Set up Automated Deployment of Microsoft Sentinel

Jason Smyth


Cloud Infrastructure Architect

Software Architect

Cybersecurity Specialist

Azure

Azure DevOps

Visual Studio Code

Consulting

This consultation project involved setting up and optimising Microsoft Sentinel in the client's tenant, and managing Microsoft Sentinel instances in the client's customer tenants through Azure Lighthouse.
It started with working out how to deploy and configure Microsoft Sentinel so that customers could be onboarded to Sentinel through automated deployment with ARM/BICEP templates and PowerShell. Practical solutions, including documentation, were provided to show the deployment of content types such as Content Hub Solutions, Data Connectors and Analytics Rules, with a focus on the Content Hub Solutions for Azure Activity, Microsoft Defender XDR and Microsoft Entra ID.
On the Azure Lighthouse side, the project involved managing subscriptions and resource groups in different customer tenants while maintaining scalability, automation and governance. Acting as the service provider meant delivering managed services into the customers' tenants while each customer stays in control of who has access to their tenant: the delegation is created and can be revoked in the customer's own tenant, and it grants only the roles listed in it.
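The delegation described above can itself be deployed as code. The following Bicep is an added example written for this page, not the client's or the project's template. It is deployed at subscription scope in the customer's tenant by a customer user holding Owner on that subscription, and it delegates the subscription to the service provider tenant with least-privilege Sentinel roles: permanent Sentinel Reader and Responder for the SOC groups, and Sentinel Contributor only as an eligible (just-in-time, MFA-gated, time-boxed) authorization. The offer name, tenant ID and group object IDs are placeholders; the built-in role definition IDs are the standard Azure values.

```bicep
// Added example (not from the original project): Azure Lighthouse delegation of a
// customer subscription to a service provider tenant with least-privilege Sentinel roles.
// Deploy in the CUSTOMER tenant at subscription scope; the customer can delete the
// registrationAssignment at any time to revoke all provider access.
targetScope = 'subscription'

// Placeholder values (assumptions for illustration, not real identifiers)
param mspOfferName string = 'Managed Sentinel SOC (example)'
param mspOfferDescription string = 'Example delegation for SOC monitoring via Microsoft Sentinel'
param managedByTenantId string = '00000000-0000-0000-0000-000000000000'     // provider tenant ID
param socAnalystsGroupId string = '11111111-1111-1111-1111-111111111111'    // provider Entra ID group
param socEngineersGroupId string = '22222222-2222-2222-2222-222222222222'   // provider Entra ID group

// Azure built-in role definition IDs (identical in every tenant)
var sentinelReaderRole = '8d289c81-5878-46d4-8554-54e1e3d8b5cb'
var sentinelResponderRole = '3e150937-b8fe-4cfb-8069-0eaf05ecd056'
var sentinelContributorRole = 'ab8e14d6-4a74-4a29-9ba8-549422addade'
var registrationAssignmentDeleteRole = '91c1777a-f3dc-4fae-b103-61d183457e46'

// The registration definition lists exactly which provider principals get which roles.
// Lighthouse requires the resource name to be a GUID, so derive it deterministically.
resource registrationDefinition 'Microsoft.ManagedServices/registrationDefinitions@2022-10-01' = {
  name: guid(mspOfferName, managedByTenantId)
  properties: {
    registrationDefinitionName: mspOfferName
    description: mspOfferDescription
    managedByTenantId: managedByTenantId
    // Permanent authorizations: read/triage only, no ability to change workspace content
    authorizations: [
      {
        principalId: socAnalystsGroupId
        principalIdDisplayName: 'SOC analysts (Sentinel Reader)'
        roleDefinitionId: sentinelReaderRole
      }
      {
        principalId: socEngineersGroupId
        principalIdDisplayName: 'SOC engineers (Sentinel Responder)'
        roleDefinitionId: sentinelResponderRole
      }
      {
        // Lets the provider remove its own delegation when the engagement ends
        principalId: socEngineersGroupId
        principalIdDisplayName: 'SOC engineers (remove delegation)'
        roleDefinitionId: registrationAssignmentDeleteRole
      }
    ]
    // Eligible authorization: Contributor rights must be activated per session,
    // with MFA in the provider tenant, and expire after the maximum duration.
    eligibleAuthorizations: [
      {
        principalId: socEngineersGroupId
        principalIdDisplayName: 'SOC engineers (JIT Sentinel Contributor)'
        roleDefinitionId: sentinelContributorRole
        justInTimeAccessPolicy: {
          multiFactorAuthProvider: 'Azure'
          maximumActivationDuration: 'PT8H'
        }
      }
    ]
  }
}

// The assignment binds the definition to this subscription; deleting it revokes access.
resource registrationAssignment 'Microsoft.ManagedServices/registrationAssignments@2022-10-01' = {
  name: guid(mspOfferName, managedByTenantId, subscription().subscriptionId)
  properties: {
    registrationDefinitionId: registrationDefinition.id
  }
}

output registrationDefinitionId string = registrationDefinition.id
output registrationAssignmentId string = registrationAssignment.id
```

Deploy it from the customer tenant with `az deployment sub create --location <region> --template-file lighthouse.bicep` (or `New-AzSubscriptionDeployment` in PowerShell). Two checks worth making before rolling this out: eligible authorizations require a Microsoft Entra ID P2 licence in the service provider tenant, and the Sentinel roles above apply to the delegated subscription only, so the Sentinel workspace must live in that subscription for the provider to see it.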
All work completed is fully documented for training purposes. I include an example image of the training documentation that shows how to use Azure BICEP for the Automated Deployment of core Microsoft Sentinel components.
An example BICEP template is included to demonstrate the file used to deploy the Content Hub Solution for Microsoft Entra ID with its Data Connector Content type.
// Define the parameters for the deployment
param dataState string = 'Enabled'   // 'Enabled' or 'Disabled' for the connector's data types
param _solutionId string = 'azuresentinel.azure-sentinel-solution-azureactivedirectory'
param _solutionVersion string = '3.2.9'
// Seed for contentProductId; follows the pattern used by Content Hub solution templates
param _solutionSuffix string = '${_solutionId}-Solution-${_solutionId}-${_solutionVersion}'

// Reference existing Log Analytics Workspace instance
resource law 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  name: 'law-SOC-${resourceGroup().location}'
}

// Reference existing Microsoft Sentinel instance (the workspace must already be onboarded)
resource sentinel 'Microsoft.SecurityInsights/onboardingStates@2024-09-01' existing = {
  name: 'default'
  scope: law
}

// Deploy Content Package for Azure Active Directory (Microsoft Entra ID) from the Content Hub
resource ContentHub_AzureActiveDirectory 'Microsoft.SecurityInsights/contentPackages@2024-09-01' = {
  name: 'Microsoft Entra ID'
  scope: law
  properties: {
    contentSchemaVersion: '3.0.0'
    contentId: _solutionId
    // Product ID derived from the solution ID and version, as in the published solution templates
    contentProductId: '${take(_solutionId, 50)}-sl-${uniqueString(_solutionSuffix)}'
    contentKind: 'Solution'
    displayName: 'Microsoft Entra ID'
    version: _solutionVersion
  }
  dependsOn: [
    sentinel
  ]
}

// Enable the Microsoft Entra ID data connector once the solution package is installed.
// This connector kind exposes only the 'alerts' data type; SigninLogs/AuditLogs ingestion
// is configured through Entra ID diagnostic settings, not through this resource.
resource azureADDataConnector 'Microsoft.SecurityInsights/dataConnectors@2024-09-01' = {
  name: 'Microsoft Entra ID'
  kind: 'AzureActiveDirectory'
  scope: law
  properties: {
    dataTypes: {
      alerts: {
        state: dataState
      }
    }
    tenantId: subscription().tenantId   // the Entra tenant that owns the subscription
  }
  dependsOn: [
    ContentHub_AzureActiveDirectory
  ]
}
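The template above covers the Content Hub Solution and Data Connector content types; the Analytics Rules content type mentioned earlier is not shown on the page. The following Bicep is an added example written for this page (not the project's own template) that deploys one scheduled analytics rule into the same kind of existing workspace. It assumes the workspace name pattern used above, that Entra ID sign-in logs are already being ingested into the SigninLogs table, and an illustrative failure threshold; the rule name, display name, query and tuning values are all assumptions.

```bicep
// Added example (not from the original project): deploy a scheduled analytics rule
// (Analytics Rules content type) into an existing Microsoft Sentinel workspace.
param workspaceName string = 'law-SOC-${resourceGroup().location}'   // assumed, mirrors the page's pattern
param failureThreshold int = 10                                       // assumed tuning value
param ruleEnabled bool = true

// Reference the existing workspace; Sentinel must already be onboarded to it
resource law 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  name: workspaceName
}

// KQL over SigninLogs. Multi-line Bicep strings are not interpolated, so the
// threshold is injected with format(). Time scoping is applied by the rule's
// queryPeriod, so the query itself has no TimeGenerated filter.
// ResultType 50126 = invalid username or password; 50053 = account locked.
var rawQuery = '''
SigninLogs
| where ResultType in ("50126", "50053")
| summarize FailedCount = count(), SourceIPs = make_set(IPAddress, 10), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by UserPrincipalName
| where FailedCount >= {0}
'''
var detectionQuery = format(rawQuery, failureThreshold)

// Deterministic GUID name so redeployments update the rule instead of duplicating it
resource failedSignInRule 'Microsoft.SecurityInsights/alertRules@2024-09-01' = {
  name: guid(law.id, 'example-entra-failed-signins')
  kind: 'Scheduled'
  scope: law
  properties: {
    displayName: 'Example - repeated failed Entra ID sign-ins per account'
    description: 'Added example rule: flags accounts with many failed sign-ins within the query period.'
    severity: 'Medium'
    enabled: ruleEnabled
    query: detectionQuery
    queryFrequency: 'PT1H'      // run every hour
    queryPeriod: 'PT1H'         // over the last hour of data
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0         // any row returned raises an alert
    suppressionDuration: 'PT5H'
    suppressionEnabled: false
    tactics: [
      'CredentialAccess'
    ]
    techniques: [
      'T1110'
    ]
    eventGroupingSettings: {
      aggregationKind: 'AlertPerResult'   // one alert per affected account
    }
    incidentConfiguration: {
      createIncident: true
      groupingConfiguration: {
        enabled: true
        reopenClosedIncident: false
        lookbackDuration: 'PT5H'
        matchingMethod: 'AllEntities'     // group alerts for the same account into one incident
      }
    }
    entityMappings: [
      {
        entityType: 'Account'
        fieldMappings: [
          {
            identifier: 'FullName'
            columnName: 'UserPrincipalName'
          }
        ]
      }
    ]
  }
}

output ruleId string = failedSignInRule.id
```

Deploy it into the workspace's resource group with `az deployment group create --resource-group <rg> --template-file rule.bicep` (or `New-AzResourceGroupDeployment`). Keeping the rule name a deterministic `guid()` is what makes the deployment idempotent in a pipeline: re-running it after tuning `failureThreshold` updates the existing rule rather than creating a second copy that fires in parallel.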
As this project is under NDA (Non-Disclosure Agreement), I am unable to share full details due to confidentiality reasons. Verification for this work can be confirmed by the project sponsor who has provided a recommendation/review:

Posted Feb 18, 2025

A consultation assignment for setting up and optimising Microsoft Sentinel through automation using ARM Templates, BICEP and PowerShell.


Timeline

Oct 28, 2024 - Ongoing

Clients

Goodfellows
