From 24ae46adeae1eaa4d2cd0f543606033468957084 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 14 Aug 2024 16:16:11 +0400 Subject: [PATCH] Sentinel Deployment Fix (#1709) Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com> --- docs/wiki/Whats-new.md | 9 + eslzArm/eslz-portal.json | 21 ++ eslzArm/eslzArm.json | 92 +---- .../logAnalyticsSolutions.json | 330 ------------------ .../logAnalyticsWorkspace.json | 19 +- 5 files changed, 58 insertions(+), 413 deletions(-) delete mode 100644 eslzArm/subscriptionTemplates/logAnalyticsSolutions.json diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 38e12bae..b3e3f31d 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -1,6 +1,7 @@ ## In this Section - [Updates](#updates) + - [August 2024](#august-2024) - [July 2024](#july-2024) - [June 2024](#june-2024) - [🆕 AMA Updates](#-ama-updates) @@ -47,6 +48,14 @@ This article will be updated as and when changes are made to the above and anyth Here's what's changed in Enterprise Scale/Azure Landing Zones: +### August 2024 + +#### Other + +- Cleaned up the Log Analytics "solutions" in portal ARM template, as these are no longer required and deployed by ALZ. +- Re-introduced the option to enable "Sentinel" in the portal accelerator. +- Updated Microsoft Sentinel onboarding (enablement) using the new mechanism that fixes issues after 1 July 2024. Microsoft Sentinel is enabled by default through the portal accelerator as a best practice - we do not however configure any data connectors, we only enable the service. Should you wish to remove this, you can delete the association from the Azure Portal after deployment from the "Sentinel" feature blade. + ### July 2024 #### Policy diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index e017fe9c..b3e68499 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json 
@@ -439,6 +439,26 @@ "style": "Info" } }, + { + "name": "enableSentinel", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Microsoft Sentinel (configuration required to activate)", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected Sentinel will be enabled on the Log Analytics workspace. Note additional configuration is required to complete Sentinel onboarding.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, { "name": "esMgmtSubSection", "type": "Microsoft.Common.Section", @@ -8972,6 +8992,7 @@ "enableUpdateMgmt": "[steps('management').enableUpdateMgmt]", "enableVmInsights": "[steps('management').enableVmInsights]", "retentionInDays": "[string(steps('management').retentionInDays)]", + "enableSentinel": "[steps('management').enableSentinel]", "managementSubscriptionId": "[steps('management').esMgmtSubSection.esMgmtSub]", "enableAsc": "[steps('management').enableAsc]", "emailContactAsc": "[steps('management').emailContactAsc]", diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 2c25864a..c0ea0b7c 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -40,6 +40,10 @@ "type": "string", "defaultValue": "" }, + "enableSentinel": { + "type": "string", + "defaultValue": "Yes" + }, "managementSubscriptionId": { "type": "string", "defaultValue": "", @@ -203,14 +207,6 @@ ], "defaultValue": "Disabled" }, - "enableSecuritySolution": { - "type": "string", - "defaultValue": "Yes", - "allowedValues": [ - "Yes", - "No" - ] - }, "enableMonitorBaselines": { "type": "string", "defaultValue": "", 
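Review bot: The new `enableSentinel` parameter in eslzArm.json (hunk `@@ -40,6 +40,10 @@`) accepts any string, whereas the `enableSecuritySolution` parameter it replaces constrained input with `allowedValues`; since the only consumer is `equals(parameters('enableSentinel'), 'Yes')`, a mistyped value silently leaves Sentinel disabled instead of failing template validation. Add `"allowedValues": [ "Yes", "No" ]` to the parameter here, and the same to the `enableSentinel` parameter added in logAnalyticsWorkspace.json, which additionally lacks a `defaultValue` and a `metadata.description`. Dropping `enableSecuritySolution` in the following hunk is a breaking change for anyone deploying eslzArm.json outside the portal with a saved parameter file that still passes the old name, since ARM rejects parameters the template does not declare; the What's-new entry could mention the rename explicitly.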
@@ -1596,7 +1592,6 @@ "resourceGroup": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/resourceGroup.json')]", "ddosProtection": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/ddosProtection.json')]", "logAnalyticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json')]", - "monitoringSolutions": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/logAnalyticsSolutions.json')]", "asbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json')]", "regulatoryComplianceInitaitves": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-RegulatoryCompliancePolicyAssignment.json')]", "resourceDiagnosticsInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json')]", @@ -1714,7 +1709,6 @@ "monitorManagementDeploymentName": "[take(concat('alz-ManagementMonitor', variables('deploymentSuffix')), 64)]", "monitorLandingZoneDeploymentName": "[take(concat('alz-LandingZoneMonitor', variables('deploymentSuffix')), 64)]", "monitorServiceHealthDeploymentName": "[take(concat('alz-SvcHealthMonitor', variables('deploymentSuffix')), 64)]", - "monitoringSolutionsDeploymentName": "[take(concat('alz-Solutions', variables('deploymentSuffix')), 64)]", "asbPolicyDeploymentName": "[take(concat('alz-ASB', variables('deploymentSuffix')), 64)]", "regulatoryComplianceInitativesToAssignDeploymentName": "[take(concat('alz-RegComp-', deployment().location, '-', uniqueString(parameters('currentDateTimeUtcNow')), '-'), 64)]", "resourceDiagnosticsPolicyDeploymentName": "[take(concat('alz-ResourceDiagnostics', variables('deploymentSuffix')), 64)]", 
@@ -1842,7 +1836,6 @@ "subnetNsgIdentityLitePolicyDeploymentName": "[take(concat('alz-SubnetNsgIdentity', variables('deploymentSuffix')), 64)]", "monitoringLiteDeploymentName": "[take(concat('alz-MonitoringLite', variables('deploymentSuffix')), 64)]", "logAnalyticsLitePolicyDeploymentName": "[take(concat('alz-LAPolicyLite', variables('deploymentSuffix')), 64)]", - "monitoringSolutionsLiteDeploymentName": "[take(concat('alz-SolutionsLite', variables('deploymentSuffix')), 64)]", "platformLiteSubscriptionPlacement": "[take(concat('alz-PlatformSubLite', variables('deploymentSuffix')), 64)]", "vnetConnectivityHubLiteDeploymentName": "[take(concat('alz-VnetHubLite', variables('deploymentSuffix')), 64)]", "vwanConnectivityHubLiteDeploymentName": "[take(concat('alz-VWanHubLite', variables('deploymentSuffix')), 64)]", @@ -2414,6 +2407,9 @@ }, "retentionInDays": { "value": "[parameters('retentionInDays')]" + }, + "enableSentinel": { + "value": "[parameters('enableSentinel')]" } } } 
@@ -2538,40 +2534,6 @@ } } }, - { - // Deploying Sentinel to Log Analytics workspace if condition is true - "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableSecuritySolution'), 'Yes'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').monitoringSolutionsDeploymentName]", - "location": "[deployment().location]", - "subscriptionId": "[parameters('managementSubscriptionId')]", - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion" - ], - "properties": { - "mode": "Incremental", - "templateLink": { - "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').monitoringSolutions]" - }, - "parameters": { - "rgName": { - "value": "[variables('platformRgNames').mgmtRg]" - }, - "workspaceName": { - "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" - }, - "workspaceRegion": { - "value": "[deployment().location]" - }, - "enableSecuritySolution": { - "value": "[parameters('enableSecuritySolution')]" - } - } - } - }, { // Assigning Log Analytics workspace policy to management management group if condition is true "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]", @@ -7544,6 +7506,9 @@ }, "retentionInDays": { "value": "[parameters('retentionInDays')]" + }, + "enableSentinel": { + "value": "[parameters('enableSentinel')]" } } } 
@@ -7581,43 +7546,6 @@ } } }, - /* - Note: ES Lite only: the following deployments will deploy Sentinel to the platform subscription - */ - { - // Deploying Sentinel to the Log Analytics workspace if condition is true - "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableSecuritySolution'), 'Yes'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[variables('esLiteDeploymentNames').monitoringSolutionsLiteDeploymentName]", - "location": "[deployment().location]", - "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", - "policyCompletion" - ], - "properties": { - "mode": "Incremental", - "templateLink": { - "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').monitoringSolutions]" - }, - "parameters": { - "rgName": { - "value": "[variables('platformRgNames').mgmtRg]" - }, - "workspaceName": { - "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" - }, - "workspaceRegion": { - "value": "[deployment().location]" - }, - "enableSecuritySolution": { - "value": "[parameters('enableSecuritySolution')]" - } - } - } - }, /* Note: ES Lite only: deploy Log Analytics workspace policy to the platform management group */ diff --git a/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json b/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json deleted file mode 100644 index 7e13eb92..00000000 --- a/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json +++ /dev/null 
@@ -1,330 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "rgName": { - "type": "string", - "metadata": { - "description": "Provide the resource group name where the Log Analytics workspace is deployed." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Provide resource name for the Log Analytics workspace." - } - }, - "workspaceRegion": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Select Azure region for the Log Analytics workspace. Default, we will use same region as deployment." - } - }, - "enableSecuritySolution": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether security solutions should be enabled or not." - } - }/*, - "enableAgentHealth": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether agent health solution should be enabled or not." - } - }, - "enableChangeTracking": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether change tracking solution should be enabled or not." - } - }, - "enableUpdateMgmt": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether update mgmt solution should be enabled or not." - } - }, - "enableVmInsights": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether VM insights solution should be enabled or not." 
- } - }, - "enableSqlAssessment": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether SQL assessment solution should be enabled or not." - } - }, - "enableSqlVulnerabilityAssessment": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether SQL vulnerability assessment solution should be enabled or not." - } - }, - "enableSqlAdvancedThreatProtection": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether SQL advanced threat protection solution should be enabled or not." - } - }*/ - }, - "variables": { - "laResourceId": "[toLower(concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName')))]", - "solutions": { - /*"security": { - "name": "[concat('Security', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "Security" - }, - "agentHealth": { - "name": "[concat('AgentHealthAssessment', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "AgentHealthAssessment" - }, - "changeTracking": { - "name": "[concat('ChangeTracking', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "ChangeTracking" - }, - "updateMgmt": { - "name": "[concat('Updates', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "Updates" - }, - "sqlAssessment": { - "name": "[concat('SQLAssessment', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "SQLAssessment" - }, - "sqlAdvancedThreatProtection": { - "name": "[concat('SQLAdvancedThreatProtection', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "SQLAdvancedThreatProtection" - }, - "sqlVulnerabilityAssesment": { - "name": "[concat('SQLVulnerabilityAssessment', '(', parameters('workspaceName'), ')')]", - "marketplaceName": 
"SQLVulnerabilityAssessment" - }, - "vmInsights": { - "name": "[concat('VMInsights', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "VMInsights" - },*/ - "securityInsights": { - "name": "[concat('SecurityInsights', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "SecurityInsights" - } - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2018-05-01", - "name": "[take(concat('alz-', 'solutions-', guid(deployment().name)), 63)]", - "resourceGroup": "[parameters('rgName')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "variables": {}, - "resources": [ - /*{ - // Conditionally deploy solution for agent health - "condition": "[equals(parameters('enableAgentHealth'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').agentHealth.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').agentHealth.name]", - "product": "[concat('OMSGallery/', variables('solutions').agentHealth.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - },*/ - /*{ - // Conditionally deploy solution for change tracking - "condition": "[equals(parameters('enableChangeTracking'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').changeTracking.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').changeTracking.name]", - "product": "[concat('OMSGallery/', variables('solutions').changeTracking.marketplaceName)]", - "promotionCode": 
"", - "publisher": "Microsoft" - } - },*/ - /*{ - // Conditionally deploy solution for vm insights - "condition": "[equals(parameters('enableVmInsights'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').vmInsights.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').vmInsights.name]", - "product": "[concat('OMSGallery/', variables('solutions').vmInsights.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - },*/ - /*{ - // Conditionally deploy solution for security - "condition": "[equals(parameters('enableSecuritySolution'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').security.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').security.name]", - "product": "[concat('OMSGallery/', variables('solutions').security.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - },*/ - { - // Conditionally deploy solution for sentinel - "condition": "[equals(parameters('enableSecuritySolution'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').securityInsights.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]", - "sku": { - "name": "Unified" - } - }, - "plan": { - "name": "[variables('solutions').securityInsights.name]", - "product": "[concat('OMSGallery/', variables('solutions').securityInsights.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - }/*, - { - // Conditionally deploy solution for SQL assessment - 
"condition": "[equals(parameters('enableSqlAssessment'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').sqlAssessment.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').sqlAssessment.name]", - "product": "[concat('OMSGallery/', variables('solutions').sqlAssessment.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - },*/ - /*{ - // Conditionally deploy solution for SQL advanced threat protection - "condition": "[equals(parameters('enableSqlAdvancedThreatProtection'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').sqlAdvancedThreatProtection.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').sqlAdvancedThreatProtection.name]", - "product": "[concat('OMSGallery/', variables('solutions').sqlAdvancedThreatProtection.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - },*/ - /*{ - // Conditionally deploy solution for SQL vulnerability protection - "condition": "[equals(parameters('enableSqlVulnerabilityAssessment'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').sqlVulnerabilityAssesment.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').sqlVulnerabilityAssesment.name]", - "product": "[concat('OMSGallery/', variables('solutions').sqlVulnerabilityAssesment.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - },*/ - /*{ - // Conditionally deploy 
solution for update management - "condition": "[equals(parameters('enableUpdateMgmt'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').updateMgmt.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').updateMgmt.name]", - "product": "[concat('OMSGallery/', variables('solutions').updateMgmt.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - }*/ - ] - } - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json index 6f5d8415..811f1b29 100644 --- a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json +++ b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json @@ -19,6 +19,9 @@ }, "retentionInDays": { "type": "String" + }, + "enableSentinel": { + "type": "String" } }, "variables": { @@ -34,7 +37,7 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2018-05-01", + "apiVersion": "2024-03-01", "name": "[variables('deploymentName')]", "resourceGroup": "[parameters('rgName')]", "dependsOn": [ @@ -85,6 +88,20 @@ } } ] + }, + { + // Onboard Sentinel + "condition": "[equals(parameters('enableSentinel'), 'Yes')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.SecurityInsights/onboardingStates", + "name": "default", + "scope": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "dependsOn": [ + "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "customerManagedKey": false + } } ], "outputs": {}
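Review bot: The `dependsOn` of the new `Microsoft.SecurityInsights/onboardingStates` resource names the workspace by its full resource ID, but this template appears to create the workspace only inside the nested `Microsoft.Resources/deployments` resource above (inferred from the surrounding `resources` array; the nested template body is outside the hunk), so the dependency does not refer to a resource declared at this level and may not order the onboarding after workspace creation. Depending on the nested deployment instead, `"[resourceId('Microsoft.Resources/deployments', variables('deploymentName'))]"`, makes the ordering explicit; confirm on a fresh deployment where the workspace does not yet exist. The `scope` expression is repeated verbatim in `dependsOn`; a single variable such as `workspaceResourceId` would keep the two from drifting. The `// Onboard Sentinel` comment could state the scope of what is enabled, e.g. `// Onboard Microsoft Sentinel on the workspace only; no data connectors are configured here`, matching the changelog wording.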