Azure Sentinel All in One is a project designed and developed by @Javier-Soriano (Senior Program Manager - Microsoft), @Hesham Saad (Sr. CyberSecurity Technical Specialist - Microsoft) & @Sreedhar Ande (Program Manager - Microsoft) that seeks to speed up deployment and initial configuration tasks of an Azure Sentinel environment in just a few clicks! This is ideal for Proof of Concept and Pilot scenarios, and for connector onboarding when highly privileged users are needed.
There are two versions of Sentinel All-In-One: a PowerShell script and an ARM template. There are slight differences in what gets automated with each. We summarize them here:
All-In-One version | Data Connectors | Analytics Rules |
---|---|---|
PowerShell script | Azure Activity, Azure Security Center, Azure Active Directory, Azure Active Directory Identity Protection, Office 365, Microsoft Cloud App Security, Azure Advanced Threat Protection, Microsoft Defender Advanced Threat Protection, Threat Intelligence Platforms | Microsoft Incident Creation rules |
ARM template | Azure Activity, Azure Security Center, Azure Active Directory Identity Protection, Office 365, Microsoft Cloud App Security, Azure Advanced Threat Protection, Microsoft Defender Advanced Threat Protection, Security Events, DNS (Preview), Windows Firewall | Microsoft Incident Creation, Fusion, ML Behavior Analytics, Scheduled |
The following table summarizes the licenses and permissions needed, and the related cost, to enable each Data Connector:
Data Connector | License | Permissions | Cost |
---|---|---|---|
Azure Activity | None | Subscription Reader | Free |
Azure Security Center | ASC Standard | Security Reader | Free |
Azure Active Directory | Any AAD license | Global Admin or Security Admin | Billed |
Azure Active Directory Identity Protection | AAD Premium 2 | Global Admin or Security Admin | Free |
Office 365 | None | Global Admin or Security Admin | Free |
Microsoft Cloud App Security | MCAS | Global Admin or Security Admin | Free |
Azure Advanced Threat Protection | AATP | Global Admin or Security Admin | Free |
Microsoft Defender Advanced Threat Protection | MDATP | Global Admin or Security Admin | Free |
Threat Intelligence Platforms | None | Global Admin or Security Admin | Billed |
Security Events | None | None | Billed |
Linux Syslog | None | None | Billed |
DNS (preview) | None | None | Billed |
Windows Firewall | None | None | Billed |
The template performs the following tasks:
It takes around a few minutes to deploy if enabling Scheduled analytics rules is selected. If Scheduled rules are not needed, it will complete in less than 1 minute.
In order to create the Scheduled analytics rules, the deployment template uses an ARM deployment script, which requires a user-assigned identity. You will see this resource in your resource group when the deployment finishes. You can remove it after deployment if desired.
The PowerShell script inside the Powershell folder (SentinelAllInOne.ps1) takes care of the following steps:
These instructions will show you what you need to know to use Sentinel All in One.
The following table summarizes permissions, licenses needed and cost to enable each Data Connector:
Data Connector | License | Permissions | Cost |
---|---|---|---|
Azure Activity | None | Reader | Free |
Azure Security Center | ASC Standard | Security Reader | Free |
Azure Active Directory | Any AAD license | Global Admin or Security Admin | Billed |
Azure Active Directory Identity Protection | AAD Premium 2 | Global Admin or Security Admin | Free |
Office 365 | None | Global Admin or Security Admin | Free |
Microsoft Cloud App Security | MCAS | Global Admin or Security Admin | Free |
Azure Advanced Threat Protection | AATP | Global Admin or Security Admin | Free |
Microsoft Defender Advanced Threat Protection | MDATP | Global Admin or Security Admin | Free |
Threat Intelligence Platforms | None | Global Admin or Security Admin | Billed |
Once you have PowerShell Core installed on your machine, you just need two files from this repo:
connectors.json - contains all the connectors that will be enabled. If you don't want some of the connectors to be enabled, just remove them from your copy of the file.
SentinelAllInOne.ps1 - script that automates all the steps outlined above.
The script uses your current Azure context. If you want to change the subscription you want to use, make sure you do that before executing the script. You can use Connect-AzAccount -SubscriptionId <subscription_id> to do that.
Open a PowerShell Core terminal, navigate to the folder where these two files are located and execute SentinelAllInOne.ps1. You will be asked to enter the following parameters:
If not logged in already, the script will ask you to log in to your Azure account. Make sure you have the right permissions to enable the connectors specified in the connectors.json file.
The script will then iterate through the connectors specified in the connectors.json file and enable them. It will also enable the corresponding Microsoft analytics rules.
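Before running SentinelAllInOne.ps1 with a highly privileged account, the following added pre-flight script (not part of the repository) reads your copy of connectors.json, checks that the current Azure context points at the intended subscription, and lists the permission and cost each selected connector requires according to the table above, so you can confirm whether Global Admin / Security Admin is really needed and which connectors will be billed. It assumes connectors.json has the shape `{ "connectors": [ { "kind": "AzureActivity" }, ... ] }` and that the kind names in the hashtable match your copy of the file; adjust them if they differ.

```powershell
# Added pre-flight check; not part of the Sentinel All-In-One repository.
# Assumes the Az.Accounts module is installed and connectors.json looks like
# { "connectors": [ { "kind": "AzureActivity" }, ... ] }  (assumed shape).
param(
    [string]$ConnectorsFile = ".\connectors.json",
    [string]$ExpectedSubscriptionId          # optional guard against the wrong context
)

# Permission and cost per connector, copied from the table above.
# Kind names are assumptions; align them with your connectors.json.
$requirements = @{
    'AzureActivity'                            = @{ Permission = 'Reader';                          Cost = 'Free'   }
    'AzureSecurityCenter'                      = @{ Permission = 'Security Reader';                 Cost = 'Free'   }
    'AzureActiveDirectory'                     = @{ Permission = 'Global Admin or Security Admin';  Cost = 'Billed' }
    'AzureActiveDirectoryIdentityProtection'   = @{ Permission = 'Global Admin or Security Admin';  Cost = 'Free'   }
    'Office365'                                = @{ Permission = 'Global Admin or Security Admin';  Cost = 'Free'   }
    'MicrosoftCloudAppSecurity'                = @{ Permission = 'Global Admin or Security Admin';  Cost = 'Free'   }
    'AzureAdvancedThreatProtection'            = @{ Permission = 'Global Admin or Security Admin';  Cost = 'Free'   }
    'MicrosoftDefenderAdvancedThreatProtection'= @{ Permission = 'Global Admin or Security Admin';  Cost = 'Free'   }
    'ThreatIntelligence'                       = @{ Permission = 'Global Admin or Security Admin';  Cost = 'Billed' }
}

# 1. Make sure we are logged in and pointed at the subscription we intend to touch.
$ctx = Get-AzContext
if (-not $ctx) { Connect-AzAccount | Out-Null; $ctx = Get-AzContext }
if ($ExpectedSubscriptionId -and $ctx.Subscription.Id -ne $ExpectedSubscriptionId) {
    throw "Context is subscription $($ctx.Subscription.Id), expected $ExpectedSubscriptionId. " +
          "Run Connect-AzAccount -SubscriptionId $ExpectedSubscriptionId first."
}
Write-Host "Account: $($ctx.Account.Id)  Subscription: $($ctx.Subscription.Name) ($($ctx.Subscription.Id))"

# 2. Read the connector list the real script will enable and map each to its requirements.
$connectors = (Get-Content -Path $ConnectorsFile -Raw | ConvertFrom-Json).connectors
$report = foreach ($c in $connectors) {
    $req = $requirements[$c.kind]
    if (-not $req) { Write-Warning "Unknown connector kind '$($c.kind)' in $ConnectorsFile"; continue }
    [pscustomobject]@{ Connector = $c.kind; Permission = $req.Permission; Cost = $req.Cost }
}
$report | Format-Table -AutoSize

# 3. Summarize what the run will actually need, so the privilege level can be justified.
$needsAdmin = @($report | Where-Object Permission -like 'Global Admin*').Count
$billed     = @($report | Where-Object Cost -eq 'Billed').Connector
if ($needsAdmin -eq 0) { Write-Host "No selected connector requires Global Admin / Security Admin." }
else { Write-Host "$needsAdmin connector(s) require Global Admin or Security Admin." }
if ($billed) { Write-Host "Billed ingestion for: $($billed -join ', ')" }
```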
Here you have a GIF that shows the execution process:
The main script in this repository takes care of the following steps:
Download the project's package from the GitHub repo, then follow the usage guide and the GIF below:
Get started today!
We encourage you to try it now and take advantage of the next generation of SIEM for your environment. You can also contribute new connectors, workbooks, analytics, and more to Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.