SOLVED

Creating Sentinel instances with code

Respected Contributor

I would like to use an infrastructure as code approach to create multiple Azure Sentinel instances consistently. Can anyone point me to some resources that would provide some recommendations about how this can be done?

8 Replies
best response confirmed by Dean Gross (Respected Contributor)
Thanks for the comprehensive list of resources. Looks like I need to do some reading so that we can make some good decisions

@Dean Gross I would also add: https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Sentinel-All-In-One as it has 90% of what needs to be done already done. There is also a sub-folder, MSSPVersion, that sets up Azure Lighthouse as well.

Thanks, obviously we already have some things :grinning_face: . I just want to become more knowledgeable about the options
I think you will be able to get most of the deployment done automatically but some of the data connectors will still need to be done manually.
How can we determine which connectors can be automatically configured?
Our stable API has the list of things that can be deployed programmatically: https://docs.microsoft.com/en-us/rest/api/securityinsights/dataconnectors/createorupdate

There are other connectors outside of that list that are based on diagnostic settings or solutions on top of the Log Analytics workspace, which can also be enabled programmatically.

Regards
I am not sure which kind of IaC you are searching for, but Terraform releases resources for Sentinel each week :)
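To illustrate the Terraform route mentioned above together with the "only API-backed connectors can be automated" point from the earlier reply, here is an added example (not code from this thread or from the Sentinel All-In-One repo) that creates several Sentinel instances from one map. It assumes the azurerm provider 3.x, that the named resource groups already exist, and uses constructed workspace names and regions.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Constructed inventory: one entry per Sentinel instance to create.
variable "workspaces" {
  type = map(object({
    resource_group = string
    location       = string
  }))
  default = {
    prod-eu = { resource_group = "rg-sentinel-prod-eu", location = "westeurope" }
    prod-us = { resource_group = "rg-sentinel-prod-us", location = "eastus" }
  }
}

# One Log Analytics workspace per map entry, with identical settings everywhere.
resource "azurerm_log_analytics_workspace" "sentinel" {
  for_each            = var.workspaces
  name                = "law-sentinel-${each.key}"
  location            = each.value.location
  resource_group_name = each.value.resource_group
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

# Onboard each workspace to Microsoft Sentinel.
resource "azurerm_sentinel_log_analytics_workspace_onboarding" "sentinel" {
  for_each     = azurerm_log_analytics_workspace.sentinel
  workspace_id = each.value.id
}

# A connector that is backed by the dataConnectors API and therefore has a
# Terraform resource; connectors outside that API still need manual enabling.
resource "azurerm_sentinel_data_connector_azure_active_directory" "aad" {
  for_each                   = azurerm_sentinel_log_analytics_workspace_onboarding.sentinel
  name                       = "aad-${each.key}"
  log_analytics_workspace_id = each.value.workspace_id
}
```

Adding another workspace is then a single new entry in the map, and `terraform plan` shows exactly which instances and connectors differ from the desired state.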