Azure-Sentinel/Playbooks/AutoConnect-ASCSubscriptions
liortamirmicrosoft f42cfa6135 ASC readme update fix (No local links) 2020-10-01 11:42:53 +03:00

AutoConnect-ASCSubscriptions

author: Lior Tamir

The playbook is triggered on a schedule. It runs on behalf of a registered Azure AD application, which monitors a certain management group. For each subscription this app has access to, if the subscription doesn't have an Azure Security Center connection enabled, a connection to Azure Sentinel is created.

See expanded guidance in the following blog post: Azure Security Center Auto-connect to Sentinel



The registered application needs to have the following RBAC Roles:

  1. Security Reader role on the management group that contains the ASC subscriptions. This is required for listing all available subscriptions, including new ones that are not connected yet. In some organizations, this is the Root Management Group.

  2. Azure Sentinel Contributor role on the Azure Sentinel workspace. This is required for checking whether a connection exists for a given subscription, and for creating the connection rule from a subscription that is not yet connected to Azure Sentinel.
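
The reconciliation step described above, sketched as an added Python example (not the playbook's own Logic App code): it compares the subscriptions visible to the application with the workspace's existing data connectors and builds the ARM request for each missing connection. The sample responses, the workspace resource ID, the `api-version` value and the deterministic connector naming are assumptions made for illustration.

```python
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2020-01-01"  # assumed api-version; check the current REST reference

# Constructed sample responses (not real tenants or subscriptions).
# Subscription list: readable via Security Reader on the management group.
SUBSCRIPTIONS = {"value": [
    {"subscriptionId": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "prod"},
    {"subscriptionId": "aaaaaaaa-0000-0000-0000-000000000002", "displayName": "dev"},
    {"subscriptionId": "aaaaaaaa-0000-0000-0000-000000000003", "displayName": "new"},
]}
# Data connector list: readable via Azure Sentinel Contributor on the workspace.
CONNECTORS = {"value": [
    {"kind": "AzureSecurityCenter",
     "properties": {"subscriptionId": "AAAAAAAA-0000-0000-0000-000000000001",
                    "dataTypes": {"alerts": {"state": "Enabled"}}}},
    {"kind": "AzureActiveDirectory",
     "properties": {"tenantId": "bbbbbbbb-0000-0000-0000-000000000000"}},
]}
WORKSPACE_ID = ("/subscriptions/aaaaaaaa-0000-0000-0000-000000000001/resourceGroups/rg-sentinel"
                "/providers/Microsoft.OperationalInsights/workspaces/ws-sentinel")

def connected_subscriptions(connectors):
    """Subscription ids (lower-cased) that already have an ASC data connector."""
    return {c["properties"]["subscriptionId"].lower()
            for c in connectors.get("value", [])
            if c.get("kind") == "AzureSecurityCenter"}

def plan_connections(subscriptions, connectors, workspace_id):
    """Build one PUT request per visible subscription that lacks an ASC connector."""
    have = connected_subscriptions(connectors)
    plan = []
    for sub in subscriptions.get("value", []):
        sub_id = sub["subscriptionId"].lower()  # GUID casing differs between APIs
        if sub_id in have:
            continue
        have.add(sub_id)  # guard against duplicates in a paged listing
        # Deterministic connector name, so a rerun targets the same resource.
        name = uuid.uuid5(uuid.NAMESPACE_URL, sub_id)
        plan.append({
            "method": "PUT",
            "url": f"{ARM}{workspace_id}/providers/Microsoft.SecurityInsights"
                   f"/dataConnectors/{name}?api-version={API_VERSION}",
            "body": {"kind": "AzureSecurityCenter",
                     "properties": {"subscriptionId": sub_id,
                                    "dataTypes": {"alerts": {"state": "Enabled"}}}},
        })
    return plan

if __name__ == "__main__":
    for req in plan_connections(SUBSCRIPTIONS, CONNECTORS, WORKSPACE_ID):
        print(req["method"], req["url"])
```

Only the two calls named in the role list are needed: the subscription listing uses the Security Reader assignment, and the connector read and write use the Azure Sentinel Contributor assignment on the workspace.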

Documentation references:

  • Azure Management groups as containers of subscriptions to monitor
  • Azure Active Directory registered application, assigned with RBAC roles