This repository provides a complete CI/CD solution for deploying Microsoft Sentinel environments using Azure DevOps pipelines. It combines infrastructure-as-code (Bicep) for resource provisioning with PowerShell automation for deploying Sentinel solutions, analytics rules, and workbooks.
```
├── Bicep/                       # Bicep templates for infrastructure
│   ├── main.bicep               # Main deployment template
│   └── sentinel.bicep           # Sentinel-specific resources
├── Scripts/                     # PowerShell automation scripts
│   ├── README.md                # Documentation for Set-SentinelContent.ps1
│   └── Set-SentinelContent.ps1  # Sentinel content deployment script
├── README.md                    # This file
└── azure-pipelines.yml          # Azure DevOps pipeline definition
```
- Complete Sentinel Deployment: Automate end-to-end deployment from infrastructure to content
- Infrastructure as Code: Bicep templates for consistent infrastructure provisioning
- Content Automation: PowerShell scripts for deploying Sentinel solutions, rules, and workbooks
- Resource Verification: Checks for existing resources to prevent duplicate deployments
- CI/CD Integration: Ready-to-use Azure DevOps pipeline configuration
The pipeline consists of three main stages:
- Check Existing Resources: Verifies whether the Sentinel resources already exist in the target environment
- Deploy Bicep: Provisions the infrastructure (skipped if the resources already exist)
- Enable Sentinel Content: Deploys solutions, analytics rules, and workbooks
| Variable Name | Description |
|---|---|
| resourceGroup | Azure Resource Group name |
| workspaceName | Log Analytics workspace name |
| region | Azure region (e.g., uksouth) |
| dailyQuota | Daily data ingestion quota in GB |
| sentinelSolutions | Comma-separated list of Sentinel solutions to deploy |
| arSeverities | Severity levels for analytics rules (High, Medium, Low, Informational) |
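As an added example (not the repository's own `Scripts/` code), this is how the Check Existing Resources stage can be expressed in PowerShell with the Az modules, using the `resourceGroup` and `workspaceName` values from the table: it confirms the prerequisite resource providers are registered, looks for the workspace and its Sentinel onboarding, and publishes the answer as a stage output variable for the Deploy Bicep stage to condition on. The stage and step names quoted in the final comment are assumptions.

```powershell
# Added example, not the repository's own script. Assumes the Az.Resources,
# Az.OperationalInsights and Az.SecurityInsights modules and an authenticated
# session (the pipeline's AzurePowerShell task provides that).
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $WorkspaceName
)

# Fail early if the prerequisite resource providers are not registered in the
# subscription; a later Bicep failure would be far less informative.
foreach ($ns in 'Microsoft.OperationsManagement', 'Microsoft.SecurityInsights') {
    $state = (Get-AzResourceProvider -ProviderNamespace $ns |
              Select-Object -First 1).RegistrationState
    if ($state -ne 'Registered') {
        throw "Resource provider $ns is '$state'; register it before deploying."
    }
}

# Does the Log Analytics workspace already exist? A missing workspace raises an
# error, which SilentlyContinue turns into an empty result.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup `
    -Name $WorkspaceName -ErrorAction SilentlyContinue
$workspaceExists = @($workspace).Count -gt 0

# Is Sentinel already onboarded on that workspace? Treat "no onboarding state"
# as "not enabled" so the content stage is not run against a bare workspace.
$sentinelEnabled = $false
if ($workspaceExists) {
    $onboarding = Get-AzSentinelOnboardingState -ResourceGroupName $ResourceGroup `
        -WorkspaceName $WorkspaceName -ErrorAction SilentlyContinue
    $sentinelEnabled = @($onboarding).Count -gt 0
}

Write-Host "Workspace exists: $workspaceExists; Sentinel enabled: $sentinelEnabled"

# Publish the result as a stage output variable. With a stage named "Check" and a
# step named "check" (assumed names), the Bicep stage can then use the condition
# eq(dependencies.Check.outputs['check.resourcesExist'], 'false').
$resourcesExist = ($workspaceExists -and $sentinelEnabled).ToString().ToLower()
Write-Host "##vso[task.setvariable variable=resourcesExist;isOutput=true]$resourcesExist"
```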
- Azure subscription
- Azure DevOps organization and project
- Service Principal with contributor permissions
Required Subscription Resource Providers
To deploy this solution, you must enable the following Resource Providers in your subscription:
- Microsoft.OperationsManagement
- Microsoft.SecurityInsights
1. Import Repository
   - Clone or import this repository into your Azure DevOps project
2. Configure Pipeline Variables
   - Create a pipeline with the following variables:

     ```
     resourceGroup: "YourResourceGroupName"
     workspaceName: "YourWorkspaceName"
     region: "YourAzureRegion"
     dailyQuota: "10"
     sentinelSolutions: "Azure Activity","Microsoft 365","Threat Intelligence"
     arSeverities: "High","Medium","Low"
     ```
3. Set Up Service Connection
   - Create an Azure service connection named "DevelopmentDeployments"
   - Or update the `azureSubscription` variable in the pipeline YAML
4. Run the Pipeline
   - The pipeline will automatically:
     - Check for existing resources
     - Deploy infrastructure if needed
     - Deploy Sentinel solutions and content
The `Set-SentinelContent.ps1` script handles the deployment of Microsoft Sentinel content, including solutions, analytics rules, and workbooks. For detailed information about the script's capabilities, parameters, and examples, refer to the script README in `Scripts/README.md`.
Contributions are welcome! Please follow these steps:
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
If you've found Sentinel-As-Code useful, consider buying me a coffee! Your support helps maintain this project and develop new features.
While donations are appreciated, they're entirely optional. The best way to contribute is by submitting issues, suggesting improvements, or contributing code!

Note: All donations will be reinvested into development time and improving this project.
This project is licensed under the MIT License.