Deploying ARM templates to deploy content to Sentinel using Azure DevOps

Liam Jones 126 Reputation points
2022-11-03T05:17:41.84+00:00

Is it possible to deploy multiple analytics / hunting queries / any other Sentinel content by grabbing the ARM template of a content pack from the content hub and then uploading the code to my Azure DevOps repo?

Currently, I do this by installing the content pack on a development Sentinel environment and then pushing to other instances by exporting the files through a GUI and then adding this code to my Azure DevOps instance. Azure DevOps then pushes out the content automatically to Sentinel instances through connected repositories.

I would like to cut out the middle step if possible. I have noticed there is an option to download the ARM template in the content hub, but the format is slightly off for the content deployment in repos. Is there a script out there which pulls out the relevant content types into their own files?


1 answer

  1. Alistair Ross 7,101 Reputation points Microsoft Employee
    2022-11-23T18:52:16.44+00:00

    Hi @Liam Jones

    Two things to consider here.

    1. We have a feature in preview for the deployment of Sentinel content, which deploys a pipeline for Azure DevOps or GitHub. You do not need to use this feature if you are comfortable with building your own pipelines, but it does simplify things if you are not. https://learn.microsoft.com/en-us/azure/sentinel/ci-cd-custom-content
    2. All the content in the content hub is already in GitHub, ready for you to consume. Just check out the Solutions directory https://github.com/Azure/Azure-Sentinel/tree/master/Solutions. In the solutions there should be a directory for each content type. Admittedly these are in YAML, so you would need to convert to ARM JSON if you are deploying ARM templates, but you can cut out the need to go through the deployment wizard and get the code directly from source.

    I hope this helps provide you with the information you need. If it does, please make sure to mark the question as answered so it helps other people in future.

    Kind regards

    Alistair

    2 people found this answer helpful.
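The question asks for a script that turns content into per-item files the repositories feature can deploy, and the answer points at the YAML rule files in the Azure-Sentinel GitHub repo, which need converting to ARM JSON first. The following Python script is an added example written for this page; it is not code from the thread, from the Azure-Sentinel repo, or from Microsoft. It takes one analytic rule in the repo's YAML field layout (`id`, `name`, `severity`, `queryFrequency` in `1h`-style shorthand, `triggerOperator` as `gt`/`lt`/`eq`/`ne`, `relevantTechniques`, and so on) and emits a stand-alone ARM template with a single `Microsoft.OperationalInsights/workspaces/providers/alertRules` resource and a `workspace` parameter, the shape the Sentinel portal's own export produces and the repositories pipeline consumes. The sample rule, its GUID and its KQL are constructed for the demo; the `apiVersion` and the handling of `NRT` rules (which carry no schedule) are assumptions you should check against the current API reference before relying on them.

```python
"""Convert a Sentinel analytic-rule YAML file (Azure-Sentinel repo layout) into a
stand-alone ARM template for the Sentinel repositories feature.
Added example for this thread, not Microsoft's code. PyYAML is only needed to
read real .yaml files; the conversion itself works on a plain dict."""

import json
import re
import sys
import uuid
from pathlib import Path

try:
    import yaml  # PyYAML (pip install pyyaml); optional, see load_rule()
except ImportError:
    yaml = None

# YAML duration shorthand ("5m", "1h", "14d") -> ISO 8601 durations the API expects.
_UNIT_TO_ISO = {"m": "PT{}M", "h": "PT{}H", "d": "P{}D"}
# YAML trigger operator shorthand -> ARM enum value.
_OPERATORS = {"gt": "GreaterThan", "lt": "LessThan", "eq": "Equal", "ne": "NotEqual"}

# Constructed sample rule in the repo's YAML field layout (GUID and KQL are made up).
SAMPLE_RULE = {
    "id": "8c5a7b2e-1f3d-4e6a-9b0c-2d4f6a8b1c3e",
    "name": "Example: many failed sign-ins from one IP",
    "description": "Demo rule used only to show the conversion.",
    "severity": "Medium",
    "kind": "Scheduled",
    "queryFrequency": "1h",
    "queryPeriod": "1h",
    "triggerOperator": "gt",
    "triggerThreshold": 0,
    "tactics": ["CredentialAccess"],
    "relevantTechniques": ["T1110"],
    "query": "SigninLogs | where ResultType != 0 | summarize Failures=count() by IPAddress | where Failures > 20",
    "entityMappings": [{"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "IPAddress"}]}],
    "version": "1.0.0",
}


def to_iso_duration(value):
    """'5m' -> 'PT5M', '1h' -> 'PT1H', '14d' -> 'P14D'; ISO strings pass through unchanged."""
    value = str(value).strip()
    if value.upper().startswith("P"):
        return value.upper()
    match = re.fullmatch(r"(\d+)([mhd])", value.lower())
    if not match:
        raise ValueError(f"unrecognised duration: {value!r}")
    number, unit = match.groups()
    return _UNIT_TO_ISO[unit].format(int(number))


def rule_to_arm(rule):
    """Build an ARM template containing one alertRules resource from a parsed rule dict."""
    rule_id = str(uuid.UUID(str(rule["id"])))  # validates the GUID in the YAML
    kind = rule.get("kind", "Scheduled")
    props = {
        "displayName": rule["name"],
        "description": rule.get("description", ""),
        "severity": rule["severity"],
        "enabled": True,
        "query": rule["query"],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": False,
        "tactics": rule.get("tactics", []),
        "techniques": rule.get("relevantTechniques", []),
        "entityMappings": rule.get("entityMappings", []),
        "alertRuleTemplateName": rule_id,
        "templateVersion": str(rule.get("version", "1.0.0")),
    }
    if kind == "Scheduled":  # NRT rules run continuously and carry no schedule/threshold
        props.update({
            "queryFrequency": to_iso_duration(rule["queryFrequency"]),
            "queryPeriod": to_iso_duration(rule["queryPeriod"]),
            "triggerOperator": _OPERATORS[str(rule["triggerOperator"]).lower()],
            "triggerThreshold": int(rule["triggerThreshold"]),
        })
    provider = "Microsoft.OperationalInsights/workspaces/providers"
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {"workspace": {"type": "String"}},
        "resources": [{
            "id": f"[concat(resourceId('{provider}', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/{rule_id}')]",
            "name": f"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/{rule_id}')]",
            "type": f"{provider}/alertRules",
            "kind": kind,
            "apiVersion": "2022-11-01-preview",  # assumption: pin to the version your tenant supports
            "properties": props,
        }],
    }


def load_rule(path):
    """Read one rule .yaml from the Azure-Sentinel checkout (needs PyYAML)."""
    if yaml is None:
        raise RuntimeError("PyYAML is required to read .yaml files: pip install pyyaml")
    return yaml.safe_load(Path(path).read_text(encoding="utf-8"))


def convert_file(yaml_path, out_dir):
    """Write <rule-id>.json into out_dir, one ARM file per rule as the repositories feature expects."""
    template = rule_to_arm(load_rule(yaml_path))
    out = Path(out_dir) / f"{template['properties'] if False else template['resources'][0]['kind']}-{uuid.UUID(str(load_rule(yaml_path)['id']))}.json"
    out.parent.mkdir(parents=True, exist_ok=True)
    out.write_text(json.dumps(template, indent=2), encoding="utf-8")
    return out


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python convert_rule.py <rule.yaml> <out_dir>
        print(convert_file(sys.argv[1], sys.argv[2]))
    else:  # no arguments: show the conversion of the constructed sample
        print(json.dumps(rule_to_arm(SAMPLE_RULE), indent=2))
```

Run it with a path to one of the `Analytic Rules/*.yaml` files from a solution directory and a target folder inside your DevOps repo; the repositories feature then picks up the resulting JSON on the next push. Hunting queries use a different resource type (`savedSearches`) and field set, so they need their own converter rather than this one.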