Merge pull request #1431 from javiersoriano/javier-arm
Added ARM templates for AzureAD and Azure Activity
c1182a04e7
|
@ -1,6 +1,10 @@
|
|||
# Azure Sentinel Analytics Rules sample ARM templates
|
||||
|
||||
The templates in this folder allow you to create analytics rules in Azure Sentinel. You can try them with the following links:
|
||||
The templates in this folder allow you to create analytics rules in Azure Sentinel.
|
||||
|
||||
***DISCLAIMER:*** *as of today, these templates can be used only for first time deployment and not for updates. We are working to add update support soon.*
|
||||
|
||||
You can try them with the following links:
|
||||
|
||||
| Rule Type | Deploy |
|
||||
| :---| :---|
|
||||
|
|
|
@ -0,0 +1,37 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceResourceId": {
|
||||
"type": "string",
|
||||
"defaultValue": "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.operationalinsights/workspaces/{workspaceName}",
|
||||
"metadata": {
|
||||
"description": "Resource ID for Log Analytics workspace. Format expected is /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.operationalinsights/workspaces/{workspaceName}"
|
||||
}
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"aadDiagnosticsName": "[concat('AzSentinel-',uniqueString(parameters('workspaceResourceId')))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "microsoft.aadiam/diagnosticSettings",
|
||||
"apiVersion": "2017-04-01",
|
||||
"name": "[variables('aadDiagnosticsName')]",
|
||||
"properties": {
|
||||
"workspaceId": "[parameters('workspaceResourceId')]",
|
||||
"logs": [
|
||||
{
|
||||
"category": "SignInLogs",
|
||||
"enabled": true
|
||||
},
|
||||
{
|
||||
"category": "AuditLogs",
|
||||
"enabled": true
|
||||
}
|
||||
],
|
||||
"metrics": []
|
||||
}
|
||||
}
|
||||
]
|
||||
}
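Review bot: The `defaultValue` on `workspaceResourceId` (the line beginning `"defaultValue": "/subscriptions/{subscriptionId}/...`) is a literal placeholder rather than a resource ID, so a deployment that leaves the parameter unset is only rejected once the diagnostic setting is created, with an error about the workspace instead of the missing input; dropping the default and keeping the format in `metadata.description` makes the parameter required and fails template validation up front, and `"minLength": 1` would do the same if a default has to stay. The setting name comes from `uniqueString(parameters('workspaceResourceId'))`, which hashes the exact string, so the same workspace passed with different casing presumably creates a second setting instead of updating the first — worth a sentence in the parameter description given the folder README's no-update disclaimer. Because the `$schema` targets tenant scope, the deploying principal needs tenant-level rights that the template itself never states; a top-level `"metadata": { "description": "Requires tenant-scope deployment rights; see README" }` would make that visible to whoever reviews the deployment.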
|
|
@ -0,0 +1,17 @@
|
|||
# Azure Active Directory connector template
|
||||
|
||||
Author: Javier Soriano
|
||||
|
||||
This template enables the Azure AD connector on your Sentinel workspace.
|
||||
|
||||
Azure Active Directory Audit/SignIn logs requires permissions to deploy at tenant scope. Assign Owner or Contributor to the principal that needs to deploy the templates (details [here](https://docs.microsoft.com/azure/azure-resource-manager/templates/deploy-to-tenant?tabs=azure-cli#required-access)):
|
||||
|
||||
`az role assignment create --role Owner --scope "/" --assignee {user object ID}`
|
||||
|
||||
Required template parameter is workspaceResourceId in format:
|
||||
|
||||
`/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.operationalinsights/workspaces/{workspaceName}`
|
||||
|
||||
Try it with the link below:
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FARM-Templates%2FDataConnectors%2FAzureAD%2FAzureAD.json)
|
|
@ -0,0 +1,41 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Workspace name for Log Analytics where Sentinel is setup"
|
||||
}
|
||||
},
|
||||
"subscriptionId": {
|
||||
"type": "string",
|
||||
"defaultValue": "[subscription().subscriptionId]",
|
||||
"metadata": {
|
||||
"description": "Subscription ID to monitor"
|
||||
}
|
||||
},
|
||||
"location": {
|
||||
"type": "string",
|
||||
"defaultValue": "[resourceGroup().location]",
|
||||
"metadata": {
|
||||
"description": "Location for all resources."
|
||||
}
|
||||
}
|
||||
},
|
||||
"functions": [],
|
||||
"variables": {},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
|
||||
"apiVersion": "2020-03-01-preview",
|
||||
"location": "[parameters('location')]",
|
||||
"name": "[concat(parameters('workspaceName'), '/', replace(parameters('subscriptionId'),'-', ''))]",
|
||||
"kind": "AzureActivityLog",
|
||||
"properties": {
|
||||
"linkedResourceId": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/microsoft.insights/eventtypes/management')]"
|
||||
}
|
||||
}
|
||||
],
|
||||
"outputs": {}
|
||||
}
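Review bot: The `subscriptionId` parameter feeds both the resource name (`replace(parameters('subscriptionId'),'-', '')`) and `linkedResourceId`, but nothing constrains it, so a value with stray whitespace or a non-GUID string yields a data source whose linked resource does not exist and the failure only surfaces at deployment; adding `"minLength": 36, "maxLength": 36` to the parameter catches that at validation while keeping the `[subscription().subscriptionId]` default working. The `location` parameter defaults to `resourceGroup().location`, which is not necessarily the workspace's region; if the `dataSources` resource honours `location` under the 2020-03-01-preview API a mismatch may be rejected, and if it is ignored the parameter and property can be dropped — confirm against the API reference. When the monitored subscription differs from the deployment subscription, the deploying principal presumably also needs read access on that subscription for the link to succeed, which the `"Subscription ID to monitor"` description should state. `outputs` is empty; returning the created data source's resource ID would let the deployer verify which subscription was actually connected.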
|
|
@ -0,0 +1,7 @@
|
|||
# Azure Activity connector template
|
||||
|
||||
Author: Javier Soriano
|
||||
|
||||
This template enables the Azure Activity connector on your Sentinel workspace.
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FARM-Templates%2FDataConnectors%2FAzureActivity%2FAzureActivity.json)
|
|
@ -1,6 +1,10 @@
|
|||
# Azure Sentinel Data Connector sample ARM templates
|
||||
|
||||
The templates in this folder allow you to onboard data connectors in Azure Sentinel. You can try them with the following links:
|
||||
The templates in this folder allow you to onboard data connectors in Azure Sentinel.
|
||||
|
||||
***DISCLAIMER:*** *as of today, these templates can be used only for first time deployment and not for updates. We are working to add update support soon.*
|
||||
|
||||
You can try them with the following links:
|
||||
|
||||
| Data Connector | Deploy |
|
||||
| :---| :---|
|
||||
|
@ -9,3 +13,5 @@ The templates in this folder allow you to onboard data connectors in Azure Senti
|
|||
| [Azure Security Center](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/ARM-Templates/DataConnectors/AzureSecurityCenter/AzureSecurityCenter.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FARM-Templates%2FDataConnectors%2FAzureSecurityCenter%2FAzureSecurityCenter.json) |
|
||||
| [MCAS](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/ARM-Templates/DataConnectors/MCAS/MCAS.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FARM-Templates%2FDataConnectors%2FMCAS%2FMCAS.json) |
|
||||
| [Microsoft Defender ATP](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/ARM-Templates/DataConnectors/MDATP/MDATP.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FARM-Templates%2FDataConnectors%2FMDATP%2FMDATP.json) |
|
||||
| [Azure Activity](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/ARM-Templates/DataConnectors/AzureActivity/AzureActivity.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FARM-Templates%2FDataConnectors%2FAzureActivity%2FAzureActivity.json) |
|
||||
| [Azure AD](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/ARM-Templates/DataConnectors/AzureAD/AzureAD.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FARM-Templates%2FDataConnectors%2FAzureAD%2FAzureAD.json) |
|
|
@ -0,0 +1 @@
|
|||
# Azure Sentinel Quickstart ARM Templates
|