Share your Microsoft security ideas with the community.
In Microsoft Sentinel, the features used for incident management (analytic rules, hunting queries, playbooks, workbooks and more) can be customized for almost any situation an analyst runs into. That customizability has led the Microsoft Sentinel community to publish thousands of contributions on GitHub.
In this blog, we show how to turn your Microsoft Sentinel features into files that you can share with the community. We also discuss ways to improve the usability of the features you post on GitHub.
Share Analytic Rules
Analytic rules are commonly shared because they detect all kinds of potentially malicious activity. There is no button that exports an analytic rule as an ARM template, so you have to copy the query and the rule's other settings (display name, severity, run frequency, lookback period, tactics) into an analytic rule ARM template yourself. The easiest way to get a starting template is to download any shared analytic rule JSON file and replace its values with your own. Before you publish the rule, make sure the query only references tables that exist in a default workspace and strip any environment-specific names (workspace names, internal host names, subscription IDs) from the query and its settings.
Share Hunting Queries
Shared hunting queries help others find information that would otherwise require advanced querying knowledge. Hunting queries have the same problem as analytic rules: there is no easy export. To make a sharable ARM template version of a hunting query, download an existing hunting query JSON file and replace its values (query, display name, description and tactics) with your own.
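The two "download a shared JSON file and replace the values" steps above can be scripted so that the result is always a well-formed template. The Python below is an added example and is not code from the original post or from Microsoft; it builds the ARM template for a scheduled analytic rule and for a hunting query from a KQL query and its settings, parameterized only by workspace name. It also enforces the scheduled-rule limits that a hand-edited template would otherwise only fail at deployment time (frequency and lookback between 5 minutes and 14 days, lookback not shorter than frequency). The `apiVersion` values, the sample KQL query and the field names of the helper functions are assumptions made for the example.

```python
import json
import re
import uuid

# Microsoft Sentinel limits for scheduled rules: the run frequency and the
# lookback period are each between 5 minutes and 14 days, and the lookback
# period must not be shorter than the frequency.
MIN_MINUTES = 5
MAX_MINUTES = 14 * 24 * 60
SEVERITIES = ("Informational", "Low", "Medium", "High")

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def iso_duration_minutes(value):
    """Convert an ISO 8601 duration such as PT5M, PT1H or P1D to whole minutes."""
    match = _DURATION.match(value)
    if not match or not any(match.groups()):
        raise ValueError(f"unsupported ISO 8601 duration: {value!r}")
    days, hours, minutes = (int(g) if g else 0 for g in match.groups())
    return days * 24 * 60 + hours * 60 + minutes


def _workspace_template(resource):
    """Wrap one Sentinel resource in an ARM template whose only parameter is the workspace name."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "workspace": {
                "type": "string",
                "metadata": {"description": "Name of the Log Analytics workspace Microsoft Sentinel is enabled on"},
            }
        },
        "resources": [resource],
    }


def scheduled_rule_template(display_name, description, query, severity, tactics,
                            frequency="PT1H", period="PT1H", rule_id=None):
    """Build an ARM template for a scheduled analytic rule, validating the settings first."""
    freq = iso_duration_minutes(frequency)
    look = iso_duration_minutes(period)
    for label, minutes in (("queryFrequency", freq), ("queryPeriod", look)):
        if not MIN_MINUTES <= minutes <= MAX_MINUTES:
            raise ValueError(f"{label} must be between 5 minutes and 14 days, got {minutes} minutes")
    if look < freq:
        raise ValueError("queryPeriod (lookback) must not be shorter than queryFrequency")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}, got {severity!r}")
    rule_id = rule_id or str(uuid.uuid4())  # fresh GUID so two shared rules never collide
    resource = {
        "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
        "apiVersion": "2022-11-01-preview",  # assumption: use the API version your tenant accepts
        "name": f"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/{rule_id}')]",
        "kind": "Scheduled",
        "properties": {
            "displayName": display_name,
            "description": description,
            "severity": severity,
            "enabled": True,
            "query": query,
            "queryFrequency": frequency,
            "queryPeriod": period,
            "triggerOperator": "GreaterThan",
            "triggerThreshold": 0,
            "suppressionDuration": "PT1H",
            "suppressionEnabled": False,
            "tactics": list(tactics),
            "incidentConfiguration": {"createIncident": True},
        },
    }
    return _workspace_template(resource)


def hunting_query_template(display_name, description, query, tactics, query_id=None):
    """Build an ARM template for a hunting query (a saved search in the 'Hunting Queries' category)."""
    query_id = query_id or str(uuid.uuid4())
    resource = {
        "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
        "apiVersion": "2020-08-01",  # assumption: use the API version your tenant accepts
        "name": f"[concat(parameters('workspace'),'/{query_id}')]",
        "properties": {
            "Category": "Hunting Queries",
            "DisplayName": display_name,
            "Query": query,
            "Version": 2,
            "Tags": [
                {"Name": "description", "Value": description},
                {"Name": "tactics", "Value": ",".join(tactics)},
            ],
        },
    }
    return _workspace_template(resource)


if __name__ == "__main__":
    # Constructed sample query for the example; not taken from a real tenant.
    query = (
        "SigninLogs\n"
        '| where ResultType == "50126"\n'
        "| summarize Failures = count() by UserPrincipalName, IPAddress\n"
        "| where Failures > 20"
    )
    rule = scheduled_rule_template(
        "Repeated sign-in failures from one IP",
        "Twenty or more failed sign-ins per user and source IP within an hour.",
        query, "Medium", ["CredentialAccess"], frequency="PT1H", period="PT1H",
    )
    print(json.dumps(rule, indent=2))
```

Save the printed JSON as the file you share. The template deliberately has no workspace resource ID, subscription ID or location baked in: the deployer supplies only the workspace name, which is what makes the same file deployable in any tenant.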
Share Playbooks
By sharing playbooks, analysts can share the response actions they use during incident management. The playbook (Logic App) designer has a code view that shows the JSON definition you need for the playbook ARM template. Copy this code into a text editor and save it as a JSON file. Note that the exported definition embeds the subscription ID, resource group and API connection IDs of your own environment, so strip or parameterize those before you publish the file.
Share Workbooks
Shared workbooks give analysts new ways of viewing security data in their environments. Workbooks also have a code view; to share your workbook, move the slider in the code view from "Gallery Template" to "ARM Template" to get a deployable version.
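Both the playbook code view and the workbook ARM template export contain resource IDs from the environment they were exported from, and publishing them as-is both leaks your subscription and tenant identifiers and produces a template that cannot deploy anywhere else. The Python below is an added example, not code from the original post or from Microsoft: it walks an exported definition, rewrites every literal resource ID (`/subscriptions/<guid>/resourceGroups/<name>/providers/...`) into an ARM `concat()` expression that resolves in the deployer's subscription and resource group, and reports every other string that still carries a GUID (tenant IDs, object IDs, IDs buried inside a workbook's serialized data) for manual review. The sample export, its GUIDs and the function names are constructed for the example.

```python
import json
import re

# Constructed fragment of a playbook (Logic App) definition as the code view
# exports it, with made-up subscription and tenant GUIDs.
SAMPLE_EXPORT = {
    "$connections": {
        "value": {
            "azuresentinel": {
                "connectionId": "/subscriptions/11111111-2222-3333-4444-555555555555"
                                "/resourceGroups/soc-rg/providers/Microsoft.Web/connections/azuresentinel",
                "connectionName": "azuresentinel",
                "id": "/subscriptions/11111111-2222-3333-4444-555555555555"
                      "/providers/Microsoft.Web/locations/eastus/managedApis/azuresentinel",
            }
        }
    },
    "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
}

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
ANY_GUID = re.compile(GUID)
# A full resource ID scoped to one subscription and, optionally, one resource group.
RESOURCE_ID = re.compile(
    r"^/subscriptions/(?P<sub>" + GUID + r")"
    r"(?:/resourceGroups/(?P<rg>[^/]+))?"
    r"(?P<rest>/providers/.*)$",
    re.IGNORECASE,
)


def resource_id_to_expression(value):
    """Rewrite a literal resource ID as an ARM concat() expression; return None if it is not one."""
    match = RESOURCE_ID.match(value)
    if not match:
        return None
    parts = ["'/subscriptions/'", "subscription().subscriptionId"]
    if match.group("rg"):
        parts += ["'/resourceGroups/'", "resourceGroup().name"]
    # ARM template expressions escape a single quote inside a string literal by doubling it.
    parts.append("'" + match.group("rest").replace("'", "''") + "'")
    return "[concat(" + ", ".join(parts) + ")]"


def _walk(node, findings, path):
    """Recursively rewrite resource IDs; record any other GUID-bearing string with its JSON path."""
    if isinstance(node, dict):
        return {k: _walk(v, findings, f"{path}.{k}") for k, v in node.items()}
    if isinstance(node, list):
        return [_walk(v, findings, f"{path}[{i}]") for i, v in enumerate(node)]
    if isinstance(node, str):
        expr = resource_id_to_expression(node)
        if expr is not None:
            return expr
        if ANY_GUID.search(node):
            findings.append((path, node))  # tenant/object IDs, or IDs inside longer strings
    return node


def scrub_template(template):
    """Return (rewritten template, findings); findings are strings left for manual review."""
    findings = []
    return _walk(template, findings, "$"), findings


if __name__ == "__main__":
    scrubbed, findings = scrub_template(SAMPLE_EXPORT)
    print(json.dumps(scrubbed, indent=2))
    for path, value in findings:
        print(f"review {path}: {value}")
```

Run it over the JSON you saved from the code view before committing it. Anything it reports under "review" needs a manual decision: a tenant ID usually belongs in a template parameter, while a resource ID embedded inside a workbook's serialized data is best replaced by a workbook resource-picker parameter rather than a string edit. The region literal left in the `managedApis` path is kept on purpose, since the deployer may legitimately want to override it.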
Share All Other Microsoft Sentinel Features
Many other Sentinel features use files other than ARM templates for practical reasons. Features that use other file types, such as data connectors, watchlists (CSV) and notebooks (.ipynb), can still be shared, but each needs a deployment method that matches the type of file used to create it.
GitHub Read Me Usability Updates
The README file alongside your files in GitHub is what makes your shared feature understandable and usable by others. It should contain a detailed description of what the feature does, the data connectors or tables it depends on, and any additional deployment steps.
There is also a “Deploy to Azure” button that you can put in your README so that anyone can deploy your feature directly to Microsoft Sentinel instead of handling raw files from GitHub. To add one of these buttons, follow the instructions in the GitHub Deployment Button Docs article.
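The button is nothing more than a Markdown image link whose target is the Azure portal's template-deployment page with the template's raw URL appended in URL-encoded form. The Python below is an added example, not code from the original post or from Microsoft; it converts a github.com file link to the raw.githubusercontent.com link the portal can fetch, URL-encodes it as the portal expects, and emits the Markdown. The repository name and file path in the usage are made up.

```python
from urllib.parse import quote, urlparse

BUTTON_IMAGE = "https://aka.ms/deploytoazurebutton"
PORTAL_CREATE = "https://portal.azure.com/#create/Microsoft.Template/uri/"


def raw_github_url(url):
    """Turn a github.com 'blob' link into the raw.githubusercontent.com link the portal can download."""
    parsed = urlparse(url)
    if parsed.netloc == "raw.githubusercontent.com":
        return url
    if parsed.netloc != "github.com":
        raise ValueError("expected a github.com or raw.githubusercontent.com URL")
    parts = parsed.path.strip("/").split("/")
    # Layout is github.com/<owner>/<repo>/blob/<ref>/<path to file>
    if len(parts) < 5 or parts[2] != "blob":
        raise ValueError("expected https://github.com/<owner>/<repo>/blob/<ref>/<path>")
    owner, repo, _, ref, *path = parts
    return "https://raw.githubusercontent.com/" + "/".join([owner, repo, ref, *path])


def deploy_button_markdown(template_url):
    """Return the Markdown for a Deploy to Azure button pointing at the given template file."""
    raw = raw_github_url(template_url)
    if urlparse(raw).scheme != "https":
        raise ValueError("the template must be served over https")
    # The portal wants the whole template URL encoded, ':' -> %3A and '/' -> %2F included.
    return f"[![Deploy to Azure]({BUTTON_IMAGE})]({PORTAL_CREATE}{quote(raw, safe='')})"


if __name__ == "__main__":
    # Made-up repository and path for the example.
    print(deploy_button_markdown(
        "https://github.com/Contoso/sentinel-content/blob/main/Detections/repeated-signin-failures.json"
    ))
```

Paste the printed line into the README. One caveat worth building in: the button deploys whatever is at that URL at the moment someone clicks it, so pointing `<ref>` at a commit SHA or release tag instead of a branch means readers get the template you reviewed, not whatever was pushed to `main` later.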
We will continue to share best practices and lessons learned about shared Microsoft Sentinel features in future posts. The features available now are just the beginning; anyone sharing Microsoft Sentinel features today will be viewed as a pioneer in a few years.
In closing, consider these three questions when creating shared Microsoft Sentinel features in your organization:
- Do we have any Microsoft Sentinel features that the community would benefit from having available?
- Would allowing others to make changes to the features we post make them more effective?
- Is it worth the extra time to make usability updates to the read me file associated with our Microsoft Sentinel features?