Deploying Microsoft Sentinel with PowerShell
Today, I wanted to take a look at quickly deploying Microsoft Sentinel so that we can test different scenarios with data connectors, analytics rules, hunting queries, and automations. This is an important idea – testing in non-production – that is often overlooked due to the complexity of deployment. Let’s take some of the mystery out of this today!
Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) solution that helps organizations detect, investigate, and respond to threats across their enterprise. With Sentinel, you can ingest data from various sources, including Microsoft 365, Azure, and third-party solutions, and use advanced analytics and machine learning to identify potential security incidents.
In this post, we’ll walk through the steps to deploy Microsoft Sentinel using PowerShell and include some code samples for automating some common tasks.
You can customize the names of the Resource Group, Log Analytics Workspace, and deployment Location to meet your needs. Remember to use your NON-PROD subscription when doing testing like this. If you’re not sure which subscription to use in your Azure environment, have a chat with your Cloud Team.
Prerequisites
- An Azure subscription with permissions to create a resource group, deploy resources, and assign permissions to those resources.
- The latest version of Azure PowerShell installed on your local machine.
- An Azure Active Directory (AD) tenant with global administrator permissions.
- An Azure AD application with the required permissions to deploy Sentinel resources.
- The Azure AD application’s client ID and client secret.
- A PowerShell script editor or Integrated Development Environment (IDE).
Now that we have our prerequisites ready, let’s dive into the deployment steps.
Deployment
Step 1: Create a Resource Group
The first step in deploying Microsoft Sentinel is to create a resource group where all the required resources will be deployed. To create a new resource group, use the following PowerShell command:
New-AzResourceGroup -Name "SentinelResourceGroup" -Location "East US"
This command creates a new resource group named "SentinelResourceGroup" in the East US region. You can change the location to match your preferred region.
Step 2: Create a Log Analytics Workspace
Next, we need to create a Log Analytics workspace where Sentinel will store and analyze data. To create a new Log Analytics workspace, use the following PowerShell command:
$resourceGroupName = "SentinelResourceGroup"
$workspaceName = "SentinelWorkspace"
$location = "East US"
New-AzOperationalInsightsWorkspace `
-ResourceGroupName $resourceGroupName `
-Name $workspaceName `
-Location $location `
-Sku "PerGB2018"
This command creates a new Log Analytics workspace named “SentinelWorkspace” in the “SentinelResourceGroup” resource group in the East US region. You can change the workspace name and location to match your preferred settings.
Step 3: Create a Sentinel Workspace
Now that we have a Log Analytics workspace, we can create a Sentinel workspace that will use it to store and analyze data. To create a new Sentinel workspace, use the following PowerShell command:
$resourceGroupName = "SentinelResourceGroup"
$workspaceName = "SentinelWorkspace"

# Look up the Log Analytics workspace created in Step 2.
$workspace = Get-AzOperationalInsightsWorkspace `
-ResourceGroupName $resourceGroupName `
-Name $workspaceName

# Enable Microsoft Sentinel on that workspace. New-AzSentinelOnboardingState comes from the
# Az.SecurityInsights module (Install-Module Az.SecurityInsights). Calling
# New-AzOperationalInsightsWorkspace a second time with the same name would only
# re-create the Log Analytics workspace; it would not onboard Sentinel.
New-AzSentinelOnboardingState `
-ResourceGroupName $workspace.ResourceGroupName `
-WorkspaceName $workspace.Name `
-Name "default"
This command creates a new Sentinel workspace that uses the Log Analytics workspace we created in the previous step. The workspace is named “SentinelWorkspace” and is located in the “SentinelResourceGroup” resource group in the East US region. You can change the workspace name and location to match your preferred settings.
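The three steps above as one re-runnable script, written for this post as an added example (it is not code from the original article). It authenticates with the Azure AD application from the prerequisites, refuses to run unless the subscription name looks like a test subscription, and checks for each resource before creating it so a second run does not fail or duplicate anything. The environment variable names (SENTINEL_TENANT_ID, SENTINEL_CLIENT_ID, SENTINEL_CLIENT_SECRET), the -SubscriptionName parameter and the "nonprod" naming convention are assumptions for the example; adjust them to your own environment.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.OperationalInsights, Az.SecurityInsights
<#
  Added example: end-to-end, idempotent deployment of Microsoft Sentinel into a
  non-production subscription. Assumptions (hypothetical, not from the original post):
  - $env:SENTINEL_TENANT_ID, $env:SENTINEL_CLIENT_ID and $env:SENTINEL_CLIENT_SECRET hold
    the Azure AD application credentials listed in the prerequisites.
  - Test subscriptions carry "nonprod" in their name.
#>
param(
    [Parameter(Mandatory)] [string] $SubscriptionName,
    [string] $ResourceGroupName = "SentinelResourceGroup",
    [string] $WorkspaceName     = "SentinelWorkspace",
    [string] $Location          = "East US"
)

$ErrorActionPreference = "Stop"

# Guard rail: refuse to deploy into anything that does not look like a test subscription.
if ($SubscriptionName -notmatch 'nonprod') {
    throw "Refusing to deploy: '$SubscriptionName' is not a non-production subscription."
}
foreach ($name in 'SENTINEL_TENANT_ID', 'SENTINEL_CLIENT_ID', 'SENTINEL_CLIENT_SECRET') {
    if (-not [Environment]::GetEnvironmentVariable($name)) { throw "Missing environment variable $name" }
}

# Authenticate as the Azure AD application. The secret is read from the environment
# rather than hard-coded so it never ends up in source control.
$secret = ConvertTo-SecureString $env:SENTINEL_CLIENT_SECRET -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ($env:SENTINEL_CLIENT_ID, $secret)
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $env:SENTINEL_TENANT_ID | Out-Null
Set-AzContext -Subscription $SubscriptionName | Out-Null

# Step 1: resource group (create only if missing, so re-runs are safe).
$rg = Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue
if (-not $rg) {
    $rg = New-AzResourceGroup -Name $ResourceGroupName -Location $Location
}

# Step 2: Log Analytics workspace, with a short retention that is enough for a lab.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName `
    -Name $WorkspaceName -ErrorAction SilentlyContinue
if (-not $workspace) {
    $workspace = New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName `
        -Name $WorkspaceName -Location $Location -Sku "PerGB2018" -RetentionInDays 30
}

# Step 3: onboard Sentinel onto the workspace, again only if it is not already enabled.
$state = Get-AzSentinelOnboardingState -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkspaceName -Name "default" -ErrorAction SilentlyContinue
if (-not $state) {
    $state = New-AzSentinelOnboardingState -ResourceGroupName $ResourceGroupName `
        -WorkspaceName $WorkspaceName -Name "default"
}

# Post-deployment summary so the result can be checked before moving on to configuration.
[pscustomobject]@{
    Subscription      = (Get-AzContext).Subscription.Name
    ResourceGroup     = $rg.ResourceGroupName
    Workspace         = $workspace.Name
    WorkspaceId       = $workspace.CustomerId
    SentinelOnboarded = [bool]$state
}
```

Run it as `.\Deploy-Sentinel.ps1 -SubscriptionName "Contoso-NonProd"` (file name and subscription name are placeholders). The subscription check is deliberately strict: it is far cheaper to rename a lab subscription than to clean up a SIEM that was accidentally enabled in production.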
Configuration
Next up is configuration of:
- RBAC Permissions
- Data Connectors
- Analytics Rules
In the next article, we will take a look at some detailed configuration that can be done to use our new Microsoft Sentinel deployment.