Getting Started with Azure DevOps CI/CD for Microsoft Sentinel
Automate deployment of Security content in Sentinel

Introduction
Those who love creating security content for Microsoft Sentinel will greatly appreciate CI/CD (Continuous Integration / Continuous Deployment) for it, as it dramatically improves deployment efficiency and enables sharing security content across multiple workspaces in a matter of minutes. Especially for an MSSP, CI/CD saves tremendous hours of valuable time that can be spent elsewhere, like developing more security content such as custom detections, automation, threat hunting queries and more.
I spent a considerable amount of time researching, testing and failing at these tasks, but finally got the hang of it and made it work! Therefore, I would like to share what we can all achieve while working with Azure DevOps to develop CI/CD for Microsoft Sentinel. I must admit I still have a lot to learn, as DevOps itself is a humongous topic with virtually unlimited new tools and technologies making lives easier, or should I say more complex, for the teams. Anyway, I will cover basic definitions first, and then elaborate on a CI/CD demonstration for a Parser and a detection rule for Microsoft Sentinel using various methods.

What is CI/CD?
After scratching my head for a few days, I now have enough confidence to say that I fully understand CI/CD. First, let’s break CI and CD into the two stages they are:
CI: Continuous Integration
It refers to the practice of merging code. Throughout the development process, developers write code and merge it many times into a central code repository. That repository usually lives in a source control service such as Azure Repos or GitHub, using the most popular version control system, Git. This approach allows integration issues and conflicts to be detected early, because the code is continually tested and integrated with the main codebase. For security content, this process may of course include static code analysis as well.
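To make the "continually tested" part concrete for Sentinel content, here is an added example (not code from the original post) of the kind of static check a CI stage can run on every merge: a small Python gate that validates analytic-rule definitions before they are allowed into the main branch. It assumes rules are kept as code with the field names used by Sentinel's content-as-code YAML (name, severity, query, tactics, queryFrequency and so on) and that durations are written in the 1h / 1d style; the two sample rules are constructed for this example, and the checks themselves are this example's own choices, not an official Sentinel validator.

```python
"""CI gate for Microsoft Sentinel analytic-rule definitions (added example).

Assumptions: rules are stored as code with the Sentinel content-as-code
field names, durations look like "30m", "1h" or "1d", and the sample rules
below are constructed for this example.
"""
import re
import sys

REQUIRED_FIELDS = ("id", "name", "description", "severity", "query", "tactics", "kind")
VALID_SEVERITIES = {"Informational", "Low", "Medium", "High"}
VALID_KINDS = {"Scheduled", "NRT"}
# Scheduled rules additionally need their schedule and trigger settings.
SCHEDULED_FIELDS = ("queryFrequency", "queryPeriod", "triggerOperator", "triggerThreshold")
DURATION_RE = re.compile(r"^\d+[mhd]$")  # assumption: "30m", "1h", "1d" style durations


def _balanced_parens(text):
    """Cheap KQL sanity check: every '(' has a matching ')' in order."""
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def validate_rule(rule):
    """Return a list of problems found in one rule definition (empty = pass)."""
    errors = []
    for field in REQUIRED_FIELDS:
        if rule.get(field) in (None, ""):
            errors.append(f"missing required field '{field}'")
    sev = rule.get("severity")
    if sev and sev not in VALID_SEVERITIES:
        errors.append(f"severity '{sev}' is not one of {sorted(VALID_SEVERITIES)}")
    kind = rule.get("kind")
    if kind and kind not in VALID_KINDS:
        errors.append(f"kind '{kind}' is not one of {sorted(VALID_KINDS)}")
    if kind == "Scheduled":
        for field in SCHEDULED_FIELDS:
            if rule.get(field) in (None, ""):
                errors.append(f"scheduled rule needs '{field}'")
        for field in ("queryFrequency", "queryPeriod"):
            value = rule.get(field)
            if isinstance(value, str) and not DURATION_RE.match(value):
                errors.append(f"'{field}' value '{value}' is not a duration like 1h or 1d")
    if "tactics" in rule and not isinstance(rule["tactics"], list):
        errors.append("'tactics' must be a list")
    query = rule.get("query")
    if isinstance(query, str) and query.strip() and not _balanced_parens(query):
        errors.append("query has unbalanced parentheses")
    return errors


def ci_gate(rules):
    """Validate every rule and return the exit code for the pipeline step:
    0 when all rules pass, 1 when any rule fails (so the merge is blocked)."""
    failed = 0
    for name, rule in rules.items():
        problems = validate_rule(rule)
        if problems:
            failed += 1
            print(f"FAIL {name}")
            for problem in problems:
                print(f"  - {problem}")
        else:
            print(f"OK   {name}")
    return 1 if failed else 0


# Constructed sample rules (not real detections from the post).
GOOD_RULE = {
    "id": "00000000-0000-0000-0000-000000000001",
    "name": "Example: successful sign-ins per user",
    "description": "Constructed sample rule that passes every check.",
    "severity": "Medium",
    "kind": "Scheduled",
    "queryFrequency": "1h",
    "queryPeriod": "1d",
    "triggerOperator": "gt",
    "triggerThreshold": 0,
    "tactics": ["InitialAccess"],
    "query": "SigninLogs | where ResultType == 0 | summarize count() by UserPrincipalName",
}

BAD_RULE = {
    "id": "00000000-0000-0000-0000-000000000002",
    "name": "Example: broken rule",
    "description": "Constructed sample rule with four defects.",
    "severity": "Critical",          # not a Sentinel severity
    "kind": "Scheduled",
    "queryFrequency": "1 hour",      # not in the expected duration format
    "queryPeriod": "1d",
    "triggerOperator": "gt",
    "triggerThreshold": 0,
    # "tactics" is missing
    "query": "SigninLogs | where (ResultType == 0 | count",  # unbalanced parenthesis
}

if __name__ == "__main__":
    sys.exit(ci_gate({"good_rule.yaml": GOOD_RULE, "bad_rule.yaml": BAD_RULE}))
```

Wired into a pipeline as a script step on pull requests, a non-zero exit code from `ci_gate` fails the build, so a rule with a missing tactic or a malformed schedule never reaches the branch that the CD stage deploys to the workspaces.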