Let's have a look at how we can automate an Azure Sentinel deployment.
In this post I will show how you can automate the deployment of the following components using PowerShell and ARM templates:
- Resource Group
- Log Analytics workspace
- Azure Sentinel
- Alert Rules
- Workbooks
- Playbooks
At the end, as a bonus, I will show how you can put it all together as part of an Azure DevOps pipeline.
OK, let's get started. The first thing we have to do is create the Resource Group that will hold the Sentinel workspace and all Sentinel related resources.
Note: all scripts and templates used in this post can be found here in my GitHub repository. From now on I will assume you have cloned it to your computer and your PowerShell window is set to the Sentinel directory.
New-AzResourceGroup -Name Workspaces -Location australiaeast
And the following is the output.
Next, let's deploy the Log Analytics workspace.
New-AzResourceGroupDeployment -Name SentinelWorkspace -ResourceGroupName Workspaces -TemplateFile .\Onboard\law-Sentinel.json -TemplateParameterObject @{workspaceName='SentinelWorkspaceAzureGear'}
If successful, you should see something similar to the figure below.
Once we have an Azure Log Analytics workspace with the Azure Sentinel solution deployed, we can start deploying Sentinel artifacts such as alert rules, workbooks and runbooks.
Let's start by deploying the Alert Rules. If you have ever imported Alert Rules manually you know how tedious it can be. Execute the command below, which installs the AzSentinel module created by Pouyan Khabazi and imports all Alert Rules inside the AlertRules folder into the nominated workspace.
.\Scripts\ImportAlerts.ps1 -workspaceName SentinelWorkspaceAzureGear -folderName .\AlertRules\
Once the command completes, count your Alert Rules; you should see something like the figure below.
Now it is time to import the workbooks. Run the PowerShell command below.
.\Scripts\ImportWorkbooks.ps1 -ResourceGroup workspaces -WorkbooksFolder .\Workbooks\ -WorkbookSourceId /subscriptionId/4858bb33-d8c5-4a26-86dd-d85c9cf73bda/resourceGroup/workspaces/workspaceName/sentinelworkspaceazuregear
Note: to retrieve the WorkbookSourceId, navigate to the Azure Sentinel workspace, click on Workbooks and copy the part of the URL starting at /subscriptionId/…
Once all workbooks are imported you will see something like the figure below.
And last but not least, let's import the Playbooks. Run the PowerShell command below.
.\Scripts\ImportPlaybooks.ps1 -ResourceGroup workspaces -PlaybooksFolder .\Playbooks\
Note: we are only importing the playbooks; you will still need to authorise the API connections used by some of the steps, such as Azure AD and Office 365, before they will run.
The output should look like the figure below.
That's it. You have just shortened an Azure Sentinel deployment from a couple of hours to a few minutes.
Now for the bonus part. Let's consolidate all these steps into an Azure Pipeline so that we can do smart things such as:
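The five commands above are the whole procedure, so here they are wrapped in a single idempotent script. This is an added example and not a script from the post's repository: it assumes the Az modules are installed, Connect-AzAccount has already been run, the working directory is the cloned Sentinel folder (so .\Scripts\Import*.ps1 and .\Onboard\law-Sentinel.json resolve), and the ImportAlerts.ps1 step has installed the AzSentinel module that Get-AzSentinelAlertRule comes from. The -WhatIfOnly switch and the post-deployment count are my additions.

```powershell
<#
  Deploy-Sentinel.ps1 (added example, not part of the original post's repository)
  Runs the post's steps in order and re-runs safely:
    1. resource group  2. workspace + Sentinel via ARM  3. alert rules
    4. workbooks       5. playbooks                     6. post-deployment check
  Assumes: Az.Accounts, Az.Resources, Az.OperationalInsights installed and
  Connect-AzAccount already done; run from the cloned Sentinel directory.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # e.g. Workspaces
    [Parameter(Mandatory)] [string] $WorkspaceName,       # e.g. SentinelWorkspaceAzureGear
    [string] $Location     = 'australiaeast',
    [string] $TemplateFile = '.\Onboard\law-Sentinel.json',
    [switch] $WhatIfOnly                                   # assumption: validate the template, change nothing
)
$ErrorActionPreference = 'Stop'

# 1. Resource group: create only when it does not exist, so re-runs are safe.
$rg = Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue
if (-not $rg) {
    $rg = New-AzResourceGroup -Name $ResourceGroupName -Location $Location
    Write-Host "Created resource group $($rg.ResourceGroupName)"
}

# 2. Validate the ARM template before deploying it; a bad template fails here
#    instead of leaving a half-created workspace behind.
$params = @{ workspaceName = $WorkspaceName }
$validation = Test-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
    -TemplateFile $TemplateFile -TemplateParameterObject $params
if ($validation) {
    $validation | ForEach-Object { Write-Error -Message $_.Message -ErrorAction Continue }
    throw "Template validation failed for $TemplateFile"
}
if ($WhatIfOnly) { Write-Host 'Template is valid; stopping before deployment.'; return }

$deployment = New-AzResourceGroupDeployment -Name "SentinelWorkspace-$(Get-Date -Format yyyyMMddHHmmss)" `
    -ResourceGroupName $ResourceGroupName -TemplateFile $TemplateFile -TemplateParameterObject $params
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Workspace deployment ended in state '$($deployment.ProvisioningState)'"
}

# Confirm the workspace really exists before importing anything into it.
$ws  = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName
$sub = (Get-AzContext).Subscription.Id
# WorkbookSourceId in the portal-URL form that ImportWorkbooks.ps1 expects (the post's
# command uses the lowercase form, so it is built lowercase here as well).
$workbookSourceId = "/subscriptionId/$sub/resourceGroup/$ResourceGroupName/workspaceName/$($ws.Name)".ToLower()

# 3-5. The post's own import scripts, in dependency order.
& .\Scripts\ImportAlerts.ps1    -workspaceName $WorkspaceName -folderName .\AlertRules\
& .\Scripts\ImportWorkbooks.ps1 -ResourceGroup $ResourceGroupName -WorkbooksFolder .\Workbooks\ -WorkbookSourceId $workbookSourceId
& .\Scripts\ImportPlaybooks.ps1 -ResourceGroup $ResourceGroupName -PlaybooksFolder .\Playbooks\

# 6. Post-deployment check: what actually landed in the workspace / resource group.
$summary = [pscustomobject]@{
    Workspace  = $ws.Name
    AlertRules = @(Get-AzSentinelAlertRule -WorkspaceName $WorkspaceName).Count
    Workbooks  = @(Get-AzResource -ResourceGroupName $ResourceGroupName -ResourceType 'microsoft.insights/workbooks').Count
    Playbooks  = @(Get-AzResource -ResourceGroupName $ResourceGroupName -ResourceType 'Microsoft.Logic/workflows').Count
}
$summary | Format-Table -AutoSize
if ($summary.AlertRules -eq 0) { throw 'No alert rules were imported; check the ImportAlerts.ps1 output.' }
$summary
```

Run it as `.\Deploy-Sentinel.ps1 -ResourceGroupName Workspaces -WorkspaceName SentinelWorkspaceAzureGear -WhatIfOnly` first to prove the template is valid, then without the switch. Whatever identity runs this (your account now, the pipeline's service connection later) only needs Contributor on the resource group; granting it Owner or subscription-wide rights gives the deployment far more than it uses.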
- Require approval for deploying all or any of the steps
- Automatically deploy new artifacts based on new code committed to the repository
- Create dependencies between the tasks
- Track changes and document changes
- Redeploy to any environment
Note: in this post I will not cover how you can achieve any of the above, as it is beyond the scope of what I want to cover. Perhaps in a future post.
The first step is to create a repository in your Azure DevOps project based on what is available in my GitHub, as displayed below.
Next, create a new Release Pipeline and add stages so that they are set up as shown below.
For the Create Resource Group stage, add an ARM template deployment task and configure it with the following arguments.
For the Create Sentinel stage, add an ARM template deployment task and configure it with the following arguments.
For the Import Alert Rules stage, add an Azure PowerShell script task and configure it with the following arguments. Make sure you set it to use PowerShell Core.
For the Import Workbooks stage, add an Azure PowerShell script task and configure it with the following arguments. Make sure you set it to use PowerShell Core.
For the Import Playbooks stage, add an Azure PowerShell script task and configure it with the following arguments. Make sure you set it to use PowerShell Core.
The last step is to create a Variable Group with the variables shown in the figure below. Once created, don't forget to link it to the pipeline. And we are done!
Create a new Release for your pipeline and you should get the same results as when you ran the scripts, but now you can start adding the smarts :)