Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Mimecast API integration is creating new log analytic workspace.. #9256

Closed AkshayPadekar closed 11 months ago

AkshayPadekar commented 11 months ago

Hi,

I have tried the Azure deploy function app code for the Mimecast SEG and Microsoft Sentinel integration. I have an existing Sentinel in my tenant where I want to deploy the Mimecast SEG data connector through the function app. During this process, I tried to deploy azuredeploy_MimecastSEG_AzureFunctionApp.json through custom deployment, but it is creating a new Log Analytics workspace in my tenant. I tried to put in my existing workspace key and ID, but it is not accepting them. Can you please guide me on how I can deploy this connector in my existing Log Analytics workspace?

github-actions[bot] commented 11 months ago

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

v-muuppugund commented 11 months ago

Hi @AkshayPadekar, thanks for flagging this issue. We will investigate it and get back to you with some updates by 27Oct23. Thanks!

v-muuppugund commented 11 months ago

Hi @AkshayPadekar, I tried to deploy the Mimecast SEG API through custom deployment: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Data%20Connectors/azuredeploy_MimecastSEG_AzureFunctionApp.json. Please find the screenshot below for reference. [image]

We are using Key Vault parameters for the Log Analytics workspace key and ID. Please find the screenshot below for reference. [image]

Please try to redeploy using the same template and let me know if there are any issues.

AkshayPadekar commented 11 months ago

Yes, you are right. In the code, we can see it is taking the value from the Key Vault, but while deploying through custom deployment we are getting options to fill in the required details as you have shared in the snap, and it is not asking for the workspace details. And if I create a new key vault and save these details there, while deploying it again creates a new key vault.

Could you please guide me on how I can use my existing workspace key and ID while deploying it using a custom template?

v-muuppugund commented 11 months ago

@AkshayPadekar Thanks for your query above. We will check on it and get back to you by 02Nov23.

v-muuppugund commented 11 months ago

@AkshayPadekar The following are the two options for achieving it:

  1. Use the existing key vault, updating the existing secrets in the key vault with the log-analytics-workspace-id and log-analytics-workspace-key values, then restart the function app.
  2. Change the ARM template input parameters to collect the Log Analytics workspace ID and key.

Please let me know if you have any questions on it.
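
Option 1 from the comment above, scripted with the Azure CLI, as an added example that is not part of the original thread or the Azure-Sentinel repo. The two secret names are the ones quoted in the comment; the resource group, workspace, vault and function app names are arguments you supply, and the script assumes your identity may set secrets on the vault the function app reads from.

```shell
#!/bin/sh
# Added example: repoint the Mimecast SEG function app at an existing workspace.
# Secret names are the two named in the thread; every resource name is an
# argument supplied by the caller (nothing here is taken from the template).

# set_secret <vault> <secret-name> <value>
set_secret() {
    # mktemp creates the file with mode 0600; passing the value via --file
    # keeps the workspace key out of process arguments and shell history.
    tmp=$(mktemp) || return 1
    printf '%s' "$3" > "$tmp"
    az keyvault secret set --vault-name "$1" --name "$2" \
        --file "$tmp" --encoding utf-8 --output none
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# point_connector_at_workspace <ws-rg> <ws-name> <vault> <app-rg> <app-name>
point_connector_at_workspace() {
    ws_rg=$1; ws_name=$2; vault=$3; app_rg=$4; app_name=$5

    # Workspace ID (customerId) and primary key of the existing workspace.
    ws_id=$(az monitor log-analytics workspace show \
        --resource-group "$ws_rg" --workspace-name "$ws_name" \
        --query customerId --output tsv) || return 1
    ws_key=$(az monitor log-analytics workspace get-shared-keys \
        --resource-group "$ws_rg" --workspace-name "$ws_name" \
        --query primarySharedKey --output tsv) || return 1

    # Never overwrite working secrets with an empty lookup result.
    if [ -z "$ws_id" ] || [ -z "$ws_key" ]; then
        echo "workspace lookup returned an empty ID or key" >&2
        return 1
    fi

    set_secret "$vault" log-analytics-workspace-id "$ws_id" || return 1
    set_secret "$vault" log-analytics-workspace-key "$ws_key" || return 1
    unset ws_key

    # Restart so the function app picks up the new secret values.
    az functionapp restart --resource-group "$app_rg" --name "$app_name"
}

# Runs only when all five arguments are given on the command line.
if [ "$#" -eq 5 ]; then
    point_connector_at_workspace "$@"
fi
```

Each `az keyvault secret set` call creates a new secret version, so the previous workspace values remain recoverable from the vault's version history.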

v-sudkharat commented 11 months ago

Hi @AkshayPadekar, hope you are doing well. Could you please have a look at the above comment and share your response with us? Thanks!

v-muuppugund commented 11 months ago

Hi @AkshayPadekar, since we have not received a response in the last 5 days, we are closing your issue (https://github.com/Azure/Azure-Sentinel/issues/9256) as per our standard operating procedures. If you still need support for this issue, feel free to re-open it at any time. Thank you for your co-operation!