Spike: Deploy Zero Trust Workbook to Sentinel #258
Comments
FYSA, as of this writing, the AppInsights SDK for Go that backs the azurerm provider does not support Workbook resources: hashicorp/terraform-provider-azurerm#5956 (comment). Doesn't mean we cannot create it by other means, but it will end up more source to maintain.

Happy to lean in here if needed, but essentially @glennmusa is correct. Workbooks are hard, even in ARM templates, since they have the ability to contain strings and characters that are difficult to encode for the proper client being used. In addition, the post linked above by @brooke-hamilton is both a blog and an example/preview of doing it, not technically a fully supported functionality. TJ even points out in the blog that it is limited in its control set coverage.

@glennmusa and @shawngib thanks for this info. Based on what you said, I removed this issue from the current release backlog and I have reached out to TJ for a discussion on automation mechanisms for the TIC 3.0 workbook. Let's leave this issue in a triage state until we get a firm automation solution.

Can I get some clarification here, from the last correspondence posted Jun 30? What specifically has changed that indicates this needs to be in our prioritized backlog at this time?
Determine if Terraform does not support this (TBD)
I would be remiss if I didn't include this feature enhancement request: #573. Presently there are no Bicep implementation instructions for Sentinel. Given that this effort is only able to be deployed via Bicep, we very likely will need to have implementation instructions for Sentinel included in the examples folder.

Sentinel is deployed by the main Bicep deployment when the parameter
Pulling this back into the in-progress workflow since the Sentinel instructions for Bicep have been updated as per #613.

@lisamurphy-msft there may be some confusion between PR #613 (and its related backlog item #573). #613 was a documentation issue to clarify the purpose of the Sentinel example that was written in Terraform. This backlog item, #258, is to deploy the Zero Trust workbook into Sentinel. #258 and #613/#573 are not related.

Recommend adding the following workbooks/analytics/playbooks to the Sentinel instance: Zero Trust (TIC 3.0), Maturity Model for Event Log Management (M-21-31), Insider Risk Management, Threat Intelligence, Threat Analysis & Response (MITRE ATT&CK), CMMC 2.0, Azure Security Benchmark v3, IT/OT Threat Monitoring, NIST SP 800-53.

@brooke-hamilton my mistake! It does indeed appear that, although the clarification in the TF implementation documentation has been updated, we still do not have clear instructions for Bicep implementation of Sentinel through MLZ. Although you provided this instruction fairly succinctly in comments, we might need to address this.

@thbanasi Thank you for providing the additional information and insight into this; that is sincerely appreciated. This might be somewhat out of scope for this particular issue, however. Will address with the team whether we need to expand the scope of this issue or whether we need another issue as a follow-on to address adding additional Sentinel workbook instructions.
Able to deploy via the "easy-button" located in the Sentinel GitHub repository. Have the following error:

while completing the equivalent of:

Investigating
This is the template-uri you need: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ZeroTrust(TIC3.0)/Package/mainTemplate.json
I tried this too. When I click the Deploy to Azure button in the Sentinel GitHub repo I get this error in the Azure portal when I click Review + create. I get the same error when trying to deploy using the Azure CLI, the same as @lisamurphy-msft reported.

```json
{
  "code": "InvalidTemplate",
  "message": "Deployment template validation failed: 'The template resource '/Microsoft.SecurityInsights/0b315195-6b74-4380-b954-dcf2cfe765bd' for type 'Microsoft.OperationalInsights/workspaces/providers/alertRules' at line '224' and column '77' has incorrect segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see https://aka.ms/arm-template/#resources for usage details.'."
}
```

I suggest opening an issue or bug in the Sentinel repo.
Since this is confirmed as not working, I have created the following issue: Azure/Azure-Sentinel#4146

@lisamurphy-msft checking in for latest status.

Pending PR push. It appears that what looked like a JSON validation error was in fact a missing parameter, as per the assertion by @thbanasi.
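The error quoted earlier in this thread spells out the ARM rule that was tripped: a top-level resource's type must have one more `/`-separated segment than its name, and a resource nested inside another resource's `resources` array must have the same number of segments in type and name. The later diagnosis was that a parameter had been left unset, so a name built with `concat(parameters('workspace'), '/Microsoft.SecurityInsights/', ...)` started with `/`. The following pre-flight check is an added example, not code from MLZ or the Azure-Sentinel repository: it walks an ARM template, resolves the small subset of the expression language needed for resource names (`concat`, `parameters`, string literals), and reports both kinds of failure before anything is sent to Azure. The template, parameter name `workspace`, and resource names inside it are constructed for the example; treating an empty name segment as a finding is this check's own choice, not a statement of how the ARM engine counts segments.

```python
"""Pre-flight check for the ARM 'incorrect segment lengths' error.

Added example (not MLZ or Azure-Sentinel code). It approximates the rule quoted
in the Azure error message locally and only understands the subset of ARM
expressions used in the constructed template below.
"""
import re

# Constructed minimal template; NOT the real Zero Trust (TIC 3.0) mainTemplate.json.
# The alertRules resource mirrors the failing shape from the thread: its name is
# built from a workspace parameter, so an empty parameter yields a leading '/'.
# The workbooks resource is wrong regardless of parameters (2 name segments for a
# 2-segment type, where a root resource needs exactly 1).
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"workspace": {"type": "string", "defaultValue": ""}},
    "resources": [
        {
            "type": "Microsoft.OperationalInsights/workspaces",
            "apiVersion": "2021-06-01",
            "name": "[parameters('workspace')]",
            "resources": [
                {   # nested: type and name must have the same segment count
                    "type": "providers/onboardingStates",
                    "apiVersion": "2021-03-01-preview",
                    "name": "Microsoft.SecurityInsights/default",
                }
            ],
        },
        {
            "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
            "apiVersion": "2021-03-01-preview",
            "name": "[concat(parameters('workspace'), '/Microsoft.SecurityInsights/', 'rule-1')]",
        },
        {
            "type": "Microsoft.Insights/workbooks",
            "apiVersion": "2021-08-01",
            "name": "[concat(parameters('workspace'), '/zt-workbook')]",
        },
    ],
}

_PARAM = re.compile(r"parameters\('([^']+)'\)")


def resolve_name(expr, values):
    """Resolve a resource-name expression: plain string, [parameters('x')],
    or [concat(...)] whose arguments are parameters() calls or 'literals'.
    Arguments are split on commas, so literals containing commas are not supported."""
    if not (expr.startswith("[") and expr.endswith("]")):
        return expr
    inner = expr[1:-1].strip()
    m = re.fullmatch(r"concat\((.*)\)", inner)
    parts = [p.strip() for p in m.group(1).split(",")] if m else [inner]
    out = []
    for part in parts:
        pm = _PARAM.fullmatch(part)
        if pm:
            value = values.get(pm.group(1))
            if value is None:
                raise ValueError(f"parameter {pm.group(1)!r} has no value")
            out.append(str(value))
        elif len(part) >= 2 and part[0] == part[-1] == "'":
            out.append(part[1:-1])
        else:
            raise ValueError(f"unsupported expression: {part!r}")
    return "".join(out)


def check_segments(rtype, rname, nested=False):
    """Return None when the type/name segment counts satisfy the ARM rule,
    otherwise a message describing the problem."""
    type_segs = rtype.split("/")
    name_segs = rname.split("/")
    if any(seg == "" for seg in name_segs):
        return f"name {rname!r} has an empty segment (unset parameter?)"
    expected = len(type_segs) if nested else len(type_segs) - 1
    if len(name_segs) != expected:
        return (f"type {rtype!r} has {len(type_segs)} segments but name {rname!r} "
                f"has {len(name_segs)}; expected {expected}")
    return None


def check_template(template, supplied=None):
    """Walk top-level and nested resources; return [(type, message), ...]."""
    values = {k: v.get("defaultValue") for k, v in template.get("parameters", {}).items()}
    values.update(supplied or {})
    findings = []

    def walk(resources, nested):
        for res in resources:
            name = resolve_name(res["name"], values)
            msg = check_segments(res["type"], name, nested)
            if msg:
                findings.append((res["type"], msg))
            walk(res.get("resources", []), True)

    walk(template.get("resources", []), False)
    return findings


if __name__ == "__main__":
    for label, params in (("defaults (workspace empty)", {}), ("workspace=la-prod", {"workspace": "la-prod"})):
        print(f"== {label}")
        for rtype, msg in check_template(SAMPLE_TEMPLATE, params):
            print(f"  {rtype}: {msg}")
```

Run against the constructed template with the empty default, every name derived from `workspace` is flagged; supply a workspace name and only the genuinely mis-shaped `workbooks` resource remains. Running the same walk over a real `mainTemplate.json` with the parameter file you intend to pass separates "I forgot a parameter" from "the template itself is wrong" before opening an upstream issue.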
Team, I submitted the PR for the next version of the Microsoft Sentinel: Zero Trust (TIC 3.0) Solution over the weekend. The new version will be available in GH and Sentinel Content Hub within 2 weeks. I wanted to make sure you guys knew about the updates because there are substantial improvements in content based on customer feedback/learnings. Azure/Azure-Sentinel#4275

@thbanasi thank you for the update!
Benefit/Result/Outcome

So that I can be sure that MLZ implements the security guidelines of Zero Trust, and to have an MLZ example that includes additional deployment technologies like shell scripts and manual Azure portal configuration.

Description

Azure Sentinel has the Zero Trust (TIC 3.0) workbook (https://devblogs.microsoft.com/azuregov/zero-trust-in-azure-for-government/). This is a spike to determine if we can deploy the ZT workbook using shell scripts, Bicep, or both. Manual steps in the Azure portal could also be included if the Sentinel APIs and resource providers do not support the work. If successful, the result will go into the `src/bicep/examples` folder as an optional deployment. One of the key outcomes for this work could be having a meaningful example that combines script, Bicep/ARM, and manual Azure portal configuration steps.

Acceptance Criteria

`examples` folder