This example adds an Azure Sentinel: Zero Trust (TIC3.0) Workbook solution to MLZ, provided Sentinel has already been deployed into the Operations (T1) resource group, either through the Bicep or the Terraform implementation instructions.
Documentation can be found here: Build and monitor Zero Trust (TIC 3.0) security architectures with Microsoft Sentinel
Prerequisites:

- A MissionLZ deployment with Microsoft Defender for Cloud and Azure Sentinel enabled
- Enablement of enhanced security features in Microsoft Defender for Cloud
The following table lists the required parameters for a Mission LZ deployment to enable an Azure Sentinel Workbook:
| Required Parameters | Description |
|---|---|
| location | The region to deploy Azure Sentinel into |
| resourcePrefix | A 3-10 alphanumeric character string without whitespace, used to prefix resources and generate uniqueness for resources with globally unique naming requirements |
| deploySentinel | A boolean expression indicating that Azure Sentinel is to be deployed with the MissionLZ deployment |
| deployDefender | A boolean expression indicating that Microsoft Defender for Cloud is enabled in the Mission LZ deployment |
An example deployment with the required deployment parameters included is shown below:

```bash
az deployment sub create \
  --name "myMlzDeployment" \
  --location eastus \
  --template-file src/bicep/mlz.bicep \
  --parameters resourcePrefix=myPrefix \
               deploySentinel=true \
               deployDefender=true
```
The Sentinel Zero Trust (TIC3.0) Workbook is maintained in the Azure Sentinel GitHub repository. With the link provided, it is possible to use the "Deploy to Azure" button with some simple input parameters for Azure Government and Azure Commercial clouds.

The workbook can also be deployed using the Azure CLI `az deployment` command. The workbook template requires the `workspace` parameter, which is the name of the Log Analytics workspace connected to Sentinel in MLZ. The workspace name can be found in the MLZ operations resource group, which also contains the Log Analytics and Sentinel deployment. The `az deployment group create` command targets that same resource group. See the example below:
```bash
az deployment group create \
  --name MlzWorkbookDeploy \
  --resource-group myPrefix-rg-operations-mlz \
  --template-uri "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ZeroTrust(TIC3.0)/Package/mainTemplate.json" \
  --parameters workspace=myPrefix-log-operations-mlz
```
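The two-step procedure above (an MLZ deployment identified by its `resourcePrefix`, then the workbook deployed into the operations resource group against the Sentinel-connected workspace) can be wrapped in a small script that checks its inputs before touching the subscription. The following is an added example, not code from the MissionLZ project or the Azure Sentinel repository. It assumes the naming pattern shown in the text (`<prefix>-rg-operations-mlz` for the resource group and `<prefix>-log-operations-mlz` for the workspace); the helper names `valid_prefix`, `ops_resource_group`, `ops_workspace`, `workbook_deploy_cmd` and `deploy_workbook` are the example's own. It enforces the `resourcePrefix` rule from the parameter table, confirms the workspace actually exists under the derived name, and previews the deployment with `what-if` before creating it.

```shell
#!/usr/bin/env sh
# Added example (not part of the MissionLZ docs). Assumes the resource group and
# workspace follow the naming pattern used in the text; confirm the real names in
# the operations resource group before relying on them.

WORKBOOK_TEMPLATE="https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ZeroTrust(TIC3.0)/Package/mainTemplate.json"

# resourcePrefix rule from the parameter table: 3-10 alphanumeric characters,
# no whitespace. Returns 0 when the prefix is acceptable, 1 otherwise.
valid_prefix() {
  case "$1" in
    *[!A-Za-z0-9]*) return 1 ;;   # any non-alphanumeric character, whitespace included
  esac
  len=${#1}
  [ "$len" -ge 3 ] && [ "$len" -le 10 ]
}

# Names derived from the prefix, following the page's example deployment.
ops_resource_group() { printf '%s-rg-operations-mlz\n' "$1"; }
ops_workspace()      { printf '%s-log-operations-mlz\n' "$1"; }

# Compose the deployment command so it can be reviewed before it is run.
workbook_deploy_cmd() {
  rg=$(ops_resource_group "$1")
  ws=$(ops_workspace "$1")
  printf 'az deployment group create --name MlzWorkbookDeploy --resource-group %s --template-uri "%s" --parameters workspace=%s\n' \
    "$rg" "$WORKBOOK_TEMPLATE" "$ws"
}

# Full procedure: validate the prefix, confirm the workspace exists, preview, deploy.
deploy_workbook() {
  prefix=$1
  if ! valid_prefix "$prefix"; then
    echo "resourcePrefix '$prefix' must be 3-10 alphanumeric characters without whitespace" >&2
    return 1
  fi
  rg=$(ops_resource_group "$prefix")
  ws=$(ops_workspace "$prefix")

  # The template's workspace parameter must name the Log Analytics workspace that
  # Sentinel is connected to; fail early if nothing exists under the derived name.
  az monitor log-analytics workspace show --resource-group "$rg" --workspace-name "$ws" --output none || {
    echo "workspace '$ws' not found in '$rg'; look up the real name in the operations resource group" >&2
    return 1
  }

  # Preview the resources the template would create before committing.
  az deployment group what-if --resource-group "$rg" \
    --template-uri "$WORKBOOK_TEMPLATE" --parameters workspace="$ws" || return 1

  az deployment group create --name MlzWorkbookDeploy --resource-group "$rg" \
    --template-uri "$WORKBOOK_TEMPLATE" --parameters workspace="$ws"
}

# Usage (requires an authenticated Azure CLI):
#   deploy_workbook myPrefix
```

Keep `deploy_workbook` as the only entry point that calls `az`; the pure helpers make the prefix rule and the derived names easy to check in isolation, which is where most copy-paste mistakes in this procedure happen.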