Merge pull request #1431 from javiersoriano/javier-arm

Added ARM templates for AzureAD and Azure Activity

Tools/ARM-Templates/AnalyticsRules/README.md

@@ -1,6 +1,10 @@
 # Azure Sentinel Analytics Rules sample ARM templates
 
-The templates in this folder allow you to create analytics rules in Azure Sentinel. You can try them with the following links:
+The templates in this folder allow you to create analytics rules in Azure Sentinel. 
+
+***DISCLAIMER:*** *as of today, these templates can be used only for first time deployment and not for updates. We are working to add update support soon.*
+
+You can try them with the following links:
 
 | Rule Type | Deploy |
 | :---| :---|

Tools/ARM-Templates/DataConnectors/AzureAD/AzureAD.json

@@ -0,0 +1,37 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "workspaceResourceId": {
+            "type": "string",
+            "defaultValue": "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.operationalinsights/workspaces/{workspaceName}",
+            "metadata": {
+                "description": "Resource ID for Log Analytics workspace. Format expected is /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.operationalinsights/workspaces/{workspaceName}"
+            }
+        }
+    },
+    "variables": {
+        "aadDiagnosticsName": "[concat('AzSentinel-',uniqueString(parameters('workspaceResourceId')))]"
+    },
+    "resources": [
+        {
+            "type": "microsoft.aadiam/diagnosticSettings",
+            "apiVersion": "2017-04-01",
+            "name": "[variables('aadDiagnosticsName')]",
+            "properties": {
+                "workspaceId": "[parameters('workspaceResourceId')]",
+                "logs": [
+                    {
+                        "category": "SignInLogs",
+                        "enabled": true
+                    },
+                    {
+                        "category": "AuditLogs",
+                        "enabled": true
+                    }
+                ],
+                 "metrics": []
+            }
+        }
+    ]
+}

Tools/ARM-Templates/DataConnectors/AzureAD/README.md

@@ -0,0 +1,17 @@
+# Azure Active Directory connector template
+
+Author: Javier Soriano
+
+This template enables the Azure AD connector on your Sentinel workspace. 
+
+Azure Active Directory Audit/SignIn logs requires permissions to deploy at tenant scope. Assign Owner or Contributor to the principal that needs to deploy the templates (details [here](https://docs.microsoft.com/azure/azure-resource-manager/templates/deploy-to-tenant?tabs=azure-cli#required-access)):
+
+`az role assignment create --role Owner --scope "/" --assignee {user object ID}`
+
+Required template parameter is workspaceResourceId in format: 
+
+`/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.operationalinsights/workspaces/{workspaceName}`
+
+Try it with the link below:
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FARM-Templates%2FDataConnectors%2FAzureAD%2FAzureAD.json)

Tools/ARM-Templates/DataConnectors/AzureActivity/AzureActivity.json

@@ -0,0 +1,41 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "workspaceName": {
+            "type": "string",
+            "metadata": {
+                "description": "Workspace name for Log Analytics where Sentinel is setup"
+            }
+        },
+        "subscriptionId": {
+            "type": "string",
+            "defaultValue": "[subscription().subscriptionId]",
+            "metadata": {
+                "description": "Subscription ID to monitor"
+            }
+        },
+         "location": {
+            "type": "string",
+            "defaultValue": "[resourceGroup().location]",
+            "metadata": {
+                "description": "Location for all resources."
+            }
+        }
+    },
+    "functions": [],
+    "variables": {},
+    "resources": [
+        {
+            "type": "Microsoft.OperationalInsights/workspaces/dataSources",
+            "apiVersion": "2020-03-01-preview",
+            "location": "[parameters('location')]",
+            "name": "[concat(parameters('workspaceName'), '/', replace(parameters('subscriptionId'),'-', ''))]",
+            "kind": "AzureActivityLog",
+            "properties": {
+                "linkedResourceId": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/microsoft.insights/eventtypes/management')]"
+            }
+        }        
+    ],
+    "outputs": {}
+}

Tools/ARM-Templates/DataConnectors/AzureActivity/README.md

@@ -0,0 +1,7 @@
+# Azure Activity connector template
+
+Author: Javier Soriano
+
+This template enables the Azure Activity connector on your Sentinel workspace.
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FARM-Templates%2FDataConnectors%2FAzureActivity%2FAzureActivity.json)

Tools/ARM-Templates/DataConnectors/README.md

@@ -1,6 +1,10 @@
 # Azure Sentinel Data Connector sample ARM templates
 
-The templates in this folder allow you to onboard data connectors in Azure Sentinel. You can try them with the following links:
+The templates in this folder allow you to onboard data connectors in Azure Sentinel. 
+
+***DISCLAIMER:*** *as of today, these templates can be used only for first time deployment and not for updates. We are working to add update support soon.*
+
+You can try them with the following links:
 
 | Data Connector | Deploy |
 | :---| :---|
@@ -9,3 +13,5 @@ The templates in this folder allow you to onboard data connectors in Azure Senti
 | [Azure Security Center](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/ARM-Templates/DataConnectors/AzureSecurityCenter/AzureSecurityCenter.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FARM-Templates%2FDataConnectors%2FAzureSecurityCenter%2FAzureSecurityCenter.json) |
 | [MCAS](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/ARM-Templates/DataConnectors/MCAS/MCAS.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FARM-Templates%2FDataConnectors%2FMCAS%2FMCAS.json) |
 | [Microsoft Defender ATP](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/ARM-Templates/DataConnectors/MDATP/MDATP.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FARM-Templates%2FDataConnectors%2FMDATP%2FMDATP.json) |
+| [Azure Activity](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/ARM-Templates/DataConnectors/AzureActivity/AzureActivity.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FARM-Templates%2FDataConnectors%2FAzureActivity%2FAzureActivity.json) |
+| [Azure AD](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/ARM-Templates/DataConnectors/AzureAD/AzureAD.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FARM-Templates%2FDataConnectors%2FAzureAD%2FAzureAD.json) |

Tools/ARM-Templates/README.md

@@ -0,0 +1 @@
+# Azure Sentinel Quickstart ARM Templates