README.MD
Deploy a Function App for collecting Azure AD User Information data into Azure Sentinel
This function app runs daily, queries Azure AD for all users, and writes the information to Log Analytics.
Notes:
- There is a parser available here
- The managed identity of the function app will need to be assigned the 'Directory Reader' role in the Azure AD 'Roles and administrators' section.
Deploy the Function App
The easiest way is via the provided ARM templates:
1: Deploy via Azure ARM Template
- Deploy the template.
Alternatively you can deploy the elements manually.
2: Deploy via VS Code
Note: You will need to prepare VS Code for Azure Functions development. See https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-powershell#prerequisites
- Download the [Zip](https://github.com/Azure/Azure-Sentinel/blob/master/Soltuions/AADUserInfo/Data Connectors/AADUserInfo_template.zip?raw=true) file of the Azure Function app from GitHub.
- Extract to a location on your local host.
- Open VS Code.
- Click File -> Open Folder.
- Select the top level folder from extracted files.
- Press Ctrl+Shift+P.
- Click Azure Functions: Deploy to function app. You may be asked to sign in to Azure.
- Click Create New function app in Azure (advanced).
- Provide a unique name like "AADUserInfo". Press Enter.
- Click Windows.
- Click Consumption.
- Click PowerShell.
- Click Create new Resource Group.
- Press Enter to accept the name.
- Click Create a new storage Account.
- Press Enter to accept the name.
- Click Create new Application Insights resource.
- Press Enter to accept the name.
- Pick a location to deploy in.
- Deployment will begin.
- Wait for the deployment to complete, then click upload settings in the bottom right.
- Click yes to all to upload.
- Go to the Azure Portal.
- Go to the resource group that was created. Click the Function.
- Click Stop.
- Click Identity.
- Click On under System assigned. Click Save. Click Yes.
- Click Configuration.
- Click General Settings.
- Change Platform to 64 Bit. Click Save.
Create a Key Vault
- Go to the Azure Portal.
- Go to the resource group that was created. Click Add.
- Type Key Vault.
- Create a Key vault.
- Go to the resource created.
- Click Access Policies.
- Click Add Access Policy.
- Select Secret Management from the Configure from template dropdown.
- Click Select Principal.
- Search for the name of the function app. Click Select.
- Click Add.
- Click Save.
- Click Secrets.
- Click Generate.
- Enter WorkspaceKey. Paste in your Azure Sentinel Workspace Key. Click Create.
- Click Generate.
- Click WorkspaceKey and copy the current version string to a temporary location.
Configure Settings for the Function
- Go to the Azure Portal.
- Go to the resource group that was created. Click the Function.
- Click Configuration.
- Click edit next to workspaceKey.
- Update the value using the string copied from Key Vault, in the form of a Key Vault reference (replace the placeholders with your vault name and the secret version copied above):
- @Microsoft.KeyVault(SecretUri=https://<your-key-vault-name>.vault.azure.net/secrets/workspaceKey/<secret-version>)
- Click Ok.
- Click edit next to workspaceId.
- Update the value with your Sentinel Workspace Id.
- Click Ok.
- Click Save.
If successfully deployed, you should start to see events appear in your Azure Sentinel workspace as soon as they are generated. If you run into issues, there are a number of options for monitoring and debugging your Function App.
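The Identity, Key Vault and Configuration steps above can also be scripted. The following is an added example, not part of the connector's own code; it assumes the function app from the VS Code steps already exists, that the Az.Accounts, Az.Functions and Az.KeyVault modules are installed, and that the bracketed placeholder names are replaced with your own values.

```powershell
# Added example, not part of the connector's own code. Assumes the function app
# already exists and the Az.Accounts, Az.Functions and Az.KeyVault modules are loaded.
$ResourceGroup = '<resource-group-created-above>'
$FunctionApp   = 'AADUserInfo'                # name chosen in the VS Code steps
$VaultName     = '<globally-unique-vault-name>'
$Location      = '<azure-region>'
$WorkspaceId   = '<sentinel-workspace-id>'

Connect-AzAccount | Out-Null

# 1. Turn on the system-assigned managed identity (Identity -> On -> Save).
Update-AzFunctionApp -Name $FunctionApp -ResourceGroupName $ResourceGroup `
    -IdentityType SystemAssigned | Out-Null
$principalId = (Get-AzFunctionApp -Name $FunctionApp -ResourceGroupName $ResourceGroup).IdentityPrincipalId
if (-not $principalId) { throw "Managed identity was not enabled on $FunctionApp" }

# 2. Create the vault and grant only that identity, and only secret read rights
#    (narrower than the 'Secret Management' template used in the portal steps).
New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup -Location $Location | Out-Null
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId -PermissionsToSecrets Get,List

# 3. Store the workspace key as the secret 'WorkspaceKey'. Prompting keeps the
#    key out of shell history and out of this script.
$keySecure = Read-Host -Prompt 'Paste the Sentinel workspace key' -AsSecureString
$secret = Set-AzKeyVaultSecret -VaultName $VaultName -Name 'WorkspaceKey' -SecretValue $keySecure

# 4. Point the app settings at the versioned secret URI. The app only holds the
#    reference; the platform resolves it at runtime with the managed identity.
Update-AzFunctionAppSetting -Name $FunctionApp -ResourceGroupName $ResourceGroup -AppSetting @{
    workspaceKey = "@Microsoft.KeyVault(SecretUri=$($secret.Id))"
    workspaceId  = $WorkspaceId
} | Out-Null

# 5. Check: the stored value must be the reference, never the key itself.
$settings = Get-AzFunctionAppSetting -Name $FunctionApp -ResourceGroupName $ResourceGroup
if ($settings['workspaceKey'] -notlike '@Microsoft.KeyVault(*') {
    throw 'workspaceKey app setting is not a Key Vault reference'
}
"workspaceKey -> $($settings['workspaceKey'])"
```

The 'Directory Reader' role assignment from the Notes section is not covered here and still has to be done in Azure AD. If the vault was created with the RBAC permission model, step 2 needs a role assignment instead of an access policy.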