ff28078e40
|
||
|---|---|---|
| .. | ||
| Box | ||
| Check Point | ||
| Cisco ISE | ||
| CiscoACI | ||
| CiscoASA/Playbooks | ||
| CiscoDuoSecurity | ||
| CiscoSEG | ||
| CiscoUmbrella | ||
| CiscoWSA | ||
| Cloudflare | ||
| Contrast Security | ||
| Corelight | ||
| CrowdStrike Falcon Endpoint Protection | ||
| DigitalGuardianDLP | ||
| Dynamics 365 | ||
| ESETPROTECT | ||
| FalconFriday/Analytic Rules | ||
| FireEyeNX | ||
| FlareSystemsFirework | ||
| Forescout | ||
| Fortinet-FortiGate | ||
| GoogleCloudPlatformDNS | ||
| GoogleCloudPlatformIAM | ||
| GoogleCloudPlatformMonitor | ||
| Group-IB/Playbooks | ||
| HYAS | ||
| IPQualityScore/Playbooks | ||
| Illusive Active Defense | ||
| Images | ||
| ImpervaCloudWAF | ||
| Infoblox Cloud Data Connector | ||
| InsiderRiskManagement | ||
| IronNet IronDefense | ||
| JuniperIDP | ||
| Lookout | ||
| MITREATT&CK | ||
| McAfee Network Security Platform | ||
| McAfeeePO | ||
| NucleusCyber | ||
| OracleDatabaseAudit | ||
| PaloAlto-PAN-OS | ||
| PaloAltoPrismaCloud | ||
| PingFederate | ||
| ProofPointTap | ||
| Rapid7InsightVM | ||
| ReversingLabs | ||
| RiskIQ | ||
| SAP | ||
| SecurID | ||
| SemperisDirectoryServicesProtector | ||
| SenservaPro | ||
| SlackAudit | ||
| SophosEP | ||
| Symantec Endpoint Protection | ||
| Templates | ||
| TenableIO | ||
| Training/Azure-Sentinel-Training-Lab | ||
| Trend Micro Apex One | ||
| Ubiquiti | ||
| Vectra | ||
| ZeroTrust(TIC3.0) | ||
| vArmour | ||
| README.md | ||
| known_issues.md | ||
README.md
Guide to Building Azure Sentinel Solutions
This guide provides an overview of Azure Sentinel Solutions and how one can build and publish a solution for Azure Sentinel.
Azure Sentinel Solutions provide an in-product experience for central discoverability, single-step deployment, and enablement of end-to-end product and/or domain and/or vertical scenarios in Azure Sentinel. This experience is powered by Azure Marketplace for Solutions’ discoverability, deployment and enablement and Microsoft Partner Center for Solutions’ authoring and publishing. Providers or partners can deliver combined product or domain or vertical value via solutions in Azure Sentinel and be able to productize investments. More details are covered in Azure Sentinel documentation and review the catalog for complete list of Azure Sentinel solutions.
Azure Sentinel Solutions include packaged content or integrations or service offerings for Azure Sentinel. This guide focuses on building packages content type solutions that includes combination of one or many data connectors, workbooks, analytic rules, playbooks, hunting queries, parsers, watchlists, and more for Azure Sentinel. Reach out to Azure Sentinel Solutions Onboarding Team if you plan to build an integration type or service offering type or want to build any other type of Solution not covered above.
Step 1 – Create Content for Azure Sentinel
Start with the Get started documentation on the Azure Sentinel GitHub Wiki to identify the content types you plan to include in your Solution package. This includes data connectors, workbooks, analytic rules, playbooks, hunting queries, and more. Each of the content type has its own contribution guidance which you can follow to develop and validate the content.
Hold off on submitting the content to the respective folders as pointed to in the contribution guidance for each contribution. Instead, have your content in the Solutions folder of the GitHub repo.
- Create a folder with your Solution name under Solutions folder.
- Within that create a folder structure within your Solutions folder as follows to submit your content developed above. See example.
- Data Connectors – the data connector json files or Azure Functions, etc. goes in this folder.
