Automation capabilities of Azure Sentinel: automation and DevOps in security processes

Imagine security monitoring 24/7, 365 days a year, with an automated incident response solution that reacts on its own to learned patterns and user behaviour, and real experts on top of it. All of that deployed in 40 minutes.

Yes, you read correctly. 40 minutes. Not a month, not even a week. Just a handful of minutes to get the monitoring up and running.

Today it takes weeks or months to set up a security operations center in a mid-size or large organization. We found a way to set up such a center, a Managed Security Operations Center (SOC), in about 40 minutes. For those of you who are not familiar with the term, a Managed SOC means you get 24/7/365 security monitoring plus access to a team of trained security analysts and engineers. If you’d like to learn more about the Managed SOC itself, see our Managed SOC website.

What is DevOps?

Before we go into the process, let’s cover one important term: DevOps. You’ve probably heard of it before. For those of you who haven’t, DevOps is a set of practices that joins software development and IT operations, automating build, testing and deployment so that a change reaches production quickly and reliably, and can be rolled back just as quickly.

At Predica we use well-established DevOps practices to ensure fast response times for ourselves and our clients. In cybersecurity this is crucial not only at the implementation stage but throughout the entire lifecycle of the service.

How does it work? Let me show you.

Azure Sentinel: security rules and automated response

This is Azure Sentinel, the beating heart of our Security Operations Center, where we deploy our security rules, customized for a particular client. The rules are developed in Azure DevOps following our Scrum-based process.

Azure Sentinel – security rules

This is the backlog in Azure DevOps, where we add new types of security rules.

An example of such a rule is a query that detects unauthorized bulk file encryption, which is often the first indicator of ransomware: one account renaming many files to a single new extension within a few minutes.

Each rule is written down as a User Story with a set of tasks that must be completed before it is production-ready.

Azure DevOps – backlog

When an event in the customer’s environment matches a security rule, Sentinel raises an incident and we receive an alert.
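To make the ransomware rule concrete, here is the detection logic as an added example written for this article, not Predica’s production rule. In Sentinel the same logic would live in a scheduled KQL analytics rule; this is plain Python over a few constructed file-activity events so it can be run offline. The thresholds, window and the three accounts (alice, bob, svc-convert) are assumptions chosen for the illustration.

```python
"""Threshold-based detection of bulk file encryption (a ransomware indicator).

Added example: a Python rendering of the logic a Sentinel scheduled rule
would express in KQL. Sample events are constructed, not real telemetry.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from os.path import splitext


@dataclass(frozen=True)
class FileEvent:
    time: datetime
    account: str
    host: str
    old_name: str
    new_name: str  # equal to old_name when the file was only modified


def ext(name):
    return splitext(name)[1].lower()


def detect_bulk_encryption(events, threshold=50, window=timedelta(minutes=5), min_share=0.8):
    """Flag accounts that renamed >= `threshold` files to a different extension
    inside any `window`, where one new extension accounts for >= `min_share` of
    those renames. Ransomware appends a single marker extension to everything
    it touches; batch converters and migrations usually produce a mix.

    Returns {account: {"host", "count", "extension", "first_seen"}}.
    """
    by_account = defaultdict(list)
    for ev in events:
        if ev.old_name != ev.new_name and ext(ev.old_name) != ext(ev.new_name):
            by_account[ev.account].append(ev)

    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.time)
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits inside `window`
            while evs[end].time - evs[start].time > window:
                start += 1
            in_window = evs[start:end + 1]
            if len(in_window) < threshold:
                continue
            dominant, n = Counter(ext(e.new_name) for e in in_window).most_common(1)[0]
            if n / len(in_window) >= min_share:
                hits[account] = {"host": in_window[0].host, "count": len(in_window),
                                 "extension": dominant, "first_seen": in_window[0].time}
                break  # one alert per account is enough
    return hits


def sample_events():
    """Constructed sample data (assumption), not real telemetry."""
    t0 = datetime(2021, 3, 1, 9, 0, 0)
    events = []
    # alice: 60 spreadsheets renamed to .locked within two minutes -> ransomware pattern
    for i in range(60):
        events.append(FileEvent(t0 + timedelta(seconds=2 * i), "alice", "WS-017",
                                f"share/finance/report{i}.xlsx", f"share/finance/report{i}.xlsx.locked"))
    # bob: 60 renames too, but spread over three hours -> ordinary work
    for i in range(60):
        events.append(FileEvent(t0 + timedelta(minutes=3 * i), "bob", "WS-022",
                                f"drafts/doc{i}.txt", f"drafts/doc{i}.md"))
    # svc-convert: 60 fast renames, but to four different target formats -> batch converter
    targets = [".pdf", ".png", ".csv", ".html"]
    for i in range(60):
        events.append(FileEvent(t0 + timedelta(seconds=i), "svc-convert", "APP-03",
                                f"export/item{i}.docx", f"export/item{i}{targets[i % 4]}"))
    return events


if __name__ == "__main__":
    for account, hit in detect_bulk_encryption(sample_events()).items():
        print(f"ALERT {account}@{hit['host']}: {hit['count']} files renamed to "
              f"{hit['extension']} starting {hit['first_seen']:%H:%M:%S}")
```

Only alice is flagged: bob never has more than two renames inside any five-minute window, and svc-convert is fast but spreads its renames over several extensions, which the `min_share` check treats as a converter rather than an encryptor. The KQL equivalent would `summarize` rename counts and the dominant extension per account over a `bin()` of the same width.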

A great advantage of Azure Sentinel as a Microsoft solution is that when a new vulnerability or attack technique becomes public, Microsoft typically publishes analytics rule templates and hunting queries that detect attempts to exploit it, and we get access to them straight away.

After our own fine-tuning and upgrades, we can deploy such a rule to all our clients simultaneously, together with its automatic incident response playbooks.

Azure Sentinel - incident alerts

These are playbooks: pre-defined response scenarios that Sentinel runs by itself when an incident meets certain criteria.

An example of such a scenario is automatically disabling a user account that one of the security rules has flagged as compromised, before further malicious activity can take place. Because an automatic lock-out is itself a powerful action, such a playbook should only be wired to high-confidence rules and should exclude break-glass and critical service accounts, so that a false positive or a deliberately triggered rule cannot lock administrators out.

Azure Sentinel - pre-defined incident scenarios
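The decision logic of such a playbook, as an added example that is not Predica’s playbook: in Sentinel this would be a Logic App triggered by the incident, here it is plain Python so it can be run offline against a constructed incident. The rule names, the contoso.com accounts and the protected-account list are assumptions. The Microsoft Graph requests it plans (PATCH /users/{id} with accountEnabled set to false, then POST /users/{id}/revokeSignInSessions) are real endpoints, but the function only returns the plan; nothing is sent.

```python
"""Decision logic for an 'account compromised' containment playbook.

Added example. Returns the Graph requests a playbook would run instead of
sending them, so it can be tested offline. Rule names and accounts are
assumptions.
"""
from dataclasses import dataclass

GRAPH = "https://graph.microsoft.com/v1.0"

# Rules trusted enough to disable an account with no human in the loop (assumed names).
AUTO_DISABLE_RULES = {
    "Compromised account: credential leaked in public repository",
    "Compromised account: malicious sign-in followed by mailbox rule creation",
}
# Never auto-disable these: a misfiring rule would otherwise lock admins out.
PROTECTED_ACCOUNTS = {"breakglass1@contoso.com", "breakglass2@contoso.com"}


@dataclass
class Incident:
    incident_id: str
    rule_name: str
    severity: str
    accounts: list  # UPNs taken from the incident's Account entities


def containment_requests(upn):
    """Disable the account first, then revoke refresh tokens: disabling alone
    leaves already-issued tokens valid until they expire."""
    return [
        {"method": "PATCH", "url": f"{GRAPH}/users/{upn}", "body": {"accountEnabled": False}},
        {"method": "POST", "url": f"{GRAPH}/users/{upn}/revokeSignInSessions", "body": None},
    ]


def plan_response(incident, auto_rules=AUTO_DISABLE_RULES, protected=PROTECTED_ACCOUNTS):
    """Split the incident's accounts into those to disable automatically and
    those to hand to an analyst. Returns {"disable": {upn: [requests]},
    "escalate": [upn], "reason": str}."""
    plan = {"disable": {}, "escalate": [], "reason": ""}
    if incident.severity not in {"High", "Medium"} or incident.rule_name not in auto_rules:
        plan["escalate"] = list(incident.accounts)
        plan["reason"] = "rule not approved for automatic containment"
        return plan
    protected_lower = {p.lower() for p in protected}
    for upn in incident.accounts:
        if upn.lower() in protected_lower:
            plan["escalate"].append(upn)
        else:
            plan["disable"][upn] = containment_requests(upn)
    plan["reason"] = ("rule approved for automatic containment" if plan["disable"]
                      else "only protected accounts involved")
    return plan


def sample_incident():
    """Constructed incident (assumption), not real Sentinel output."""
    return Incident(
        incident_id="inc-0001",
        rule_name="Compromised account: credential leaked in public repository",
        severity="High",
        accounts=["mallory@contoso.com", "BreakGlass1@contoso.com"],
    )


if __name__ == "__main__":
    plan = plan_response(sample_incident())
    for upn, requests in plan["disable"].items():
        for r in requests:
            print(f"{r['method']} {r['url']} {r['body']}")
    print("escalate to analyst:", plan["escalate"], "-", plan["reason"])
```

For the constructed incident the playbook disables mallory@contoso.com and revokes her sessions, but hands BreakGlass1@contoso.com to an analyst even though the same rule named it. An incident from a rule outside the approved set, or below Medium severity, is escalated in full and touches no account.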

Security as code approach

This is our code repository. We treat the Security Operations Center as code, which enables fast deployment into a new environment and rapid recovery if something is deleted.

We can recover all Azure Sentinel assets in around 10 minutes.

Additionally, using Git – the version control system – we can manage changes at the code level, so if something doesn’t work as it should, we can roll it back immediately.

Security Operations Center code repository

Quality Assurance

We prevent accidental mistakes through Quality Assurance at each stage.

Every new feature or change to a security rule must pass a set of automated code analyzers in the pipeline; if a check fails, the change is blocked from being merged.

In addition, at least two other people must approve the change, so every change is validated from several different angles.

The most important security rules are deployed automatically to all customers. However, since not every security rule fits every environment, we configure and customize them according to the customer’s needs.
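One of the automated checks such a pipeline runs over rule definitions, as an added example written for this article rather than Predica’s own analyzer: a linter for scheduled-rule definitions stored as JSON alongside the repository. The field names follow the properties of a Sentinel scheduled analytics rule (displayName, query, severity, queryFrequency, queryPeriod, triggerOperator, triggerThreshold, tactics); the two sample rules, including the KQL query text, are constructed for the illustration. The constraints it enforces (frequency at least five minutes, lookback at most 14 days, frequency not greater than lookback) are Sentinel’s limits for scheduled rules.

```python
"""Pipeline lint for Sentinel scheduled analytics rules kept as JSON.

Added example, not Predica's analyzer. Catches the mistakes that would otherwise
only surface after deployment: bad severities, impossible schedules, empty
queries and missing MITRE tactics. Sample rules are constructed.
"""
import json
import re
from datetime import timedelta

REQUIRED = ("displayName", "query", "severity", "queryFrequency", "queryPeriod",
            "triggerOperator", "triggerThreshold", "tactics")
SEVERITIES = {"Informational", "Low", "Medium", "High"}
OPERATORS = {"GreaterThan", "LessThan", "Equal", "NotEqual"}
MIN_FREQUENCY = timedelta(minutes=5)   # Sentinel: scheduled rules run at most every 5 minutes
MAX_PERIOD = timedelta(days=14)        # Sentinel: lookback window is capped at 14 days
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def parse_duration(text):
    """Parse the ISO 8601 duration subset Sentinel uses (PnD, PTnH, PTnM and
    combinations). Returns a timedelta, or None if the text is not valid."""
    m = _DURATION.match(text or "")
    if not m or not any(m.groups()):
        return None
    days, hours, minutes = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def lint_rule(rule):
    """Return a list of problems for one rule; an empty list means it passes."""
    problems = [f"missing field {key}" for key in REQUIRED if key not in rule]
    if problems:
        return problems  # cannot check semantics with fields missing
    if rule["severity"] not in SEVERITIES:
        problems.append(f"severity {rule['severity']!r} not in {sorted(SEVERITIES)}")
    if rule["triggerOperator"] not in OPERATORS:
        problems.append(f"triggerOperator {rule['triggerOperator']!r} not in {sorted(OPERATORS)}")
    threshold = rule["triggerThreshold"]
    if isinstance(threshold, bool) or not isinstance(threshold, int) or threshold < 0:
        problems.append("triggerThreshold must be a non-negative integer")
    freq, period = parse_duration(rule["queryFrequency"]), parse_duration(rule["queryPeriod"])
    if freq is None:
        problems.append(f"queryFrequency {rule['queryFrequency']!r} is not a valid duration")
    if period is None:
        problems.append(f"queryPeriod {rule['queryPeriod']!r} is not a valid duration")
    if freq and period:
        if freq < MIN_FREQUENCY:
            problems.append("queryFrequency below the 5 minute minimum")
        if period > MAX_PERIOD:
            problems.append("queryPeriod above the 14 day maximum")
        if freq > period:
            problems.append("queryFrequency exceeds queryPeriod, so events between runs are never queried")
    if not str(rule["query"]).strip():
        problems.append("query is empty")
    if not rule["tactics"]:
        problems.append("at least one MITRE ATT&CK tactic is required")
    return problems


def lint_all(rules):
    """Return {displayName: [problems]} for every rule that fails."""
    return {r.get("displayName", "<unnamed>"): p for r in rules if (p := lint_rule(r))}


# Constructed sample rule files (assumption): one clean, one with several defects.
SAMPLE_RULES_JSON = json.dumps([
    {
        "displayName": "Bulk file rename to ransomware extension",
        "query": "DeviceFileEvents | where ActionType == 'FileRenamed' and FileName endswith '.locked'"
                 " | summarize renames = count() by InitiatingProcessAccountName, bin(Timestamp, 5m)"
                 " | where renames > 50",
        "severity": "High", "queryFrequency": "PT5M", "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan", "triggerThreshold": 0, "tactics": ["Impact"],
    },
    {
        "displayName": "Broken rule",
        "query": "   ",
        "severity": "Critical", "queryFrequency": "PT1H", "queryPeriod": "PT30M",
        "triggerOperator": "GreaterThan", "triggerThreshold": -1, "tactics": [],
    },
])


if __name__ == "__main__":
    for name, problems in lint_all(json.loads(SAMPLE_RULES_JSON)).items():
        print(name)
        for p in problems:
            print("  -", p)
```

Wired into the pull-request pipeline with a non-zero exit when `lint_all` returns anything, this is what blocks the upload the section describes; the reviewers then only see rules that are at least schedulable and complete.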

Security deployment pipeline

The key to all this automation is our Security Operations Center deployment pipeline: a generic set of steps that fits every client’s infrastructure.

Thanks to this, we can deploy the SOC for any business in about 40 minutes, giving the client a monitored environment from the first day. And that is how we use DevOps practices in our Managed SOC service.

Security Operations Center deployment pipeline

Azure Lighthouse

Finally, I would like to mention Azure Lighthouse – the service we use to manage our client’s infrastructure.

Azure Lighthouse lets our engineers work in the client’s subscriptions with identities from our own tenant, through a delegation that the client grants, scopes to specific Azure RBAC roles, and can revoke at any time. No new accounts are created in the client’s tenant, which adds a layer of security to our service, because every additional account is another credential for bad actors to target.

Azure Lighthouse

To sum up: Azure Sentinel, Azure DevOps, and Azure Lighthouse – the three cloud technologies that make our Managed SOC ready to implement in 40 minutes.

I hope that now you have a clearer understanding of how our service works.

If you’d like to talk to us about it, or even just ask some questions, email us at [email protected]. We’ll be happy to help! 
