Purpose
The purpose of this article is to show how to automate deploying the resources needed to set up log reporting to the CISA TALON, which is part of the TIC 3.0 compliance requirements. There are many published resources on TIC 3.0 compliance (listed under Resources below); this article focuses specifically on automating the deployment of the resources required for that log reporting.
Assumptions
Working level knowledge of Azure Event Hub, Entra, and Azure automated deployments.
Deployment Steps
This solution uses Azure PowerShell, Azure CLI, and Azure Bicep to deploy the resources required to set up log reporting to the CISA TALON. The code described is published on GitHub HERE.
The code performs the following actions:
- Setup Deployment Environment (PowerShell, Bicep, CLI, etc)
- Logging of Activities/Errors
- Validate Resource Group
- Validate/Create Entra Service Principal
- Validate/Upload Certificate to Entra Service Principal
- Execute Bicep Deployment
- Validate/Create Azure Event Hub
- Validate/Create Azure Event Hub Namespace
- Create Required RBAC Role Assignment
Executing the Code
Note: The PowerShell modules Az.Accounts and Az.Resources, the Azure CLI, and Bicep must be installed at a current version before running the script. The script assumes all files are stored in the same directory.
Launch the PowerShell script (TIC3-Talon-Build-Launcher.ps1) to run the build. The script performs some validation and creation steps, then calls the Bicep template to complete the build. Before launching it, read the help section at the top of the script or run "Get-Help TIC3-Talon-Build-Launcher.ps1". Set the appropriate values in the "Param" section of the script OR pass them as command-line arguments. As documented in the script's PowerShell help, the input parameters are as follows:
.PARAMETER AADAppName
This parameter is for the Azure AD Application Name. The name must be unique. Default value is "My-Talon-Test-App".
.PARAMETER AADTenantID
This parameter is for the Azure AD Tenant ID where the app will be installed.
.PARAMETER CertPath
This parameter is for the path to the certificate to install in the AAD App. The certificate must be in ".cer" format.
.PARAMETER EvtHubName
This parameter is for the Event Hub name.
.PARAMETER RGName
This parameter is for the Resource Group name.
.PARAMETER Bicep
This parameter is for the path to the Bicep Template.
.PARAMETER AzureEnvironment
This parameter is for the Azure Environment. Default is AzureCloud (Commercial). For Azure USGov, use AzureUSGovernment.
.PARAMETER AzureSubID
This parameter is for the Azure Subscription ID.
.PARAMETER OutputFile
This parameter is for the output log for this script. The default value is "./CDS-Log-Forwarding-CSSP.log".
An example of a command-line launch of the script would be:
.EXAMPLE
.\TIC3-Talon-Build-Launcher.ps1 -AADAppName "My-Talon-Test-App" -AzureSubID "My-Subscription-ID" -AADTenantID "My-AAD-Tenant-ID"
Once the script completes, validate the build by reviewing its output log and by checking that the expected Azure resources are present.
Note: This code was created from a specific version of the instructions for configuring log reporting for TIC 3.0 compliance. If that process changes, the changes may not be reflected in this code.
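The validate/create flow the launcher follows, as an added example written for this article rather than the published script itself. It assumes you are already connected with Connect-AzAccount to the correct subscription and environment, that the Bicep template takes parameters named namespaceName and eventHubName, and that the role the CISA reader principal needs on the hub is "Azure Event Hubs Data Receiver" (the article does not name the role).

```powershell
# Added example: an idempotent launcher sketch, not the article's published script.
# Assumes Az.Accounts and Az.Resources are installed, Bicep CLI is on PATH, and
# Connect-AzAccount has already been run against the right subscription and environment.
param(
    [string]$AADAppName = "My-Talon-Test-App",
    [Parameter(Mandatory)][string]$CertPath,      # public-key .cer file only
    [Parameter(Mandatory)][string]$RGName,
    [Parameter(Mandatory)][string]$EvtHubName,
    [Parameter(Mandatory)][string]$EvtHubNamespace,
    [Parameter(Mandatory)][string]$Bicep,
    # Assumption: the role the CISA reader principal needs on the hub. The article does not name it.
    [string]$RoleName = "Azure Event Hubs Data Receiver",
    [string]$OutputFile = "./CDS-Log-Forwarding-CSSP.log"
)
$ErrorActionPreference = "Stop"
function Write-Log([string]$Msg) { "$(Get-Date -Format o) $Msg" | Tee-Object -FilePath $OutputFile -Append }
# 1. Validate the resource group exists; do not create one silently in the wrong place.
if (-not (Get-AzResourceGroup -Name $RGName -ErrorAction SilentlyContinue)) {
    throw "Resource group '$RGName' not found in subscription $((Get-AzContext).Subscription.Id)."
}

# 2. Validate/create the Entra application and its service principal.
$app = Get-AzADApplication -DisplayName $AADAppName
if (-not $app) { $app = New-AzADApplication -DisplayName $AADAppName; Write-Log "Created app $($app.AppId)" }
$sp = Get-AzADServicePrincipal -ApplicationId $app.AppId
if (-not $sp) { $sp = New-AzADServicePrincipal -ApplicationId $app.AppId; Write-Log "Created SP $($sp.Id)" }

# 3. Upload the certificate as the app credential. Refuse anything carrying a private key:
#    only the public half belongs in Entra, and the credential expires with the cert.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
if ($cert.HasPrivateKey) { throw "Supply the public .cer file, not one containing the private key." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) is already expired." }
$certValue = [Convert]::ToBase64String($cert.GetRawCertData())
New-AzADAppCredential -ApplicationId $app.AppId -CertValue $certValue `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter | Out-Null
Write-Log "Uploaded certificate $($cert.Thumbprint) to app $($app.AppId)"

# 4. Run the Bicep template. Parameter names are assumptions about the template's contract.
$deploy = New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile $Bicep `
    -TemplateParameterObject @{ namespaceName = $EvtHubNamespace; eventHubName = $EvtHubName }
if ($deploy.ProvisioningState -ne "Succeeded") { throw "Bicep deployment ended in $($deploy.ProvisioningState)" }

# 5. Least privilege: scope the role assignment to this one event hub, not the namespace or subscription.
$hubScope = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$RGName" +
            "/providers/Microsoft.EventHub/namespaces/$EvtHubNamespace/eventhubs/$EvtHubName"
if (-not (Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName -Scope $hubScope)) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName -Scope $hubScope | Out-Null
    Write-Log "Assigned '$RoleName' to $($sp.Id) at $hubScope"
}
```

Every step is safe to re-run: existing objects are reused, and a mismatch (missing resource group, a .pfx passed where a .cer is expected, a failed deployment) stops the script before the role assignment is made.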
Resources
Implement TIC 3.0 compliance - Azure Architecture Center | Microsoft Learn
Trusted Internet Connections guidance - Azure Government | Microsoft Learn
Monitor Zero Trust (TIC 3.0) security architectures with Microsoft Sentinel | Microsoft Learn
https://www.cisa.gov/resources-tools/programs/trusted-internet-connections-tic
https://www.cisa.gov/publication/tic-30-core-guidance-documents
Special Thanks to LMHutch for the assist.