Azure-Sentinel/Solutions/1Password
PrasadBoke 70f8412e60 Hyperlinks corrected 2024-06-27 14:22:59 +05:30
Analytics Rules Update 1Password - Changes to SSO configuration.yaml 2024-06-26 09:05:37 +02:00
Data Hyperlinks corrected 2024-06-27 14:22:59 +05:30
Data Connectors Hyperlinks corrected 2024-06-27 14:22:59 +05:30
Package Hyperlinks corrected 2024-06-27 14:22:59 +05:30
Workbooks Commit reset 2024-04-25 14:37:38 +05:30
images updated solution template 2024-02-05 11:04:01 +01:00
README.md Hyperlinks corrected 2024-06-27 14:22:59 +05:30
ReleaseNotes.md Fixed typo and logo in CreateUI 2024-06-27 12:01:57 +05:30
SolutionMetadata.json Shortlink and tier updated 2024-06-24 13:51:41 +05:30

README.md

1Password (Preview)

Overview

The key function of this Solution is to retrieve sign-in attempt, item usage, and audit event logs from your 1Password Business account using the 1Password Events Reporting API, and store them in an Azure Log Analytics Workspace using Microsoft cloud native features.

Azure services needed

Required

Automated Installation

Installing the 1Password Solution for Microsoft Sentinel is easy and can be completed in only a few minutes. Just click the button below to get started with the deployment wizard.

Deploy To Azure

NOTE: To deploy the solution, the Azure user account executing the deployment needs to have Owner permissions on the Microsoft Sentinel Resource Group in Azure.
This is required to assign the correct RBAC role to the managed identity of the FunctionApp!

Manual Installation using the ARM template

Deployment steps

  1. Install the data connector using the ARM template, or use this link to skip the steps below.
  2. After the deployment of the template has completed, open the Microsoft Sentinel portal and select the data connector.
  3. Select the Open connector page button to open the data connector configuration.
  4. Click the Deploy to Azure button.
    This will open a new browser page containing a deployment wizard in Microsoft Azure.
    Fill in all the required fields and select create on the last page.

The required resources for the deployment will now be created.

Deployed Resources

The 1Password Solution for Microsoft Sentinel comprises the following Azure resources:

Resource Group

The Azure resource group is used as a container to group a set of Azure resources that share the same lifecycle.

NOTE: A known limitation is that the Solution can only be deployed in the same resource group that hosts Microsoft Sentinel.

Function App

The Azure FunctionApp runs on top of an Azure App Service and is used to host the PowerShell function to query the 1Password API endpoint. The Azure FunctionApp has the following components:

|- WWWROOT
|-|- Modules
|-|-|- HelperFunctions.psm1
|-|- function
|-|-|- function.json
|-|-|- run.ps1
|-|- host.json
|-|- profile.ps1
|-|- requirements.psd1

The HelperFunctions.psm1 module simplifies the FunctionApp code and handles security-related tasks such as:

  • Query the 1Password Events API endpoint
  • Send the data to the Data Collection Rule endpoint
  • Set and retrieve the cursor and timestamp to a storage account

Key Vault

The Azure Key Vault resource is used to securely store certain sensitive or secret values used in the 1Password Solution for Microsoft Sentinel. Because of the sensitivity of the secrets in the Key Vault, access is restricted to the Managed Identity (MSI) of the FunctionApp. Secrets that reside in the vault are:

  • APIKey (1password)
  • functionAppPackage (location to zip package hosting the function)
  • dataCollectionEndpoint (endpoint for uploading 1Password logs)

Storage Account

The Storage Account resource is used to store logs and properties of the Azure FunctionApp.

Application Insights

The Application Insights instance is used for collecting telemetry of the Azure FunctionApp. This provides visibility into the availability, performance, and usage patterns of the FunctionApp.

Data Collection Rule (DCR)

The Data Collection Rule is attached to a data collection endpoint and a Log Analytics table. The Managed Identity (MSI) of the FunctionApp is used to authenticate against the data collection endpoint.

Custom Table

During deployment, a custom table with the name "OnePasswordEventLogs_CL" is created in the Log Analytics workspace.

Role Assignment

The identity used to send the data to the Data Collection Endpoint needs to have the Monitoring Metrics Publisher role on the Data Collection Rule (DCR).

NOTE: It can take up to 30 minutes after deployment before the first data is received by the table.
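
A post-deployment check of the role assignment and the custom table described above, as an added example that is not part of the 1Password solution or its repository. It assumes the Az PowerShell modules and a signed-in session; all four parameter values are placeholders for names from your own deployment.

```powershell
# Added example: post-deployment check, not part of the 1Password solution.
# Assumes the Az modules and a signed-in session (Connect-AzAccount).
# Every parameter value is a placeholder for a name from your own deployment.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,      # resource group hosting Microsoft Sentinel
    [Parameter(Mandatory)] [string] $FunctionAppName,
    [Parameter(Mandatory)] [string] $DataCollectionRuleName,
    [Parameter(Mandatory)] [string] $WorkspaceName
)
$ErrorActionPreference = 'Stop'
$role = 'Monitoring Metrics Publisher'

# 1. The FunctionApp needs a managed identity to authenticate with.
$app = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $FunctionAppName
$principalId = $app.Identity.PrincipalId
if (-not $principalId) { throw "FunctionApp '$FunctionAppName' has no managed identity." }

# 2. That identity needs the role on the DCR. Get-AzRoleAssignment -Scope also
#    returns inherited assignments, so report where the role was granted.
$dcr = Get-AzResource -ResourceGroupName $ResourceGroupName -Name $DataCollectionRuleName `
    -ResourceType 'Microsoft.Insights/dataCollectionRules'
if (-not $dcr) { throw "Data Collection Rule '$DataCollectionRuleName' not found." }
$grants = @(Get-AzRoleAssignment -ObjectId $principalId -Scope $dcr.ResourceId |
    Where-Object RoleDefinitionName -eq $role)

# 3. Rows in the custom table. An empty result in the first 30 minutes after
#    deployment is expected and is not a failure by itself.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName
$kql = 'OnePasswordEventLogs_CL | where TimeGenerated > ago(1h) ' +
       '| summarize Events = count(), Latest = max(TimeGenerated)'
$row = (Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql).Results |
    Select-Object -First 1

[pscustomobject]@{
    ManagedIdentity = $principalId
    RoleAssigned    = $grants.Count -gt 0
    GrantedAtScopes = $grants.Scope      # wider than the DCR means more privilege than needed
    EventsLastHour  = [int]$row.Events
    LatestEvent     = $row.Latest
}
```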

Implementation resources

The 1Password Solution for Microsoft Sentinel is deployed from the Data Connector in Microsoft Sentinel. You must create the Data Connector in order to deploy the 1Password Solution.

Note: In the 1Password (Preview) Solution, the installation is done using an ARM (Azure Resource Manager) template.
Once the Solution is in GA (general availability) it will be installed from the Microsoft Sentinel content hub.

Post Deployment steps

  • N/A