You probably know the concept of Infrastructure as Code (IaC), which lets teams provision and manage resources automatically through code instead of by hand. If you work in a SOC (Security Operations Center), you can apply the same idea to the SOC platform itself, and especially to Microsoft Sentinel. Microsoft Sentinel is Microsoft's cloud-native SIEM (security information and event management) and SOAR (security orchestration, automation and response) solution, all in one.
Combining Microsoft Sentinel with Infrastructure as Code is a natural way to get the most out of your SOC team: analysts should spend their time on security, not on maintaining the SOC platform.
In my case, I exported my playbook named « Create-JiraTickets », a Logic App that creates a Jira ticket for each Microsoft Sentinel incident. The Logic App was created in one Azure subscription, and I want to redeploy it in all my customers' subscriptions. To export it, we can use the following PowerShell script, which generates an ARM template with the « LogicAppTemplate » module:
# RemoteSigned for the current process is enough to import the modules; Unrestricted is not needed
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
Install-Module Az.Accounts -Force
Install-Module LogicAppTemplate -Force
# Sign in first: Get-AzAccessToken needs an existing Az context
Connect-AzAccount
# On Az.Accounts 5.0 and later, Token is a SecureString; convert it with ConvertFrom-SecureString -AsPlainText before passing it to -Token
$token = Get-AzAccessToken -ResourceUrl "https://management.azure.com" | Select-Object -ExpandProperty Token
# -LogicApp is the Logic App resource name, i.e. the playbook name shown in the Sentinel portal
Get-LogicAppTemplate -LogicApp Create-JiraTickets -ResourceGroup RG_Sentinel -SubscriptionId <subscription_ID> -Token $token -Verbose | Out-File <path_to_json>
This open-source module first evaluates the Logic App and the API connections it uses, then generates the template resources and the parameters needed for deployment. Below is the exported JSON file.
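Once the template is exported, it is worth checking it before it is reused in other subscriptions. As an added example (not part of the original post or of the LogicAppTemplate module), the PowerShell function below reports the parameters without defaults that every deployment has to supply, subscription IDs hard-coded into resource paths (which would point the redeployed playbook back at the source subscription's API connections), and secret-looking connection values stored as literals instead of ARM parameter expressions. The function name Test-PlaybookTemplate is invented, and the sample template at the bottom is constructed for the example: it deliberately contains one hard-coded subscription path and one literal password so that both checks fire.

```powershell
function Test-PlaybookTemplate {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$TemplatePath)

    $raw      = Get-Content -Path $TemplatePath -Raw
    $template = $raw | ConvertFrom-Json

    # Parameters without a defaultValue must be supplied on every deployment
    # (typically the playbook name and the API connection inputs).
    $required = @()
    if ($null -ne $template.parameters) {
        foreach ($p in $template.parameters.PSObject.Properties) {
            if ($null -eq $p.Value.defaultValue) { $required += $p.Name }
        }
    }

    # A subscription GUID baked into a resource id is not portable; an exported
    # template should build those paths with subscription().subscriptionId instead.
    $guid      = '[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'
    $hardcoded = @([regex]::Matches($raw, "/subscriptions/$guid") |
                   ForEach-Object { $_.Value } | Sort-Object -Unique)

    # Secret-looking connection inputs must be ARM expressions such as
    # "[parameters('jira_1_token')]"; a literal here means the export itself leaks the credential.
    $literalSecrets = @()
    $connections = @($template.resources | Where-Object { $_.type -eq 'Microsoft.Web/connections' })
    foreach ($conn in $connections) {
        $values = $conn.properties.parameterValues
        if ($null -eq $values) { continue }
        foreach ($v in $values.PSObject.Properties) {
            if ($v.Name -match 'password|token|secret|key' -and
                $v.Value -is [string] -and $v.Value -notmatch '^\[.*\]$') {
                $literalSecrets += "$($conn.name): $($v.Name)"
            }
        }
    }

    [pscustomobject]@{
        RequiredParameters     = $required
        HardcodedSubscriptions = $hardcoded
        LiteralSecrets         = $literalSecrets
        IsPortable             = ($hardcoded.Count -eq 0 -and $literalSecrets.Count -eq 0)
    }
}

# Constructed sample export (not a real LogicAppTemplate output): one hard-coded
# subscription path and one literal password are included on purpose.
$sample = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "logicAppName":           { "type": "string", "defaultValue": "Create-JiraTickets" },
    "jira_1_Connection_Name": { "type": "string", "defaultValue": "jira" },
    "jira_1_token":           { "type": "securestring" }
  },
  "resources": [
    {
      "type": "Microsoft.Web/connections",
      "apiVersion": "2016-06-01",
      "name": "[parameters('jira_1_Connection_Name')]",
      "properties": {
        "api": { "id": "/subscriptions/11111111-2222-3333-4444-555555555555/providers/Microsoft.Web/locations/westeurope/managedApis/jira" },
        "parameterValues": { "token": "[parameters('jira_1_token')]", "password": "hunter2" }
      }
    },
    {
      "type": "Microsoft.Logic/workflows",
      "apiVersion": "2017-07-01",
      "name": "[parameters('logicAppName')]",
      "properties": {}
    }
  ]
}
'@
$samplePath = Join-Path ([System.IO.Path]::GetTempPath()) 'Create-JiraTickets.sample.json'
Set-Content -Path $samplePath -Value $sample

# On the sample this reports jira_1_token as required, the 1111... subscription path
# and the literal password, so IsPortable is False. Run it on the real export instead.
Test-PlaybookTemplate -TemplatePath $samplePath | Format-List
```

A template that passes this check can be committed to the repository and deployed to any subscription with only a parameters file per customer; one that fails should be fixed (or re-exported) first, because a literal secret in the JSON ends up in the repository history of every project that imports it.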
Now, let's move to Azure DevOps to configure the automation. We will use an Azure DevOps release pipeline to deploy the JSON template into an Azure subscription.
First, go to Repos and import the JSON file into a repository.
Then go to Pipelines > Releases and click New to create an empty release pipeline:
Select the artifact source type; here I chose Azure Repos because the JSON file lives in my Azure repository.
Go to the Tasks tab, click « + » to add a new task, and search for ARM template deployment:
You must configure the task by selecting:
- the Azure Resource Manager service connection (it must have rights to deploy into the target subscription),
- the Resource Group,
- the location,
- and the template path (the JSON file in the Azure Repo).
Save the pipeline, then click Create release to run it for the first time.
Go to the Logs tab and open the ARM template deployment task.
We can confirm the deployment succeeded.
Let's switch to the Azure portal to confirm the playbook has been created. Open the resource group and click Deployments. Here, I can confirm a new deployment.
The last thing to do is to attach the playbook to your analytics rule in the Automated response tab. Note that Microsoft Sentinel needs the Microsoft Sentinel Automation Contributor role on the playbook's resource group before it can run the playbook from a rule; the portal prompts you to grant it when you select the playbook.
Beyond deploying your playbooks automatically, you can update a playbook and redeploy it to all your subscriptions with one click.
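The release pipeline above deploys to one subscription per stage. As an added example that is not part of the original post, here is the same deployment done from PowerShell for a list of customer subscriptions, with a what-if dry run first and the role assignment Sentinel needs in order to run the playbook. The subscription IDs, resource group, template path and the logicAppName parameter are assumptions for the example (your template's parameter names come from its parameters section), Deploy-Playbook is an invented function name, and the account running this needs Contributor on each resource group plus permission to create role assignments.

```powershell
Install-Module Az.Accounts, Az.Resources -Force
Connect-AzAccount | Out-Null

# Assumed values for the example: the export produced earlier and two customer subscriptions.
$TemplatePath = 'C:\sentinel\Create-JiraTickets.json'
$Targets = @(
    @{ SubscriptionId = '00000000-0000-0000-0000-000000000001'; ResourceGroup = 'RG_Sentinel'; Location = 'westeurope' },
    @{ SubscriptionId = '00000000-0000-0000-0000-000000000002'; ResourceGroup = 'RG_Sentinel'; Location = 'westeurope' }
)
# Parameter names depend on the exported template; logicAppName is assumed here.
# Secrets (e.g. a Jira API token) go in as SecureString values, never as plain text in the script.
$Parameters = @{
    logicAppName = 'Create-JiraTickets'
}

function Deploy-Playbook {
    param(
        [Parameter(Mandatory)][hashtable]$Target,
        [Parameter(Mandatory)][string]$TemplatePath,
        [hashtable]$Parameters = @{},
        [switch]$DryRun
    )
    Set-AzContext -SubscriptionId $Target.SubscriptionId | Out-Null
    if (-not (Get-AzResourceGroup -Name $Target.ResourceGroup -ErrorAction SilentlyContinue)) {
        New-AzResourceGroup -Name $Target.ResourceGroup -Location $Target.Location | Out-Null
    }

    $deployArgs = @{
        Name                    = "playbook-$(Get-Date -Format 'yyyyMMddHHmmss')"
        ResourceGroupName       = $Target.ResourceGroup
        TemplateFile            = $TemplatePath
        TemplateParameterObject = $Parameters
        # Incremental only touches resources in the template; Complete would delete
        # everything else in the resource group, including the customer's workspace.
        Mode                    = 'Incremental'
    }
    if ($DryRun) {
        # Shows the resource changes without applying them.
        New-AzResourceGroupDeployment @deployArgs -WhatIf
        return
    }

    $deployment = New-AzResourceGroupDeployment @deployArgs
    if ($deployment.ProvisioningState -ne 'Succeeded') {
        throw "Deployment in $($Target.SubscriptionId) ended in state $($deployment.ProvisioningState)"
    }

    # Sentinel runs playbooks through its own service principal ('Azure Security Insights'),
    # which needs Microsoft Sentinel Automation Contributor on the playbook's resource group;
    # without it the playbook is listed in the Automated response tab but cannot be triggered.
    $sentinelSp = Get-AzADServicePrincipal -DisplayName 'Azure Security Insights'
    $scope = "/subscriptions/$($Target.SubscriptionId)/resourceGroups/$($Target.ResourceGroup)"
    $role  = 'Microsoft Sentinel Automation Contributor'
    if (-not (Get-AzRoleAssignment -ObjectId $sentinelSp.Id -RoleDefinitionName $role -Scope $scope)) {
        New-AzRoleAssignment -ObjectId $sentinelSp.Id -RoleDefinitionName $role -Scope $scope | Out-Null
    }
    $deployment
}

# Dry run everywhere first, then deploy for real.
foreach ($t in $Targets) { Deploy-Playbook -Target $t -TemplatePath $TemplatePath -Parameters $Parameters -DryRun }
foreach ($t in $Targets) {
    Deploy-Playbook -Target $t -TemplatePath $TemplatePath -Parameters $Parameters |
        Select-Object DeploymentName, ResourceGroupName, ProvisioningState
}
```

The same loop works as a script step in the release pipeline, with the service connection identity in place of Connect-AzAccount; keeping Incremental mode and the what-if pass is what makes it safe to re-run against a customer's production resource group every time the playbook changes.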