From 2b9ba59173c79467e2fb176b3827358ebdbf2020 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 18 Jul 2024 13:04:16 +0400 Subject: [PATCH 01/14] feat: Add conditional onboarding for Sentinel in logAnalyticsSolutions.json --- .../logAnalyticsSolutions.json | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json b/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json index 7e13eb9209..16d86326e1 100644 --- a/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json +++ b/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json @@ -232,7 +232,7 @@ "promotionCode": "", "publisher": "Microsoft" } - },*/ + }, { // Conditionally deploy solution for sentinel "condition": "[equals(parameters('enableSecuritySolution'), 'Yes')]", @@ -252,6 +252,17 @@ "promotionCode": "", "publisher": "Microsoft" } + },*/ + { + // Conditionally onboard Sentinel + "condition": "[equals(parameters('enableSecuritySolution'), 'Yes')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.SecurityInsights/onboardingStates", + "name": "[variables('solutions').securityInsights.name]", + "scope": "[variables('laResourceId')]", + "properties": { + "customerManagedKey": false + } }/*, { // Conditionally deploy solution for SQL assessment From 79ee684eb5674f021f1e05c7b674a305edb7c295 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 18 Jul 2024 13:51:38 +0400 Subject: [PATCH 02/14] chore: Update logAnalyticsWorkspace.json to use the latest API version --- eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json index 6f5d8415b5..7bd91bcbce 100644 --- a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json +++ b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json 
@@ -34,7 +34,7 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2018-05-01", + "apiVersion": "2019-05-01", "name": "[variables('deploymentName')]", "resourceGroup": "[parameters('rgName')]", "dependsOn": [ From 404b032a68edee6f9a1252f4edbefe1f272da198 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 18 Jul 2024 14:41:37 +0400 Subject: [PATCH 03/14] chore: Update logAnalyticsWorkspace.json to use the latest API version --- .../subscriptionTemplates/logAnalyticsSolutions.json | 2 +- .../subscriptionTemplates/logAnalyticsWorkspace.json | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json b/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json index 16d86326e1..0df2e5b81a 100644 --- a/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json +++ b/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json @@ -252,7 +252,7 @@ "promotionCode": "", "publisher": "Microsoft" } - },*/ + }, { // Conditionally onboard Sentinel "condition": "[equals(parameters('enableSecuritySolution'), 'Yes')]", diff --git a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json index 7bd91bcbce..edb42280aa 100644 --- a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json +++ b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json @@ -34,7 +34,7 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-05-01", + "apiVersion": "2018-05-01", "name": "[variables('deploymentName')]", "resourceGroup": "[parameters('rgName')]", "dependsOn": [ 
@@ -85,6 +85,16 @@ } } ] + }, + { + // Onboard Sentinel + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.SecurityInsights/onboardingStates", + "name": "[parameters('workspaceName')]", + "scope": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "properties": { + "customerManagedKey": false + } } ], "outputs": {} From 665a2ee29e13b88ecf3ae0e68f2c6004bc1d6e1b Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 18 Jul 2024 15:25:40 +0400 Subject: [PATCH 04/14] chore: Update logAnalyticsWorkspace.json to use the latest API version --- eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json index edb42280aa..292264cfaa 100644 --- a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json +++ b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json @@ -34,7 +34,7 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2018-05-01", + "apiVersion": "2024-03-01", "name": "[variables('deploymentName')]", "resourceGroup": "[parameters('rgName')]", "dependsOn": [ From 56b9dd9331cadcb6a6b38873efa7a439c7f6fe0c Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 18 Jul 2024 15:53:58 +0400 Subject: [PATCH 05/14] chore: Update logAnalyticsWorkspace.json to use the latest API version --- eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json index 292264cfaa..f279c8dbe1 100644 --- a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json +++ b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json 
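Review bot: `"customerManagedKey": false` is hard-coded in the new `Microsoft.SecurityInsights/onboardingStates` resource in the `@@ -85,6 +85,16 @@` hunk, so a deployment that needs customer-managed keys for Sentinel cannot request them through this template. As far as I know that choice has to be made when the workspace is onboarded and cannot be switched on afterwards, so either expose it as a parameter defaulting to `false` or state the limitation next to the property, e.g. `// CMK is not configurable here; onboard the workspace yourself first if you require it`. The resource also pins `2023-02-01-preview`; a GA API version, if one covers this type, would be a steadier dependency for a security control. The same block first appears in the logAnalyticsSolutions.json hunk of PATCH 01/14.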
@@ -92,6 +92,9 @@ "type": "Microsoft.SecurityInsights/onboardingStates", "name": "[parameters('workspaceName')]", "scope": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "dependsOn": [ + "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" + ], "properties": { "customerManagedKey": false } From c741d5a074ba0f958bca5d43a3dc66172422095c Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 18 Jul 2024 16:19:33 +0400 Subject: [PATCH 06/14] chore: Update logAnalyticsWorkspace.json to use "default" name for onboarding Sentinel --- eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json index f279c8dbe1..0ff1cea57e 100644 --- a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json +++ b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json @@ -90,7 +90,7 @@ // Onboard Sentinel "apiVersion": "2023-02-01-preview", "type": "Microsoft.SecurityInsights/onboardingStates", - "name": "[parameters('workspaceName')]", + "name": "default", "scope": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", "dependsOn": [ "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" From a9f8acc9b0dedfb98bbff20afdeb1c751c6a3d43 Mon Sep 17 00:00:00 2001 
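Review bot: The `dependsOn` entry added in the `@@ -92,6 +92,9 @@` hunk names the workspace by a concatenated resource ID, but no workspace resource is visible at this level of the template; the only sibling shown in this series is the nested `Microsoft.Resources/deployments` resource named `[variables('deploymentName')]`. If the workspace is created inside that nested deployment, the dependency should point at the deployment instead, otherwise onboarding can fail validation or run before the workspace exists, leaving Sentinel disabled. The same concat expression is now written twice, in `scope` and in `dependsOn`; a single template variable (for example `workspaceResourceId`) would keep the two from drifting apart. The resource object starts above this hunk, so the rest of it is not visible here.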
From: Sacha Narinx Date: Thu, 18 Jul 2024 16:50:54 +0400 Subject: [PATCH 07/14] chore: Update logAnalyticsWorkspace.json to use "default" name for onboarding Sentinel --- eslzArm/eslzArm.json | 82 -------------------------------------------- 1 file changed, 82 deletions(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 2c25864a30..5a9aa8b753 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -203,14 +203,6 @@ ], "defaultValue": "Disabled" }, - "enableSecuritySolution": { - "type": "string", - "defaultValue": "Yes", - "allowedValues": [ - "Yes", - "No" - ] - }, "enableMonitorBaselines": { "type": "string", "defaultValue": "", @@ -1596,7 +1588,6 @@ "resourceGroup": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/resourceGroup.json')]", "ddosProtection": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/ddosProtection.json')]", "logAnalyticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json')]", - "monitoringSolutions": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/logAnalyticsSolutions.json')]", "asbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json')]", "regulatoryComplianceInitaitves": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-RegulatoryCompliancePolicyAssignment.json')]", "resourceDiagnosticsInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json')]", 
@@ -1714,7 +1705,6 @@ "monitorManagementDeploymentName": "[take(concat('alz-ManagementMonitor', variables('deploymentSuffix')), 64)]", "monitorLandingZoneDeploymentName": "[take(concat('alz-LandingZoneMonitor', variables('deploymentSuffix')), 64)]", "monitorServiceHealthDeploymentName": "[take(concat('alz-SvcHealthMonitor', variables('deploymentSuffix')), 64)]", - "monitoringSolutionsDeploymentName": "[take(concat('alz-Solutions', variables('deploymentSuffix')), 64)]", "asbPolicyDeploymentName": "[take(concat('alz-ASB', variables('deploymentSuffix')), 64)]", "regulatoryComplianceInitativesToAssignDeploymentName": "[take(concat('alz-RegComp-', deployment().location, '-', uniqueString(parameters('currentDateTimeUtcNow')), '-'), 64)]", "resourceDiagnosticsPolicyDeploymentName": "[take(concat('alz-ResourceDiagnostics', variables('deploymentSuffix')), 64)]", @@ -1842,7 +1832,6 @@ "subnetNsgIdentityLitePolicyDeploymentName": "[take(concat('alz-SubnetNsgIdentity', variables('deploymentSuffix')), 64)]", "monitoringLiteDeploymentName": "[take(concat('alz-MonitoringLite', variables('deploymentSuffix')), 64)]", "logAnalyticsLitePolicyDeploymentName": "[take(concat('alz-LAPolicyLite', variables('deploymentSuffix')), 64)]", - "monitoringSolutionsLiteDeploymentName": "[take(concat('alz-SolutionsLite', variables('deploymentSuffix')), 64)]", "platformLiteSubscriptionPlacement": "[take(concat('alz-PlatformSubLite', variables('deploymentSuffix')), 64)]", "vnetConnectivityHubLiteDeploymentName": "[take(concat('alz-VnetHubLite', variables('deploymentSuffix')), 64)]", "vwanConnectivityHubLiteDeploymentName": "[take(concat('alz-VWanHubLite', variables('deploymentSuffix')), 64)]", 
@@ -2538,40 +2527,6 @@ } } }, - { - // Deploying Sentinel to Log Analytics workspace if condition is true - "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableSecuritySolution'), 'Yes'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').monitoringSolutionsDeploymentName]", - "location": "[deployment().location]", - "subscriptionId": "[parameters('managementSubscriptionId')]", - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion" - ], - "properties": { - "mode": "Incremental", - "templateLink": { - "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').monitoringSolutions]" - }, - "parameters": { - "rgName": { - "value": "[variables('platformRgNames').mgmtRg]" - }, - "workspaceName": { - "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" - }, - "workspaceRegion": { - "value": "[deployment().location]" - }, - "enableSecuritySolution": { - "value": "[parameters('enableSecuritySolution')]" - } - } - } - }, { // Assigning Log Analytics workspace policy to management management group if condition is true "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]", 
@@ -7581,43 +7536,6 @@ } } }, - /* - Note: ES Lite only: the following deployments will deploy Sentinel to the platform subscription - */ - { - // Deploying Sentinel to the Log Analytics workspace if condition is true - "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableSecuritySolution'), 'Yes'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[variables('esLiteDeploymentNames').monitoringSolutionsLiteDeploymentName]", - "location": "[deployment().location]", - "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", - "policyCompletion" - ], - "properties": { - "mode": "Incremental", - "templateLink": { - "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').monitoringSolutions]" - }, - "parameters": { - "rgName": { - "value": "[variables('platformRgNames').mgmtRg]" - }, - "workspaceName": { - "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" - }, - "workspaceRegion": { - "value": "[deployment().location]" - }, - "enableSecuritySolution": { - "value": "[parameters('enableSecuritySolution')]" - } - } - } - }, /* Note: ES Lite only: deploy Log Analytics workspace policy to the platform management group */ From b37791fb0344969753b30bc273c698450bc6c576 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 18 Jul 2024 17:16:28 +0400 Subject: [PATCH 08/14] chore: Deleted logAnalyticsSolutions.json as it's no longer needed. --- .../logAnalyticsSolutions.json | 341 ------------------ 1 file changed, 341 deletions(-) delete mode 100644 eslzArm/subscriptionTemplates/logAnalyticsSolutions.json 
diff --git a/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json b/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json
deleted file mode 100644
index 0df2e5b81a..0000000000
--- a/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json
+++ /dev/null
@@ -1,341 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "rgName": { - "type": "string", - "metadata": { - "description": "Provide the resource group name where the Log Analytics workspace is deployed." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Provide resource name for the Log Analytics workspace." - } - }, - "workspaceRegion": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Select Azure region for the Log Analytics workspace. Default, we will use same region as deployment." - } - }, - "enableSecuritySolution": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether security solutions should be enabled or not." - } - }/*, - "enableAgentHealth": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether agent health solution should be enabled or not." - } - }, - "enableChangeTracking": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether change tracking solution should be enabled or not." - } - }, - "enableUpdateMgmt": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether update mgmt solution should be enabled or not." - } - }, - "enableVmInsights": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether VM insights solution should be enabled or not." 
- } - }, - "enableSqlAssessment": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether SQL assessment solution should be enabled or not." - } - }, - "enableSqlVulnerabilityAssessment": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether SQL vulnerability assessment solution should be enabled or not." - } - }, - "enableSqlAdvancedThreatProtection": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether SQL advanced threat protection solution should be enabled or not." - } - }*/ - }, - "variables": { - "laResourceId": "[toLower(concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName')))]", - "solutions": { - /*"security": { - "name": "[concat('Security', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "Security" - }, - "agentHealth": { - "name": "[concat('AgentHealthAssessment', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "AgentHealthAssessment" - }, - "changeTracking": { - "name": "[concat('ChangeTracking', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "ChangeTracking" - }, - "updateMgmt": { - "name": "[concat('Updates', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "Updates" - }, - "sqlAssessment": { - "name": "[concat('SQLAssessment', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "SQLAssessment" - }, - "sqlAdvancedThreatProtection": { - "name": "[concat('SQLAdvancedThreatProtection', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "SQLAdvancedThreatProtection" - }, - "sqlVulnerabilityAssesment": { - "name": "[concat('SQLVulnerabilityAssessment', '(', parameters('workspaceName'), ')')]", - "marketplaceName": 
"SQLVulnerabilityAssessment" - }, - "vmInsights": { - "name": "[concat('VMInsights', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "VMInsights" - },*/ - "securityInsights": { - "name": "[concat('SecurityInsights', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "SecurityInsights" - } - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2018-05-01", - "name": "[take(concat('alz-', 'solutions-', guid(deployment().name)), 63)]", - "resourceGroup": "[parameters('rgName')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "variables": {}, - "resources": [ - /*{ - // Conditionally deploy solution for agent health - "condition": "[equals(parameters('enableAgentHealth'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').agentHealth.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').agentHealth.name]", - "product": "[concat('OMSGallery/', variables('solutions').agentHealth.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - },*/ - /*{ - // Conditionally deploy solution for change tracking - "condition": "[equals(parameters('enableChangeTracking'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').changeTracking.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').changeTracking.name]", - "product": "[concat('OMSGallery/', variables('solutions').changeTracking.marketplaceName)]", - "promotionCode": 
"", - "publisher": "Microsoft" - } - },*/ - /*{ - // Conditionally deploy solution for vm insights - "condition": "[equals(parameters('enableVmInsights'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').vmInsights.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').vmInsights.name]", - "product": "[concat('OMSGallery/', variables('solutions').vmInsights.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - },*/ - /*{ - // Conditionally deploy solution for security - "condition": "[equals(parameters('enableSecuritySolution'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').security.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').security.name]", - "product": "[concat('OMSGallery/', variables('solutions').security.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - }, - { - // Conditionally deploy solution for sentinel - "condition": "[equals(parameters('enableSecuritySolution'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').securityInsights.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]", - "sku": { - "name": "Unified" - } - }, - "plan": { - "name": "[variables('solutions').securityInsights.name]", - "product": "[concat('OMSGallery/', variables('solutions').securityInsights.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - }, - { - // Conditionally onboard Sentinel - "condition": 
"[equals(parameters('enableSecuritySolution'), 'Yes')]", - "apiVersion": "2023-02-01-preview", - "type": "Microsoft.SecurityInsights/onboardingStates", - "name": "[variables('solutions').securityInsights.name]", - "scope": "[variables('laResourceId')]", - "properties": { - "customerManagedKey": false - } - }/*, - { - // Conditionally deploy solution for SQL assessment - "condition": "[equals(parameters('enableSqlAssessment'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').sqlAssessment.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').sqlAssessment.name]", - "product": "[concat('OMSGallery/', variables('solutions').sqlAssessment.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - },*/ - /*{ - // Conditionally deploy solution for SQL advanced threat protection - "condition": "[equals(parameters('enableSqlAdvancedThreatProtection'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').sqlAdvancedThreatProtection.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').sqlAdvancedThreatProtection.name]", - "product": "[concat('OMSGallery/', variables('solutions').sqlAdvancedThreatProtection.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - },*/ - /*{ - // Conditionally deploy solution for SQL vulnerability protection - "condition": "[equals(parameters('enableSqlVulnerabilityAssessment'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').sqlVulnerabilityAssesment.name]", - "location": 
"[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').sqlVulnerabilityAssesment.name]", - "product": "[concat('OMSGallery/', variables('solutions').sqlVulnerabilityAssesment.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - },*/ - /*{ - // Conditionally deploy solution for update management - "condition": "[equals(parameters('enableUpdateMgmt'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').updateMgmt.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').updateMgmt.name]", - "product": "[concat('OMSGallery/', variables('solutions').updateMgmt.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - }*/ - ] - } - } - } - ], - "outputs": {} -} \ No newline at end of file From f4e106fd7aff26def6e145f5be99fe66379f5f24 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 18 Jul 2024 17:45:10 +0400 Subject: [PATCH 09/14] chore: Updated whats new --- docs/wiki/Whats-new.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 9ee6e32d65..2c1e04212f 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -1,6 +1,7 @@ ## In this Section - [Updates](#updates) + - [July 2024](#july-2024) - [June 2024](#june-2024) - [🆕 AMA Updates](#-ama-updates) - [🔃 Policy Refresh H2 FY24](#-policy-refresh-h2-fy24) 
@@ -46,6 +47,13 @@ This article will be updated as and when changes are made to the above and anyth Here's what's changed in Enterprise Scale/Azure Landing Zones: +### July 2024 + +#### Other + +- Cleaned up the Log Analytics "solutions" in portal ARM template, as these are no longer required and deployed by ALZ. +- Updated Microsoft Sentinel onboarding (enablement) using the new mechanism that fixes issues after 1 July 2024. Microsoft Sentinel is enabled by default through the portal accelerator as a best practice - we do not however configure any data connectors, we only enable the service. Should you wish to remove this, you can delete the association from the Azure Portal after deployment from the "Sentinel" feature blade. + ### June 2024 #### Documentation From 0ecbc0609ad5bf739258b16c60933730f3244357 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 13 Aug 2024 19:54:17 +0400 Subject: [PATCH 10/14] chore: Update logAnalyticsWorkspace.json to enable Sentinel onboarding using the "default" name --- docs/wiki/Whats-new.md | 5 +++-- eslzArm/eslz-portal.json | 21 +++++++++++++++++++ eslzArm/eslzArm.json | 16 ++++++++++++++ .../logAnalyticsWorkspace.json | 4 ++++ 4 files changed, 44 insertions(+), 2 deletions(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 2c1e04212f..d0f53fc652 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -1,7 +1,7 @@ ## In this Section - [Updates](#updates) - - [July 2024](#july-2024) + - [August 2024](#august-2024) - [June 2024](#june-2024) - [🆕 AMA Updates](#-ama-updates) - [🔃 Policy Refresh H2 FY24](#-policy-refresh-h2-fy24) 
@@ -47,11 +47,12 @@ This article will be updated as and when changes are made to the above and anyth Here's what's changed in Enterprise Scale/Azure Landing Zones: -### July 2024 +### August 2024 #### Other - Cleaned up the Log Analytics "solutions" in portal ARM template, as these are no longer required and deployed by ALZ. +- Re-introduced the option to enable "Sentinel" in the portal accelerator. - Updated Microsoft Sentinel onboarding (enablement) using the new mechanism that fixes issues after 1 July 2024. Microsoft Sentinel is enabled by default through the portal accelerator as a best practice - we do not however configure any data connectors, we only enable the service. Should you wish to remove this, you can delete the association from the Azure Portal after deployment from the "Sentinel" feature blade. ### June 2024 diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 047668d1f5..01d7885490 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -439,6 +439,26 @@ "style": "Info" } }, + { + "name": "enableSentinel", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Microsoft Sentinel and enable security monitoring for your platform and resources", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected Sentinel will be enabled on the Log Analytics workspace.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, { "name": "esMgmtSubSection", "type": "Microsoft.Common.Section", 
@@ -8972,6 +8992,7 @@ "enableUpdateMgmt": "[steps('management').enableUpdateMgmt]", "enableVmInsights": "[steps('management').enableVmInsights]", "retentionInDays": "[string(steps('management').retentionInDays)]", + "enableSentinel": "[steps('management').enableSentinel]", "managementSubscriptionId": "[steps('management').esMgmtSubSection.esMgmtSub]", "enableAsc": "[steps('management').enableAsc]", "emailContactAsc": "[steps('management').emailContactAsc]", diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 5a9aa8b753..585b870ee6 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -40,6 +40,10 @@ "type": "string", "defaultValue": "" }, + "enableSentinel": { + "type": "string", + "defaultValue": "Yes" + }, "managementSubscriptionId": { "type": "string", "defaultValue": "", @@ -2403,6 +2407,9 @@ }, "retentionInDays": { "value": "[parameters('retentionInDays')]" + }, + "enableSentinel": { + "value": "[parameters('enableSentinel')]" } } } @@ -2566,6 +2573,9 @@ }, "retentionInDays": { "value": "[parameters('retentionInDays')]" + }, + "enableSentinel": { + "value": "[parameters('enableSentinel')]" } } } @@ -7499,6 +7509,9 @@ }, "retentionInDays": { "value": "[parameters('retentionInDays')]" + }, + "enableSentinel": { + "value": "[parameters('enableSentinel')]" } } } @@ -7578,6 +7591,9 @@ }, "retentionInDays": { "value": "[parameters('retentionInDays')]" + }, + "enableSentinel": { + "value": "[parameters('enableSentinel')]" } } } diff --git a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json index 0ff1cea57e..811f1b29e9 100644 --- a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json +++ b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json @@ -19,6 +19,9 @@ }, "retentionInDays": { "type": "String" + }, + "enableSentinel": { + "type": "String" } }, "variables": { 
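Review bot: `enableSentinel` is declared without `allowedValues` in both eslzArm.json (`@@ -40,6 +40,10 @@`) and logAnalyticsWorkspace.json (`@@ -19,6 +19,9 @@`), while the onboarding condition added later in this patch tests `equals(parameters('enableSentinel'), 'Yes')`. Any other spelling, such as `yes` or `true`, is accepted by the template and silently skips Sentinel onboarding, so a security control can be off without any deployment error. The `enableSecuritySolution` parameter removed in PATCH 07/14 restricted its input; the same restriction, `"allowedValues": ["Yes", "No"]`, belongs on both new declarations. The nested template's parameter also has no `defaultValue`, so every caller of logAnalyticsWorkspace.json must now pass it explicitly.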
@@ -88,6 +91,7 @@ }, { // Onboard Sentinel + "condition": "[equals(parameters('enableSentinel'), 'Yes')]", "apiVersion": "2023-02-01-preview", "type": "Microsoft.SecurityInsights/onboardingStates", "name": "default", From 58171f605d69cd0c19ef2b8d51bad9b8a1d8a2e9 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 13 Aug 2024 15:54:52 +0000 Subject: [PATCH 11/14] Auto-update Portal experience [Springstone/7b7ff1d1] --- .../policyDefinitions/initiatives.json | 4 ++-- .../managementGroupTemplates/policyDefinitions/policies.json | 4 ++-- .../roleDefinitions/customRoleDefinitions.json | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index 05720324ea..69fee6e458 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "14881039068741859194" + "version": "0.29.47.4906", + "templateHash": "5357404441524922976" } }, "parameters": { diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 2edbae4ca7..9c86608a2d 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "1159734146410583397" + "version": "0.29.47.4906", + "templateHash": "49176136240050651" } }, "parameters": { 
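Review bot: The `condition` added to the `Microsoft.SecurityInsights/onboardingStates` resource (hunk at -88 in `logAnalyticsWorkspace.json`) only decides whether the onboarding state is created. With an incremental deployment, redeploying with `enableSentinel` set to `No` would leave an already onboarded workspace onboarded. The existing `// Onboard Sentinel` comment should say so, e.g. `// Onboard Sentinel when enableSentinel is 'Yes'; 'No' skips onboarding and does not offboard an existing workspace`. The resource body continues past the end of the hunk and the deployment mode is not visible here, so confirm against the parent deployment.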
diff --git a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json index 385dcbebdf..6c8ce646a2 100644 --- a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json +++ b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "7289710698265093596" + "version": "0.29.47.4906", + "templateHash": "12429908550017328445" } }, "variables": { From 281b1551d38a854e13cca3c17cabb2e1f024f6f5 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 13 Aug 2024 19:58:23 +0400 Subject: [PATCH 12/14] . --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 01d7885490..d15f7c2d3e 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -444,7 +444,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Deploy Microsoft Sentinel and enable security monitoring for your platform and resources", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected Sentinel will be enabled on the Log Analytics workspace.", + "toolTip": "If 'Yes' is selected Sentinel will be enabled on the Log Analytics workspace. Note additional configuration is required to complete Sentinel onboarding.", "constraints": { "allowedValues": [ { From 14a8a0b5331d44d687291b441087b2d4c417ef02 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 13 Aug 2024 20:10:50 +0400 Subject: [PATCH 13/14] chore: Update logAnalyticsWorkspace.json to use "default" name for onboarding Sentinel --- eslzArm/eslz-portal.json | 2 +- eslzArm/eslzArm.json | 6 ------ 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index d15f7c2d3e..75419d8aac 100644 --- a/eslzArm/eslz-portal.json 
+++ b/eslzArm/eslz-portal.json @@ -442,7 +442,7 @@ { "name": "enableSentinel", "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy Microsoft Sentinel and enable security monitoring for your platform and resources", + "label": "Deploy Microsoft Sentinel (configuration required to activate)", "defaultValue": "Yes (recommended)", "toolTip": "If 'Yes' is selected Sentinel will be enabled on the Log Analytics workspace. Note additional configuration is required to complete Sentinel onboarding.", "constraints": { diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 585b870ee6..c0ea0b7c36 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -2573,9 +2573,6 @@ }, "retentionInDays": { "value": "[parameters('retentionInDays')]" - }, - "enableSentinel": { - "value": "[parameters('enableSentinel')]" } } } @@ -7591,9 +7588,6 @@ }, "retentionInDays": { "value": "[parameters('retentionInDays')]" - }, - "enableSentinel": { - "value": "[parameters('enableSentinel')]" } } } From e8ba0d3417af4a5794c3ac46fced491fea658b74 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 14 Aug 2024 07:53:13 +0000 Subject: [PATCH 14/14] Auto-update Portal experience [Springstone/7b7ff1d1] --- .../managementGroupTemplates/policyDefinitions/initiatives.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index 5b91d4bb85..f3562d9ca2 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.29.47.4906", - "templateHash": "5357404441524922976" + "templateHash": "15544708819382265845" } }, "parameters": {