Who are we, and what inspired us?
We are transitioning U.S. Military service members currently enrolled in the Microsoft Software and Systems Academy (MSSA). MSSA is a program that Microsoft has developed to help service members transition out of the military.
One of our MSSA technical mentors, Andrew Blumhardt, shared this opportunity with our cohort. As inspired learners, our team came together to contribute to a solution that could improve Azure Sentinel.
We are passionate about helping people through the means of technology, and Microsoft has given us that opportunity.
What does our project do?
Our project enables optimized deployment and modification of Azure Sentinel Analytics Rules.
We have developed a GitHub repository of Azure Resource Manager (ARM) templates containing numerous Azure Sentinel built-in Analytics Rules. The ARM templates can be imported into Azure Sentinel for bulk deployment of the Analytics Rules. This solution provides a way for Azure Sentinel users to rapidly onboard Azure Sentinel built-in Analytics Rules.
In addition to optimized deployment, we have developed a Python 3 script that enables optimized modification of Azure Sentinel Analytics Rules. The Python 3 script is capable of simultaneously modifying multiple properties of any number of Azure Sentinel Analytics Rules contained within any number of ARM templates. This solution provides a way for Azure Sentinel users to rapidly update multiple Azure Sentinel Analytics Rules.
How did we build it?
In order to achieve our objective of optimizing the deployment of Azure Sentinel Analytics Rules, we used the Azure Sentinel user-interface to export ARM templates for sets of built-in Scheduled Analytics Rules. Each set contained no more than 50 Analytics Rules due to the established constraints for Azure Sentinel. The exported ARM templates were then saved into the GitHub repository, which is now available for optimized deployment of Azure Sentinel Analytics Rules.
The Python 3 script began as a short script (approximately eight lines) capable of modifying a single ARM template, using hard-coded values. From there, the script grew with an increasing curiosity of how to enable greater compatibility, scalability, and convenience. Visual Studio Code was used for editing and testing the script, Microsoft Learn was referenced for setting up the coding environment, and SoloLearn and multiple other online sources were referenced for troubleshooting.
What challenges did we run into?
Learning how to use the Azure Sentinel, GitHub, and Visual Studio Code interfaces was somewhat of a challenge, but the biggest challenge we faced was exporting and consolidating the Azure Sentinel Analytics Rules. Many rules will not validate without additional resources, so we had to filter out those rules from our consolidation on GitHub. Troubleshooting the Python 3 script during development was also full of enjoyable challenges.
What accomplishments are we proud of?
We are proud of the knowledge and understanding we have gained while working on this project, we are proud of the impact that we might have on different people and organizations through this project, and most importantly, we are proud to have come together as a group of individuals from different IT backgrounds to develop solutions.
What did we learn?
Through the development of our solutions, we have learned several new capabilities of GitHub, Azure Sentinel, Azure Portal, Python 3, and Visual Studio Code. The user-interface for Azure Sentinel - Analytics Rules in Azure Portal is definitely much more familiar now than it was at the start of this project. In addition to Azure Sentinel, the user-interfaces for Visual Studio Code and GitHub are now much more familiar. We did not have much, if any, experience with many of the tools and applications we used to develop our solutions, so the process was definitely an enjoyable learning experience.
What is next for MSSA - PSCA1?
We plan on taking what we have learned and combining it with our passion for technology to make an impact in our future endeavors.