💪Using Infrastructure-As-Code to deploy Azure Sentinel + Watchlists to lower IP false positives | by Dave R – Microsoft Azure MVP☁️ | CodeX | Oct, 2021

This article shows how to deploy Azure Sentinel and a Watchlist using Infrastructure-as-Code, so that you can investigate threats and respond to incidents.

Azure Sentinel is a cloud-native security information and event management (SIEM) platform that uses built-in AI to help analyze large volumes of data across an enterprise and collects data from multiple sources. It supports open standard formats such as CEF and Syslog.

Azure Sentinel is a PaaS solution deployed in Azure; you can collect data from multiple sources, including on-premises data sources or other cloud providers.

To deploy this solution, you need to have a Log Analytics Workspace. Then, you enable Azure Sentinel on that Workspace.

Once Azure Sentinel is enabled, you can start connecting multiple data sources using some connectors provided by Azure or perform a manual integration.

Now let's look at Watchlists.

Think of a Watchlist as a component that will help you collect data from external data sources for correlation with the events in your Azure Sentinel environment.

Through Watchlists, you can build your own data set from external sources, import it into Azure Sentinel, and then use it for correlation in analytics or hunting rules.

Watchlists can contain a list of details that are then transformed into a log format used in Azure Sentinel.

In this example, we will:

  1. Deploy a new Log Analytics Workspace and Azure Sentinel using Bicep.
  2. Deploy an Azure Sentinel Watchlist that contains a list of the Azure Public IPs.

Pre-requisites

  • An Azure Subscription and a Resource Group
  • A user that has the owner/contributor permissions on the Resource Group
  • Bicep installed in your local machine
  • Azure PowerShell
  • Visual Studio Code

Now let’s deploy a new Log Analytics Workspace and Azure Sentinel using Bicep.

We will use the Bicep file below to deploy a new Log Analytics Workspace and enable Azure Sentinel:

We will use the code below to deploy the above Bicep file:

# Build a unique deployment name from today's date
$date = Get-Date -Format "MM-dd-yyyy"
$deploymentName = "AzInsiderDeployment" + $date
# Deploy the Bicep file into the resource group named "sentinel"
New-AzResourceGroupDeployment -Name $deploymentName -ResourceGroupName sentinel -TemplateFile .\sentinel.bicep

Once the deployment is complete, you should see the Log Analytics Workspace and Sentinel in your resource group, as shown below:

Azure Log Analytics Workspace and Sentinel

The next step is to deploy an Azure Sentinel Watchlist that contains a list of the Azure Public IPs.

We will perform the deployment of the Azure Sentinel Watchlist using the following ARM template.

The above ARM template contains a Watchlist that lists the Azure Public IPs. You can find the Azure IP Ranges and Service Tags at the following URL:

Now we will deploy the ARM template using the command below and target the same resource group where Azure Sentinel is located:

# Deploy the Watchlist ARM template into the same resource group as Azure Sentinel
New-AzResourceGroupDeployment -Name $deploymentName -ResourceGroupName sentinel -TemplateFile .\listIP.json

At deployment time, you will need to pass in the name of the workspace. The image below shows the deployment output:

Deployment output

Now you can navigate to the Azure Portal, and in the Azure Sentinel solution, you will see the Watchlists. Select the Watchlists option, and you will see the new Watchlist recently deployed. Now you can view it in Log Analytics.

Azure Sentinel Watchlist

If you select the View in Log Analytics option, the Watchlist contents are queried and the results are shown in the workspace, as below:

Azure Public IP List

You can now use this Watchlist to lower false positives for detections that pick up Azure IP addresses, or as enrichment data when investigating activity within your environment.
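As an added example (not the author's ARM template or Bicep), the Python below shows the two halves of that workflow: flattening a Service Tags JSON excerpt into the CSV that a Watchlist's rawContent would carry, and the membership test an analytics rule performs with _GetWatchlist() and ipv4_lookup() to suppress alerts on Azure-owned addresses. The column names, the sample prefixes and the watchlist layout are this example's own assumptions.

```python
import csv
import io
import ipaddress
import json

# Constructed sample in the shape of Microsoft's ServiceTags_Public JSON; the
# real download holds thousands of prefixes, these four are sample values.
SERVICE_TAGS_JSON = json.dumps({"values": [
    {"name": "AzureCloud.eastus", "properties": {"region": "eastus",
     "addressPrefixes": ["13.68.128.0/17", "20.42.0.0/17"]}},
    {"name": "AzureCloud.westeurope", "properties": {"region": "westeurope",
     "addressPrefixes": ["13.69.0.0/17", "2603:1020:200::/47"]}},
]})


def service_tags_to_watchlist_csv(raw_json: str) -> str:
    """Flatten service-tag JSON into CSV for a Watchlist's rawContent.
    Column names are this example's choice; 'IPRange' is meant to be the
    Watchlist itemsSearchKey so analytics rules can join on it."""
    data = json.loads(raw_json)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["IPRange", "ServiceTag", "Region"])
    for tag in data["values"]:
        props = tag["properties"]
        for prefix in props["addressPrefixes"]:
            # Reject malformed prefixes here rather than at query time.
            ipaddress.ip_network(prefix, strict=False)
            writer.writerow([prefix, tag["name"], props.get("region", "")])
    return buf.getvalue()


def lookup_azure_range(ip: str, watchlist_csv: str):
    """Return the (IPRange, ServiceTag, Region) row covering ip, else None.
    Same membership test an analytics rule does with _GetWatchlist() and
    ipv4_lookup() to suppress alerts raised on Azure-owned addresses."""
    addr = ipaddress.ip_address(ip)
    for row in csv.DictReader(io.StringIO(watchlist_csv)):
        net = ipaddress.ip_network(row["IPRange"], strict=False)
        if addr.version == net.version and addr in net:
            return row["IPRange"], row["ServiceTag"], row["Region"]
    return None


if __name__ == "__main__":
    wl = service_tags_to_watchlist_csv(SERVICE_TAGS_JSON)
    for candidate in ("13.68.200.10", "2603:1020:201::1", "198.51.100.7"):
        print(candidate, "->", lookup_azure_range(candidate, wl) or "not Azure")
```

A hit means the source address belongs to an Azure range and the detection can be suppressed or tagged as Azure-originated; a miss leaves the alert untouched.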


-Dave R.