Backing up Sentinel and the Security subscription
A lot of people ask about how Security Operations can effectively back up all of the Sentinel related objects. One option is to use GitHub or Azure DevOps pipelines to get a daily backup. I've been doing this for a very long time and it seems like a good forum to share that code. The trick behind it has been to use PowerShell to derive the current API versions for Azure objects. Once you do that, you can recursively download the whole subscription to a repo and then scripts can renerate reports using markdown and yaml. I've been backing up my subscription reliably since 2021. The default project creates reports for all the Sentinel related elements. Markdown lets the object reports be drilled down into... And KQL is presented as YAML for readability. It's actually easy to deploy all the backedup JSON files through REST if needed but for most of us, being able to have readable KQL and Git History of changes in files is probably all we need. This project is completely written in PowerShell with no compiled modules & anyone is freely welcome to it. I've written more about it here: https://www.laurierhodes.info/node/168 ... and the source code and install documentation can be found here: https://github.com/LaurieRhodes/PUBLIC-Subscription-Backup I hope this is of use to the community! 🙂 Best Regards LaurieEssential solutions
There are currently 10 different solutions with Essentials in their title and many of them have very similar titles, e.g. DNS, Network Session and Network Threat Protection. Do other firms typically recommend/install all of these? Does Microsoft consider this to be the recommended "starter set"?
ASIM built-in functions in Sentinel, are they updated automatically?
Are the ASIM built-in functions in Sentinel automatically updated? For example, the built-in parsers such for DNS, NetworkSession, and WebSession. Do the built-in ones receive automatic updates or will the workspace-deployed versions of these parsers be the most up-to-date? And if true, would it be recommended to use workspace-deployed version of parsers that already come built-in?
Unified SecOps XDR
Hi, I am reaching out to community to seek understanding regarding Unified SecOps XDR portal for Multi-tenant Multi-workspace. Our organization already has a Azure lighthouse setup. My question is if M365 lighthouse license also required for the Multi-tenant Multi-workspace in unified SecOps XDR portal?
Fetching alerts from Sentinel using logic apps
Hello everyone, I have a requirement to archive alerts from sentinel. To do that I need to do the following: Retrieve the alerts from Sentinel Send the data to an external file share As a solution, I decided to proceed with using logic apps where I will be running a script to automate this process. My questions are the following: -> Which API endpoints in sentinel are relevant to retrieve alerts or to run kql queries to get the needed data. -> I know that I will need some sort of permissions to interact with the API endpoint. What type of service account inside azure should I create and what permissions should I provision to it ? -> Is there any existing examples of logic apps interacting with ms sentinel ? That would be helpful for me as I am new to Azure. Any help is much appreciated !
Can we deploy Bicep through Sentinel repo
Hi there, Im new here, but 😅.... With the problem statement being "Deploying and managing sentinel infrastructure through git repository. I had looked into Sentinel Repository feature which is still in Preview. With added limitations of not being able to deploy watchlists or custom log analytical functions ( custom parsers ). There is also a limitation of deploying only ARM content My guess would be that the product folks at msft are working on this 😋 My hypothesized (just started the rnd, as of writing this) options would be to Fully go above and beyond with Bicep; Create bicep deployment files for both the rules as well as their dependencies like LAW functions, watchlists and the whole nine yards. Need to write pipelines for the deployment. The CI/CD would also need extra work to implement Hit that sweet spot; Deploy the currently supported resources using sentinel repo and write a pipeline to deploy the watchlists using Bicep. But not sure if this will be relevant to solutions to clients. When the whole shtick is that we are updating now so we dont have to later. Go back to the dark ages: Stick to the currently supported sentinel content through ARM & repo. And deploy the watchlists and dependencies using GUI 🙃 I will soon confirm the first two methods, but may take some time. As you know, I may or may not be new to sentinel...or devops.. But wanted to kick off the conversation, to see how close to being utterly wrong I am. 😎 Thanks, mal_secGITHUB - AI Sentinel attack simulation
The recent support for Model Context Protocol (MCP) with Claude Desktop has opened the door for some really useful testing capability with Sentinel and emerging threats. I'm happy to share with the community a GitHub project that demonstrates the use of MCP against current exploits to generate simulated attack data that can be used with testing migrated ASIM alert rules. MCP allows for up-to-date exploits to be queried... ... and with AI prompting, simulated attack events can be created against our Sentinel test environments. Which results in a simulated attack based on the exploit being referenced. This is really useful for testing the migration of our Sentinel alert rules to ASIM! The full code and details about the project are available here: https://laurierhodes.info/node/175Working around the "Analytics rule start time" for mass deploying using Workspace Manager
Hi! What are some of your thoughts/experiences of working around the "The Analytics rule start time must be between 10 minutes and 30 days from now" for mass deploying using Workspace Manager? Lets say I have 100 Analytic rules that I want to deploy to current customer using Workspace manager. This goes fine, but when a new customer arrives 1 month later, I have to redo the start time of all the Analytic rules that hasn't been changed in the last month. Doing this manually is just not an option. What I can see as a possible solution, is to use Repositories at the same time, where I would use a script to mass update the start time for all rules I need. Then sync back to Analytic rules and deploy again to new customer.Sentinel Solution Deployment via GitHub
Over the past couple years I have been working exclusively with LogRhythm and while I have deployed Sentinel a few times in the past, I have never attempted to do so using GitHub Actions. I seem to be relatively close to getting it deployed but have been struggling for the last couple days and have been unable to find (or overlooked) documentation to guide me in the right direction, so I thought I'd reach out to find out if anyone can help me out. Goals Central management of Sentinel across multiple tenants using Lighthouse Content such as Analytic Rules, Hunting Queries, Playbooks, Workbooks.. must be centrally managed across each tenant. I will have limited access to tenants and need a simple templated deployment process to handle the majority of the Sentinel deployment in tenants, ideally, I will provide the client with a deployment template and once deployed, it will have the the same content as the central management tenant. I have not yet decided whether to use Workspace manager, however, I will need to protect intellectual property so this will likely be a requirement (MSSP) I have been trying out the GitHub deployment and have mostly been running into issues with the solution deployment since the ARM Templates I have been creating don't seem to work. I get "Failed to check valid resource type." errors followed by "The file contains resources for content that was not selected for deployment. Please add content type to connection if you want this file to be deployed." warnings for most content. I have been able to get some working, specifically the Analytic Rules and Playbooks, and have not spent time on the Hunting Queries or Workbooks yet since I have rather been focused on the Solutions and while I make a bit of progress each day, I still feel like I am missing something simple, most likely related to the deployment script which Sentinel generates when connected to GitHub? Perhaps I am not deploying the required resources in the correct order? Now I am in the very early stages of planning and may very well not need to deploy solutions via GitHub if using the workspace manager (still to be verified), but it is killing me because I have not been able to figure it out in the last couple days! Does anyone know of a document that explains the process for those of us that don't spend a considerable amount of time using GitHub/DevOps?
