
Sentinel Onboarding via `SecurityInsights` solution is deprecated

Open cloudchristoph opened this issue 1 year ago • 2 comments

What happened? Provide a clear and concise description of the bug, including deployment details.

Currently the activation of Sentinel is done via deployment of the SecurityInsights solution to the Log Analytics Workspace.

This is deprecated and won't work after July 1st (i.e. now). I learned this via e-mail from MS (see screenshot below).

The "new" method uses the OnboardingStates API (see: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-azure-sentinel-new-onboarding-offboarding-api/ba-p/2640471).

We should implement the new method based on this ARM template: https://github.com/Azure/Azure-Sentinel/blob/master/Tools/ARM-Templates/Onboarding/OnboardSentinel.json

This is a first draft - untested for now, but should head us in the right direction:

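```bicep
// Assumed parameters; the draft referenced these names without declaring them.
param workspaceName string
param workspaceLocation string

resource workspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' = {
  name: workspaceName
  location: workspaceLocation
  tags: {}
  properties: {
    sku: {
      name: 'pergb2018'
    }
  }
}

// onboardingStates is an extension resource, so it targets the workspace via
// `scope`; the symbolic reference also gives Bicep the dependency implicitly.
resource workspaceName_Microsoft_SecurityInsights_default 'Microsoft.SecurityInsights/onboardingStates@2024-03-01' = {
  name: 'default'
  scope: workspace
  properties: {}
}
```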

Best, Christoph


image

Please provide the correlation id associated with your error or bug.

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

What was the expected outcome?

No response

Relevant log output

No response

Check previous GitHub issues

  • [X] I have searched the issues for this item and found no duplicate

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

cloudchristoph avatar Jul 02 '24 07:07 cloudchristoph
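A pre-deployment check for the migration described in the issue above, as an added example that is not part of the original issue or the ALZ-Bicep code base: it walks compiled ARM template JSON and reports whether Sentinel is still onboarded through a `SecurityInsights` solution resource (type `Microsoft.OperationsManagement/solutions`) without an `onboardingStates` resource. The function names and both sample templates are constructed for this example.

```python
import json

DEPRECATED_TYPE = "microsoft.operationsmanagement/solutions"
ONBOARDING_TYPE = "microsoft.securityinsights/onboardingstates"

# Constructed sample (not from ALZ-Bicep): compiled ARM JSON that still
# onboards Sentinel through the SecurityInsights solution.
LEGACY_TEMPLATE = json.loads("""{"resources": [
  {"type": "Microsoft.OperationalInsights/workspaces", "name": "law-example"},
  {"type": "Microsoft.OperationsManagement/solutions",
   "name": "SecurityInsights(law-example)",
   "plan": {"product": "OMSGallery/SecurityInsights"}}]}""")

# Constructed sample: onboarding through onboardingStates, placed inside a
# nested deployment to exercise the recursive walk.
MIGRATED_TEMPLATE = json.loads("""{"resources": [
  {"type": "Microsoft.Resources/deployments", "name": "logging",
   "properties": {"template": {"resources": [
     {"type": "Microsoft.SecurityInsights/onboardingStates", "name": "default"}]}}}]}""")

def _walk(resources):
    """Yield every resource, including child resources and nested deployments."""
    if isinstance(resources, dict):  # symbolic-name templates use a map
        resources = list(resources.values())
    for res in resources or []:
        yield res
        yield from _walk(res.get("resources"))
        props = res.get("properties")
        nested = props.get("template") if isinstance(props, dict) else None
        if isinstance(nested, dict):
            yield from _walk(nested.get("resources"))

def audit_sentinel_onboarding(template):
    """Report deprecated and current Sentinel onboarding resources in a template."""
    findings = {"deprecated_solution": [], "onboarding_state": []}
    for res in _walk(template.get("resources")):
        rtype = str(res.get("type", "")).lower()
        marker = f'{res.get("name", "")} {(res.get("plan") or {}).get("product", "")}'.lower()
        if rtype == DEPRECATED_TYPE and "securityinsights" in marker:
            findings["deprecated_solution"].append(res.get("name"))
        elif rtype == ONBOARDING_TYPE:
            findings["onboarding_state"].append(res.get("name"))
    findings["needs_migration"] = bool(findings["deprecated_solution"]) and not findings["onboarding_state"]
    return findings
```

The check matches literal resource names and plan products only; a template that passes the solution name in through a parameter also needs its parameter values inspected.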

Thanks for reporting @cloudchristoph, we are looking into this now across all ALZ implementation options.

Would you be interested in submitting a PR to ALZ Bicep for these changes?

jtracey93 avatar Jul 02 '24 10:07 jtracey93

> Would you be interested in submitting a PR to ALZ Bicep for these changes?

Yes. Will develop an update at the end of this week. Sure.

cloudchristoph avatar Jul 02 '24 11:07 cloudchristoph