Azure Sentinel ARM Template

I got a question from some readers asking whether there is a way to deploy Azure Sentinel through an Azure ARM template, and what the common use cases for deploying such an ARM template are.

In this article, let's explore the ARM template for Azure Sentinel and the common scenarios for it.

TL;DR: You can skip this article and use the template from here to deploy Azure Security Center for your subscription: https://github.com/azsec/scaf-azure-arm-templates/tree/master/AzureSentinel

Common Scenarios

A common scenario for deploying Azure Sentinel is to provide it as a service to your customers (the MSSP, Managed Security Service Provider, model). Another use case is to deliver the Azure Sentinel service directly to an entity in a global company with a complex organization structure via Azure Blueprint.

Having a separate Azure Sentinel instance for each subsidiary is not a bad idea, especially when you want to empower a subset of the InfoSec or system admin team to work more in Azure Sentinel.

Azure ARM template

In fact, deploying Azure Sentinel really means deploying a Log Analytics solution named SecurityInsights (the original name of Azure Sentinel). That said, you only need to add this solution to an existing Log Analytics workspace, or to a new one.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        ....
    },
    "variables": {
        "azureSentinelSolutionName": "[concat('SecurityInsights', '(', parameters('workspaceName'), ')')]",
        "product": "OMSGallery/SecurityInsights",
        "publisher": "Microsoft"
    },
    "resources": [
        {
            "type": "Microsoft.OperationsManagement/solutions",
            "apiVersion": "2015-11-01-preview",
            "name": "[variables('azureSentinelSolutionName')]",
            "location": "[parameters('location')]",
            "plan": {
                "name": "[variables('azureSentinelSolutionName')]",
                "promotionCode": "",
                "product": "[variables('product')]",
                "publisher": "[variables('publisher')]"
            },
            "dependsOn": [
                "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
            ],
            "properties": {
                "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
            }
        }
    ]
}

The template here allows you to deploy Azure Sentinel into a new Log Analytics workspace or an existing one.
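As an added example (not code from the original post or the linked repository), the script below validates the template above, deploys it into one customer's resource group in the MSSP scenario, and then checks that the SecurityInsights solution is bound to the expected workspace. The resource group, workspace name and local template path are assumptions; the parameter names workspaceName and location come from the template.

```powershell
# Added example: deploy the SecurityInsights (Azure Sentinel) solution
# template shown above and verify the result. Requires the Az module and
# an existing Log Analytics workspace in the resource group.
$ResourceGroupName = 'rg-contoso-sentinel'   # assumption
$WorkspaceName     = 'law-contoso'           # assumption
$TemplateFile      = '.\azuredeploy.json'    # assumption: the template above, saved locally

$params = @{
    workspaceName = $WorkspaceName
    location      = (Get-AzResourceGroup -Name $ResourceGroupName).Location
}

# 1. Validate first; Test-AzResourceGroupDeployment returns error objects rather than throwing.
$validation = Test-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
    -TemplateFile $TemplateFile -TemplateParameterObject $params
if ($validation) {
    $validation | ForEach-Object { Write-Error $_.Message }
    throw "Template validation failed"
}

# 2. Deploy in incremental mode so nothing else in the resource group is touched.
$deployment = New-AzResourceGroupDeployment -Name "sentinel-$(Get-Date -Format yyyyMMddHHmm)" `
    -ResourceGroupName $ResourceGroupName -TemplateFile $TemplateFile `
    -TemplateParameterObject $params -Mode Incremental
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment ended in state $($deployment.ProvisioningState)"
}

# 3. Verify: the solution resource exists under the naming convention
#    SecurityInsights(<workspaceName>) and points at the right workspace.
$solution = Get-AzResource -ResourceGroupName $ResourceGroupName `
    -ResourceType 'Microsoft.OperationsManagement/solutions' `
    -Name "SecurityInsights($WorkspaceName)" -ExpandProperties
$workspaceId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName `
    -Name $WorkspaceName).ResourceId
if ($solution.Properties.workspaceResourceId -ne $workspaceId) {
    throw "Solution is bound to $($solution.Properties.workspaceResourceId), expected $workspaceId"
}
"Azure Sentinel (SecurityInsights) is enabled on workspace $WorkspaceName"
```

Running the same script again for a workspace that already has the solution is safe, since the ARM deployment is a PUT of the same resource.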

For Azure Sentinel deployment in Azure Blueprint, stay tuned!

This entry was posted in Security Automation.
