

Go to the Tasks tab, click « + » to add a new task and then search for ARM deployment:

ARM deployment

You must configure the task by selecting:

  • the Resource Group,
  • the location,
  • and the template path (the JSON file in the Azure Repo)

Configure the task

Save the pipeline and then click Create release to run the pipeline for the first time.

Create release

Go to the Logs tab and open the ARM deployment task.

ARM deployment

We can confirm that the deployment succeeded.

Create JiraTickets

Let’s switch to the Azure Portal to confirm the playbook has been created. Open the Resource Group, and click Deployment. Here, I can confirm a new deployment.

Open the Resource Group

The last thing to do is to map the playbook to your analytics rule in the Automated response tab.

Automated response tab

Beyond deploying your playbooks automatically, you can update a playbook and redeploy it with one click to all your subscriptions.
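The same export-and-redeploy flow, scripted end to end in PowerShell instead of through the release pipeline UI, as an added example that is not part of the original post. It uses the LogicAppTemplate module's Get-LogicAppTemplate and Get-ParameterTemplate cmdlets and the Az module; subscription IDs, tenant name, resource group names and paths are placeholders, and it validates each template before deploying it to a customer subscription.

```powershell
# Added example (not the post's own script): export a Sentinel playbook with the
# LogicAppTemplate module, then validate and deploy the resulting ARM template into
# several subscriptions. Subscription IDs, tenant, names and paths are placeholders.
Install-Module -Name LogicAppTemplate -Scope CurrentUser -Force   # once, from the PowerShell Gallery
Import-Module LogicAppTemplate
Connect-AzAccount

$sourceSubscription = '00000000-0000-0000-0000-000000000000'   # where Create-JiraTickets lives
$tenantName         = 'contoso.onmicrosoft.com'
$sourceRg           = 'rg-sentinel-soc'
$playbookName       = 'Create-JiraTickets'
$templateFile       = ".\$playbookName.json"
$parametersFile     = ".\$playbookName.parameters.json"

# 1. Export the Logic App and the API connections it uses as an ARM template.
Get-LogicAppTemplate -LogicApp $playbookName -ResourceGroup $sourceRg `
    -SubscriptionId $sourceSubscription -TenantName $tenantName -Verbose |
    Out-File $templateFile -Encoding utf8

# 2. Generate a matching parameters file so values (names, connections) can differ per customer.
Get-ParameterTemplate -TemplateFile $templateFile | Out-File $parametersFile -Encoding utf8

# 3. Targets: one resource group per customer subscription (constructed list).
$targets = @(
    @{ Subscription = '11111111-1111-1111-1111-111111111111'; ResourceGroup = 'rg-sentinel-customerA' },
    @{ Subscription = '22222222-2222-2222-2222-222222222222'; ResourceGroup = 'rg-sentinel-customerB' }
)

foreach ($t in $targets) {
    Set-AzContext -Subscription $t.Subscription | Out-Null

    # Validate first: a template that fails validation never reaches the customer tenant.
    $errors = Test-AzResourceGroupDeployment -ResourceGroupName $t.ResourceGroup `
        -TemplateFile $templateFile -TemplateParameterFile $parametersFile
    if ($errors) {
        Write-Warning "Skipping $($t.Subscription): $($errors.Message)"
        continue
    }

    # Incremental mode only adds or updates the playbook; it never deletes other resources in the RG.
    $deployment = New-AzResourceGroupDeployment -Name "$playbookName-$(Get-Date -Format yyyyMMddHHmm)" `
        -ResourceGroupName $t.ResourceGroup -TemplateFile $templateFile `
        -TemplateParameterFile $parametersFile -Mode Incremental

    Write-Host "$($t.Subscription): $playbookName -> $($deployment.ProvisioningState)"
}
```

Run it with an identity that only holds Contributor on the target resource groups; the ProvisioningState printed per subscription matches what the Deployments blade in the Azure Portal shows.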
