Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Accelerate your Azure Sentinel Deployment with this Azure DevOps Boards Template
Published Aug 11 2020 07:23 AM 19.4K Views

This installment is part of a broader series to keep you up to date with the latest enhancements to the Azure Sentinel Devops template.

 

This blog is a collaboration between @Cristhofer Munoz  & @Matt_Lowe.

 

Huge shoutout to Vandy Rodrigues for this amazing idea! :smile:

Introduction

 

Threats are evolving just as quickly as data-volume growth, with bad actors exploiting every possibility and technique to gain access to the corporate network. At the same time, the risk surface has widened as companies shift to hybrid-cloud environments, adopt DevOps and Internet of Things (IoT) technologies, and expand their remote workforces.

 

Amid this landscape, organizations require a bird’s-eye view of security posture across the enterprise, hence a security information and event management (SIEM) system is a critical element.

Frankly, deploying a SIEM is not a trivial task. Organizations struggle with the number of tasks to adopt a SIEM due to the lack of an agile methodology to plan, execute, and validate its initial success and deploy into production.

 

To help alleviate this challenge, we’ve developed an Azure Sentinel DevOps Board Template which serves as a blueprint to understand the tasks and activities to deploy Azure Sentinel following recommended practices. By leveraging the Azure Sentinel DevOps Boards one can quickly start tracking user stories, backlog items, task, features, and bugs associated with your Azure Sentinel deployment. The Azure Sentinel DevOps Board is not a static template, it can be modified to reflect your distinctive needs. You will have the ability to quickly add and update the status of work using the Kanban board. You can also assign work to team members and tag with labels to support queries and filtering. 

 

For additional information on Azure Boards, please refer the public documentation.

 

In this template we provide prescriptive guidance for the following Azure Sentinel use cases:

 

  1. Define Use Cases
  2. Get Started with Azure Sentinel | Tutorials
  3. Onboard Azure Sentinel | Prerequisites
  4. Azure Sentinel Architecture
  5. Setup Azure Sentinel
  6. Data Collection
  7. Visualize your security data with Workbooks
  8. Enabling Analytics
  9. Respond to threats
  10. Proactive threat hunting
  11. Advanced Topics

 

2020-08-05_11-31-26.jpg

 

 

Getting Access | Azure DevOps Generator

 

The purpose of this initiative is to simplify the process and provide tactical guidance to deploy Azure Sentinel by providing an Azure Sentinel DevOps board template that provides the prescriptive guidance you need to get going with your deployment. To populate the Azure Sentinel board, we utilized the Azure DevOps Demo generator service to create pre-populated content. 

 

To get started:

 

1. Browse to the Azure DevOps Demo Generator site by selecting the link, or copy https://azuredevopsdemogenerator.azurewebsites.net/ into your browser's URL field.

 

2. Click Sign In and provide the Microsoft or Azure AD account credentials associated with an             organization in Azure DevOps Services. If you don't have an organization, click on Get Started for Free to create one and then log in with your credentials.

 

3. After signing in, you will arrive at the "Create New Project" page.

 

 

devopsgenerator.gif

 

 

4. Provide a name for your project (such as "AzSentinelDeployment") that you and other contributors can use to identify the project.

 

5.  Next, Select the organization you will use to host the project created by the Azure DevOps Demo Generator. (You may have multiple accounts of which you are a member, and which are associated with your login, so choose carefully.)

 

6. Lastly, select the demo project template you want to provision by clicking ... (Choose Template) button.

 

devopsgenerator2.gif

 

7.  A new pane will populate providing you the ability to select a pre-populated template. Click on the Azure Community tab, there you will find the Azure Sentinel Devops template.

 

choosetemplate.jpg

 

8. Select the Azure Sentinel Devops template and create the project. Your project may take a couple of minutes for the Demo Generator to provision. When it completes, you will be provided with a link to the demo project.

 

devopsgenerator3.gif

 

9. Select the link to go to the new demo Azure DevOps Services project and confirm it was successfully provisioned. You should arrive at the following page:

 

success.jpg

 

 

10. To access the Azure Sentinel backlog where you will find the features, user stories, and tasks to deploy Azure Sentinel, hover over Boards, and select Backlogs.  Make sure that you are viewing the Features hierarchy. The backlog page will be the main page you will visit to consume the recommended practices and detailed steps to deploy Azure Sentinel.

