It would be really nice to have a similar write-up to this for STATv2, which uses functions for the modules and not logic apps (which more Sentinel admins are used to).
STAT seems great, but I guess the logic-app-based approach seems to be getting deprecated and it is now using functions, and the GitHub docs do not even describe how to add the additional function modules.
After some playing with it, I do see they seem to be loaded as an action in the "sample" stat triage logic app, which I almost did not install since it is optional.
Overall, this is the sort of thing that seemed cool, but now there is a major shift in how to actually use it, and it is not explained in something like this (or elsewhere I can find in a Google search), or in the GitHub docs.
I honestly think even my smarter admin clients will fail on the various parts of this. This is just not ready for someone who does not want to have another research task and some pet to water and feed.
Switching to functions and abandoning the logic app approach (which, again, is what Sentinel primarily uses for basic automations and what admins are used to) is also indicative to me of an initial lack of planning, and I worry that this is just stuff I will be deleting two years from now.
How can I tell a client to use this when I cannot even explain how to add a new function module? Recommending this would put me in a place where I am telling my clients that they need admins for their Sentinel deployment who can understand:
- Logic apps (not a ton of Windows admins have experience with this, but they can learn over time)
- KQL (again, not that many admins have a lot of this, and I have to spend a lot of time growing this area)
- All of the Sentinel portal (what happens where and why)
- The XDR (Defender portal; don't get me started on name changes; more and more it seems investigations are being shifted to the XDR portal)
- Notebooks (this is essentially app dev, and almost none of my clients have an embedded SME programmer to do much with this)
- Functions? So now I need to tell my clients that one of their people needs to know how to plan for, add, and secure functions, app plans, deployment slots, etc.?
It is just a lot to ask for the quoted reason for the v2 changes, "performance gains". So now, if I put this in an environment, I need to be able to explain the choices and the maintenance, and the GitHub docs do not really even do that.
I cannot recommend this at this time, and people should really think about whether they should rely on this solution and put it into prod.
Also, the script should check the PowerShell version and add a note to the installer. This area was clunky too.
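As an added illustration of the version check the comment above asks for (this is example code written for this page, not the STAT project's installer and not the commenter's own code), here is a prerequisite check an installer script could run first. The minimum version of 7.0 and the function name are assumptions chosen for the example; substitute whatever the real installer actually requires.

```powershell
# Added example: a prerequisite check for an installer script.
# The 7.0 minimum is an assumption for illustration, not a STAT requirement.

function Test-InstallerPrerequisites {
    [CmdletBinding()]
    param(
        [Version]$MinimumVersion = [Version]'7.0'
    )

    # PSVersion is System.Version on Windows PowerShell 5.1 and
    # SemanticVersion on PowerShell 7+, so compare Major/Minor explicitly
    # rather than relying on a cross-type -ge.
    $current = $PSVersionTable.PSVersion
    $edition = $PSVersionTable.PSEdition

    $ok = ($current.Major -gt $MinimumVersion.Major) -or
          ($current.Major -eq $MinimumVersion.Major -and $current.Minor -ge $MinimumVersion.Minor)

    $note = if ($ok) {
        "PowerShell $current ($edition) meets the minimum of $MinimumVersion."
    } else {
        "PowerShell $current ($edition) is below the minimum of $MinimumVersion. " +
        "Install PowerShell $MinimumVersion or later and re-run the installer."
    }

    # Return a structured result so a wrapping script can log or branch on it.
    [pscustomobject]@{
        Supported      = $ok
        CurrentVersion = $current
        MinimumVersion = $MinimumVersion
        Edition        = $edition
        Note           = $note
    }
}

# Installer preamble: surface the note to the operator and stop early if unsupported.
$check = Test-InstallerPrerequisites
Write-Host $check.Note
if (-not $check.Supported) {
    # Non-zero exit so a calling pipeline or deployment job notices the failure.
    exit 1
}
```

Placing this at the top of the installer, before any Az module calls, means an operator on Windows PowerShell 5.1 gets one clear message instead of a cmdlet failure partway through the deployment.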