- Workbooks – workbook json files and black and white preview images of the workbook goes here.
- Analytic Rules – yaml file templates of analytic rules goes in this folder.
- Hunting queries – yaml file templates of hunting queries goes in this folder.
- Playbooks – json playbook and Azure Logic Apps custom connectors can go in this folder.
- Parser – txt file for Ksuto Functions or Parsers can go in this folder.
- Logo – SVG format logo can go to the central Logos folder.
- Sample data – Check this into the sample data folder within the respective folder depending on data connector type.
- Submit a PR with all of your Solution content.
- The PR will go through automated GitHub validation and address potential errors as needed.
- Upon successful content validation, the Azure Sentinel team will review your PR and get back with feedback (as needed). Expect an initial response within 5 business days.
- The PR gets approved and merged upon successful review/feedback incorporation process.
Step 2 – Package Content
The Solutions content package is called a Solution template and has two files listed as follows. Refer to the Solution template documentation (deployment package) for details on these ARM (Azure Resource Manager) files.
- mainTemplate.json - ARM template of the resources the Solution offer includes.
- createUIDefinition.json – Deployment experience definition that the customer installing a Solution goes through - this is a step-by-step wizard experience. All the content you plan to package needs to be converted to ARM format and the mainTemplate file is the overall ARM template file combining these individual ARM content files. After you create the two json files for your Solution, validate these. Finally, package these two json files in a .zip file that you can upload as part of the publish process (Step 3).
Use the package creation tool to help you create and validate the package - follow the solutions packaging tool guidance to use the tool and package your content.
- If you already have an Azure Sentinel solution and want to update the package, use the tool with updated content to create a new version of the package using the tool.
- Versioning format of package - Always use {Major}.{Minor}.{Revision} schematic versioning format (for e.g. 1.0.1) for solutions that aligns with Azure Marketplace recommendation and versioning support.
- Version for updates - If you update you package, please always remmeber to increment the version value, irrespective of how trivial the change is (could be just fixing a typo in a content or solution definition file).
For e.g. If original package version is 1.0.1 and you make a:
- Major update, new version can be 2.0.0
- Minor update like changes applying to a few content in the package, new version can be 1.1.0
- Very minor revisions scoped to one content, new version can be 1.0.2
- Since solutions use ARM template, you can customize the solution text as well as tabs if needed for catering to specific scenarios.
Step 3 – Publish Solution
Azure Sentinel Solutions publish experience is powered by Microsoft Partner Center.
Registration (one-time)
If you/your company are a first-time app publisher on Azure Marketplace, follow the steps to register and create a Commercial Marketplace account in Partner Center. This process will give you a unique Publisher ID and access to the Commercial Marketplace authoring and publishing experience on Partner Center to create, certify and publish a Solution offer.
Author and Publish Solutions Offer
For the following steps we’ll rely on Partner Center’s detailed documentation.
- Create an Azure application type offer and configure the offer setup details per guidance.
- Configure the Offer properties.
- Configure the Offer listing details – this includes the title, description, pictures, videos, support information, etc. aspects. Enter one of the search keywords value as f1de974b-f438-4719-b423-8bf704ba2aef – to display your Solution in the Azure Sentinel Solutions gallery.
- Add a preview audience (including test subscriptions for your validation) as needed.
- Create a plan and select plan type as Solution Template.
- Configure the Solutions template plan. This is where you’ll upload the Solutions zip created in Step 2 and set a version for the package. Folow versioning guidance mentioned in Step 2.
- Review and publish the offer once done. This will initiate the certification process.
- The Azure Sentinel team will need to make a change so that your Solution shows up in the Azure Sentinel Solutions gallery, hence before going live, email Azure Sentinel Solutions Onboarding Team with your Solutions offer ID and Publisher ID so that we can make the necessary changes.
- Once certified and you’ve validated the offer in Preview mode, publish the offer live.
Note: Making the offer public is very important for it to show up in the Azure Sentinel Solutions gallery.
Feedback
Email Azure Sentinel Solutions Onboarding Team with any feedback on this process or for new scenarios not covered in this guide or with any constraints you may encounter.