"Detection as code" out; "SIEM as code" in
SIEM as Code: A Cloud-Native Evolution
In Molière's The Bourgeois Gentleman, the protagonist famously exclaims:
"For more than forty years I have been speaking prose while knowing nothing of it!"
Well, I can relate.
Lately, the world has been buzzing about Detection as Code - and I just realized that we've been practicing it for years!
It all started over six years ago when we introduced the first cloud-native SIEM, Microsoft Sentinel. For many, cloud-native meant cloud-scale or simply running in the cloud. Both are true, but for us it was about something bigger: adopting the cloud paradigm for SIEM, namely API-first design, DevOps integration, and serverless extensibility.
None of these are lightweight concepts, but together, they radically enhance a SIEM’s core capabilities: integration, automation, and customization.
CI/CD and the Birth of "SIEM as Code"
A key part of this cloud evolution was building a CI/CD pipeline for content management. My friend Javier Soriano pioneered what was likely the first-ever CI/CD-based “Detection as Code” solution. But Javier, quite rightly, called it "Sentinel as Code" instead.
Why?
1️⃣ SIEM is more than just detections. His solution managed other Sentinel artifacts like workbooks and playbooks.
2️⃣ CI/CD goes beyond detections - it can deploy Sentinel itself. Javier later expanded his work with Sentinel All-in-One, a framework for deploying and managing Sentinel via code.
So, instead of Detection as Code, let’s start saying "SIEM as Code"!
Making SIEM CI/CD Even Easier
Setting up CI/CD can be complex - SIEM CI/CD is no exception. The next frontier is simplification.
Enter Sentinel Repositories: a game-changer from Nayef Yassin, Nan Zang, Basel Shaheen, and their teams. It’s probably the simplest way imaginable to implement SIEM CI/CD.
In fact, in my Sentinel Repositories webinar yesterday, I spent more time explaining “content as code” than the actual feature - because it’s that simple!
If you’re curious about Infrastructure as Code and Content as Code, I highly recommend watching the webinar. It’ll help demystify SIEM CI/CD and content as code - and yes, there are lots of demos.
Promise! 😉
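To make "content as code" concrete, here is an added example of the kind of validation gate a CI/CD pipeline can run over each analytics-rule file before it is deployed to Sentinel; it is not code from the post, from Sentinel Repositories or from Sentinel All-in-One. It assumes the rule file has already been loaded from YAML into a dict (PyYAML would do that in the pipeline), that the field names and allowed values mirror Sentinel's scheduled-rule schema, and the sample rule is constructed for the demonstration.

```python
import re
import uuid

# Allowed values, assumed here to mirror what Sentinel scheduled analytics rules accept.
SEVERITIES = {"Informational", "Low", "Medium", "High"}
TACTICS = {"InitialAccess", "Execution", "Persistence", "PrivilegeEscalation",
           "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement",
           "Collection", "Exfiltration", "CommandAndControl", "Impact"}
TRIGGERS = {"gt", "lt", "eq", "ne"}
REQUIRED = ("id", "name", "severity", "query", "queryFrequency", "queryPeriod",
            "triggerOperator", "triggerThreshold", "tactics")
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")

def duration_minutes(value):
    """Convert an ISO 8601 duration such as PT5M, PT1H or P1D to minutes; None if malformed."""
    m = ISO_DURATION.match(str(value))
    if not m or not any(m.groups()):
        return None
    days, hours, mins = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins

def validate_rule(rule):
    """Return the list of findings for one rule; an empty list means the CI gate passes."""
    findings = [f"missing field: {f}" for f in REQUIRED if f not in rule]
    if findings:  # no point checking values on an incomplete rule
        return findings
    try:
        uuid.UUID(str(rule["id"]))  # Sentinel identifies rules by GUID
    except ValueError:
        findings.append("id is not a UUID")
    if rule["severity"] not in SEVERITIES:
        findings.append(f"unknown severity: {rule['severity']}")
    if rule["triggerOperator"] not in TRIGGERS:
        findings.append(f"unknown triggerOperator: {rule['triggerOperator']}")
    unknown = set(rule["tactics"]) - TACTICS
    if unknown:
        findings.append("unknown tactics: " + ", ".join(sorted(unknown)))
    freq, period = duration_minutes(rule["queryFrequency"]), duration_minutes(rule["queryPeriod"])
    if freq is None or period is None:
        findings.append("queryFrequency and queryPeriod must be ISO 8601 durations")
    elif freq > period:  # running less often than the lookback window leaves gaps in coverage
        findings.append("queryFrequency exceeds queryPeriod (events would be skipped)")
    return findings

# Constructed sample, shaped like a rule YAML after loading (not a real Sentinel rule).
SAMPLE_RULE = {"id": "7d2a9f2c-4b1e-4e7a-9c3d-1f5e6a7b8c9d", "name": "Burst of failed sign-ins per user",
               "severity": "Medium", "queryFrequency": "PT1H", "queryPeriod": "PT1H",
               "triggerOperator": "gt", "triggerThreshold": 0, "tactics": ["CredentialAccess"],
               "query": "SigninLogs | where ResultType != 0 | summarize Failures=count() by UserPrincipalName | where Failures > 10"}
```

A pipeline would loop this over every rule file in the repository and fail the build on the first non-empty findings list, so a malformed detection never reaches the workspace.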
Kudos and thank you Ofer Shezaf - SIEM and cyber security Expert ⭐️
Well said!
Oh man this is so rad. I’m watching the webinar now. This might be a big game changer for me and my team. We’ve been using SOPs and ClickOps to enable Sentinel for our customers. Doing everything through code is going to make this process so much faster and so much more repeatable.
Insightful 👍
Great French culture. Passion, education, and motivation … the key to professional success