
Automate Microsoft Sentinel Playbook Deployment using Azure DevOps

  • February 15, 2022
IT Production Manager. Nicolas is primarily focused on Microsoft technologies, he is a Microsoft MVP in Cloud and Datacenter Management.
You probably know the concept of Infrastructure as Code, which enables teams to manage and provision resources automatically through code instead of through a manual approach. If you work in a SOC (Security Operations Center) team, you can apply this concept to the SOC platform itself, and especially to Microsoft Sentinel. Microsoft Sentinel is Microsoft's cloud-native SIEM (security information and event management) and SOAR (security orchestration, automation and response) solution, all in one.

Combining Microsoft Sentinel with Infrastructure as Code is an easy way to get the most out of your SOC team: the team should focus on security, not on maintaining the SOC platform.

Getting started

In my case, I exported my playbook named « Create-JiraTickets », which is a Logic App that creates a ticket in Jira for each Microsoft Sentinel incident. The Logic App was created in a specific Azure subscription, and I want to redeploy it in all my customers' subscriptions. To export the Logic App, we can use a short PowerShell script built on the « LogicAppTemplate » module:

This open-source module first evaluates your Logic App and any API connections the Logic App uses. It then generates the template resources, with the necessary parameters, for deployment. Below is the exported JSON file.
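The export script referred to above is not reproduced on this page, so here is an added example (my own, not the article's original script) of driving the open-source LogicAppTemplate module from PowerShell. The subscription ID, tenant name and resource group are placeholders; the cmdlet and parameter names are those documented in the module's README (check `Get-Help Get-LogicAppTemplate` against the version you install).

```powershell
# Added example: export a Sentinel playbook (Logic App) to an ARM template
# with the LogicAppTemplate module. All values below are placeholders.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # source subscription (placeholder)
$TenantName     = 'contoso.onmicrosoft.com'                # placeholder tenant
$ResourceGroup  = 'rg-sentinel'                            # placeholder resource group
$PlaybookName   = 'Create-JiraTickets'

# One-time: install the module from the PowerShell Gallery.
# Authentication is handled by the module itself (interactive sign-in, or an
# ARM access token passed with -Token, as described in its README).
Install-Module -Name LogicAppTemplate -Scope CurrentUser -Force

# Generate the template. The module walks the Logic App definition and the
# API connections it references, and turns names/IDs into template parameters.
Get-LogicAppTemplate -LogicApp $PlaybookName -ResourceGroup $ResourceGroup `
    -SubscriptionId $SubscriptionId -TenantName $TenantName |
    Out-File -FilePath ".\$PlaybookName.json" -Encoding utf8

# Generate a matching parameters file, so per-customer values (connection
# names, resource group, location) are supplied at deployment time rather
# than hard-coded in the template you commit to the repo.
Get-ParameterTemplate -TemplateFile ".\$PlaybookName.json" |
    Out-File -FilePath ".\$PlaybookName.parameters.json" -Encoding utf8

# Review before committing: list the API connection resources the template
# will create. These are references only; OAuth connections (Jira, the
# Microsoft Sentinel connector) must be re-authorized after deployment.
Select-String -Path ".\$PlaybookName.json" -Pattern 'Microsoft.Web/connections' |
    Select-Object LineNumber, Line
```

Two practitioner checks before the template goes into source control: confirm that nothing secret (API keys, tokens) ended up in the JSON, and keep customer-specific values in the parameters file so one template can serve every subscription.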

[Screenshot: the exported JSON template]

Now, let's move to Azure DevOps to configure the automation. We will use an Azure DevOps release pipeline to deploy the JSON file to an Azure subscription.

First, go to the Repository tab, and import the JSON file.

[Screenshot: Repository tab]

Then, go to the Pipelines section and Releases tab. Click New to create a blank release pipeline:

[Screenshot: Pipelines section, Releases tab]

You must select the source type; in this case I selected Azure Repos, because my JSON file has been uploaded to my Azure repository.

[Screenshot: Azure Repos source selection]

Go to the Tasks tab, click « + » to add a new task, and then search for « ARM template deployment »:

[Screenshot: ARM template deployment task]

You must configure the task by selecting:

  • the Azure Resource Manager service connection and target subscription (scope the service connection to the target resource group rather than granting it subscription-wide Owner),
  • the Resource Group,
  • the location,
  • and the template path (the JSON file in the Azure repository).

[Screenshot: ARM template deployment task configuration]

Save the pipeline and then click Create release to run the pipeline for the first time.

[Screenshot: Create release]

Go to the Logs tab and open the ARM template deployment task.

[Screenshot: ARM template deployment task logs]

We can confirm that the deployment succeeded.

[Screenshot: Create-JiraTickets deployment]

Let's switch to the Azure Portal to confirm the playbook has been created. Open the Resource Group and click Deployments. Here, I can confirm a new deployment.

[Screenshot: Resource Group deployments]

The last thing to do is to map the playbook to your analytics rule in the Automated response tab. Note that for Microsoft Sentinel to run the playbook, the Sentinel service principal needs the Microsoft Sentinel Automation Contributor role on the resource group that holds the playbook, and any OAuth API connections (Jira, Microsoft Sentinel) deployed from the template must be authorized once in the target subscription.

[Screenshot: Automated response tab]

Beyond deploying your playbooks automatically, you can update them and redeploy them to all your subscriptions with one click.
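The release task configured in the steps above deploys the template to one resource group in one subscription. As an added example (my own code, not the article's pipeline), the following Az PowerShell script does the same thing as the ARM template deployment task, but loops over a list of customer subscriptions and validates the template before each deployment; it can run locally or inside an Azure PowerShell pipeline task. Subscription IDs, the resource group name and the location are placeholders, and it assumes the Az module is installed and `Connect-AzAccount` has already been run with an identity that has Contributor on each target resource group.

```powershell
# Added example: redeploy an exported playbook template to every customer
# subscription. Requires the Az module (Az.Accounts, Az.Resources) and an
# existing Connect-AzAccount session. All names/IDs below are placeholders.
$TemplateFile  = '.\Create-JiraTickets.json'             # exported with LogicAppTemplate
$ParameterFile = '.\Create-JiraTickets.parameters.json'  # per-customer parameters
$ResourceGroup = 'rg-sentinel'                           # placeholder target resource group
$Location      = 'westeurope'                            # placeholder location
$Subscriptions = @(                                      # placeholder customer subscriptions
    '11111111-1111-1111-1111-111111111111',
    '22222222-2222-2222-2222-222222222222'
)

foreach ($sub in $Subscriptions) {
    # Switch the Az context to the customer subscription.
    Set-AzContext -SubscriptionId $sub | Out-Null

    # The ARM task creates the resource group if needed; do the same here.
    if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
        New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
    }

    # Validate first: missing parameters or RBAC problems surface here,
    # before anything in the customer's subscription is touched.
    $validationErrors = Test-AzResourceGroupDeployment -ResourceGroupName $ResourceGroup `
        -TemplateFile $TemplateFile -TemplateParameterFile $ParameterFile
    if ($validationErrors) {
        Write-Warning "[$sub] validation failed: $($validationErrors.Message -join '; ')"
        continue
    }

    # Incremental mode adds or updates the playbook and its API connections
    # only; it never deletes other resources in the group (Complete mode would).
    $deployment = New-AzResourceGroupDeployment `
        -Name ("playbook-{0}" -f (Get-Date -Format 'yyyyMMddHHmm')) `
        -ResourceGroupName $ResourceGroup `
        -TemplateFile $TemplateFile `
        -TemplateParameterFile $ParameterFile `
        -Mode Incremental

    Write-Output "[$sub] $($deployment.DeploymentName): $($deployment.ProvisioningState)"
}
```

Keep the deployment in Incremental mode: a playbook template deployed in Complete mode would remove every other resource in the target resource group, which is exactly the kind of one-click mistake you do not want repeated across all customer subscriptions.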