.

devopsgenerator4.gif

 

 

Adding Team Members 

 

1. Open your project, and then select Project settings > Teams. Then, select your project.

 

open-project-settings.png

 

2. Select Add to invite members to your project.

 

 

add-member-to-project.png

 

3. Add users or groups, and then choose Save.

 

add-user-or-group-to-project.png

 

Enter the email addresses of the new users, separated by semicolons, or enter the display names of existing users. Add them one at a time or all at once.

 

How to Use

 

The template is comprised of features, user stories, and tasks providing guidance and recommended practices for your Azure Sentinel deployment. The template should help your team to discuss, agree on acceptance criteria, delegate ownership, create iterations, track the progress and efficiently deploy Azure Sentinel.

 

Note: Please remember that the template is not static, it can be modified to your reflect distinctive needs. You have the ability to add your own features, user stories, and tasks to reflect your custom use cases.

 

In this template we provide prescriptive guidance for the following Azure Sentinel use cases:

 

  1. Define Use Cases
  2. Get Started with Azure Sentinel | Tutorials
  3. Onboard Azure Sentinel | Prerequisites
  4. Azure Sentinel Architecture
  5. Setup Azure Sentinel
  6. Data Collection
  7. Visualize your security data with Workbooks
  8. Enabling Analytics
  9. Respond to threats
  10. Proactive threat hunting
  11. Advanced Topics

 

The use cases above are listed as Features, comprised of user stories and tasks providing detailed steps to satisfy the use case. The user stories and tasks are nested within each feature. Each task under the user stories includes important information such as links to public documentation, blogs, and webinars that provide you the necessary information complete the task.

 

 

devopsgenerator5.gif

 

In total, there are 11 features that have been listed above. Features 1 through 4 cover any initial steps and pre-requisites for preparing your Azure Sentinel deployment. Features 5 through 11 cover the actual steps for setting up and exploring features with Azure Sentinel.

 

Feature 1: Define Use Cases

 

Defining use cases is the most important step for this entire process. There must be a need and use when pursuing the deployment of a product. To provide some ideas or guidance, Gartner has created an article that covers how to determine and build great use cases when deploying a SIEM.

 

Feature 2: Get Started with Azure Sentinel | Tutorials

 

To help introduce and prepare you for the deployment of Azure Sentinel, this feature includes the well put together Azure Sentinel Ninja Training with additional Kusto training to assist. This training is to help introduce the concepts and features of the product with materials to help educate and prepare your users for day to day usage of Azure Sentinel.

 

Feature 3: Onboard Azure Sentinel | Prerequisites

 

It is important to identify and understand what the prerequisites are for deploying and using Azure Sentinel. To assist with this, this feature in the template provides a list of prerequisites as well as any associated documents that provide additional information that will help with addressed them.

 

Feature 4: Azure Sentinel Architecture

 

The design of a SIEM is as important as the SIEM itself. When deploying, it is essential to anticipate design, architecture, and best practices. To provide some guidance and advice, a blog that covers the best practices for implementing Azure Sentinel and Azure Security Center is included.

 

Along with the best practices for implementing Azure Sentinel, it is essential to understand the costs associated with using the product. Azure Sentinel as a service is mostly free but it is important to understand where the costs are coming from and how you can project costs when reviewing data ingestion options and volume. The Azure Calculator is an invaluable tool that assists with this process and can provide insight into how much it will cost to ingest data that is not free.

 

Feature 5: Setup Azure Sentinel

 

The use cases have been determined. The learning material has been reviewed. The prerequisites are understood. The architecture is set and the costs are projected. It is time to begin to take action and deploy the resources to set up Azure Sentinel. As covered in the Ninja training, Azure Sentinel is built on top of the Azure Log Analytics service. This service will serve as the main point for ingestion and log retention. The Azure Log Analytics is where one will collect, process, and store data at cloud scale. For reference, documentation for creating a new workspace is listed in this feature. Once the workspace is ready to go, it is time to onboard it to Azure Sentinel. The documentation for onboarding the workspace is also included in the feature.

 

Once the service is set up, it is time to determine the permissions that are needed for the users that will be using it. Azure Sentinel has 3 different roles backed by Azure role-based access control (Azure RBAC) to provide built-in roles that can be assigned to users, groups, and services in Azure. The document with the roles is listed in the feature. Additionally, permissions can be assigned on the table level for data in order to prevent users from seeing certain data types if desired. 

 

Feature 6: Data Collection

 

Data ingestion is the oxygen of Azure Sentinel. Azure Sentinel improves the ability to collect and use data from a variety of sources to unblock customer deployments and unlock full
SIEM value.

