This commit is contained in:
Javier Soriano 2021-01-28 14:17:00 +01:00
Родитель 9058eadc59
Коммит 7c7e18ae9b
14 изменённых файлов: 1906 добавлений и 0 удалений


@ -0,0 +1,60 @@
#Requires -Version 3.0
#Requires -Module Az.Resources
#Requires -Module Az.Storage
#use this script to side-load a createUIDefinition.json file in the Azure portal
[cmdletbinding()]
param(
[string] $ArtifactsStagingDirectory = ".",
[string] $createUIDefFile='createUIDefinition.json',
[string] $storageContainerName='createuidef',
[string] $StorageResourceGroupLocation, # this must be specified only when the staging resource group needs to be created - first run or if the account has been deleted
[switch] $Gov
)
try {
$StorageAccountName = 'stage' + ((Get-AzContext).Subscription.Id).Replace('-', '').substring(0, 19)
$StorageAccount = (Get-AzStorageAccount | Where-Object{$_.StorageAccountName -eq $StorageAccountName})
# Create the storage account if it doesn't already exist
if ($StorageAccount -eq $null) {
if ($StorageResourceGroupLocation -eq "") { throw "The StorageResourceGroupLocation parameter is required on first run in a subscription." }
$StorageResourceGroupName = 'ARM_Deploy_Staging'
New-AzResourceGroup -Location "$StorageResourceGroupLocation" -Name $StorageResourceGroupName -Force
$StorageAccount = New-AzStorageAccount -StorageAccountName $StorageAccountName -Type 'Standard_LRS' -ResourceGroupName $StorageResourceGroupName -Location "$StorageResourceGroupLocation"
}
New-AzStorageContainer -Name $StorageContainerName -Context $StorageAccount.Context -ErrorAction SilentlyContinue *>&1
Set-AzStorageBlobContent -Container $StorageContainerName -File "$ArtifactsStagingDirectory\$createUIDefFile" -Context $storageAccount.Context -Force
$uidefurl = New-AzStorageBlobSASToken -Container $StorageContainerName -Blob (Split-Path $createUIDefFile -leaf) -Context $storageAccount.Context -FullUri -Permission r
$encodedurl = [uri]::EscapeDataString($uidefurl)
if ($Gov) {
$target=@"
https://portal.azure.us/#blade/Microsoft_Azure_Compute/CreateMultiVmWizardBlade/internal_bladeCallId/anything/internal_bladeCallerParams/{"providerConfig":{"createUiDefinition":"$encodedurl"}}
"@
}
else {
$target=@"
https://portal.azure.com/#blade/Microsoft_Azure_Compute/CreateMultiVmWizardBlade/internal_bladeCallId/anything/internal_bladeCallerParams/{"providerConfig":{"createUiDefinition":"$encodedurl"}}
"@
}
Write-Host `n"File: "$uidefurl `n
Write-Host "Target URL: "$target
# launching the default browser doesn't work if the default is Chrome - so force edge here
Start-Process "microsoft-edge:$target"
}
catch {
throw $_
}
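Review bot: `New-AzStorageBlobSASToken` is called without `-ExpiryTime`, so the read SAS on the createUIDefinition blob lives for whatever the cmdlet's default happens to be rather than a lifetime this script chose, and the signed URL is then printed in clear by the `Write-Host "File: "$uidefurl` and `"Target URL: "$target` lines. Because that URL is a bearer credential for the blob, bound its validity to the side-loading session, e.g. `$uidefurl = New-AzStorageBlobSASToken -Container $StorageContainerName -Blob (Split-Path $createUIDefFile -leaf) -Context $storageAccount.Context -FullUri -Permission r -ExpiryTime (Get-Date).AddHours(1)`. Two smaller points in the same block: the null test reads better and is safe against array results as `if ($null -eq $StorageAccount)`, and `-ErrorAction SilentlyContinue *>&1` on `New-AzStorageContainer` hides every failure of container creation, not only "already exists" — a `Get-AzStorageContainer ... -ErrorAction SilentlyContinue` probe before creating would keep real errors visible.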


@ -0,0 +1,186 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Resource group to deploy solution resources"
}
},
"workspaceName": {
"defaultValue": "<Enter Log Analytics Workspace name>",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Sentinel is setup"
}
},
"dataConnectorsKind": {
"type": "array",
"defaultValue": [],
"metadata": {
"description": "The kind of data connectors to enable"
}
},
"ruleGuid": {
"type": "string",
"defaultValue": "[newGuid()]",
"metadata": {
"description": "The unique guid for this scheduled alert rule"
}
},
"enableFusionAlert": {
"type": "bool",
"defaultValue": false
},
"enableMicrosoftAlerts": {
"type": "bool",
"defaultValue": false
},
"enableMLAlerts": {
"type": "bool",
"defaultValue": false
}
},
"functions": [],
"variables": {
"ascRuleId": "[concat('asc', uniqueString(parameters('ruleGuid')))]",
"mcasRuleId": "[concat('mcas', uniqueString(parameters('ruleGuid')))]",
"aatpRuleId": "[concat('aatp', uniqueString(parameters('ruleGuid')))]",
"mdatpRuleId": "[concat('mdatp', uniqueString(parameters('ruleGuid')))]",
"aadipRuleId": "[concat('aadip', uniqueString(parameters('ruleGuid')))]",
"fusionRuleId": "[concat('fusion', uniqueString('Fusion'))]",
"mlbaSsh": "[concat('mlba',uniqueString('SSH'))]",
"mlbaRdp": "[concat('mlba',uniqueString('RDP'))]"
},
"resources": [
{
"condition": "[and(contains(parameters('dataConnectorsKind'), 'AzureActiveDirectory'),parameters('enableMicrosoftAlerts'))]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('aadipRuleId'))]",
"apiVersion": "2020-01-01",
"kind": "MicrosoftSecurityIncidentCreation",
"location": "[parameters('location')]",
"dependsOn": [],
"properties": {
// https://docs.microsoft.com/en-us/rest/api/securityinsights/alertrules/createorupdate#scheduledalertrule
"description": "Create incidents based on Azure Active Directory Identity Protection alerts",
"displayName": "Create incidents based on all alerts generated in Azure Active Directory Identity Protection",
"enabled": true,
"productFilter": "Azure Active Directory Identity Protection"
}
},
{
"condition": "[and(contains(parameters('dataConnectorsKind'), 'AzureSecurityCenter'),parameters('enableMicrosoftAlerts'))]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('ascRuleId'))]",
"apiVersion": "2020-01-01",
"kind": "MicrosoftSecurityIncidentCreation",
"location": "[parameters('location')]",
"dependsOn": [],
"properties": {
// https://docs.microsoft.com/en-us/rest/api/securityinsights/alertrules/createorupdate#scheduledalertrule
"description": "Create incidents based on Azure Security Center alerts",
"displayName": "Create incidents based on all alerts generated in Azure Security Center",
"enabled": true,
"productFilter": "Azure Security Center"
}
},
{
"condition": "[and(contains(parameters('dataConnectorsKind'), 'AzureAdvancedThreatProtection'),parameters('enableMicrosoftAlerts'))]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('aatpRuleId'))]",
"apiVersion": "2020-01-01",
"kind": "MicrosoftSecurityIncidentCreation",
"location": "[parameters('location')]",
"dependsOn": [],
"properties": {
// https://docs.microsoft.com/en-us/rest/api/securityinsights/alertrules/createorupdate#scheduledalertrule
"description": "Create incidents based on Azure Advanced Threat Protection alerts",
"displayName": "Create incidents based on all alerts generated in Azure Advanced Threat Protection",
"enabled": true,
"productFilter": "Azure Advanced Threat Protection"
}
},
{
"condition": "[and(contains(parameters('dataConnectorsKind'), 'MicrosoftCloudAppSecurity'),parameters('enableMicrosoftAlerts'))]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('mcasRuleId'))]",
"apiVersion": "2020-01-01",
"kind": "MicrosoftSecurityIncidentCreation",
"location": "[parameters('location')]",
"dependsOn": [],
"properties": {
// https://docs.microsoft.com/en-us/rest/api/securityinsights/alertrules/createorupdate#scheduledalertrule
"description": "Create incidents based on Microsoft Cloud App Security alerts",
"displayName": "Create incidents based on all alerts generated in Microsoft Cloud App Security",
"enabled": true,
"productFilter": "Microsoft Cloud App Security"
}
},
{
"condition": "[and(contains(parameters('dataConnectorsKind'), 'MicrosoftDefenderAdvancedThreatProtection'),parameters('enableMicrosoftAlerts'))]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('mdatpRuleId'))]",
"apiVersion": "2020-01-01",
"kind": "MicrosoftSecurityIncidentCreation",
"location": "[parameters('location')]",
"dependsOn": [],
"properties": {
// https://docs.microsoft.com/en-us/rest/api/securityinsights/alertrules/createorupdate#scheduledalertrule
"description": "Create incidents based on Microsoft Defender Advanced Threat Protection alerts",
"displayName": "Create incidents based on all alerts generated in Microsoft Defender Advanced Threat Protection",
"enabled": true,
"productFilter": "Microsoft Defender Advanced Threat Protection"
}
},
{
"condition": "[and(contains(parameters('dataConnectorsKind'), 'Syslog'),parameters('enableMLAlerts'))]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('mlbaSsh'))]",
"apiVersion": "2020-01-01",
"kind": "MLBehaviorAnalytics",
"location": "[parameters('location')]",
"dependsOn": [],
"properties": {
"enabled": true,
"alertRuleTemplateName": "fa118b98-de46-4e94-87f9-8e6d5060b60b"
}
},
{
"condition": "[and(contains(parameters('dataConnectorsKind'), 'SecurityEvents'),parameters('enableMLAlerts'))]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('mlbaRdp'))]",
"apiVersion": "2020-01-01",
"kind": "MLBehaviorAnalytics",
"location": "[parameters('location')]",
"dependsOn": [],
"properties": {
"enabled": true,
"alertRuleTemplateName": "737a2ce1-70a3-4968-9e90-3e6aca836abf"
}
},
{
"condition": "[parameters('enableFusionAlert')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('fusionRuleId'))]",
"apiVersion": "2020-01-01",
"kind": "Fusion",
"location": "[parameters('location')]",
"dependsOn": [],
"properties": {
"enabled": true,
"alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8"
}
}
],
"outputs": {
"ruleId": {
"type": "string",
"value": "[parameters('ruleGUID')]"
}
}
}
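Review bot: The five `// https://docs.microsoft.com/...#scheduledalertrule` comments sit inside `MicrosoftSecurityIncidentCreation` resources, so the anchor points at the wrong rule kind, and `//` comments also make the file unreadable for strict JSON tooling (jq, schema validators) even though the ARM engine tolerates them; drop them or carry the reference in a parameter `metadata` field where plain JSON can hold it. `outputs.ruleId` reads `parameters('ruleGUID')` while the parameter is declared as `ruleGuid`; ARM resolves parameter names case-insensitively as far as I know, but the spelling should follow the declaration: `"value": "[parameters('ruleGuid')]"`. `enableFusionAlert`, `enableMicrosoftAlerts` and `enableMLAlerts` are also the only parameters without the `metadata.description` the rest of the template provides.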


@ -0,0 +1,232 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"dataConnectorsKind": {
"type": "array",
"defaultValue": [],
"metadata": {
"description": "The kind of data connectors to enable"
}
},
"workspaceName": {
"type": "string",
"metadata": {
"description": "Name for the Log Analytics workspace used to aggregate data"
}
},
"securityCollectionTier": {
"type": "string",
"defaultValue": "Recommended",
"metadata": {
"description": "SecurityEvent logging level"
}
},
"tenantId": {
"type": "string",
"metadata": {
"description": "Azure AD tenant ID"
}
},
"subscriptionId": {
"type": "string",
"defaultValue": "[subscription().subscriptionId]",
"metadata": {
"description": "Sbscription Id to monitor"
}
},
"mcasDiscoveryLogs": {
"type": "bool"
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"o365Name": "[concat('o365', uniqueString(resourceGroup().id))]",
"mdatpName": "[concat('mdatp', uniqueString(resourceGroup().id))]",
"aatpName": "[concat('aatp', uniqueString(resourceGroup().id))]",
"ascName": "[concat('asc', uniqueString(resourceGroup().id))]",
"mcasName": "[concat('mcas', uniqueString(resourceGroup().id))]",
"aadipName": "[concat('aadip', uniqueString(resourceGroup().id))]"
},
"resources": [
{
"condition": "[contains(parameters('dataConnectorsKind'), 'Office365')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"apiVersion": "2020-01-01",
"location": "[parameters('location')]",
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('o365Name'))]",
"kind": "Office365",
"properties": {
"tenantId": "[parameters('tenantId')]",
"dataTypes": {
"exchange": {
"state": "enabled"
},
"sharePoint": {
"state": "enabled"
},
"teams": {
"state": "enabled"
}
}
}
},
{
"condition": "[contains(parameters('dataConnectorsKind'), 'MicrosoftDefenderAdvancedThreatProtection')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"apiVersion": "2020-01-01",
"location": "[parameters('location')]",
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('mdatpName'))]",
"kind": "MicrosoftDefenderAdvancedThreatProtection",
"properties": {
"tenantId": "[parameters('tenantId')]",
"dataTypes": {
"alerts": {
"state": "enabled"
}
}
}
},
{
"condition": "[contains(parameters('dataConnectorsKind'), 'MicrosoftCloudAppSecurity')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"apiVersion": "2020-01-01",
"location": "[parameters('location')]",
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('mcasName'))]",
"kind": "MicrosoftCloudAppSecurity",
"properties": {
"tenantId": "[parameters('tenantId')]",
"dataTypes": {
"alerts": {
"state": "enabled"
},
"discoveryLogs": {
"state": "[if(parameters('mcasDiscoveryLogs'),'enabled','disabled')]"
}
}
}
},
{
"condition": "[contains(parameters('dataConnectorsKind'), 'AzureSecurityCenter')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"apiVersion": "2020-01-01",
"location": "[parameters('location')]",
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('ascName'))]",
"kind": "AzureSecurityCenter",
"properties": {
"subscriptionId": "[parameters('subscriptionId')]",
"dataTypes": {
"alerts": {
"state": "enabled"
}
}
}
},
{
"condition": "[contains(parameters('dataConnectorsKind'), 'AzureAdvancedThreatProtection')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"apiVersion": "2020-01-01",
"location": "[parameters('location')]",
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('aatpName'))]",
"kind": "AzureAdvancedThreatProtection",
"properties": {
"tenantId": "[parameters('tenantId')]",
"dataTypes": {
"alerts": {
"state": "enabled"
}
}
}
},
{
"condition": "[contains(parameters('dataConnectorsKind'), 'AzureActiveDirectory')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"apiVersion": "2020-01-01",
"location": "[parameters('location')]",
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('aadipName'))]",
"kind": "AzureActiveDirectory",
"properties": {
"tenantId": "[parameters('tenantId')]",
"dataTypes": {
"alerts": {
"state": "enabled"
}
}
}
},
{
"condition": "[contains(parameters('dataConnectorsKind'), 'AzureActivity')]",
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
"apiVersion": "2020-03-01-preview",
"location": "[parameters('location')]",
"name": "[concat(parameters('workspaceName'), '/', replace(parameters('subscriptionId'),'-', ''))]",
"kind": "AzureActivityLog",
"properties": {
"linkedResourceId": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/microsoft.insights/eventtypes/management')]"
}
},
{
"condition": "[contains(parameters('dataConnectorsKind'), 'SecurityEvents')]",
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
"apiVersion": "2020-03-01-preview",
"location": "[parameters('location')]",
"name": "[concat(parameters('workspaceName'), '/SecurityInsightsSecurityEventCollectionConfiguration')]",
"kind": "SecurityInsightsSecurityEventCollectionConfiguration",
"properties": {
"tier": "[parameters('securityCollectionTier')]",
"tierSetMethod": "Custom"
}
},
{
"condition": "[contains(parameters('dataConnectorsKind'), 'WindowsFirewall')]",
"type": "Microsoft.OperationsManagement/solutions",
"apiVersion": "2015-11-01-preview",
"name": "[concat('WindowsFirewall','(', parameters('workspaceName'),')')]",
"location": "[parameters('location')]",
"plan": {
"name": "[concat('WindowsFirewall','(', parameters('workspaceName'),')')]",
"promotionCode": "",
"product": "OMSGallery/WindowsFirewall",
"publisher": "Microsoft"
},
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces',parameters('workspaceName'))]",
"containedResources": []
}
},
{
"condition": "[contains(parameters('dataConnectorsKind'), 'DNS')]",
"type": "Microsoft.OperationsManagement/solutions",
"apiVersion": "2015-11-01-preview",
"name": "[concat('DnsAnalytics','(', parameters('workspaceName'),')')]",
"location": "[parameters('location')]",
"plan": {
"name": "[concat('DnsAnalytics','(', parameters('workspaceName'),')')]",
"promotionCode": "",
"product": "OMSGallery/DnsAnalytics",
"publisher": "Microsoft"
},
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces',parameters('workspaceName'))]",
"containedResources": []
}
},
{
"condition": "[contains(parameters('dataConnectorsKind'), 'Syslog')]",
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
"apiVersion": "2020-03-01-preview",
"location": "[parameters('location')]",
"name": "[concat(parameters('workspaceName'), '/syslogCollection')]",
"kind": "LinuxSyslogCollection",
"properties": {
"state": "Enabled"
}
}
]
}
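Review bot: `securityCollectionTier` is declared as a free `string` here, while the parent template constrains the same value with `allowedValues` `All`/`Recommended`/`Minimal`/`None`; since this linked template is fetched from a public URI and can be deployed on its own, an invalid tier passes validation and only fails at the `SecurityInsightsSecurityEventCollectionConfiguration` data source, so add `"allowedValues": ["All", "Recommended", "Minimal", "None"],` next to its `defaultValue`. `mcasDiscoveryLogs` is the one parameter without a `metadata.description`, and the `subscriptionId` description has a typo (`Sbscription Id to monitor` → `Subscription Id to monitor`).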


@ -0,0 +1,90 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string",
"metadata": {
"description": "Name for the Log Analytics workspace"
}
},
"dataConnectorsList": {
"type": "string",
"metadata": {
"description": "Comma separated enabled connectors: AzureActivityLog,SecurityEvents,WindowsFirewall,DnsAnalytics. Reference: https://docs.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/2020-03-01-preview/workspaces/datasources#microsoftoperationalinsightsworkspacesdatasources-object"
}
},
"roleGuid": {
"type": "string",
"defaultValue": "[newGuid()]"
}
},
"functions": [],
"variables": {
"identityName": "[concat('userIdentity',uniqueString(resourceGroup().id))]"
},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[variables('identityName')]",
"apiVersion": "2018-11-30",
"location": "[resourceGroup().location]"
},
{
"dependsOn": ["[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('identityName'))]"],
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2020-10-01",
"name": "sleep",
"location": "[resourceGroup().location]",
"kind": "AzurePowerShell",
"properties": {
"forceUpdateTag": "1",
"azPowerShellVersion": "3.0",
"arguments": "",
"scriptContent": "Start-Sleep -Seconds 120",
"supportingScriptUris": [],
"timeout": "PT30M",
"cleanupPreference": "Always",
"retentionInterval": "P1D"
}
},
{
"apiVersion": "2017-09-01",
"type": "Microsoft.Authorization/roleAssignments",
"name": "[parameters('roleGuid')]",
"properties": {
"roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName')), '2018-11-30', 'Full').properties.principalId]",
"scope": "[resourceGroup().id]"
},
"dependsOn": [
"[concat('Microsoft.Resources/deploymentScripts/', 'sleep')]"
]
},
{
"dependsOn": ["[concat('Microsoft.Authorization/roleAssignments/', parameters('roleGuid'))]"],
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2020-10-01",
"name": "runPowerShellInline",
"location": "[resourceGroup().location]",
"kind": "AzurePowerShell",
"identity": {
"type": "userAssigned",
"userAssignedIdentities": {
"[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('identityName'))]": {}
}
},
"properties": {
"forceUpdateTag": "1",
"azPowerShellVersion": "3.0",
"arguments": "[concat('-Workspace ', parameters('workspaceName'), ' -ResourceGroup ', resourceGroup().name, ' -Connectors ', parameters('dataConnectorsList'))]",
"primaryScriptUri": "https://raw.githubusercontent.com/javiersoriano/sentinel-all-in-one/master/ARMTemplates/Scripts/EnableRules.ps1",
"supportingScriptUris": [],
"timeout": "PT30M",
"cleanupPreference": "OnSuccess",
"retentionInterval": "P1D"
}
}
],
"outputs": {}
}
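Review bot: The role assignment grants the user-assigned identity `b24988ac-6180-42a0-ab88-20f7382dd24c` (the built-in Contributor role) on the whole resource group, yet the script it runs only creates Sentinel analytics rules in one workspace; the Azure Sentinel Contributor built-in role is the least-privilege choice, and the `roleDefinitionId` is the only line that needs to change. The same identity then executes `primaryScriptUri` from the unpinned `master` branch of a personal GitHub repository, so whoever can push to that branch controls code that runs with those permissions on every deployment; build the URI from `_artifactsLocation`/`_artifactsLocationSasToken` like the parent template's `templateLink` does, or pin it to a commit SHA. The `dataConnectorsList` description still lists `AzureActivityLog,SecurityEvents,WindowsFirewall,DnsAnalytics`, which are data-source kinds rather than the connector names (`AzureActivity`, `Office365`, …) the parent actually passes in.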


@ -0,0 +1,27 @@
# ARM template version
The ARM template in this folder allows you to delploy your Azure Sentinel environments in a few clicks. The template is very easy to use as it comes with a wizard interface that guides you through the setup steps.
The template performs the following tasks:
- Creates resource group (if given resource group doesn't exist yet)
- Creates Log Analytics workspace (if given workspace doesn't exist yet)
- Installs Azure Sentinel on top of the workspace (if not installed yet)
- Enables the following Data Connectors:
+ Azure Activity
+ Azure Security Center
+ Azure Active Directory Identity Protection
+ Office 365 (Sharepoint, Exchange and Teams)
+ Microsoft Cloud App Security
+ Azure Advanced Threat Protection
+ Microsoft Defender Advanced Threat Protection
+ Security Events
+ Linux Syslog
+ DNS (Preview)
+ Windows Firewall
- Enables analytics rules for selected Microsoft 1st party products
- Enables Fusion rule and ML Behavior Analytics rules for RDP or SSH (if selected)
- Enables Scheduled analytics rules that apply to all the enabled connectors
[![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FSentinel-All-In-One%2FARMTemplates%2Fazuredeploy.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSentinel-All-In-One%2FARMTemplates%2FcreateUiDefinition.json)


@ -0,0 +1,77 @@
param(
[Parameter(Mandatory=$true)][string]$ResourceGroup,
[Parameter(Mandatory=$true)][string]$Workspace,
[Parameter(Mandatory=$true)][string[]]$Connectors
)
$context = Get-AzContext
if(!$context){
Connect-AzAccount
$context = Get-AzContext
}
$SubscriptionId = $context.Subscription.Id
Write-Host "Connected to Azure with subscription: " + $context.Subscription
$baseUri = "/subscriptions/${SubscriptionId}/resourceGroups/${ResourceGroup}/providers/Microsoft.OperationalInsights/workspaces/${Workspace}"
$templatesUri = "$baseUri/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2019-01-01-preview"
$alertUri = "$baseUri/providers/Microsoft.SecurityInsights/alertRules/"
try {
$alertRulesTemplates = ((Invoke-AzRestMethod -Path $templatesUri -Method GET).Content | ConvertFrom-Json).value
}
catch {
Write-Verbose $_
Write-Error "Unable to get alert rules with error code: $($_.Exception.Message)" -ErrorAction Stop
}
$return = @()
if ($Connectors){
foreach ($item in $alertRulesTemplates) {
if ($item.kind -eq "Scheduled"){
foreach ($connector in $item.properties.requiredDataConnectors) {
if ($connector.connectorId -in $Connectors){
#$return += $item.properties
$guid = New-Guid
$alertUriGuid = $alertUri + $guid + '?api-version=2020-01-01'
$properties = @{
displayName = $item.properties.displayName
enabled = $true
suppressionDuration = "PT5H"
suppressionEnabled = $false
alertRuleTemplateName = $item.name
description = $item.properties.description
query = $item.properties.query
queryFrequency = $item.properties.queryFrequency
queryPeriod = $item.properties.queryPeriod
severity = $item.properties.severity
tactics = $item.properties.tactics
triggerOperator = $item.properties.triggerOperator
triggerThreshold = $item.properties.triggerThreshold
}
$alertBody = @{}
$alertBody | Add-Member -NotePropertyName kind -NotePropertyValue $item.kind -Force
$alertBody | Add-Member -NotePropertyName properties -NotePropertyValue $properties
try{
Invoke-AzRestMethod -Path $alertUriGuid -Method PUT -Payload ($alertBody | ConvertTo-Json -Depth 3)
}
catch {
Write-Verbose $_
Write-Error "Unable to create alert rule with error code: $($_.Exception.Message)" -ErrorAction Stop
}
break
}
}
}
}
}
return $return
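Review bot: Neither `try`/`catch` around `Invoke-AzRestMethod` will see a failed REST call, because as far as I know that cmdlet returns the HTTP response object for 4xx/5xx responses instead of throwing; the GET then yields `$null` templates and the PUT silently skips rules. Capture the response and test its status: `$response = Invoke-AzRestMethod -Path $alertUriGuid -Method PUT -Payload ($alertBody | ConvertTo-Json -Depth 3)` followed by `if ($response.StatusCode -ge 400) { Write-Error "Unable to create alert rule $($item.name): $($response.StatusCode) $($response.Content)" -ErrorAction Stop }`, and the same check on the template GET. `Write-Host "Connected to Azure with subscription: " + $context.Subscription` prints a literal `+` because Write-Host receives three arguments; use `Write-Host "Connected to Azure with subscription: $($context.Subscription.Name)"`. `$return` is never populated (the only append is commented out), so `return $return` always yields an empty array — either collect the created rule names there or drop it.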


@ -0,0 +1,278 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string",
"metadata": {
"description": "Name for the Log Analytics workspace"
}
},
"pricingTier": {
"type": "string",
"metadata": {
"description": "Pricing tier: pergb2018 or legacy tiers (Free, Standalone, PerNode, Standard or Premium) which are not available to all customers."
},
"allowedValues": [
"PerGB2018",
"Free",
"Standalone",
"PerNode",
"Standard",
"Premium"
],
"defaultValue": "PerGB2018"
},
"dailyQuota": {
"type": "int",
"metadata": {
"description": "Daily ingestion limit in GBs. This limit doesn't apply to the following tables: SecurityAlert, SecurityBaseline, SecurityBaselineSummary, SecurityDetection, SecurityEvent, WindowsFirewall, MaliciousIPCommunication, LinuxAuditLog, SysmonEvent, ProtectionStatus, WindowsEvent"
}
},
"dataRetention": {
"type": "int",
"minValue": 7,
"maxValue": 730,
"metadata": {
"description": "Number of days of retention. Workspaces in the legacy Free pricing tier can only have 7 days."
},
"defaultValue": 30
},
"immediatePurgeDataOn30Days": {
"type": "bool",
"metadata": {
"description": "If set to true when changing retention to 30 days, older data will be immediately deleted. Use this with extreme caution. This only applies when retention is being set to 30 days."
},
"defaultValue": true
},
"securityCollectionTier": {
"type": "string",
"defaultValue": "Recommended",
"allowedValues": [
"All",
"Recommended",
"Minimal",
"None"
],
"metadata": {
"description": "Tier for gathering Windows Security Events."
}
},
"enableDataConnectorsKind": {
"type": "array",
"metadata": {
"description": "The kind of data connectors that can be deployed via ARM templates are the following: [\"AzureActivityLog\",\"SecurityInsightsSecurityEventCollectionConfiguration\",\"WindowsFirewall\",\"DnsAnalytics\"], Reference: https://docs.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/2020-03-01-preview/workspaces/datasources#microsoftoperationalinsightsworkspacesdatasources-object"
},
"defaultValue": []
},
"enableFusionAlert": {
"type": "bool",
"metadata": {
"description": "Enable Fusion analytics rules"
}
},
"enableMicrosoftAlerts": {
"type": "bool",
"metadata": {
"description": "Enable Microsoft analytics rules"
}
},
"enableMLAlerts": {
"type": "bool",
"metadata": {
"description": "Enable ML Behavior Analytics rules"
}
},
"enableScheduledAlerts": {
"type": "bool",
"metadata": {
"description": "Enable Scheduled analytics rules"
}
},
"mcasDiscoveryLogs": {
"type": "bool",
"metadata": {
"description": "Enable MCAS Discovery Logs"
}
},
"_artifactsLocation": {
"type": "string",
"metadata": {
"description": "The location of resources"
},
"defaultValue": "https://raw.githubusercontent.com/javiersoriano/sentinel-all-in-one/master/"
},
"_artifactsLocationSasToken": {
"type": "securestring",
"metadata": {
"description": "Auto-generated token to access _artifactsLocation. Leave it blank unless you need to provide your own value."
},
"defaultValue": ""
},
"location": {
"type": "string",
"metadata": {
"description": "Location for all resources."
},
"defaultValue": "[resourceGroup().location]"
}
},
"variables": {
"quoatSetting": {
"dailyQuotaGb": "[parameters('dailyQuota')]"
}
},
"resources": [
{
"name": "[parameters('workspaceName')]",
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2015-11-01-preview",
"location": "[parameters('location')]",
"properties": {
"retentionInDays": "[parameters('dataRetention')]",
"workspaceCapping": "[if(equals(parameters('dailyQuota'),0), json('null'), variables('quoatSetting'))]",
"features": {
"immediatePurgeDataOn30Days": "[parameters('immediatePurgeDataOn30Days')]"
},
"sku": {
"name": "[parameters('pricingTier')]"
}
}
},
{
"name": "[concat('SecurityInsights','(', parameters('workspaceName'),')')]",
"type": "Microsoft.OperationsManagement/solutions",
"apiVersion": "2015-11-01-preview",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
},
"plan": {
"name": "[concat('SecurityInsights','(', parameters('workspaceName'),')')]",
"product": "OMSGallery/SecurityInsights",
"publisher": "Microsoft",
"promotionCode": ""
}
},
{
"condition": "[not(empty(parameters('enableDataConnectorsKind')))]",
"name": "enableDataConnectorsKind",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-05-01",
"dependsOn": [
"[resourceId('Microsoft.OperationsManagement/solutions/', concat('SecurityInsights','(', parameters('workspaceName'),')'))]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[uri(parameters('_artifactsLocation'), concat('ARMTemplates/LinkedTemplates/dataConnectors.json', parameters('_artifactsLocationSasToken')))]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"dataConnectorsKind": {
"value": "[parameters('enableDataConnectorsKind')]"
},
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"tenantId": {
"value": "[subscription().tenantId]"
},
"subscriptionId": {
"value": "[subscription().subscriptionId]"
},
"securityCollectionTier": {
"value": "[parameters('securityCollectionTier')]"
},
"mcasDiscoveryLogs": {
"value": "[parameters('mcasDiscoveryLogs')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"condition": "[or(parameters('enableFusionAlert'),parameters('enableMicrosoftAlerts'),parameters('enableMLAlerts'))]",
"name": "enableAlerts",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-05-01",
"dependsOn": [
"[resourceId('Microsoft.OperationsManagement/solutions/', concat('SecurityInsights','(', parameters('workspaceName'),')'))]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[uri(parameters('_artifactsLocation'), concat('ARMTemplates/LinkedTemplates/alertRules.json', parameters('_artifactsLocationSasToken')))]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"dataConnectorsKind": {
"value": "[parameters('enableDataConnectorsKind')]"
},
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
},
"enableFusionAlert":{
"value": "[parameters('enableFusionAlert')]"
},
"enableMicrosoftAlerts":{
"value": "[parameters('enableMicrosoftAlerts')]"
},
"enableMLAlerts":{
"value": "[parameters('enableMLAlerts')]"
}
}
}
},
{
"condition": "[parameters('enableScheduledAlerts')]",
"name": "enableScheduledAlerts",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-05-01",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments/', 'enableAlerts')]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[uri(parameters('_artifactsLocation'), concat('ARMTemplates/LinkedTemplates/scheduledAlerts.json', parameters('_artifactsLocationSasToken')))]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"dataConnectorsList":{
"value": "[replace(replace(string(parameters('enableDataConnectorsKind')),'\"',''),'[','')]"
}
}
}
}
],
"outputs": {
"workspaceName": {
"type": "string",
"value": "[parameters('workspaceName')]"
},
"workspaceIdOutput": {
"type": "string",
"value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName')), '2015-11-01-preview').customerId]"
},
"workspaceKeyOutput": {
"type": "string",
"value": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName')), '2015-11-01-preview').primarySharedKey]"
},
"dataConnectorsList": {
"type": "string",
"value": "[replace(replace(string(parameters('enableDataConnectorsKind')),'\"',''),'[','')]"
}
}
}
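Review bot: `outputs.workspaceKeyOutput` returns `listKeys(...).primarySharedKey` as a plain `string`, which writes the workspace's shared ingestion key into the deployment outputs and history, readable by anyone with `Microsoft.Resources/deployments/read` on the resource group; outputs cannot be `securestring`, so remove this output and let consumers that need the key call `listKeys` under their own permissions. The `dataConnectorsList` expression `replace(replace(string(parameters('enableDataConnectorsKind')),'\"',''),'[','')` strips the quotes and the opening bracket but not the closing one, so the last element appears to reach `EnableRules.ps1` as e.g. `SecurityEvents]` and never match `connectorId -in $Connectors`; the same expression is repeated in `outputs.dataConnectorsList`. Add a third replace in both places: `"value": "[replace(replace(replace(string(parameters('enableDataConnectorsKind')),'\"',''),'[',''),']','')]"`. The `_artifactsLocation` default also points at the unpinned `master` branch of a personal repository while the README's deploy button references `Azure/Azure-Sentinel`; linked templates fetched at deploy time should come from one pinned, project-owned location.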


@ -0,0 +1,236 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": true,
"basics": {
"description": "**Azure Sentinel All-In-One** deployment, see more information about this project [here](https://github.com/javiersoriano/sentinel-all-in-one/tree/armtemplate)."
}
},
"basics": [
{
"name": "workspaceName",
"type": "Microsoft.Common.TextBox",
"label": "Workspace Name",
"placeholder": "",
"defaultValue": "",
"toolTip": "The workspace name should include 4-63 letters, digits or '-'. The '-' shouldn't be the first or the last symbol.",
"constraints": {
"required": true,
"regex": "^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$",
"validationMessage": "Only alphanumeric characters are allowed, and the value must be 1-30 characters long."
},
"visible": true
},
{
"name": "dailyQuota",
"type": "Microsoft.Common.TextBox",
"label": "Daily ingestion limit in GBs. Enter 0 for no limit.",
"placeholder": "",
"defaultValue": "0",
"toolTip": "This limit doesn't apply to the following tables: SecurityAlert, SecurityBaseline, SecurityBaselineSummary, SecurityDetection, SecurityEvent, WindowsFirewall, MaliciousIPCommunication, LinuxAuditLog, SysmonEvent, ProtectionStatus, WindowsEvent",
"constraints": {
"required": true,
"regex": "^[0-9]{1,4}$",
"validationMessage": "Only numbers allowed, and the value must be 1-4 characters long."
},
"visible": true
},
{
"name": "dataRetention",
"type": "Microsoft.Common.TextBox",
"label": "Number of days of retention",
"placeholder": "",
"defaultValue": "90",
"toolTip": "Only numbers allowed",
"constraints": {
"required": true,
"regex": "([3-8][0-9]|9[0-9]|[1-6][0-9]{2}|7[0-2][0-9]|730)",
"validationMessage": "Retention must be between 30 and 730 days."
},
"visible": true
}
],
"steps": [
{
"name": "dataConnectors",
"label": "Data connectors",
"elements": [
{
"name": "textBlock1",
"type": "Microsoft.Common.TextBlock",
"visible": true,
"options": {
"text": "Please select which connectors you want to onboard into your Azure Sentinel environment",
"link": {
"label": "Learn more",
"uri": "https://www.microsoft.com"
}
}
},
{
"name": "enableDataConnectorsKind",
"type": "Microsoft.Common.DropDown",
"label": "Select data connectors to onboard",
"placeholder": "",
"multiselect": true,
"defaultValue": "o365",
"toolTip": "Select the data connectors that you would like to enable",
"constraints": {
"allowedValues": [
{
"label": "Office365",
"value": "Office365"
},
{
"label": "Azure ATP",
"value": "AzureAdvancedThreatProtection"
},
{
"label": "Azure AD Identity Protection",
"value": "AzureActiveDirectory"
},
{
"label": "Microsoft Defender ATP",
"value": "MicrosoftDefenderAdvancedThreatProtection"
},
{
"label": "Azure Security Center",
"value": "AzureSecurityCenter"
},
{
"label": "Microsoft Cloud App Security",
"value": "MicrosoftCloudAppSecurity"
},
{
"label": "Azure Activity",
"value": "AzureActivity"
},
{
"label": "Security Events",
"value": "SecurityEvents"
},
{
"label": "Windows Firewall",
"value": "WindowsFirewall"
},
{
"label": "DNS Analytics",
"value": "DNS"
},
{
"label": "Linux Syslog",
"value": "Syslog"
}
],
"required": true
},
"visible": true
},
{
"name": "mcasDiscoveryLogs",
"type": "Microsoft.Common.CheckBox",
"label": "Enable MCAS Discovery Logs?",
"toolTip": "Select to bring MCAS discovery logs into Sentinel. These logs are billed.",
"constraints": {
"required": false,
"validationMessage": "Please select"
},
"visible": "[if(contains(steps('dataConnectors').enableDataConnectorsKind,'MicrosoftCloudAppSecurity'), true, false)]"
},
{
"name": "securityCollectionTier",
"type": "Microsoft.Common.OptionsGroup",
"label": "Security Events to stream into Sentinel ",
"defaultValue": "Recommended",
"toolTip": "",
"constraints": {
"allowedValues": [
{
"label": "All",
"value": "All"
},
{
"label": "Common",
"value": "Recommended"
},
{
"label": "Minimal",
"value": "Minimal"
}
],
"required": true
},
"visible": "[if(contains(steps('dataConnectors').enableDataConnectorsKind,'SecurityEvents'), true, false)]"
}
]
},
{
"name": "analyticsRules",
"label": "Analytics Rules",
"elements": [
{
"name": "enableFusionAlert",
"type": "Microsoft.Common.CheckBox",
"label": "Enable Fusion alert rule?",
"toolTip": "Select to enable Fusion analyttic rule. Details here: https://docs.microsoft.com/en-us/azure/sentinel/fusion",
"constraints": {
"required": false,
"validationMessage": "Please select"
},
"visible": true
},
{
"name": "enableMicrosoftAlerts",
"type": "Microsoft.Common.CheckBox",
"label": "Enable Microsoft alert rules for selected connectors?",
"toolTip": "Select to enable Microsoft rules for the connectors you selected in the previous step.",
"constraints": {
"required": false,
"validationMessage": "Enables rules coming from selected Microsoft security products"
},
"visible": "[if(or(contains(steps('dataConnectors').enableDataConnectorsKind,'AzureAdvancedThreatProtection'),contains(steps('dataConnectors').enableDataConnectorsKind,'AzureActiveDirectoryIdentityProtection'),contains(steps('dataConnectors').enableDataConnectorsKind,'MicrosoftDefenderAdvancedThreatProtection'),contains(steps('dataConnectors').enableDataConnectorsKind,'AzureSecurityCenter'),contains(steps('dataConnectors').enableDataConnectorsKind,'MicrosoftCloudAppSecurity')), true, false)]"
},
{
"name": "enableMLAlerts",
"type": "Microsoft.Common.CheckBox",
"label": "Enable ML Behavior Analytics alert rules?",
"toolTip": "Select to enable ML Behavior Analytics rules for selected connectors (SecurityEvents and/or Syslog)",
"constraints": {
"required": false,
"validationMessage": "Enables SSH and/or RDP anomalous login alerts"
},
"visible": "[if(or(contains(steps('dataConnectors').enableDataConnectorsKind,'Syslog'),contains(steps('dataConnectors').enableDataConnectorsKind,'SecurityEvents')), true, false)]"
},
{
"name": "enableScheduledAlerts",
"type": "Microsoft.Common.CheckBox",
"label": "Enable Scheduled alert rules for selected connectors?",
"toolTip": "Select to enable scheduled analytics rules for selected connectors",
"constraints": {
"required": false,
"validationMessage": "Enables Scheduled rules matching any of the selected connectors"
},
"visible": true
}
]
}
],
"outputs": {
"workspaceName": "[basics('workspaceName')]",
"dailyQuota": "[basics('dailyQuota')]",
"dataRetention": "[basics('dataRetention')]",
"enableDataConnectorsKind": "[steps('dataConnectors').enableDataConnectorsKind]",
"securityCollectionTier": "[steps('dataConnectors').securityCollectionTier]",
"mcasDiscoveryLogs": "[steps('dataConnectors').mcasDiscoveryLogs]",
"location": "[location()]",
"tagsByResource": "[steps('tags').tagsByResource]",
"enableFusionAlert": "[steps('analyticsRules').enableFusionAlert]",
"enableMicrosoftAlerts": "[steps('analyticsRules').enableMicrosoftAlerts]",
"enableMLAlerts": "[steps('analyticsRules').enableMLAlerts]",
"enableScheduledAlerts": "[steps('analyticsRules').enableScheduledAlerts]"
}
}
}
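Review bot: The visibility expression on the `enableMicrosoftAlerts` checkbox tests for the value `'AzureActiveDirectoryIdentityProtection'`, but the dropdown's allowed value for that connector is `'AzureActiveDirectory'`, so selecting Azure AD Identity Protection on its own never reveals the Microsoft-alerts option; change that term to `contains(steps('dataConnectors').enableDataConnectorsKind,'AzureActiveDirectory')`. The `dataRetention` regex has no anchors, so any input containing a valid substring (for example `1000`) passes validation; use `"regex": "^([3-8][0-9]|9[0-9]|[1-6][0-9]{2}|7[0-2][0-9]|730)$"`. The `workspaceName` field is inconsistent with itself: the tooltip promises 4-63 characters, the validation message says 1-30, and the regex enforces a minimum of 3 with no maximum. The dropdown `defaultValue` `"o365"` matches none of its allowed values (`"Office365"` is the closest), and the `tagsByResource` output references a `tags` step that does not appear in `steps`, which the portal is likely to reject when the definition is loaded.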


@ -0,0 +1,104 @@
param(
[Parameter(Mandatory=$true)]$ResourceGroup,
[Parameter(Mandatory=$true)]$Workspace,
[Parameter(Mandatory=$true)]$ConnectorsFile,
[Parameter(Mandatory=$true)]$Location
)
function CheckModules($module) {
$service = Get-Module -ListAvailable -Name $module
if (-Not $service) {
Install-Module -Name $module -Scope CurrentUser -Force
}
}
function DeleteDataConnector ($dataConnector, $dataConUri) {
#Enable or Update AzureActivityLog Connector with http put method
try {
$deleteResponse = Invoke-AzRestMethod -Path $dataConUri -Method DELETE
if ($deleteResponse.StatusCode -eq 200) {
Write-Host "Successfully deleted Data connector: $($dataConnector)" -ForegroundColor Green
}
else {
Write-Host "Unable to delete Data connector $($dataConnector) with error: $($deleteResponse.message)"
}
}
catch {
$errorReturn = $_
Write-Verbose $_.Exception.Message
Write-Error "Unable to invoke webrequest with error message: $errorReturn" -ErrorAction Stop
}
}
CheckModules("Az.Resources")
CheckModules("Az.OperationalInsights")
CheckModules("AzSentinel")
Write-Host "`r`nYou will now be asked to log in to your Azure environment. `nFor this script to work correctly, you need to provide credentials of a Global Admin or Security Admin for your organization. `nThis will allow the script to enable all required connectors.`r`n" -BackgroundColor Magenta
Read-Host -Prompt "Press enter to continue or CTRL+C to quit the script"
Connect-AzAccount
$context = Get-AzContext
$SubscriptionId = $context.Subscription.Id
#Check Resource Group Existing or not
Get-AzResourceGroup -Name $ResourceGroup -ErrorVariable notPresent -ErrorAction SilentlyContinue
if ($notPresent){
Write-Host "ResourceGroup $($ResourceGroup) associated to Log Analytics Workspace - not found"
Write-Host "Exiting.................." -ForegroundColor Red
break
}
#Check Log Analytics workspace Existing or not
try {
$WorkspaceObject = Get-AzOperationalInsightsWorkspace -Name $Workspace -ResourceGroupName $ResourceGroup -ErrorAction Stop
$ExistingLocation = $WorkspaceObject.Location
Write-Output "Workspace $Workspace in region $ExistingLocation exists."
} catch {
Write-Output "Provided Log Analytics Workspace $Workspace not found"
Write-Host "Exiting.................." -ForegroundColor Red
break
}
#Urls to be used for Sentinel API calls
$baseUri = "/subscriptions/${SubscriptionId}/resourceGroups/${ResourceGroup}/providers/Microsoft.OperationalInsights/workspaces/${Workspace}"
#Getting all data connectors connector to workspace
try{
$connectorsUri = "$baseUri/providers/Microsoft.SecurityInsights/dataConnectors/?api-version=2020-01-01"
$connectedDataConnectors = (Invoke-AzRestMethod -Path $connectorsUri -Method GET).Content | ConvertFrom-Json
if ($connectedDataConnectors.value.Length -eq 0)
{
Write-Host "There were no Data connectors enabled on your Workspace $($Workspace)"
Write-Host "Exiting.................." -ForegroundColor Red
break
}
}
catch {
$errorReturn = $_
Write-Error "Unable to invoke webrequest with error message: $errorReturn" -ErrorAction Stop
}
#Getting all rules from file
$connectorsToDelete = Get-Content -Raw -Path $ConnectorsFile | ConvertFrom-Json
foreach ($toBeDeletedConnector in $connectorsToDelete.connectors) {
foreach ($dataConnector in $connectedDataConnectors.value){
# Check if ASC is already enabled (assuming there will be only one ASC per workspace)
if ($dataConnector.kind -eq $toBeDeletedConnector.kind) {
Write-Host "`r`nProcessing connector: " -NoNewline
Write-Host "$($dataConnector.kind)" -ForegroundColor Blue
Write-Host "Data connector $($dataConnector.kind) - enabled"
Write-Verbose $dataConnector
$guid = $dataConnector.name
$dataConnectorUri = "${baseUri}/providers/Microsoft.SecurityInsights/dataConnectors/${guid}?api-version=2020-01-01"
DeleteDataConnector $dataConnector.kind $dataConnectorUri
break
}
}
}
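Review bot: `DeleteDataConnector` treats only HTTP 200 as success and on any other status prints `$($deleteResponse.message)`, which does not appear to be a property of the `Invoke-AzRestMethod` response, so a real failure would be reported with an empty reason, and a 204 from the DELETE (which ARM APIs may return) would be logged as a failure. Use `if ($deleteResponse.StatusCode -in 200, 204)` and report `$($deleteResponse.Content)` instead. The mandatory `$Location` parameter is never read, and the top-level `break` statements outside any loop end the script in a way that also aborts a caller's loop when the file is dot-sourced or invoked from another script; `exit 1` states the intent. The banner asks for Global Admin or Security Admin credentials, but everything this script does is an ARM call against the workspace, for which a Sentinel Contributor assignment on the resource group is sufficient, so the prompt encourages running it with more privilege than it needs.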


@ -0,0 +1,379 @@
param(
[Parameter(Mandatory=$true)]$ResourceGroup,
[Parameter(Mandatory=$true)]$Workspace,
[Parameter(Mandatory=$true)]$Location
)
function CheckModules($module) {
if($module -eq "AzSentinel"){
$moduleVer = @{ModuleName="AzSentinel";ModuleVersion="0.6.13"}
$service = Get-Module $moduleVer
}
else{
$service = Get-Module -ListAvailable -Name $module
}
if (-Not $service) {
if($module -eq "AzSentinel"){
Install-Module -Name $module -MinimumVersion 0.6.13 -Scope CurrentUser -Force
}
else {
Install-Module -Name $module -Scope CurrentUser -Force
}
}
}
CheckModules("Az.Resources")
CheckModules("Az.OperationalInsights")
CheckModules("AzSentinel")
Write-Host "`r`nIf not logged in to Azure already, you will now be asked to log in to your Azure environment. `nFor this script to work correctly, you need to provide credentials of a Global Admin or Security Admin for your organization. `nThis will allow the script to enable all required connectors.`r`n" -BackgroundColor Magenta
Read-Host -Prompt "Press enter to continue or CTRL+C to quit the script"
$context = Get-AzContext
if(!$context){
Connect-AzAccount
$context = Get-AzContext
}
$SubscriptionId = $context.Subscription.Id
$ConnectorsFile = ".\connectors.json"
#Create Resource Group
Get-AzResourceGroup -Name $ResourceGroup -ErrorVariable notPresent -ErrorAction SilentlyContinue
if ($notPresent){
Write-Host "Creating resource group $ResourceGroup in region $Location..."
New-AzResourceGroup -Name $ResourceGroup -Location $Location
}
else{
Write-Host "Resource Group $ResourceGroup already exists. Skipping..."
}
#Create Log Analytics workspace
try {
$WorkspaceObject = Get-AzOperationalInsightsWorkspace -Name $Workspace -ResourceGroupName $ResourceGroup -ErrorAction Stop
$ExistingLocation = $WorkspaceObject.Location
Write-Output "Workspace named $Workspace in region $ExistingLocation already exists. Skipping..."
} catch {
Write-Output "Creating new workspace named $Workspace in region $Location..."
# Create the new workspace for the given name, region, and resource group
New-AzOperationalInsightsWorkspace -Location $Location -Name $Workspace -Sku Standard -ResourceGroupName $ResourceGroup
}
$solutions = Get-AzOperationalInsightsIntelligencePack -resourcegroupname $ResourceGroup -WorkspaceName $Workspace -WarningAction:SilentlyContinue
if (($solutions | Where-Object Name -eq 'SecurityInsights').Enabled) {
Write-Host "Azure Sentinel is already installed on workspace $($Workspace)"
}
else {
Set-AzSentinel -WorkspaceName $Workspace -Confirm:$false
}
$msTemplates = Get-AzSentinelAlertRuleTemplates -workspace $Workspace -Kind MicrosoftSecurityIncidentCreation
#Resource URL to authentincate against
$Resource = "https://management.azure.com/"
#Urls to be used for Sentinel API calls
$baseUri = "/subscriptions/${SubscriptionId}/resourceGroups/${ResourceGroup}/providers/Microsoft.OperationalInsights/workspaces/${Workspace}"
$connectedDataConnectorsUri = "$baseUri/providers/Microsoft.SecurityInsights/dataConnectors/?api-version=2020-01-01"
function Get-ConnectedDataconnectors{
try {
$allConnectedDataconnectors = (Invoke-AzRestMethod -Path $connectedDataConnectorsUri -Method GET).Content | ConvertFrom-Json
}
catch {
$errorReturn = $_
Write-Error "Unable to invoke webrequest with error message: $errorReturn" -ErrorAction Stop
}
return $allConnectedDataconnectors
}
function checkDataConnector($dataConnector){
$currentDataconnector = "" | Select-Object -Property guid,etag,isEnabled
if ($allConnectedDataconnectors.value.Length -ne 0){
foreach ($value in $allConnectedDataconnectors.value){
if ($value.kind -eq $dataConnector) {
Write-Host "Successfully queried data connector $($value.kind) - already enabled"
Write-Verbose $value
$currentDataconnector.guid = $value.name
$currentDataconnector.etag = $value.etag
$currentDataconnector.isEnabled = $true
break
}
}
if ($currentDataconnector.isEnabled -ne $true)
{
$currentDataconnector.guid = (New-Guid).Guid
$currentDataconnector.etag = $null
$currentDataconnector.isEnabled = $false
}
}
else{
$currentDataconnector.guid = (New-Guid).Guid
$currentDataconnector.etag = $null
$currentDataconnector.isEnabled = $false
}
return $currentDataconnector
}
function BuildDataconnectorPayload($dataConnector, $guid, $etag, $isEnabled){
if ($dataConnector.kind -ne "AzureSecurityCenter")
{
$connectorProperties = $dataConnector.properties
$connectorProperties | Add-Member -NotePropertyName tenantId -NotePropertyValue ${context}.Tenant.Id
}
else {
$connectorProperties = $dataConnector.properties
$connectorProperties | Add-Member -NotePropertyName subscriptionId -NotePropertyValue ${context}.Subscription.Id
}
if ($isEnabled) {
# Compose body for connector update scenario
Write-Host "Updating data connector $($dataConnector.kind)"
Write-Verbose "Name: $guid"
Write-Verbose "Etag: $etag"
$connectorBody = @{}
$connectorBody | Add-Member -NotePropertyName kind -NotePropertyValue $dataConnector.kind -Force
$connectorBody | Add-Member -NotePropertyName name -NotePropertyValue $guid -Force
$connectorBody | Add-Member -NotePropertyName etag -NotePropertyValue $etag -Force
$connectorBody | Add-Member -NotePropertyName properties -NotePropertyValue $connectorProperties
}
else {
# Compose body for connector enable scenario
Write-Host "$($dataConnector.kind) data connector is not enabled yet"
Write-Host "Enabling data connector $($dataConnector.kind)"
Write-Verbose "Name: $guid"
$connectorBody = @{}
$connectorBody | Add-Member -NotePropertyName kind -NotePropertyValue $dataConnector.kind -Force
$connectorBody | Add-Member -NotePropertyName properties -NotePropertyValue $connectorProperties
}
return $connectorBody
}
function EnableOrUpdateDataconnector($baseUri, $guid, $connectorBody, $isEnabled){
$uri = "${baseUri}/providers/Microsoft.SecurityInsights/dataConnectors/${guid}?api-version=2020-01-01"
try {
$result = Invoke-AzRestMethod -Path $uri -Method PUT -Payload ($connectorBody | ConvertTo-Json -Depth 3)
if ($result.StatusCode -eq 200) {
if ($isEnabled){
Write-Host "Successfully updated data connector: $($connector.kind)" -ForegroundColor Green
}
else {
Write-Host "Successfully enabled data connector: $($connector.kind)" -ForegroundColor Green
}
}
else {
Write-Error "Unable to enable data connector $($connector.kind) with error: $($result.Content)"
}
Write-Host ($body.Properties | Format-List | Format-Table | Out-String)
}
catch {
$errorReturn = $_
Write-Verbose $_
Write-Error "Unable to invoke webrequest with error message: $errorReturn" -ErrorAction Stop
}
}
function EnableMSAnalyticsRule($msProduct){
try {
foreach ($rule in $msTemplates){
if ($rule.productFilter -eq $msProduct) {
New-AzSentinelAlertRule -WorkspaceName $Workspace -Kind MicrosoftSecurityIncidentCreation -DisplayName $rule.displayName -Description $rule.description -Enabled $true -ProductFilter $msProduct -DisplayNamesFilter "" |Out-Null
Write-Host "Done!" -ForegroundColor Green
}
}
}
catch {
$errorReturn = $_
Write-Verbose $_
Write-Error "Unable to create analytics rule with error message: $errorReturn" -ErrorAction Stop
}
}
#Getting all rules from file
$connectors = Get-Content -Raw -Path $ConnectorsFile | ConvertFrom-Json
#Getting all connected Data connectors
$allConnectedDataconnectors = Get-ConnectedDataconnectors
foreach ($connector in $connectors.connectors) {
Write-Host "`r`nProcessing connector: " -NoNewline
Write-Host "$($connector.kind)" -ForegroundColor Blue
#AzureActivityLog connector
if ($connector.kind -eq "AzureActivityLog") {
$SubNoHyphens = $SubscriptionId -replace '-',''
$uri = "$baseUri/datasources/${SubNoHyphens}?api-version=2015-11-01-preview"
$connectorBody = ""
$activityEnabled = $false
#Check if AzureActivityLog is already connected (there is no better way yet) [assuming there is only one AzureActivityLog from same subscription connected]
try {
# AzureActivityLog is already connected, compose body with existing etag for update
$result = Invoke-AzRestMethod -Path $uri -Method GET
if ($result.StatusCode -eq 200){
Write-Host "Successfully queried data connector ${connector.kind} - already enabled"
Write-Verbose $result
Write-Host "Updating data connector $($connector.kind)"
$activityEnabled = $true
}
else {
Write-Host "$($connector.kind) data connector is not enabled yet"
Write-Host "Enabling data connector $($connector.kind)"
$activityEnabled = $false
}
}
catch {
$errorReturn = $_
Write-Error "Unable to invoke webrequest with error message: $errorReturn" -ErrorAction Stop
}
$connectorProperties = @{
linkedResourceId = "/subscriptions/${SubscriptionId}/providers/microsoft.insights/eventtypes/management"
}
$connectorBody = @{}
$connectorBody | Add-Member -NotePropertyName kind -NotePropertyValue $connector.kind -Force
$connectorBody | Add-Member -NotePropertyName properties -NotePropertyValue $connectorProperties
#Enable or Update AzureActivityLog Connector with http puth method
try {
$result = Invoke-AzRestMethod -Path $uri -Method PUT -Payload ($connectorBody | ConvertTo-Json -Depth 3)
if ($result.StatusCode -eq 200) {
if ($activityEnabled){
Write-Host "Successfully updated data connector: $($connector.kind)" -ForegroundColor Green
}
else {
Write-Host "Successfully enabled data connector: $($connector.kind)" -ForegroundColor Green
}
}
else {
Write-Host "Unable to enable data connector $($connector.kind) with error: $($result.Content)"
}
Write-Verbose ($body.Properties | Format-List | Format-Table | Out-String)
}
catch {
$errorReturn = $_
Write-Verbose $_.Exception.Message
Write-Error "Unable to invoke webrequest with error message: $errorReturn" -ErrorAction Stop
}
}
#AzureSecurityCenter connector
elseif ($connector.kind -eq "AzureSecurityCenter") {
$dataConnectorBody = ""
#query for connected Data connectors
$connectorProperties = checkDataConnector($connector.kind)
$dataConnectorBody = BuildDataconnectorPayload $connector $connectorProperties.guid $connectorProperties.etag $connectorProperties.isEnabled
EnableOrUpdateDataconnector $baseUri $connectorProperties.guid $dataConnectorBody $connectorProperties.isEnabled
Write-Host "Adding Analytics Rule for data connector Azure Security Center..." -NoNewline
EnableMSAnalyticsRule "Azure Security Center"
}
#Office365 connector
elseif ($connector.kind -eq "Office365") {
$dataConnectorBody = ""
#query for connected Data connectors
$connectorProperties = checkDataConnector($connector.kind)
$dataConnectorBody = BuildDataconnectorPayload $connector $connectorProperties.guid $connectorProperties.etag $connectorProperties.isEnabled
EnableOrUpdateDataconnector $baseUri $connectorProperties.guid $dataConnectorBody $connectorProperties.isEnabled
}
#MicrosoftCloudAppSecurity connector
elseif ($connector.kind -eq "MicrosoftCloudAppSecurity") {
$dataConnectorBody = ""
#query for connected Data connectors
$connectorProperties = checkDataConnector($connector.kind)
$dataConnectorBody = BuildDataconnectorPayload $connector $connectorProperties.guid $connectorProperties.etag $connectorProperties.isEnabled
EnableOrUpdateDataconnector $baseUri $connectorProperties.guid $dataConnectorBody $connectorProperties.isEnabled
Write-Host "Adding Analytics Rule for data connector Microsoft Cloud App Security..." -NoNewline
EnableMSAnalyticsRule "Microsoft Cloud App Security"
}
#AzureAdvancedThreatProtection connector
elseif ($connector.kind -eq "AzureAdvancedThreatProtection") {
$dataConnectorBody = ""
#query for connected Data connectors
$connectorProperties = checkDataConnector($connector.kind)
$dataConnectorBody = BuildDataconnectorPayload $connector $connectorProperties.guid $connectorProperties.etag $connectorProperties.isEnabled
EnableOrUpdateDataconnector $baseUri $connectorProperties.guid $dataConnectorBody $connectorProperties.isEnabled
Write-Host "Adding Analytics Rule for data connector Azure Advanced Threat Protection..." -NoNewline
EnableMSAnalyticsRule "Azure Advanced Threat Protection"
}
#ThreatIntelligencePlatforms connector
elseif ($connector.kind -eq "ThreatIntelligence") {
$dataConnectorBody = ""
#query for connected Data connectors
$connectorProperties = checkDataConnector($connector.kind)
$dataConnectorBody = BuildDataconnectorPayload $connector $connectorProperties.guid $connectorProperties.etag $connectorProperties.isEnabled
EnableOrUpdateDataconnector $baseUri $connectorProperties.guid $dataConnectorBody $connectorProperties.isEnabled
}
#MicrosoftDefenderAdvancedThreatProtection connector
elseif ($connector.kind -eq "MicrosoftDefenderAdvancedThreatProtection") {
$dataConnectorBody = ""
#query for connected Data connectors
$connectorProperties = checkDataConnector($connector.kind)
$dataConnectorBody = BuildDataconnectorPayload $connector $connectorProperties.guid $connectorProperties.etag $connectorProperties.isEnabled
EnableOrUpdateDataconnector $baseUri $connectorProperties.guid $dataConnectorBody $connectorProperties.isEnabled
Write-Host "Adding Analytics Rule for data connector Microsoft Defender Advanced Threat Protection..." -NoNewline
EnableMSAnalyticsRule "Microsoft Defender Advanced Threat Protection"
}
#Azure Active Directory Identity Protection connector
elseif ($connector.kind -eq "AzureActiveDirectory") {
$dataConnectorBody = ""
#query for connected Data connectors
$connectorProperties = checkDataConnector($connector.kind)
$dataConnectorBody = BuildDataconnectorPayload $connector $connectorProperties.guid $connectorProperties.etag $connectorProperties.isEnabled
EnableOrUpdateDataconnector $baseUri $connectorProperties.guid $dataConnectorBody $connectorProperties.isEnabled
Write-Host "Adding Analytics Rule for data connector Azure Active Directory Identity Protection..." -NoNewline
EnableMSAnalyticsRule "Azure Active Directory Identity Protection"
}
#AzureActiveDirectory
elseif ($connector.kind -eq "AzureActiveDirectoryDiagnostics") {
<# Azure Active Directory Audit/SignIn logs - requires special call and is therefore not connectors file
# Be aware that you executing SPN needs Owner rights on tenant scope for this operation, can be added with following CLI
# az role assignment create --role Owner --scope "/" --assignee {13ece749-d0a0-46cf-8000-b2552b520631}#>
$uri = "/providers/microsoft.aadiam/diagnosticSettings/AzureSentinel_${Workspace}?api-version=2017-04-01"
$connectorProperties = $connector.properties
$connectorProperties | Add-Member -NotePropertyName workspaceId -NotePropertyValue "/subscriptions/${SubscriptionId}/resourcegroups/${ResourceGroup}/providers/Microsoft.OperationalInsights/workspaces/${Workspace}"
$connectorBody = @{}
$connectorBody | Add-Member -NotePropertyName name -NotePropertyValue "AzureSentinel_${Workspace}"
$connectorBody.Add("properties",$connectorProperties)
try {
$result = Invoke-AzRestMethod -Path $uri -Method PUT -Payload ($connectorBody | ConvertTo-Json -Depth 3)
if ($result.StatusCode -eq 200) {
Write-Host "Successfully enabled data connector: $($connector.kind)" -ForegroundColor Green
}
else {
Write-Error "Unable to enable data connector $($connector.kind) with error: $($result.Content)"
}
Write-Verbose ($body.Properties | Format-List | Format-Table | Out-String)
}
catch {
$errorReturn = $_
Write-Verbose $_
Write-Error "Unable to invoke webrequest with error message: $errorReturn" -ErrorAction Stop
}
}
}
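Review bot: In the AzureActivityLog branch the message `"Successfully queried data connector ${connector.kind} - already enabled"` uses `${connector.kind}`, which PowerShell parses as a variable literally named `connector.kind` rather than a property access, so the connector name is always blank; write `$($connector.kind)` as the surrounding lines do. `EnableOrUpdateDataconnector` reports on `$connector.kind` although `$connector` is the script-scope loop variable and not one of its parameters, and the `$body.Properties` it prints afterwards (also in the AzureActivityLog and AzureActiveDirectoryDiagnostics branches) refers to a `$body` that is never assigned anywhere in the file; pass the connector in and log `$connectorBody.properties` instead. A PUT that creates a resource may also answer 201 rather than 200, in which case a successful enable would be logged as `Unable to enable data connector`. `CheckModules` installs from whatever repository is registered, with `-Force` and, for AzSentinel, only a `-MinimumVersion`, so pinning `-RequiredVersion` and `-Repository PSGallery` would make the dependency resolution reproducible and reviewable; likewise the `Get-Module $moduleVer` check without `-ListAvailable` only sees modules already imported into the session, so AzSentinel appears to be reinstalled on every run.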


@ -0,0 +1,101 @@
{
"connectors": [
{
"kind": "AzureActivityLog"
},
{
"kind": "AzureSecurityCenter",
"properties": {
"dataTypes": {
"alerts": {
"state": "enabled"
}
}
}
},
{
"kind": "AzureActiveDirectoryDiagnostics",
"properties": {
"logs": [
{
"category": "SignInLogs",
"enabled": true
},
{
"category": "AuditLogs",
"enabled": true
}
]
}
},
{
"kind": "AzureActiveDirectory",
"properties": {
"dataTypes": {
"alerts": {
"state": "enabled"
}
}
}
},
{
"kind": "Office365",
"properties": {
"dataTypes": {
"sharePoint": {
"state": "enabled"
},
"exchange": {
"state": "enabled"
},
"teams": {
"state": "enabled"
}
}
}
},
{
"kind": "MicrosoftCloudAppSecurity",
"properties": {
"dataTypes": {
"alerts": {
"state": "enabled"
},
"discoveryLogs": {
"state": "enabled"
}
}
}
},
{
"kind": "AzureAdvancedThreatProtection",
"properties": {
"dataTypes": {
"alerts": {
"state": "enabled"
}
}
}
},
{
"kind": "MicrosoftDefenderAdvancedThreatProtection",
"properties": {
"dataTypes": {
"alerts": {
"state": "enabled"
}
}
}
},
{
"kind": "ThreatIntelligence",
"properties": {
"dataTypes": {
"indicators": {
"state": "enabled"
}
}
}
}
]
}


@ -0,0 +1,136 @@
# Azure Sentinel All In One
![logo](./media/Sentinel21Logo.PNG)
Azure Sentinel All in One is a project that seeks to speed up deployment and initial configuration tasks of an Azure Sentinel environment. This is ideal for Proof of Concept scenarios and connector onboarding when highly privileged users are needed.
There's two versions of Sentinel All-In-One: **Powershell script** and **ARM template**. There's slight differences on what things get automated with each. We try to summarize them here:
| All-In-One version | Data Connectors | Analytics Rules |
| -------------------------------------------------- | ----------------------- |-------------------|
| Powershell script | Azure Activity, Azure Security Center, Azure Active Directory, Azure Active Directory Identity Protection, Office 365, Microsoft Cloud App Security, Azure Advanced Threat Protection, Microsoft Defender Advanced ThreatProtection, Threat Intelligence Platforms | Microsoft Incident Creation rules |
| ARM template | Azure Activity, Azure Security Center, Azure Active Directory Identity Protection, Office 365, Microsoft Cloud App Security, Azure Advanced Threat Protection, Microsoft Defender Advanced ThreatProtection, Security Events, DNS (Preview), Windows Firewall | Microsoft Incident Creation, Fusion, ML Behavior Analytics, Scheduled |
## Prerequisites
- Azure user account with enough permissions to enable the required connectors. See table below for additional permissions. Write permissions to the workspace are **always** needed.
- Some data connectors also require a license to be present in order to be enabled. See table below.
- [PowerShell Core](https://github.com/PowerShell/PowerShell) needs to be installed ONLY if using Powershell version
- Threat Intelligence Platforms connector requires additional setup documented [here](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence#connect-azure-sentinel-to-your-threat-intelligence-platform)
The following table summarizes permissions, licenses and permissions needed and related cost to enable each Data Connector:
| Data Connector | License | Permissions | Cost |
| ---------------------------------------------- | --------------- |---------------------------------|-----------|
| Azure Activity | None | Subscription Reader | Free |
| Azure Security Center | ASC Standard | Security Reader | Free |
| Azure Active Directory | Any AAD license | Global Admin or Security Admin | Billed |
| Azure Active Directory Identity Protection | AAD Premium 2 | Global Admin or Security Admin | Free |
| Office 365 | None | Global Admin or Security Admin | Free |
| Microsoft Cloud App Security | MCAS | Global Admin or Security Admin | Free |
| Azure Advanced Threat Protection | AATP | Global Admin or Security Admin | Free |
| Microsoft Defender Advanced Threat Protection | MDATP | Global Admin or Security Admin | Free |
| Threat Intelligence Platforms | None | Global Admin or Security Admin | Billed |
| Security Events | None | None | Billed |
| Linux Syslog | None | None | Billed |
| DNS (preview) | None | None | Billed |
| Windows Firewall | None | None | Billed |
## ARM template instructions
The template performs the following tasks:
- Creates resource group (if given resource group doesn't exist yet)
- Creates Log Analytics workspace (if given workspace doesn't exist yet)
- Installs Azure Sentinel on top of the workspace (if not installed yet)
- Enables selected Data Connectors from tihs list:
+ Azure Activity
+ Azure Security Center
+ Azure Active Directory Identity Protection
+ Office 365 (Sharepoint, Exchange and Teams)
+ Microsoft Cloud App Security
+ Azure Advanced Threat Protection
+ Microsoft Defender Advanced Threat Protection
+ Security Events
+ Linux Syslog
+ DNS (Preview)
+ Windows Firewall
- Enables analytics rules for selected Microsoft 1st party products
- Enables Fusion rule and ML Behavior Analytics rules for RDP or SSH (if Security Events or Syslog data sources are selected)
- Enables Scheduled analytics rules that apply to all the enabled connectors
It takes around **10 minutes** to deploy if enabling Scheduled analytics rules is selected. If Scheduled rules are not needed it will complete in less than 1 minute.
In order to create the Scheduled analytics rules, the deployment template uses an [ARM deployment script](https://docs.microsoft.com/azure/azure-resource-manager/templates/deployment-script-template) which requires a [user assigned identity](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview). You will see this resource in your resource group when the deployment finishes. You can remove after depployment if desired.
### Try it now
[![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FSentinel-All-In-One%2FARMTemplates%2Fazuredeploy.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSentinel-All-In-One%2FARMTemplates%2FcreateUiDefinition.json)
## Powershell script Instructions
The Powershell script inside the Powershell folder (*SentinelallInOne.ps1*) takes care of the following steps:
- Creates resource group (if given resource group doesn't exist yet)
- Creates Log Analytics workspace (if given workspace doesn't exist yet)
- Installs Azure Sentinel on top of the workspace (if not installed yet)
- Enables the following Data Connectors:
+ Azure Activity
+ Azure Security Center
+ Azure Active Directory
+ Azure Active Directory Identity Protection
+ Office 365 (Sharepoint, Exchange and Teams)
+ Microsoft Cloud App Security
+ Azure Advanced Threat Protection
+ Microsoft Defender Advanced Threat Protection
+ Threat Intelligence Platforms
- Enables Analytics Rules for enabled Microsoft 1st party products
### Getting started
These instructions will show you what you need to now to use Sentinel All in One.
#### Prerequisites
- [PowerShell Core](https://github.com/PowerShell/PowerShell)
- Azure user account with enough permissions to enable the required connectors. See table below.
- Some data connectors also require a license to be present in order to be enabled. See table below.
- Threat Intelligence Platforms connector requires additional setup documented [here](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence#connect-azure-sentinel-to-your-threat-intelligence-platform)
The following table summarizes permissions, licenses needed and cost to enable each Data Connector:
| Data Connector | License | Permissions | Cost |
| ---------------------------------------------- | --------------- |--------------------------------|-----------|
| Azure Activity | None |Reader | Free |
| Azure Security Center | ASC Standard |Security Reader | Free |
| Azure Active Directory | Any AAD license |Global Admin or Security Admin | Billed |
| Azure Active Directory Identity Protection | AAD Premium 2 |Global Admin or Security Admin | Free |
| Office 365 | None |Global Admin or Security Admin | Free |
| Microsoft Cloud App Security | MCAS |Global Admin or Security Admin | Free |
| Azure Advanced Threat Protection | AATP |Global Admin or Security Admin | Free |
| Microsoft Defender Advanced Threat Protection | MDATP |Global Admin or Security Admin | Free |
| Threat Intelligence Platforms | None |Global Admin or Security Admin | Billed |
#### Usage
Once you have PowerShell Core installed on your machine, you just need two files from this repo:
* *connectors.json* - contains all the connectors that will be enabled. If you don't want some of the connectors to be enabled, just remove them from the your copy of the file.
* *SentinelAllInOne.ps1* - script that automates all the steps outlined above.
The script uses your current Azure context, if you want to change the subscription you want to use, make sure you do that before executing the script. You can use `Connect-AzAccount -SubscriptionId <subscription_id>` to do that
Open a PowerShell core terminal, navigate to the folder where these two files are located and execute *SentinelAllInOne.ps1*. You will be asked to enter the following parameters:
- **Resource Group** - Resource Group that will contain the Azure Sentinel environment. If the provided resource group already exists, the script will skip its creation.
- **Workspace** - Name of the Azure Sentinel workspace. If it already exists, the script will skip its creation.
- **Location** - Location for the resource group and Azure Sentinel workspace.
If not logged in already, the script will ask you to log in to your Azure account. Make sure you have the right permissions to enable the connectors specified in *connectors.json* file.
The script will then iterate through the connectors specified in the *connectors.json* file and enable them. It will also enable the corresponding Microsoft analytics rules.
Here you have a GIF that shows the execution process:
![demo](./media/SentinelAllInOne.gif)

Двоичные данные
Tools/Sentinel-All-In-One/media/Sentinel21Logo.PNG Normal file

Двоичный файл не отображается.


Двоичные данные
Tools/Sentinel-All-In-One/media/SentinelAllInOne.gif Normal file

Двоичный файл не отображается.
