Sentinel Playground - Bicep Edition

Sentinel Playground is a project that aims to speed up the deployment and configuration of a Sentinel lab/demo environment, including sample content and Bicep templates. This project uses Bicep only.

Overview

The following components can be deployed/configured:

  • resource group
  • Log Analytics workspace + Sentinel solution
  • Log Analytics workspace config (retention, daily cap)
  • Sentinel config (UEBA, Anomalies)
  • Sentinel data connectors
    • Azure Activity
    • Azure Active Directory
    • Defender 365 incidents
  • demo playbook (with a user-assigned Managed Identity + required permissions)
  • Sentinel permissions to trigger playbooks
  • Sentinel Content (including Bicep templates)
    • analytics rule
    • automation rule
    • log query (in a query pack)
    • watchlist (with CSV-support)
  • all analytics rules for Azure Activity and Azure Active Directory are enabled
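As an added illustration (not code from the repository this post describes), the following Bicep template covers the first two workspace items in the list above: a Log Analytics workspace with retention and a daily cap, onboarded to Sentinel. The workspace name and parameter defaults are assumptions.

```bicep
// Added example, not from the Sentinel Playground repository.
// Deploys a Log Analytics workspace with retention + daily cap, then onboards it to Sentinel.
targetScope = 'resourceGroup'

@description('Workspace name (assumed value for a lab).')
param workspaceName string = 'law-sentinel-playground'

@description('Region; defaults to the resource group location.')
param location string = resourceGroup().location

@minValue(30)
@maxValue(730)
@description('Data retention in days (assumed lab default).')
param retentionInDays int = 90

@description('Daily ingestion cap in GB; -1 disables the cap. Keeps a lab from running up cost.')
param dailyQuotaGb int = 1

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: {
      name: 'PerGB2018'
    }
    retentionInDays: retentionInDays
    workspaceCapping: {
      dailyQuotaGb: dailyQuotaGb
    }
  }
}

// Enables Microsoft Sentinel on the workspace. The resource name must be 'default'
// and it is scoped to the workspace rather than nested under it.
resource sentinelOnboarding 'Microsoft.SecurityInsights/onboardingStates@2023-02-01' = {
  name: 'default'
  scope: workspace
  properties: {
    customerManagedKey: false
  }
}

// Outputs that later modules (data connectors, content, playbook permissions) can consume.
output workspaceId string = workspace.id
output workspaceCustomerId string = workspace.properties.customerId
```

Deploy it with `az deployment group create --resource-group <rg> --template-file main.bicep`; a daily cap is a cost guard only, since data arriving after the cap is hit is dropped for the rest of the day.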

You can find the ReadMe including Deployment Instructions in my public repository here.

I will explain some of the key elements in separate Blog Posts:

  • Deployment Scripts + user-assigned Managed Identities
  • Modules and reusability
  • API Connections + Logic Apps
  • Watchlists + CSV Files
  • UI Wizard
  • Outputs and Conditions