Jorge Bernhardt

Bicep - Deploying Microsoft Sentinel with Azure AD Connector


Hi there! As you know, Microsoft Sentinel is an advanced SIEM tool that provides a comprehensive view of your organization’s security landscape. One of its superpowers comes from its integration with the Azure AD connector. But can the deployment be automated? The answer is yes, and that’s where Azure Bicep comes in. This blog post will show you how to deploy Microsoft Sentinel with an Azure AD connector using Azure Bicep.


Prerequisites #

Before you start, you’ll need the following to deploy and manage resources with Bicep:

  • You need Azure CLI version 2.20.0 or later to deploy Bicep files on your local machine.
  • A text editor or IDE of your choice (Visual Studio Code with Bicep extension is my recommendation)

Create the Bicep file #

The first step in deploying a Bicep template is to create the Bicep file that defines your resources. Create a new file named sentinel.bicep. This file will contain the code needed to define and configure the deployment of your resources.

@description('Specifies the Tenant ID for Azure Active Directory.')
param tenantId string 

@description('Name of the project or solution')
@minLength(3)
@maxLength(37)
param projectName string

@description('Specifies the location for all resources.')
@allowed([
  'westeurope'
  'northeurope'
])
param location string

@description('Specifies the SKU name for the workspace.')
@allowed([
  'PerGB2018'
  'Standard'
])
param skuName string = 'PerGB2018'

@description('Specifies the retention in days.')
@minValue(30)
@maxValue(730)
param retentionInDays int = 90

@description('Specifies the state of the AzureActiveDirectory connector.')
@allowed([
  'Enabled'
  'Disabled'
])
param dataState string = 'Enabled'

@description('The tags to be associated with the resources.')
param tags object = {
  bicep: 'true'
  environment: 'jorgebernhardt.com'
}


@description('Generates the workspace name.')
var workspaceName = 'law-${projectName}-${tags.environment}'


resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: {
      name: skuName
    }
    retentionInDays: retentionInDays
  }
  tags: tags
}

resource sentinel 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = {
  name: 'SecurityInsights(${workspaceName})'
  location: location
  properties: {
    workspaceResourceId: workspace.id
  }
  plan: {
    name: 'SecurityInsights(${workspaceName})'
    product: 'OMSGallery/SecurityInsights'
    promotionCode: ''
    publisher: 'Microsoft'
  }
  tags: tags
}

resource azureADDataConnector 'Microsoft.SecurityInsights/dataConnectors@2023-02-01-preview' = {
  name: '${workspaceName}-AzureActiveDirectory'
  kind: 'AzureActiveDirectory'
  scope: workspace
  dependsOn: [
    sentinel
  ]
  properties: {
    dataTypes: {
      alerts: {
        state: dataState
      }
    }
    tenantId: tenantId
  }
}


output workspaceId string = workspace.id
output workspaceName string = workspace.name
output solutionId string = sentinel.id
output solutionName string = sentinel.name
output dataConnectorId string = azureADDataConnector.id

Workspace: This block creates an Azure Log Analytics workspace, which is required for Microsoft Sentinel. The workspace name is dynamically created based on the provided project name and environment.

Sentinel: This block creates a Microsoft Sentinel solution, which is the primary component of Microsoft Sentinel. The solution is linked to the previously created Log Analytics workspace.

Important: Please pay special attention to the following restrictions or limitations.

  • The name value only supports the following patterns:

    For solutions authored by Microsoft, the name must be in the pattern: SolutionType(WorkspaceName)

    For solutions authored by third parties, the name must be in the pattern: SolutionType[WorkspaceName]

  • The PromotionCode property must be present, but you can leave it empty.

AzureADDataConnector: This block creates a data connector for Azure Active Directory. The data connector collects logs from Azure Active Directory and feeds them into the Sentinel solution. This connector depends on the Sentinel solution, which is why we see the dependsOn statement pointing to sentinel.


Deployment scope #

You can target your deployment to a resource group, subscription, management group, or tenant. In this case, an Azure resource group is needed to hold all the resources that Microsoft Sentinel requires. By default, when deploying a Bicep template, the scope the resources are deployed to is a resource group.

You can use an existing Resource Group, or you can create a new Resource Group. If you want to know how to create a Resource Group using Azure CLI, check out this link.


Deploy the Bicep template using the Azure CLI #

Once your Bicep template is prepared, and you’ve selected your desired scope, you can proceed to deploy the template through the Azure CLI. To do so, execute the following commands.


Parameters #

Personalization is key to making your template reusable. With the parameters, you can easily tailor the template to your specific needs. You can use either inline parameters or a parameter file to pass parameter values. In my case, I will use a file to pass the parameters; here is an example.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "tenantId": {
      "value": "<Your_Tenant_ID>"
    },
    "projectName": {
      "value": "demo"
    },
    "location": {
      "value": "northeurope"
    },
    "skuName": {
      "value": "PerGB2018"
    },
    "retentionInDays": {
      "value": 90
    },
    "dataState": {
      "value": "Enabled"
    },
    "tags": {
      "value": {
        "environment": "dev",
        "bicep": "true"
      }
    }
  }
}

Important: Please note that the parameter file stores parameter values in plain text format. If you need to include a parameter with sensitive data, it’s recommended to store the value in a secure key vault.
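The constraints the template declares (allowed locations and SKUs, the projectName length, the retention range, the generated workspace and solution names) and the plain-text warning above can both be checked before running a deployment. The script below is an added example written for this post, not code from the original or from Microsoft: it re-applies the template’s own decorators to a parameter file, rebuilds the `law-<projectName>-<environment>` and `SecurityInsights(<workspaceName>)` names the way the template does, checks the workspace name against the Azure naming rule for Log Analytics workspaces (4 to 63 characters, alphanumerics and hyphens, starting and ending with an alphanumeric), and reports any parameter in a caller-supplied "sensitive" set that is supplied as a plain `value` rather than a Key Vault `reference`. The two sample files are constructed inline; the vault resource id and the secret name `sentinel-tenant-id` are placeholders, and `tenantId` stands in for a secret only because the template has no other candidate (it is not itself a secret). A Key Vault reference resolves at deploy time, so the vault must have template deployment enabled (`enabledForTemplateDeployment`), the deploying identity needs `Microsoft.KeyVault/vaults/deploy/action`, and the receiving parameter should carry the `@secure()` decorator in the template.

```python
"""Pre-deployment lint for the sentinel.bicep parameter file (added example)."""
import json
import re

# Constraints copied from the template's parameter decorators.
REQUIRED = {"tenantId", "projectName", "location"}
ALLOWED = {
    "location": {"westeurope", "northeurope"},
    "skuName": {"PerGB2018", "Standard"},
    "dataState": {"Enabled", "Disabled"},
}
DEFAULTS = {
    "skuName": "PerGB2018",
    "retentionInDays": 90,
    "dataState": "Enabled",
    "tags": {"bicep": "true", "environment": "jorgebernhardt.com"},
}
PROJECT_NAME_LEN = (3, 37)
RETENTION_RANGE = (30, 730)

# Azure naming rule for Log Analytics workspaces: 4-63 characters, alphanumerics
# and hyphens, starting and ending with an alphanumeric character.
WORKSPACE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{2,61}[A-Za-z0-9]$")
# Microsoft-authored solutions must be named SolutionType(WorkspaceName).
SOLUTION_NAME_RE = re.compile(r"^[A-Za-z]+\([^()\[\]]+\)$")

# Constructed sample: the parameter file from the post, tenantId as plain text.
SAMPLE_PLAIN = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "tenantId": {"value": "<Your_Tenant_ID>"},
    "projectName": {"value": "demo"},
    "location": {"value": "northeurope"},
    "skuName": {"value": "PerGB2018"},
    "retentionInDays": {"value": 90},
    "dataState": {"value": "Enabled"},
    "tags": {"value": {"environment": "dev", "bicep": "true"}}
  }
}"""

# Constructed sample: same file, tenantId resolved from Key Vault at deploy time.
# The vault resource id and secret name are placeholders.
SAMPLE_KEYVAULT = SAMPLE_PLAIN.replace(
    '"tenantId": {"value": "<Your_Tenant_ID>"}',
    '"tenantId": {"reference": {"keyVault": {"id": "/subscriptions/<sub>/resourceGroups/<rg>'
    '/providers/Microsoft.KeyVault/vaults/<vault>"}, "secretName": "sentinel-tenant-id"}}',
)


def derived_names(values: dict) -> tuple[str, str]:
    """Reproduce the names the template builds: workspace and Sentinel solution."""
    workspace = f"law-{values['projectName']}-{values['tags'].get('environment', '')}"
    return workspace, f"SecurityInsights({workspace})"


def lint_parameters(doc: dict, sensitive: set[str] = frozenset()) -> list[str]:
    """Return findings for a parameter file; an empty list means it passes."""
    findings: list[str] = []
    values = {k: (dict(v) if isinstance(v, dict) else v) for k, v in DEFAULTS.items()}
    for name, entry in doc.get("parameters", {}).items():
        if "reference" in entry:  # Key Vault reference: no secret in the file
            ref = entry["reference"]
            if not ref.get("keyVault", {}).get("id") or not ref.get("secretName"):
                findings.append(f"{name}: incomplete Key Vault reference")
            values[name] = "<resolved at deploy time>"
            continue
        if "value" not in entry:
            findings.append(f"{name}: neither value nor reference supplied")
            continue
        if name in sensitive:
            findings.append(f"{name}: sensitive value stored in plain text; use a Key Vault reference")
        values[name] = entry["value"]
    missing = sorted(REQUIRED - values.keys())
    findings.extend(f"{name}: required parameter missing" for name in missing)
    if missing:
        return findings
    for name, allowed in ALLOWED.items():
        if values[name] not in allowed:
            findings.append(f"{name}: {values[name]!r} not in {sorted(allowed)}")
    lo, hi = PROJECT_NAME_LEN
    if not lo <= len(str(values["projectName"])) <= hi:
        findings.append(f"projectName: length must be between {lo} and {hi}")
    lo, hi = RETENTION_RANGE
    retention = values["retentionInDays"]
    if not (isinstance(retention, int) and lo <= retention <= hi):
        findings.append(f"retentionInDays: must be an integer between {lo} and {hi}")
    workspace, solution = derived_names(values)
    if not WORKSPACE_NAME_RE.match(workspace):
        findings.append(f"workspace name {workspace!r} breaks Log Analytics naming rules")
    if not SOLUTION_NAME_RE.match(solution):
        findings.append(f"solution name {solution!r} is not SolutionType(WorkspaceName)")
    return findings


if __name__ == "__main__":
    for label, text in (("plain", SAMPLE_PLAIN), ("keyvault", SAMPLE_KEYVAULT)):
        print(label, lint_parameters(json.loads(text), sensitive={"tenantId"}) or "ok")
```

Note that dropping the `tags` parameter from the file is flagged: the template’s default environment tag contains a dot, and the workspace name derived from it would not pass the naming rule, so the linter catches a failure that would otherwise only surface during deployment.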


Preview changes #

Before deploying a Bicep file, you can preview the changes that will be made to your resources. A what-if operation does not change any existing resources; it only prints a color-coded summary of the changes the deployment would make.

az deployment group what-if \
--resource-group <resource-group-name> \
--template-file <filename>.bicep \
--parameters @<filename>.parameters.json 

Deploy the Azure resource #

Finally, to deploy the template, run the following command.

az deployment group create \
--resource-group <resource-group-name> \
--template-file <filename>.bicep \
--parameters @<filename>.parameters.json 

Validate the deployment #

To verify that the resource was created correctly, you can use the Azure Portal or the Azure CLI to check the created resources and their configurations. For Azure CLI, use the following command.

az sentinel data-connector list \
--workspace-name <log-analytics-workspace-name> \
--resource-group <resource-group-name> \
--query "[].{kind:kind, name:name, tenantId:tenantId, state:dataTypes.alerts.state}" \
--output table

References and useful links #

Thank you for taking the time to read my post. I sincerely hope that you find it helpful.