This post is part of an ongoing series to provide ideas for enhancing security operations through automation. Microsoft Sentinel has built-in SOAR capability, so the prescriptive guidance provided here can be implemented immediately and without much effort.
Microsoft Sentinel is updated constantly, and many customers would like better ways to know when things are updated and when new things are on the cusp of releasing and then when they are available. For the longest time, I have simply monitored the RSS feed for the official Microsoft Sentinel GitHub repository – which is where all updates come from after they have been vetted and approved. You can monitor this, too.
It takes some effort to sift through all the updates, but it’s worth it.
But wouldn’t it be cool to deliver just the updates to a centralized location for your entire SOC team? Here is another way to utilize this feed.
Recently, I started pushing just the original feed item link, the update date, and the updated item information to my SOC’s Microsoft Teams channel, called Microsoft Sentinel GitHub Feed. See the image just below for an example that tells me that there’s work been done on ASIM and then there’s a Cisco Playbook that has had content updated along with its deployment. Pretty useful stuff.
(click any of the images to view larger versions)
And, because this in Microsoft Teams, there’s other mechanisms and bots you can create and utilize to fine tune what your SOC gets alerted to. For example, you can alert your team only when new Analytics Rules are available. That’s just one example. You can use your imagination for what makes most sense to your operations.
This is accomplished through a simple Logic App.
See the steps in the image, but it essentially does the following:
- At 7am each morning, the Logic App kicks off.
- It then retrieves the full contents of the RSS feed.
- Lastly it splits out just the item link, update time/date, and the updated item and posts it to my Microsoft Teams SOC channel.
As shown, the trigger for my Logic App is Recurrence, i.e., every morning at 7am EST. However, the RSS Logic App connector has its own Trigger that actually sits and watches for the feed to be updated. If you choose to use this Trigger method instead, this will sit idle, checking the feed constantly, and retrieve Microsoft Sentinel updates as they are posted. I wouldn’t recommend this method as it could incur additional Logic App costs, but it’s nice to know this capability is possible.
This is early days for this solution as I’m still testing and tuning it. If you take this idea and do something extra cool with it, let me know (@rodtrent).
Once I get this to a more complete state, I’ll supply the full deployment in my Sentinel Playbooks GitHub repo.
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Microsoft Sentinel Newsletter]
[Subscribe to the Weekly Microsoft Defender Newsletter]
[Learn KQL with the Must Learn KQL series and book]