 

Setting up data collection begins not only the data ingestion, but also the machine learning capabilities of Azure Sentinel. When exploring the dozens of connectors that are available out of the box, we recommend to enable the Microsoft security data connectors first.  Once first part connectors are chosen, it is time to explore the 3rd party connectors. Each connector listed in this feature includes a description and a reference to the associated document. 

 

image.png

 

Data collection.gif

 

Feature 7: Visualize your security data with Workbooks

 

Once data begins to be ingested, it is time to visualize the data to monitor trends, identify anomalies, and present useful information within Azure Workbooks. Out of the box, there are dozens of built-in Workbooks to choose from as well as several from the Azure Sentinel GitHub community page. Within the feature for Workbooks are a few sample Workbooks to consider. Not every data source or connector will have a Workbook but there are quite a few that can be useful.

 

Feature 8: Enabling Analytics

 

One of the main features of Sentinel is its ability to detect malicious or suspicious behaviors based on the MITRE attack framework. Out of the box, there are over 100 different detections built in that were made by Microsoft Security Professionals. These are simple to deploy and the feature in the template provides documentation for deploying the template detection rules, as well as the document for creating your own custom detection rules.

 

Feature 9: Respond to threats

 

To compliment its SIEM capabilities, Azure Sentinel also has SOAR capabilities. This feature contains helpful documents for setting up Playbooks for automated response, deploying Playbooks from the GitHub repository, and how to integrate ticket managing services via Playbooks.

 

Feature 10: Proactive threat hunting

 

To go along with the reactive features, Azure Sentinel also provides proactive capabilities that provide you the ability to proactively search, review, and respond to undetected or potentially malicious activities that may indicate a sign of intrusion/compromise. Azure Sentinel offers dozens out of the box hunting queries that identify potentially exploitable or exploited areas and activities within your environment. This feature within the template provides links and information to ignite your proactive threat hunting journey with out the box threat hunting queries, bookmarks, Azure Notebooks, and livestream.

 

Feature 11: Advanced Topics

 

If desired, Azure Sentinel can be deployed and managed as code. To help provide context and guidance, this feature within the template includes a blog post that covers how one can deploy and managed Azure Sentinel as code.

 

Assign work items to a team member

 

You can only assign a work item to one person at a time. The Assigned To field is a person-name field designed to hold an user identity recognizable by the system. Within the work item form, choose the Assigned To field to select a project member. Or, you can begin typing the name of a project member to quickly focus your search to a select few.

 

assign.jpg

 

 

Tracking Progress with Boards

 

Azure DevOps utilizes a progress tracking approach that is similar to Agile project management. Boards lists each task, the state of progress, and the individuals that are assigned to the tasks. As the tasks are worked on, they will move within the Board until they are closed. The tasks can also be clicked and dragged around the Board as desired. This will provide you the blueprint understanding the completed and outstanding tasks for your Azure Sentinel deployment.

 

Board.gif

 

What's Next

 

The current version of the Azure Devops Board template provides you the blueprint to understand the tasks and recommended practices to onboard to Azure Sentinel. The next iteration will incorporate a CI/CD pipeline that will enhance and automate the tasks/phases covered in the Azure Devops Board template. The CI/CD pipeline will automate your Azure Sentinel deployment so you spend less time with the nuts and bolts and more time securing your environment.

 

Get started today!

 

Supercharge your cloud SIEM today!

 

We encourage you to leverage the Azure Sentinel Devops Board template to accelerate your Azure Sentinel deployment following recommended practices.

 

Try it out, and let us know what you think!

 
4 Comments
Brass Contributor

Hi @Cristhofer Munoz 

Thanks for sharing as it is a great starting point for new Azure Sentinel projects.


Is there an option to import the template and/or its components (work items, board, etc) to an existing DevOps Project?

 

I can see on the demo portal that there is the option to build your own template. Though, the files exported can only be used to import to a new project from what I can see.

 

Thanks,
Caio

HI @caiodaruizcorrea ,

 

Hope this message finds you well. Thank you for your comment! At the moment, it can only be used to import to a new project. 

Copper Contributor

This is a really great best practices tool--it would be great to see this extended to 365 Defender and configs there as well. 

Brass Contributor

It would be great to combine this in a single Azure DevOps project with Deploying and Managing Azure Sentinel as Code - Microsoft Tech Community

Version history
Last update:
‎Nov 02 2021 06:08 PM
Updated by: