feat: Add Microsoft Sentinel accelerator with UEBA, analytics, and data connectors (#1280)#1281
Open
sedmonds22 wants to merge 8 commits into
Open
feat: Add Microsoft Sentinel accelerator with UEBA, analytics, and data connectors (#1280)#1281sedmonds22 wants to merge 8 commits into
sedmonds22 wants to merge 8 commits into
Conversation
…, Hardcoded sentinel settings
There was a problem hiding this comment.
Pull request overview
Adds an opt-in Microsoft Sentinel “accelerator” layer to Mission Landing Zone (MLZ), intended to provision Sentinel settings (UEBA/anomalies), data connectors, analytic rules, and workbooks on top of the Operations Log Analytics workspace during deployment.
Changes:
- Introduces new Sentinel-focused Bicep modules to configure Sentinel settings, data connectors, content packages, analytic rules, and workbooks.
- Wires a new
modules/sentinel.bicepdeployment intosrc/mlz.bicepbehind the existingdeploySentinelflag. - Adds a large set of Sentinel analytic rule definitions plus a generated manifest used by a deployment script.
Reviewed changes
Copilot reviewed 110 out of 116 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| src/mlz.bicep | Adds a conditional sentinel module deployment when deploySentinel is enabled. |
| src/modules/monitoring.bicep | Refactors monitoring resource group placement/naming and continues to provision the LAW used by Sentinel. |
| src/modules/sentinel.bicep | Orchestrates Sentinel settings/connectors/content/rules/workbooks modules at subscription scope. |
| src/modules/sentinel-settings.bicep | Configures Sentinel onboarding/settings (UEBA/entity analytics/anomalies) and Entra diagnostics via scripts. |
| src/modules/sentinel-connectors.bicep | Deploys/upserts Entra ID and Azure Activity data connectors via deployment scripts. |
| src/modules/sentinel-analytic-rules.bicep | Deploys analytic rules from a manifest via an Azure CLI deployment script (with RBAC helper module). |
| src/modules/sentinel-analytic-rules-role-assignment.bicep | Assigns Sentinel Contributor role on the workspace to the deployment script identity. |
| src/modules/sentinel-content.bicep | Deploys Sentinel content hub solution packages and (optionally) ARM-template workbooks. |
| src/modules/sentinel-workbooks.bicep | Deploys “custom” workbooks from JSON into Azure Workbooks with deterministic GUIDs. |
| src/data/sentinel/analytic-rules-manifest.json | Generated manifest containing ~92 analytic rules for scripted deployment. |
| src/data/sentinel/workbooks/AzureActivity.json | Workbook content used by sentinel-workbooks.bicep. |
| src/data/sentinel/workbooks/AzureServiceHealthWorkbook.json | Workbook content used by sentinel-workbooks.bicep. |
| src/data/sentinel/workbooks/AzureActiveDirectoryAuditLogs.json | Workbook content used by sentinel-workbooks.bicep. |
| src/data/sentinel/workbooks/AzureActiveDirectorySignins.json | Workbook content used by sentinel-workbooks.bicep. |
| src/data/sentinel/custom-workbooks/deploy/AzureActivity.workbook.template.json | ARM-template workbook used when deployCustomWorkbooks is enabled in sentinel-content.bicep. |
| src/data/sentinel/custom-workbooks/deploy/AzureServiceHealthWorkbook.workbook.template.json | ARM-template workbook used when deployCustomWorkbooks is enabled in sentinel-content.bicep. |
| src/data/sentinel/custom-workbooks/deploy/AzureActiveDirectoryAuditLogs.workbook.template.json | ARM-template workbook used when deployCustomWorkbooks is enabled in sentinel-content.bicep. |
| src/data/sentinel/custom-workbooks/deploy/AzureActiveDirectorySignins.workbook.template.json | ARM-template workbook used when deployCustomWorkbooks is enabled in sentinel-content.bicep. |
| src/data/sentinel/custom-workbooks/deploy/SignalQualityFalsePositiveReduction.json | Additional workbook template asset for Sentinel workbook deployment options. |
| src/data/sentinel/packages/azure-activity/mainTemplate.json | Azure Activity Sentinel solution package template source. |
| src/data/sentinel/packages/azure-activity/solution.json | Azure Activity Sentinel solution package template artifact. |
| src/data/sentinel/packages/azure-activity/solution.bicep | Bicep wrapper for deploying the Azure Activity Sentinel solution package. |
| src/data/sentinel/packages/microsoft-entra-id/mainTemplate.json | Microsoft Entra ID Sentinel solution package template source. |
| src/data/sentinel/analytic-rules/AADHybridHealthADFSNewServer.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/AADHybridHealthADFSServiceDelete.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/AADHybridHealthADFSSuspApp.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/AccountCreatedandDeletedinShortTimeframe.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/AccountCreatedDeletedByNonApprovedUser.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/ADFSDomainTrustMods.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/ADFSSignInLogsPasswordSpray.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/AnomalousUserAppSigninLocationIncrease-detection.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/AzureAADPowerShellAnomaly.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/AzureADRoleManagementPermissionGrant.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/AzurePortalSigninfromanotherAzureTenant.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/AzureRBAC.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Brute Force Attack against GitHub Account.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/BruteForceCloudPC.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/BulkChangestoPrivilegedAccountPermissions.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/BypassCondAccessRule.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Conditional Access - A Conditional Access app exclusion has changed.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Conditional Access - A Conditional Access policy was deleted.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Conditional Access - A Conditional Access policy was disabled.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Conditional Access - A Conditional Access policy was put into report-only mode.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Conditional Access - A Conditional Access policy was updated.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Conditional Access - A Conditional Access usergrouprole exclusion has changed.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Conditional Access - A new Conditional Access policy was created.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Conditional Access - Dynamic Group Exclusion Changes.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Creating_Anomalous_Number_Of_Resources_detection.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Creation_of_Expensive_Computes_in_Azure.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/CredentialAddedAfterAdminConsent.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Cross-tenantAccessSettingsOrganizationAdded.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/DefaultRouteToInternetOrNVAAdded.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/DisabledAccountSigninsAcrossManyApplications.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/DistribPassCrackAttempt.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/ExchangeFullAccessGrantedToApp.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/ExplicitMFADeny.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/FailedLogonToAzurePortal.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/FirstAppOrServicePrincipalCredential.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Granting_Permissions_To_Account_detection.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Machine_Learning_Creation.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/MailPermissionsAddedToApplication.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/MaliciousOAuthApp_O365AttackToolkit.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/MaliciousOAuthApp_PwnAuth.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/MFARejectedbyUser.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/MFASpammingfollowedbySuccessfullogin.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/New-CloudShell-User.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/NewAppOrServicePrincipalCredential.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/NewOnmicrosoftDomainAdded.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/NewResourceGroupsDeployedTo.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/NRT_ADFSDomainTrustMods.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/NRT_Creation_of_Expensive_Computes_in_Azure.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/nrt_FirstAppOrServicePrincipalCredential.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/NRT_NewAppOrServicePrincipalCredential.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/NRT_PIMElevationRequestRejected.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/NRT_UseraddedtoPrivilgedGroups.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/NRT-AADHybridHealthADFSNewServer.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/NSGFlowLogsDisabledOrDeleted.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/NSGInboundInternetToManagementPorts.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/NSGOutboundAllowToInternet.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/PIMElevationRequestRejected.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/PossibleSignInfromAzureBackdoor.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/PrivilegedAccountsSigninFailureSpikes.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/PrivlegedRoleAssignedOutsidePIM.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/RareApplicationConsent.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/RareOperations.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/SeamlessSSOPasswordSpray.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/Sign-in Burst from Multiple Locations.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/SigninAttemptsByIPviaDisabledAccounts.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/SigninBruteForce-AzurePortal.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/SigninPasswordSpray.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/SubnetWithoutNSGAssociation.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/SubscriptionMigration.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/SuccessThenFail_DiffIP_SameUserandApp.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/SuspiciousAADJoinedDeviceUpdate.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/SuspiciousOAuthApp_OfflineAccess.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/SuspiciousServicePrincipalcreationactivity.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/SuspiciousSignInFollowedByMFAModification.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/UnusualGuestActivity.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/UserAccounts-CABlockedSigninSpikes.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/UseraddedtoPrivilgedGroups.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/UserAssignedNewPrivilegedRole.yaml | Adds a Sentinel analytic rule definition (YAML source). |
| src/data/sentinel/analytic-rules/UserAssignedPrivilegedRole.yaml | Adds a Sentinel analytic rule definition (YAML source). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+18
to
+25
| var logAnalyticsWorkspaceName = split(logAnalyticsWorkspaceResourceId, '/')[8] | ||
| var purpose = 'sentinel' | ||
|
|
||
| resource resourceGroup 'Microsoft.Resources/resourceGroups@2019-05-01' = { | ||
| name: replace(tier.namingConvention.resourceGroup, tokens.purpose, purpose) | ||
| location: location | ||
| tags: union(tags[?'Microsoft.Resources/resourceGroups'] ?? {}, mlzTags) | ||
| } |
Comment on lines
+11
to
+15
| var azureActivityWorkbookName = 'Azure Activity' | ||
| var azureServiceHealthWorkbookName = 'Azure Service Health Workbook' | ||
| var deployAnalyticRules = true | ||
| var enableAzureActivityDataConnector = true | ||
| var enableEntraIdDataConnector = true |
Comment on lines
+1004
to
+1010
| module sentinel 'modules/sentinel.bicep' = if (deploySentinel) { | ||
| name: 'deploy-sentinel-${deploymentNameSuffix}' | ||
| scope: subscription(operationsSubscriptionId) | ||
| params: { | ||
| deploymentNameSuffix: deploymentNameSuffix | ||
| location: location | ||
| logAnalyticsWorkspaceResourceId: monitoring.outputs.logAnalyticsWorkspaceResourceId |
Comment on lines
+20
to
31
| var purpose = 'monitoring' | ||
|
|
||
| resource resourceGroup 'Microsoft.Resources/resourceGroups@2019-05-01' = { | ||
| name: replace(tier.namingConvention.resourceGroup, tokens.purpose, purpose) | ||
| location: location | ||
| tags: union(tags[?'Microsoft.Resources/resourceGroups'] ?? {}, mlzTags) | ||
| } | ||
|
|
||
| module logAnalyticsWorkspace 'log-analytics-workspace.bicep' = { | ||
| name: 'deploy-law-${deploymentNameSuffix}' | ||
| scope: resourceGroup(tier.subscriptionId, tier.resourceGroupName) | ||
| scope: resourceGroup | ||
| params: { |
Comment on lines
+117
to
+121
| query: .query, | ||
| queryFrequency: .queryFrequency, | ||
| queryPeriod: .queryPeriod, | ||
| triggerOperator: .triggerOperator, | ||
| triggerThreshold: .triggerThreshold, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds optional Microsoft Sentinel integration to Mission Landing Zone that provisions security monitoring infrastructure alongside the core MLZ deployment, reducing manual post-deployment configuration and accelerating time-to-security-value.
Closes #1280
Changes
Core Sentinel Infrastructure
Data Connectors
Security Content
New Bicep Modules
New Parameters
Backward Compatibility
All Sentinel features are opt-in with parameters defaulting to \alse. Existing MLZ deployments are unaffected when Sentinel parameters are not specified.
Testing