Deployment via Azure Lighthouse

[BlydCL]

Hi,

My team and I are great fans of the Microsoft Sentinel Triage AssistanT (STAT) and have managed to deploy it with great success. However, we have not managed yet to deploy STAT via Azure Lighthouse. Do you know whether it is actually possible to deploy STAT via Azure Ligthouse? So far we have had to deploy the instance in each of our customer's dedicated tenant.

Thank you for your time.

Kevin Blijd

[briandelmsft]

Hi @BlydCL,

Glad to hear it! It's not really possible to deploy STAT with Lighthouse today. The System assigned managed identities are the main reason for that (though there's a few others) since they can't be granted permissions across tenants. But, Lighthouse support is coming, and soon. We're currently finishing up a v2 release which will include this capability among other new features.

To use this, you will need 2 things

1. A multi-tenant service principal in your management tenant with access to the customer/lighthouse tenants
2. A way to identify which tenant ids the incidents came from, so that STAT knows which tenant to authenticate to as the incident trigger data does not include tenant Ids. This could be done by creating your own mapping based on any of the incident trigger data, such as the subscription/workspace id and then looking it up against a watchlist or other store where you keep those mappings

You can see more on this feature in #360

We expect to have a preview build out soon

[briandelmsft]

@BlydCL

STAT v2 Preview is ready for you to try. This is a major move forward from previous versions of STAT, now using an Azure Functions backend and Logic Apps front end. The look and feel is the same as v1, but the improvements on the backend are substantial. This is also a complete rewrite of all of the backend functionality, so do be aware there may be some undiscovered bugs, though there are no known issues in this build. If you encounter any bugs, or even unexpected changes in functionality from previous version please open an issue no matter how small the issue may be.

This build includes the following new features:

• Backend of STAT is now using Azure Functions instead of Logic apps
• Support for User Assigned Managed Identities, Service Principal and Multi Tenant service principal authentication (in addition to existing system assigned managed id support)
• Support for the Sentinel Alert trigger (in addition to existing incident trigger)
• Ability to create a new Sentinel incident from an alert and automatically link the alert
• Additional performance and other minor improvements

The Preview deployment can be found only in the statv2_preview branch of this repo as well as supporting documentation. That includes documentation specific to multi-tenant/MSSP scenarios.

The main branch does not contain any information about v2 at this time, so ensure you select the correct branch.