Azure Sentinel All-In-One Accelerator

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.


Azure Sentinel All in One is a project designed and developed by  (Senior Program Manager - Microsoft),  (Sr. CyberSecurity Technical Specialist - Microsoft) and  (Program Manager - Microsoft). It seeks to reduce the deployment and initial configuration of an Azure Sentinel environment to just a few clicks, which makes it ideal for Proof of Concept and Pilot scenarios, and for connector onboarding when highly privileged users are needed.

The main script in this repository takes care of the following steps:

  • Creates resource group (if given resource group doesn't exist yet)
  • Creates Log Analytics workspace (if given workspace doesn't exist yet)
  • Installs Azure Sentinel on top of the workspace (if not installed yet)
  • Enables the following Data Connectors:
    • Azure Activity
    • Azure Security Center
    • Azure Active Directory
    • Azure Active Directory Identity Protection
    • Office 365 (SharePoint, Exchange and Teams)
    • Microsoft Cloud App Security
    • Azure Advanced Threat Protection
    • Microsoft Defender Advanced Threat Protection
    • Threat Intelligence Platforms
  • Enables Analytics Rules for enabled Microsoft 1st party products

Implementation

These instructions show you what you need to know to use Sentinel All in One.

Prerequisites

  • PowerShell Core
  • Azure user account with enough permissions to enable the required connectors. See table below.
  • Some data connectors also require a license to be present in order to be enabled. See table below.

The following table summarizes permissions and licenses needed to enable each Data Connector:

Data Connector                                   License           Permissions
Azure Activity                                   None              Reader
Azure Security Center                            ASC Standard      Security Reader
Azure Active Directory                           Any AAD license   Global Admin or Security Admin
Azure Active Directory Identity Protection       AAD Premium 2     Global Admin or Security Admin
Office 365                                       None              Global Admin or Security Admin
Microsoft Cloud App Security                     MCAS              Global Admin or Security Admin
Azure Advanced Threat Protection                 AATP              Global Admin or Security Admin
Microsoft Defender Advanced Threat Protection    MDATP             Global Admin or Security Admin
Threat Intelligence Platforms                    None              Global Admin or Security Admin
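The following PowerShell script is an added example, not the Sentinel All in One project's own script. It sketches the first three steps from the list above (resource group, Log Analytics workspace, Sentinel on top of the workspace) as idempotent checks, and adds a pre-flight check for the subscription-level Reader role that the table requires for the Azure Activity connector. It assumes the Az.Accounts, Az.Resources, Az.OperationalInsights and Az.MonitoringSolutions modules are installed, that Connect-AzAccount has already been run, and that Azure Sentinel is enabled by creating the "SecurityInsights" solution on the workspace; the resource names and location are constructed placeholders.

```powershell
# Added example (not the project's code). Assumes Connect-AzAccount has run and the
# Az.Accounts, Az.Resources, Az.OperationalInsights, Az.MonitoringSolutions modules exist.
param(
    [string]$ResourceGroupName = "rg-sentinel-poc",   # placeholder
    [string]$WorkspaceName     = "law-sentinel-poc",  # placeholder
    [string]$Location          = "westeurope"         # placeholder
)

$ErrorActionPreference = "Stop"

function Test-SubscriptionRole {
    # The Azure Activity connector needs Reader at subscription scope; Contributor or
    # Owner include Reader's rights, so any of the three is accepted. Azure AD roles
    # (Global Admin / Security Admin) are not visible through Az RBAC cmdlets and are
    # not checked here.
    $ctx   = Get-AzContext
    $scope = "/subscriptions/$($ctx.Subscription.Id)"
    $roles = Get-AzRoleAssignment -SignInName $ctx.Account.Id -Scope $scope |
             Select-Object -ExpandProperty RoleDefinitionName
    $ok = @("Reader", "Contributor", "Owner") | Where-Object { $roles -contains $_ }
    if (-not $ok) {
        Write-Warning "$($ctx.Account.Id) has no Reader/Contributor/Owner assignment at $scope; the Azure Activity connector cannot be enabled."
    }
    return [bool]$ok
}

function Initialize-SentinelWorkspace {
    param([string]$Rg, [string]$Ws, [string]$Loc)

    # Step 1: resource group, created only if it does not already exist.
    if (-not (Get-AzResourceGroup -Name $Rg -ErrorAction SilentlyContinue)) {
        New-AzResourceGroup -Name $Rg -Location $Loc | Out-Null
        Write-Host "Created resource group $Rg"
    }

    # Step 2: Log Analytics workspace, created only if it does not already exist.
    $workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $Rg -Name $Ws -ErrorAction SilentlyContinue
    if (-not $workspace) {
        $workspace = New-AzOperationalInsightsWorkspace -ResourceGroupName $Rg -Name $Ws -Location $Loc -Sku PerGB2018
        Write-Host "Created workspace $Ws"
    }

    # Step 3: Azure Sentinel is the "SecurityInsights" solution bound to the workspace
    # (assumption: the portal names it "SecurityInsights(<workspace>)"). Skip if present.
    $solutionName = "SecurityInsights($Ws)"
    $existing = Get-AzMonitorLogAnalyticsSolution -ResourceGroupName $Rg -Name $solutionName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-AzMonitorLogAnalyticsSolution -Type SecurityInsights -ResourceGroupName $Rg `
            -Location $workspace.Location -WorkspaceResourceId $workspace.ResourceId | Out-Null
        Write-Host "Enabled Azure Sentinel on $Ws"
    }
    return $workspace
}

if (Test-SubscriptionRole) {
    $ws = Initialize-SentinelWorkspace -Rg $ResourceGroupName -Ws $WorkspaceName -Loc $Location
    Write-Host "Workspace ready: $($ws.ResourceId)"
}
```

Run it from PowerShell Core after signing in; because every step checks for an existing resource first, re-running it against a workspace that already has Sentinel enabled makes no changes, which is the same "if not installed yet" behaviour the step list describes.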

Usage

Download the project's package from the GitHub repo, then follow the usage guide and the GIF below:

[Animated demo: SentinelAllInOne.gif]

Get started today!

We encourage you to try it now and bring next-generation SIEM to your environment. You can also contribute new connectors, workbooks, analytics and more to Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.
