Azure-Sentinel/Tools/Sentinel-All-In-One
Gary Bushey d1610ac5d2
Update Create-NewSolutionAndRulesFromList.ps1
Modified line 175 to use the correct variable for the contentId field.  This will allow both the rule templates and the content hub to show that a rule has been used.
2023-12-07 07:59:07 -05:00
..
v1 Sentinel All-in-One version 2 (#7818) 2023-04-19 13:02:55 +05:30
v2 Update Create-NewSolutionAndRulesFromList.ps1 2023-12-07 07:59:07 -05:00
README.md Sentinel All-in-One version 2 (#7818) 2023-04-19 13:02:55 +05:30

README.md

Microsoft Sentinel All In One

Microsoft Sentinel All-in-One is aimed at helping customers and partners quickly set up a full-fledged Microsoft Sentinel environment that is ready to use, speeding up deployment and initial configuration tasks in few clicks, saving time and simplifying Microsoft Sentinel setup.

Version: 2

There are two versions of Microsoft Sentinel All-in-One, v1 and v2. V1 has two flavors, PowerShell and Azure Resource Manager. V2 only has Azure Resource Manager support for now. This page reflects v2, but you can find the previous version in the v1 folder.

What does All-in-One do?

Microsoft Sentinel All-in-One automates the following tasks:

  • Creates resource group
  • Creates Log Analytics workspace
  • Installs Microsoft Sentinel on top of the workspace
  • Sets workspace retention, daily cap and commitment tiers if desired
  • Enables UEBA with the relevant identity providers (AAD and/or AD)
  • Enables health diagnostics for Analytics Rules, Data Connectors and Automation Rules
  • Installs Content Hub solutions from a predefined list in three categories: 1st party, Essentials and Training
  • Enables Data Connectors from this list:
    • Azure Active Directory (with the ability to select which data types will be ingested)
    • Azure Active Directory Identity Protection
    • Azure Activity (from current subscription)
    • Dynamics 365
    • Microsoft 365 Defender
    • Microsoft Defender for Cloud
    • Microsoft Insider Risk Management
    • Microsoft Power BI
    • Microsoft Project
    • Office 365
    • Threat Intelligence Platforms
  • Enables analytics rules (Scheduled and NRT) included in the selected Content Hub solutions, with the ability to filter by severity
  • Enables analytics rules (Scheduled and NRT) that use any of the selected Data connectors, with the ability to filter by severity

Prerequisites

  • Azure Subscription
  • Azure user account with enough permissions to enable the desired connectors. See table at the end of this page for additional permissions. Write permissions to the workspace are always needed.
  • Some data connectors require the relevant licence in order to be enabled. See table at the end of this page for details.

Try it now!

Deploy to Azure

Supported connectors

The following table summarizes permissions, licenses and permissions needed and related cost to enable each Data Connector:

Data Connector License Permissions Cost
Azure Active Directory (Tenant scope version only) Any AAD license Global Admin or Security Admin Billed
Azure Active Directory Identity Protection AAD Premium 2 Global Admin or Security Admin Free
Azure Activity None Subscription Reader Free
Dynamics 365 D365 license Global Admin or Security Admin Billed
Microsoft 365 Defender M365D license Global Admin or Security Admin Free
Microsoft Defender for Cloud MDC license Security Reader Free
Microsoft Insider Risk Management IRM license Global Admin or Security Admin Free
Microsoft PowerBi PowerBi license Global Admin or Security Admin Billed
Microsoft Project MS Project license Global Admin or Security Admin Billed
Office 365 None Global Admin or Security Admin Free
Threat Intelligence Platforms None Global Admin or Security Admin Billed