Microsoft Sentinel Blog

Azure Sentinel All-In-One Accelerator

Hesham_Saad (Microsoft)
Feb 02, 2021

Azure Sentinel All in One is a project designed and developed by Javier-Soriano (Senior Program Manager, Microsoft), Hesham_Saad (Sr. CyberSecurity Technical Specialist, Microsoft) and Sreedhar Ande (Program Manager, Microsoft). It speeds up the deployment and initial configuration of an Azure Sentinel environment to just a few clicks, which makes it ideal for Proof of Concept and pilot scenarios, and for connector onboarding where highly privileged users are needed.

 

There are two versions of Sentinel All-In-One: a PowerShell script and an ARM template. There are slight differences in what each one automates, summarized here:

 

PowerShell script
  Data Connectors: Azure Activity, Azure Security Center, Azure Active Directory, Azure Active Directory Identity Protection, Office 365, Microsoft Cloud App Security, Azure Advanced Threat Protection, Microsoft Defender Advanced Threat Protection, Threat Intelligence Platforms
  Analytics Rules: Microsoft Incident Creation rules

ARM template
  Data Connectors: Azure Activity, Azure Security Center, Azure Active Directory Identity Protection, Office 365, Microsoft Cloud App Security, Azure Advanced Threat Protection, Microsoft Defender Advanced Threat Protection, Security Events, Linux Syslog, DNS (Preview), Windows Firewall
  Analytics Rules: Microsoft Incident Creation, Fusion, ML Behavior Analytics, Scheduled

 

Prerequisites

  • Azure user account with enough permissions to enable the required connectors. See the table below for the permissions each connector needs. Write permissions to the workspace are always needed.
  • Some data connectors also require a license to be present in order to be enabled. See the table below.
  • PowerShell Core needs to be installed only if you use the PowerShell version.
  • The Threat Intelligence Platforms connector requires additional setup, documented separately.

The following table summarizes the license, permissions and cost involved in enabling each Data Connector:

 

Data Connector                                License          Permissions                      Cost
Azure Activity                                None             Subscription Reader              Free
Azure Security Center                         ASC Standard     Security Reader                  Free
Azure Active Directory                        Any AAD license  Global Admin or Security Admin   Billed
Azure Active Directory Identity Protection    AAD Premium P2   Global Admin or Security Admin   Free
Office 365                                    None             Global Admin or Security Admin   Free
Microsoft Cloud App Security                  MCAS             Global Admin or Security Admin   Free
Azure Advanced Threat Protection              AATP             Global Admin or Security Admin   Free
Microsoft Defender Advanced Threat Protection MDATP            Global Admin or Security Admin   Free
Threat Intelligence Platforms                 None             Global Admin or Security Admin   Billed
Security Events                               None             None (workspace write only)      Billed
Linux Syslog                                  None             None (workspace write only)      Billed
DNS (preview)                                 None             None (workspace write only)      Billed
Windows Firewall                              None             None (workspace write only)      Billed
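The table above is easy to check by hand for one account, but the deployment fails late (at the connector PUT) if something is missing. The following pre-flight check is an added example, not part of the All-In-One project: it turns the permission column into a test you can run before deploying. It assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount has already run; the role-name lists, the Microsoft Graph call used to read the signed-in user's directory roles, and the function names are ours. License prerequisites cannot be tested this way and are not covered.

```powershell
# Added pre-flight check (not the project's code). Connector kinds use the REST API
# names; the lists below map the table's Permissions column onto concrete role names.
$DirectoryRoleKinds = @('AzureActiveDirectory', 'Office365', 'MicrosoftCloudAppSecurity',
    'AzureAdvancedThreatProtection', 'MicrosoftDefenderAdvancedThreatProtection', 'ThreatIntelligence')
$WorkspaceWriteRoles    = @('Owner', 'Contributor', 'Log Analytics Contributor')
$AcceptedDirectoryRoles = @('Global Administrator', 'Security Administrator')

function Get-MyRbacRoles {
    param([Parameter(Mandatory)][string]$Scope)
    # Returns role names assigned at this scope or inherited from above it.
    # -SignInName needs directory read permission and only works for user accounts.
    $me = (Get-AzContext).Account.Id
    return @(Get-AzRoleAssignment -Scope $Scope -SignInName $me |
             Select-Object -ExpandProperty RoleDefinitionName)
}

function Get-MyDirectoryRoles {
    # Activated Azure AD directory roles of the signed-in user, read via Microsoft Graph.
    $resp = Invoke-AzRestMethod -Method GET -Uri 'https://graph.microsoft.com/v1.0/me/memberOf/microsoft.graph.directoryRole'
    if ($resp.StatusCode -ne 200) { throw "Graph call failed (HTTP $($resp.StatusCode)): $($resp.Content)" }
    return @(($resp.Content | ConvertFrom-Json).value.displayName)
}

function Test-SentinelOnboardingPrerequisites {
    param([Parameter(Mandatory)][string]$WorkspaceResourceId,
          [Parameter(Mandatory)][string[]]$ConnectorKinds)
    $problems = @()

    # Workspace write access is required for every connector.
    $wsRoles = Get-MyRbacRoles -Scope $WorkspaceResourceId
    if (-not ($wsRoles | Where-Object { $WorkspaceWriteRoles -contains $_ })) {
        $problems += "No write role on the workspace (have: $($wsRoles -join ', '))"
    }

    # Azure Activity and Azure Security Center need subscription-scope read roles.
    $subRoles = Get-MyRbacRoles -Scope "/subscriptions/$((Get-AzContext).Subscription.Id)"
    if ($ConnectorKinds -contains 'AzureActivityLog' -and
        -not ($subRoles | Where-Object { $_ -in 'Owner', 'Contributor', 'Reader' })) {
        $problems += 'Azure Activity needs Reader on the subscription'
    }
    if ($ConnectorKinds -contains 'AzureSecurityCenter' -and
        -not ($subRoles | Where-Object { $_ -in 'Owner', 'Contributor', 'Security Reader' })) {
        $problems += 'Azure Security Center needs Security Reader on the subscription'
    }

    # Tenant-level connectors need Global Admin or Security Admin in Azure AD.
    $needsDirectoryRole = @($ConnectorKinds | Where-Object { $DirectoryRoleKinds -contains $_ })
    if ($needsDirectoryRole.Count -gt 0) {
        $dirRoles = Get-MyDirectoryRoles
        if (-not ($dirRoles | Where-Object { $AcceptedDirectoryRoles -contains $_ })) {
            $problems += "$($needsDirectoryRole -join ', ') need Global Admin or Security Admin (have: $($dirRoles -join ', '))"
        }
    }
    return $problems   # an empty result means every check passed
}

# Usage: placeholders below must be replaced with your own workspace and connector list.
$issues = Test-SentinelOnboardingPrerequisites `
    -WorkspaceResourceId '/subscriptions/<subscription_id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>' `
    -ConnectorKinds 'AzureActivityLog', 'AzureSecurityCenter', 'Office365'
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host 'All permission checks passed' }
```

Run it as the account you intend to deploy with; a non-empty result tells you which row of the table you are missing before any resource is created.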

 

ARM template instructions

The template performs the following tasks:

  • Creates resource group (if given resource group doesn't exist yet)
  • Creates Log Analytics workspace (if given workspace doesn't exist yet)
  • Installs Azure Sentinel on top of the workspace (if not installed yet)
  • Enables selected Data Connectors from this list:
    • Azure Activity
    • Azure Security Center
    • Azure Active Directory Identity Protection
    • Office 365 (SharePoint, Exchange and Teams)
    • Microsoft Cloud App Security
    • Azure Advanced Threat Protection
    • Microsoft Defender Advanced Threat Protection
    • Security Events
    • Linux Syslog
    • DNS (Preview)
    • Windows Firewall
  • Enables analytics rules for selected Microsoft 1st party products
  • Enables Fusion rule and ML Behavior Analytics rules for RDP or SSH (if Security Events or Syslog data sources are selected)
  • Enables Scheduled analytics rules that apply to all the enabled connectors

Deployment takes a few minutes if enabling Scheduled analytics rules is selected. If Scheduled rules are not needed, it completes in less than a minute.

 

To create the Scheduled analytics rules, the deployment template uses an ARM deployment script, which requires a user-assigned managed identity. You will see this identity in your resource group when the deployment finishes. It is only needed while the deployment runs, so you can remove it afterwards if you don't want a deployment-time identity to remain in the resource group.
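Deleting the identity from the portal leaves its role assignments behind as orphaned entries. The routine below is an added cleanup example, not part of the All-In-One template: it removes the leftover deploymentScripts resource, the identity's role assignments, and then the identity itself. It assumes Az.Resources and Az.ManagedServiceIdentity are installed and a Connect-AzAccount session exists; the identity name is discovered rather than assumed, and the function name is ours.

```powershell
# Added cleanup example (not the template's code). In a resource group shared with
# other workloads, pass -IdentityName so only the deployment identity is touched.
function Remove-SentinelDeploymentIdentity {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [string]$IdentityName        # optional: limit removal to this identity
    )

    # 1. The deployment script is itself an ARM resource; remove it first so nothing
    #    in the resource group still references the identity.
    Get-AzResource -ResourceGroupName $ResourceGroupName -ResourceType 'Microsoft.Resources/deploymentScripts' |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Remove deployment script')) {
                Remove-AzResource -ResourceId $_.ResourceId -Force | Out-Null
            }
        }

    # 2. Find the identity (or identities) left in the resource group.
    $identities = if ($IdentityName) {
        Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $IdentityName
    } else {
        Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName
    }

    foreach ($id in $identities) {
        # 3. Role assignments are separate resources: deleting the identity alone
        #    leaves orphaned assignments, so remove them explicitly first.
        foreach ($a in Get-AzRoleAssignment -ObjectId $id.PrincipalId) {
            if ($PSCmdlet.ShouldProcess("$($a.RoleDefinitionName) on $($a.Scope)", 'Remove role assignment')) {
                Remove-AzRoleAssignment -ObjectId $id.PrincipalId -RoleDefinitionName $a.RoleDefinitionName -Scope $a.Scope | Out-Null
            }
        }
        # 4. Finally delete the identity itself.
        if ($PSCmdlet.ShouldProcess($id.Name, 'Remove user-assigned identity')) {
            Remove-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $id.Name | Out-Null
        }
    }
}

# Preview with -WhatIf first, then run without it once the deployment has finished.
Remove-SentinelDeploymentIdentity -ResourceGroupName '<resource_group>' -WhatIf
```

Because the function supports ShouldProcess, -WhatIf prints every role assignment and resource it would delete, which is the list you want to review before removing anything from a resource group that also holds the workspace.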

Try it now

Deploy To Azure

 

Powershell script Instructions

The PowerShell script in the Powershell folder (SentinelAllInOne.ps1) takes care of the following steps:

  • Creates resource group (if given resource group doesn't exist yet)
  • Creates Log Analytics workspace (if given workspace doesn't exist yet)
  • Installs Azure Sentinel on top of the workspace (if not installed yet)
  • Enables the following Data Connectors:
    • Azure Activity
    • Azure Security Center
    • Azure Active Directory
    • Azure Active Directory Identity Protection
    • Office 365 (SharePoint, Exchange and Teams)
    • Microsoft Cloud App Security
    • Azure Advanced Threat Protection
    • Microsoft Defender Advanced Threat Protection
    • Threat Intelligence Platforms
  • Enables Analytics Rules for enabled Microsoft 1st party products

 

Getting started

These instructions show what you need to know to use the PowerShell version of Sentinel All in One.

Prerequisites

The prerequisites are the same as those listed in the Prerequisites section above: PowerShell Core, an Azure user account with the permissions shown in the table above for each connector you want to enable, the licenses listed in that table, and the additional setup for the Threat Intelligence Platforms connector.

Usage

Once you have PowerShell Core installed on your machine, you need just two files from the GitHub repo:

  • connectors.json - contains all the connectors that will be enabled. If you don't want some of the connectors to be enabled, just remove them from your copy of the file.

  • SentinelAllInOne.ps1 - script that automates all the steps outlined above.

The script uses your current Azure context. If you want to use a different subscription, change the context before executing the script, for example with Connect-AzAccount -SubscriptionId <subscription_id> (or Set-AzContext -SubscriptionId <subscription_id> if you are already logged in).

Open a PowerShell Core terminal, navigate to the folder where these two files are located and execute SentinelAllInOne.ps1. You will be asked to enter the following parameters:

 

  • Resource Group - Resource Group that will contain the Azure Sentinel environment. If the provided resource group already exists, the script will skip its creation.
  • Workspace - Name of the Azure Sentinel workspace. If it already exists, the script will skip its creation.
  • Location - Location for the resource group and Azure Sentinel workspace.

If you are not logged in already, the script will ask you to log in to your Azure account. Make sure you have the right permissions to enable the connectors specified in the connectors.json file.

The script will then iterate through the connectors specified in the connectors.json file and enable them. It will also enable the corresponding Microsoft analytics rules.
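What that loop does under the hood is a PUT per connector against the Microsoft.SecurityInsights dataConnectors REST API. The block below is an added example, not the project's own script: it reproduces the loop (read the connector list, skip connectors that are already enabled, create the rest) and surfaces the service's error body, which is what you need when a license or permission from the table is missing. It assumes Az.Accounts is installed and Connect-AzAccount has run; the connector kinds and property shapes follow api-version 2020-01-01 of that API, the JSON shown is a constructed stand-in for connectors.json (the project's real file may use a different layout), and the function names are ours. Note that in this API the kind AzureActiveDirectory is the Identity Protection connector; the Azure AD sign-in and audit log connector is configured through Azure AD diagnostic settings instead.

```powershell
# Added example (not the All-In-One script). Requires Az.Accounts and an Azure context.
$ApiVersion = '2020-01-01'

function New-ConnectorBody {
    # Builds the request body for one connector kind (shapes per api-version 2020-01-01).
    param([Parameter(Mandatory)][string]$Kind,
          [Parameter(Mandatory)][string]$SubscriptionId,
          [Parameter(Mandatory)][string]$TenantId)
    $on = @{ state = 'Enabled' }
    $props = switch ($Kind) {
        'AzureActivityLog'    { @{ linkedResourceId = "/subscriptions/$SubscriptionId/providers/microsoft.insights/eventtypes/management" } }
        'AzureSecurityCenter' { @{ subscriptionId = $SubscriptionId; dataTypes = @{ alerts = $on } } }
        'Office365'           { @{ tenantId = $TenantId; dataTypes = @{ exchange = $on; sharePoint = $on; teams = $on } } }
        'ThreatIntelligence'  { @{ tenantId = $TenantId; dataTypes = @{ indicators = $on } } }
        # Identity Protection (AzureActiveDirectory), AATP, MDATP and MCAS share the alerts shape.
        { $_ -in 'AzureActiveDirectory', 'AzureAdvancedThreatProtection',
                 'MicrosoftDefenderAdvancedThreatProtection', 'MicrosoftCloudAppSecurity' } {
            @{ tenantId = $TenantId; dataTypes = @{ alerts = $on } }
        }
        default { throw "Unsupported connector kind '$Kind' (the Azure AD log connector uses AAD diagnostic settings, not this API)" }
    }
    return @{ kind = $Kind; properties = $props }
}

function Enable-SentinelDataConnector {
    param([Parameter(Mandatory)][string]$WorkspaceResourceId,
          [Parameter(Mandatory)][string]$Kind,
          [switch]$DryRun)
    $ctx  = Get-AzContext
    $base = "$WorkspaceResourceId/providers/Microsoft.SecurityInsights/dataConnectors"

    # Idempotency: the script is meant to be re-runnable, so look for an existing
    # connector of this kind before creating another one.
    $list = Invoke-AzRestMethod -Method GET -Path "$($base)?api-version=$ApiVersion"
    if ($list.StatusCode -eq 200) {
        $existing = ($list.Content | ConvertFrom-Json).value | Where-Object kind -eq $Kind
        if ($existing) { Write-Host "$Kind is already enabled ($($existing[0].name))"; return $existing[0] }
    }

    $body = New-ConnectorBody -Kind $Kind -SubscriptionId $ctx.Subscription.Id -TenantId $ctx.Tenant.Id
    $json = $body | ConvertTo-Json -Depth 6
    $path = "$base/$([guid]::NewGuid())?api-version=$ApiVersion"   # connector name is a new GUID
    if ($DryRun) { Write-Host "PUT $path`n$json"; return $null }

    $resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $json
    if ($resp.StatusCode -notin 200, 201) {
        # Include the response body: a bare status code hides license and permission failures.
        throw "Unable to enable $Kind (HTTP $($resp.StatusCode)): $($resp.Content)"
    }
    return $resp.Content | ConvertFrom-Json
}

# Constructed stand-in for connectors.json; the project's real file may be laid out differently.
$connectorsJson = '{ "connectors": [ { "kind": "AzureActivityLog" }, { "kind": "AzureSecurityCenter" }, { "kind": "Office365" } ] }'
$workspaceId = '/subscriptions/<subscription_id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>'
foreach ($c in ($connectorsJson | ConvertFrom-Json).connectors) {
    # Drop -DryRun to actually send the PUT requests.
    Enable-SentinelDataConnector -WorkspaceResourceId $workspaceId -Kind $c.kind -DryRun
}
```

With -DryRun the loop only prints the path and body of each PUT, which is a convenient way to confirm the subscription and tenant picked up from your Azure context before anything is created.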

The following GIF shows the execution process:

 


Download the project's package from the GitHub repo, then follow the usage guide and the GIF below:

 

 

Get started today!

 

We encourage you to try it now and bring this next generation of SIEM to your environment. You can also contribute new connectors, workbooks, analytics and more to Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.

Updated Nov 03, 2021
Version 5.0
  • mikhailf (Steel Contributor)

    For those who have an issue with the PowerShell script.

    This is the answer from Microsoft Tech Support:

    "We checked the issue with our PG team and they have acknowledged the issue and they will be working on it and there is no TAT provided for the same as the tech community is on best effort basis. As a workaround you can use ARM button from the document which is working as expected."

  • mikhailf (Steel Contributor)

    Good day to all,

     

    Hesham_Saad, thank you for sharing this with the Microsoft community.

     

    We are trying to use the PowerShell script in order to deploy Sentinel and connect MS systems to it. 

    1. We found that in line 66 of the PowerShell script, -Sku Standard is unnecessary. Before we removed it, we had errors while creating the Workspace and Sentinel.

    2. While connecting Microsoft systems, we have the following error: 

     

    AzureSecurityCenter data connector is not enabled yet
    Enabling data connector AzureSecurityCenter
    Write-Error: /home/mikhail/SentinelallInOne1.ps1:285
    Line285 | EnableOrUpdateDataconnector $baseUri $connectorProperties.gui …
    Unable to enable data connector AzureSecurityCenter with error:

     

    The only connector that doesn't show it is AzureActivityLog.

     

    And the most interesting thing here is that after all errors, Sentinel has all connectors connected and working properly.

     

    Has anyone experienced the same behaviour?

  • AndrePKI (Iron Contributor)

    Maybe not a Sentinel question per se, but we are looking how to deploy the associated roles and rights (perhaps from a json source file) for

    • tier 1 Analyst
    • tier 2 Analyst
    • tier 3 Analyst/threat hunter
    • technical management (i.e. responsible for Sentinel configuration, like adding data connectors etc)
    • notebook/workbook/playbook developers
    • notebook/workbook/playbook users (overlapping with tier1/2/3 Analysts)
    • ...

    This would map (most likely not 1:1) to the Sentinel roles (Azure Sentinel Reader/Responder/Contributor/Automation Contributor) as well as to several ARM RBAC roles at subscription/resource group/workspace levels and of course things like Reader on the source subscriptions connected.

    We are seeking advice on how to do this, and how to automate it as much as possible. Of course, I am aware that some things cannot be known/configured beforehand, like some additional rights in AAD for the AAD data connector (e.g. read and write permissions to AAD diagnostic settings), or maybe this can be added per data connector.

     

    The ultimate goal would be to manage the entire set-up of Sentinel from code.

     

    Any ideas, suggestions, and/or code? Most appreciated

  • Mikko_Koivunen (Copper Contributor)

    The script is helpful, but you might want to check the license prerequisites for Azure AD connector. It is a bit unfortunate that almost all Microsoft blog posts and documents claim that you can use the AAD connector with any license, when in fact the Data Connector wants to see P1 or P2 before it allows to be activated.

  • All this could have been easier if Sentinel had ARM template support and you could do any configuration with an ARM template.