Learning Path 7 - Lab 1 - Exercise 11 - Use Repositories in Microsoft Sentinel
Lab scenario
You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You already created Scheduled and Microsoft Security Analytics rules. You need to centralize analytical rules in an Azure DevOps repository. Then connect Sentinel to the Azure DevOps repository and import the content.
Note: An interactive lab simulation is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.
Task 1: Create and export an analytical rule
In this task, you will enable Entity behavior analytics in Microsoft Sentinel.
-
Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.
-
In the Sign in dialog box, copy and paste in the Tenant Email account provided by your lab hosting provider and then select Next.
-
In the Enter password dialog box, copy and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.
-
In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.
-
Select your Microsoft Sentinel Workspace.
-
Select Analytics under the Configuration area from the left blade.
-
Select the Startup RegKey rule that you created earlier.
-
Select the Export from the toolbar. Hint: You might need to select the ellipsis icon (…) to see it.
-
The rule is exported to a text file named Azure_Sentinel_analytic_rule.json.
-
Select Open file below the name of the downloaded file and then select More apps.
-
Select Notepad and then select OK.
-
Review the Azure Resource Manager template and the close it when done.
Task 2: Create our Azure DevOps environment
In this task, you will create an Azure DevOps repository.
-
Open another tab in the browser and navigate to https://aexprodcus1.vsaex.visualstudio.com/me?mkt=en-US.
-
On the We need a few more details page, select Continue.
-
On the Get started with Azure DevOps page, select Create new organization and then select Continue.
-
On the Almost done… page, enter a name for your DevOps organization that you would not want to use in the future, like for example, your tenant prefix. Hint: It can be found in the Resources tab of your lab (WWLx…).
-
Enter characters you see, then Continue.
-
On the Create a project to get started page, enter My Sentinel Content and then select Create project.
-
Navigate to Repos on the left pane.
-
At the bottom of the page in the area Initialize main branch with a README or gitignore, select Initialize.
-
The page should show the Files for the Repo. the only file is README.me.
-
On the Files (right side of the page) blade, the toolbar include options Set up build, Clone, … Select the colon icon (:) to show more options.
-
Select Upload Files.
-
Select Browse and select the file Azure_Sentinel_analytic_rule.json from your Downloads directory.
-
Select Commit.
-
Select Azure DevOps on the top left corner of the page. This display your organization and projects.
-
Select Organization settings from the bottom left of the page.
-
Select Policies under the Security area of the left blade.
-
Toggle On Third-party application access via OAuth under the Application connection policies area.
Task 3: Connect Sentinel to Azure DevOps.
-
Select the Azure Portal/Microsoft Sentinel tab in your browser.
-
In Microsoft Sentinel, select Repositories (Preview) in the Content Management section.
-
Select + Add new button from the toolbar.
-
For the name enter My Content.
-
For Source control, select Azure DevOps.
-
Select Authorize. Scroll down the permissions request and then select Accept.
-
Select the Organization your created earlier (e.g. WWLx…).
-
Select the Project you created earlier, My Sentinel Content.
-
Select the Repository you created earlier, My Sentinel Content. Hint: You might need to scroll down within the drop-down to see the repository.
-
Select the Branch main. Hint: You might need to scroll down within the drop-down to see the branch.
-
Select all content types.
-
Then select Create.
-
Go back to Microsoft Sentinel workspace if needed
-
Go to the Repositories (Preview) page, select Refresh. Wait until Last deployment status is Failed.
Note: The Failed status is due to limitations in the hosted lab environment. You would normally see Succeeded. Then you can see in the Analytics the imported rule Rule from Azure DevOps.