Automate Resource Deployment for TIC 3.0 Compliance - Log Reporting
Published Nov 10 2023 12:52 PM


The purpose of this article is to show how you can automate the deployment of the resources needed to set up log reporting to the CISA TALON, which is part of the TIC 3.0 compliance requirements. There are many published resources on TIC 3.0 compliance (listed at the end of this article), but this article focuses specifically on automating the deployment of the resources required for that log reporting.



Prerequisites

Working-level knowledge of Azure Event Hubs, Microsoft Entra, and automated Azure deployments.


Deployment Steps

This solution uses Azure PowerShell, Azure CLI, and Azure Bicep to deploy the resources required to set up log reporting to the CISA TALON. The code described here is published on GitHub HERE.


Here is a list of the actions taken by the code:


  • Set up the deployment environment (PowerShell, Bicep, CLI, etc.)
  • Logging of Activities/Errors
  • Validate Resource Group
  • Validate/Create Entra Service Principal
  • Validate/Upload Certificate to Entra Service Principal
  • Execute Bicep Deployment
  • Validate/Create Azure Event Hub
  • Validate/Create Azure Event Hub Namespace
  • Create Required RBAC Role Assignment


Executing the Code

Note: The PowerShell modules Az.Accounts and Az.Resources, the Az CLI, and Bicep must be installed at their current versions before executing the script. The script assumes all files are stored in the same directory.


You will need to launch the PowerShell script (TIC3-Talon-Build-Launcher.ps1) to execute the build. The script performs some validation and some resource creation, and then calls the Bicep template to complete the build. Before launching it, read the help section at the top of the script or run "Get-Help .\TIC3-Talon-Build-Launcher.ps1". You must either set your values in the "Param" section of the script OR pass them as command-line arguments. As documented in the script's PowerShell help, the input parameters are as follows:



  • Azure AD Application Name. The name must be unique. Default value is "My-Talon-Test-App".
  • Azure AD Tenant ID where the app will be installed.
  • Path to the certificate to install in the AAD App. The cert must be in ".cer" format.
  • Event Hub name.
  • Resource Group name.
  • Path to the Bicep template.
  • AzureEnvironment: the Azure environment. Default is AzureCloud (Commercial). For Azure US Government, use AzureUSGovernment.
  • Azure Subscription ID.
  • Output log for this script. The default value is "./CDS-Log-Forwarding-CSSP.log".



An example of a command-line launch of the script would be:



	.\TIC3-Talon-Build-Launcher.ps1 -AADAppName "My-Talon-Test-App" -AzureSubID "My-Subscription-ID" -AADTenantID "My-AAD-Tenant-ID"



Once the code execution is complete, you should validate the build by reviewing the output log from the script and by checking your Azure resources to see if they are present as expected.
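As an added illustration of the flow described above (this is not the launcher script published on GitHub), the following PowerShell walks the same steps: validate the resource group, validate/create the Entra application and service principal, attach the ".cer" as a certificate credential instead of a client secret, run the Bicep deployment, and create a scoped RBAC assignment. It assumes hypothetical Bicep names (an eventHubName parameter and an eventHubId output) and assumes the built-in Azure Event Hubs Data Receiver role is the one TALON needs; adjust to the role the TIC 3.0 guidance specifies.

```powershell
# Added example, not the project's own code. Requires Az.Accounts, Az.Resources and the Bicep CLI.
param(
    [string]$AADAppName       = 'My-Talon-Test-App',
    [Parameter(Mandatory)][string]$AADTenantID,
    [Parameter(Mandatory)][string]$AzureSubID,
    [string]$AzureEnvironment = 'AzureCloud',          # 'AzureUSGovernment' for Azure Government
    [string]$ResourceGroup    = 'rg-talon-logging',     # constructed sample value
    [string]$EventHubName     = 'talon-logs',           # constructed sample value
    [string]$CertPath         = './talon-app.cer',      # public cert only, DER or PEM
    [string]$BicepTemplate    = './main.bicep',         # hypothetical template path
    [string]$RoleName         = 'Azure Event Hubs Data Receiver',  # assumed role, see lead-in
    [string]$LogFile          = './CDS-Log-Forwarding-CSSP.log'
)
$ErrorActionPreference = 'Stop'
Start-Transcript -Path $LogFile -Append                 # log every action and error
try {
    Connect-AzAccount -Environment $AzureEnvironment -Tenant $AADTenantID -Subscription $AzureSubID | Out-Null

    # Validate the resource group before deploying anything into it.
    if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
        throw "Resource group '$ResourceGroup' not found; create it first."
    }

    # Validate/create the Entra application and its service principal (safe to re-run).
    $app = Get-AzADApplication -DisplayName $AADAppName
    if (-not $app) { $app = New-AzADApplication -DisplayName $AADAppName }
    $sp = Get-AzADServicePrincipal -ApplicationId $app.AppId
    if (-not $sp) { $sp = New-AzADServicePrincipal -ApplicationId $app.AppId }

    # Upload the certificate as the app credential; no client secret is ever created.
    # X509Certificate2 accepts both DER and base64 ".cer" files, so the raw bytes are re-encoded once.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    if ((Get-AzADAppCredential -ApplicationId $app.AppId).Count -eq 0) {   # simple guard against duplicates
        New-AzADAppCredential -ApplicationId $app.AppId `
            -CertValue ([Convert]::ToBase64String($cert.GetRawCertData())) `
            -StartDate $cert.NotBefore -EndDate $cert.NotAfter | Out-Null
    }

    # Deploy the Event Hub namespace and hub from the Bicep template (hypothetical parameter/output names).
    $dep = New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroup -TemplateFile $BicepTemplate `
        -TemplateParameterObject @{ eventHubName = $EventHubName }
    $hubId = $dep.Outputs['eventHubId'].Value

    # Least privilege: scope the assignment to the single hub, not the namespace or subscription.
    if (-not (Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName -Scope $hubId)) {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName -Scope $hubId | Out-Null
    }
    Write-Output "Build complete: application $($app.AppId) has '$RoleName' on $hubId"
}
finally { Stop-Transcript }
```

After it runs, the transcript in the log file and the Azure portal (app registration, its certificate, the Event Hub and the role assignment) are the artifacts to review, as the article recommends.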


Note:  This code was created based on instructions to configure log reporting for TIC 3.0 compliance.  If there are any changes to this process, they may not be reflected in this code as this code was created based on a specific version of the configuration.



Implement TIC 3.0 compliance - Azure Architecture Center | Microsoft Learn

Trusted Internet Connections guidance - Azure Government | Microsoft Learn

Monitor Zero Trust (TIC 3.0) security architectures with Microsoft Sentinel | Microsoft Learn

Federal-App-Innovation-Community/topics/infrastructure at main · microsoft/Federal-App-Innovation-Co...


Special Thanks to @Laura Hutchcroft  for the assist.

