Today we are announcing Microsoft Sentinel Repositories, a new capability that allows users to manage their Microsoft Sentinel content as code from a source control repository. Repositories provides a central experience for deployment and management of Microsoft Sentinel content and removes the burden of having to manage manual processes to update and deploy your custom content across your workspaces.
Why Repositories?
Some of the most shared questions and requests we hear in the Microsoft Sentinel community have revolved around the ability to simplify the custom content management and deployment process through automation or code. There are existing setups shared by our community members that have tackled this question, but none are natively supported within Microsoft Sentinel.
Repositories came as a direct result of many customer and stakeholder conversations. These conversations allowed us to learn more about the needs and requirements of our users and helped us understand more about their outlook for a solution that lives within the product and requires less configuration and onboarding than the currently existing approaches, while offering a level of flexibility that can satisfy various user scenarios. With Repositories, you can natively connect your Microsoft Sentinel workspace(s) to one of the supported source control repositories and centrally manage your content.
Getting Started
To leverage this new capability, simply store your custom content ARM templates in a central repository and connect your Microsoft Sentinel workspace(s) to your repository for a more automated content management and deployment experience. Repositories allows you to choose from two supported Source Controls to store your custom content: Azure DevOps using Azure Pipelines, and GitHub using GitHub Actions. Visit Prerequisites and Scope to learn more about the required permissions and prerequisites for creating a connection to a source control.
We are starting with support for the deployment of the following Microsoft Sentinel content types:
- Analytic rules
- Automation rules
- Hunting queries
- Parsers
- Playbooks
- Workbooks
Head over to Microsoft Sentinel and connect a repository to try out this capability and automate the deployment of your custom content!
Flexible deployment approach
The default repositories workflow triggers a deployment for any push to the branch of your repository, and it deploys all the content from the connected branch based on your content type(s) selection from the connection creation page. However, you can easily customize the provided deployment script to adjust the trigger and paths for your deployments to fit your needs. For example, you can choose to only trigger deployments if pushes are made to specific folders or subfolders, or you can choose to schedule your deployments for a specific time every day as opposed to only running when changes are pushed. It is important to note that the deployment will still deploy all applicable content types from the entire branch, not just the folders that triggered the deployment.
This approach provides users with an experience that can be tailored to their specific needs and can help save you hours of manual work once it is set up.
Best Practices
If you choose to use Microsoft Sentinel repositories to deploy custom content in your production Microsoft Sentinel workspace(s), the repository that you connect to will now be your “single source of truth” for custom content in the connected workspaces. This means that the content from your repository will overwrite any changes you make to that content through the Microsoft Sentinel portal. If you make changes outside of the repository, is important to ensure that the content in your repository is updated accordingly and that your deployments are happening as you expect them to. More details about editing and deleting content can be found here.
If you are looking to get started on your Microsoft Sentinel-as-code learning journey, we recommend that you connect one or two of your workspaces to a single content repository and branch that has some supported custom content in ARM format. You can find the status of your deployments in Azure Pipelines/GitHub Actions depending on you source control. After you create your connection and content is deployed to your Microsoft Sentinel workspace, you can make a simple change in the repository to any of the content that you deployed and watch it trigger another deployment that deploys those changes in the workspaces you connected. Once you are ready to deploy more content types from the connected branch, you edit your connection from the repositories page to include more content types. Please note that you cannot create more than one connection per repository branch to avoid deployment conflicts. However, there is no limit on the number of workspaces you can connect to a content repository, meaning all those manual content deployments to different workspaces can now be automated from a single repository!
In Summary
Repositories simplifies the process of managing content for one or more workspaces deployed from a content repositories. It does so by automating the process of deploying the content and allowing users to manage it from a central repository instead of manually updating content in the desired Microsoft Sentinel workspaces, saving you considerable time and effort.
Please refer to Microsoft Sentinel Repositories for our full documentation.
What’s Next?
We are working on more capabilities for Repositories to enhance the content management and deployment process. Please share your feedback through our feedback form and share your thoughts and what you’d like to see next through the Microsoft Sentinel Community.
Microsoft Sentinel Repositories is just one of several exciting announcements we’ve made for Microsoft Ignite 2021. Learn more about other new Microsoft Sentinel innovations in our announcements blogpost.
Posted at https://sl.advdat.com/3ETHAsH