How to Create a Deployable Microsoft Sentinel Playbook

One of the things about Microsoft Sentinel that makes it a great product to build community around is how easy it is to create cool things and then share them. A lot of this capability is due to the query language (KQL) and how easy it is to use and learn.

Not a KQL person yet? Dig into the Must Learn KQL series.

KQL powers Workbooks, Hunting queries, Analytics Rules, etc., etc. But one area, the Playbooks, isn’t powered by KQL. Playbooks are based on Azure Logic Apps, and the logic and connections contained in a Playbook workflow

Unlike Workbooks where you can simply copy and paste the JSON code, you can’t quickly deploy a Microsoft Sentinel Playbook due to the litany of tenant-specific information and Logic App connector dependencies contained in the code.

This has spawned an entire method for sanitizing, or templatizing, a Playbook (see the bottom of the following page for the templatizing instructions). Even with the detailed instructions, it’s a long and laborious task.

I remember talking about this on the Microsoft Security Insights podcast a few months ago when we had Sreedhar Ande on as a guest. We talked about how difficult the process is and how someone needs to simplify it. At the time, Sreedhar alluded that something was coming.

Well, that something is now available. Sreedhar, working with Itai Yankelevsky, has developed a Playbook ARM Template Generator.

The tool is a PowerShell script that walks you through the process by prompting for your Azure Tenant Id, Subscription, and Log Analytics Workspace, and then letting you choose the Playbooks you want to turn into an ARM template for deployment.

The ARM template creation wizard

Once the template has been created, you can share it safely knowing that your organization’s information is stripped from the code and that it will work correctly in the recipient environment.
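Before sharing any Playbook template, it is worth confirming that nothing environment-specific is left in it. The following is an added example, not part of the generator or the original post: a small Python check that walks an ARM template and reports literal GUIDs, literal resource IDs, and e-mail addresses. The pattern list, the function names, and the sample template are assumptions constructed for illustration.

```python
import json
import re

# Assumed indicators of environment-specific data (not taken from the generator):
# literal GUIDs (subscription/tenant IDs), literal resource IDs, e-mail addresses.
PATTERNS = {
    "guid": re.compile(r"\b[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\b", re.I),
    "resource_id": re.compile(r"/subscriptions/[^/',\[\]]+/resourceGroups/[^/',\[\]]+", re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

def walk(node, path="$"):
    """Yield (json_path, string_value) for every string leaf in the template."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def scan_template(template_text):
    """Return (json_path, kind, matched_value) findings to review before sharing."""
    findings = []
    for path, value in walk(json.loads(template_text)):
        for kind, pattern in PATTERNS.items():
            findings += [(path, kind, m.group(0)) for m in pattern.finditer(value)]
    return findings

# Constructed sample: one connection still carries a user name, and the workflow
# still points at a literal subscription and resource group.
SAMPLE_TEMPLATE = """
{"parameters": {"PlaybookName": {"type": "string", "defaultValue": "Block-User"}},
 "resources": [
  {"type": "Microsoft.Web/connections", "name": "azuresentinel-connection",
   "properties": {"displayName": "analyst@contoso.example",
     "api": {"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"}}},
  {"type": "Microsoft.Logic/workflows", "name": "[parameters('PlaybookName')]",
   "properties": {"parameters": {"$connections": {"value": {"azuresentinel": {
     "connectionId": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/soc-rg/providers/Microsoft.Web/connections/azuresentinel"}}}}}}
 ]}
"""

if __name__ == "__main__":
    for path, kind, value in scan_template(SAMPLE_TEMPLATE):
        print(f"{kind:12} {path}: {value}")
```

Template expressions such as `subscription().subscriptionId` are resolved at deployment time and are not flagged; well-known GUIDs that are the same in every tenant will be flagged and can be dismissed on review.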

If you’ve created something spectacular and would love to share it, it’s now much easier to submit it to the official Microsoft Sentinel repository and participate in the annual submission contests.

Official Microsoft Sentinel repository:

The Playbook ARM Template Generator:

