Azure / ALZ-Bicep

This repository contains the Azure Landing Zones (ALZ) Bicep modules that help deliver and deploy the Azure Landing Zone conceptual architecture in a modular approach. https://aka.ms/alz/docs
MIT License

Sentinel Onboarding via `SecurityInsights` solution is deprecated #802

Closed cloudchristoph closed 2 months ago

cloudchristoph commented 3 months ago

What happened? Provide a clear and concise description of the bug, including deployment details.

Currently the activation of Sentinel is done via deployment of the SecurityInsights solution to the Log Analytics Workspace.

This is deprecated and won't work after July 1st (i.e. now). I learned this via e-mail from MS (see screenshot below).

The "new" method uses the OnboardingStates API (see: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-azure-sentinel-new-onboarding-offboarding-api/ba-p/2640471).

We should implement the new method based on this ARM template: https://github.com/Azure/Azure-Sentinel/blob/master/Tools/ARM-Templates/Onboarding/OnboardSentinel.json

This is a first draft - untested for now, but should head us in the right direction:

```bicep
// Parameters added so the draft compiles on its own
param workspaceName string
param workspaceLocation string = resourceGroup().location

resource workspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' = {
  name: workspaceName
  location: workspaceLocation
  tags: {}
  properties: {
    sku: {
      name: 'PerGB2018'
    }
  }
}

// onboardingStates is an extension resource, so it is attached with `scope`;
// the symbolic reference also creates the dependency on the workspace.
resource workspaceName_Microsoft_SecurityInsights_default 'Microsoft.SecurityInsights/onboardingStates@2024-03-01' = {
  name: 'default'
  scope: workspace
  properties: {}
}
```

Best, Christoph


image

Please provide the correlation id associated with your error or bug.

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

What was the expected outcome?

No response

Relevant log output

No response

jtracey93 commented 3 months ago

Thanks for reporting @cloudchristoph, we are looking into this now across all ALZ implementation options.

Would you be interested in submitting a PR to ALZ Bicep for these changes?

cloudchristoph commented 3 months ago

> Would you be interested in submitting a PR to ALZ Bicep for these changes?

Yes. Will develop an update at the end of this week. Sure.
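
An added example, not part of the thread or of ALZ-Bicep: a check for compiled ARM JSON (for instance the output of `bicep build`) that reports whether Sentinel is still enabled through the deprecated `SecurityInsights` solution or through `onboardingStates`. It assumes the legacy path appears as a `Microsoft.OperationsManagement/solutions` resource whose plan product or name contains `SecurityInsights`; the function names and the sample template are constructed for illustration.

```python
import json

# Constructed sample: an ARM JSON template that still deploys the legacy solution
# and also onboards through a nested deployment (names are placeholders).
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.OperationalInsights/workspaces", "name": "law-constructed"},
  {"type": "Microsoft.OperationsManagement/solutions",
   "name": "SecurityInsights(law-constructed)",
   "plan": {"product": "OMSGallery/SecurityInsights", "publisher": "Microsoft"}},
  {"type": "Microsoft.Resources/deployments", "name": "nested",
   "properties": {"template": {"resources": [
     {"type": "Microsoft.SecurityInsights/onboardingStates", "name": "default"}]}}}
]}
""")

def _walk(resources):
    """Yield every resource, descending into child resources and nested deployments."""
    # languageVersion 2.0 templates keep resources in a dict keyed by symbolic name
    items = resources.values() if isinstance(resources, dict) else (resources or [])
    for res in items:
        yield res
        yield from _walk(res.get("resources"))
        props = res.get("properties")
        nested = props.get("template") if isinstance(props, dict) else None
        if isinstance(nested, dict):
            yield from _walk(nested.get("resources"))

def _is_legacy_solution(res):
    """True for the deprecated path (assumed shape: OMS solution for SecurityInsights)."""
    if res.get("type", "").lower() != "microsoft.operationsmanagement/solutions":
        return False
    product = (res.get("plan") or {}).get("product", "")
    return "securityinsights" in f"{product} {res.get('name', '')}".lower()

def audit_sentinel_onboarding(template):
    """Classify how a template enables Sentinel: legacy, onboardingStates, mixed, none."""
    legacy, current = [], []
    for res in _walk(template.get("resources")):
        if _is_legacy_solution(res):
            legacy.append(res.get("name"))
        elif res.get("type", "").lower().endswith("/onboardingstates"):
            current.append(res.get("name"))
    status = ("mixed" if legacy and current else "legacy" if legacy
              else "onboardingStates" if current else "none")
    return {"status": status, "legacy": legacy, "onboardingStates": current}

if __name__ == "__main__":
    print(json.dumps(audit_sentinel_onboarding(SAMPLE), indent=2))
```

A `legacy` or `mixed` result marks a template that still carries the deprecated solution resource and should be reviewed before the next deployment.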