Sentinel Deployment Fix (#1709)

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Azure · Aug 14, 2024 · 24ae46a · 24ae46a
1 parent 7b7ff1d
commit 24ae46a
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 413 deletions.
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
@@ -1,6 +1,7 @@
 ## In this Section
 
 - [Updates](#updates)
+  - [August 2024](#august-2024)
   - [July 2024](#july-2024)
   - [June 2024](#june-2024)
   - [🆕 AMA Updates](#-ama-updates)
@@ -47,6 +48,14 @@ This article will be updated as and when changes are made to the above and anyth
 
 Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
+### August 2024
+
+#### Other
+
+- Cleaned up the Log Analytics "solutions" in portal ARM template, as these are no longer required and deployed by ALZ.
+- Re-introduced the option to enable "Sentinel" in the portal accelerator.
+- Updated Microsoft Sentinel onboarding (enablement) using the new mechanism that fixes issues after 1 July 2024. Microsoft Sentinel is enabled by default through the portal accelerator as a best practice - we do not however configure any data connectors, we only enable the service. Should you wish to remove this, you can delete the association from the Azure Portal after deployment from the "Sentinel" feature blade.
+
 ### July 2024
 
 #### Policy

diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
@@ -439,6 +439,26 @@
                                 "style": "Info"
                             }
                         },
+                        {
+                            "name": "enableSentinel",
+                            "type": "Microsoft.Common.OptionsGroup",
+                            "label": "Deploy Microsoft Sentinel (configuration required to activate)",
+                            "defaultValue": "Yes (recommended)",
+                            "toolTip": "If 'Yes' is selected Sentinel will be enabled on the Log Analytics workspace. Note additional configuration is required to complete Sentinel onboarding.",
+                            "constraints": {
+                                "allowedValues": [
+                                    {
+                                        "label": "Yes (recommended)",
+                                        "value": "Yes"
+                                    },
+                                    {
+                                        "label": "No",
+                                        "value": "No"
+                                    }
+                                ]
+                            },
+                            "visible": true
+                        },
                         {
                             "name": "esMgmtSubSection",
                             "type": "Microsoft.Common.Section",
@@ -8972,6 +8992,7 @@
                 "enableUpdateMgmt": "[steps('management').enableUpdateMgmt]",
                 "enableVmInsights": "[steps('management').enableVmInsights]",
                 "retentionInDays": "[string(steps('management').retentionInDays)]",
+                "enableSentinel": "[steps('management').enableSentinel]",
                 "managementSubscriptionId": "[steps('management').esMgmtSubSection.esMgmtSub]",
                 "enableAsc": "[steps('management').enableAsc]",
                 "emailContactAsc": "[steps('management').emailContactAsc]",

diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
@@ -40,6 +40,10 @@
             "type": "string",
             "defaultValue": ""
         },
+        "enableSentinel": {
+            "type": "string",
+            "defaultValue": "Yes"
+        },
         "managementSubscriptionId": {
             "type": "string",
             "defaultValue": "",
@@ -203,14 +207,6 @@
             ],
             "defaultValue": "Disabled"
         },
-        "enableSecuritySolution": {
-            "type": "string",
-            "defaultValue": "Yes",
-            "allowedValues": [
-                "Yes",
-                "No"
-            ]
-        },
         "enableMonitorBaselines": {
             "type": "string",
             "defaultValue": "",
@@ -1596,7 +1592,6 @@
             "resourceGroup": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/resourceGroup.json')]",
             "ddosProtection": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/ddosProtection.json')]",
             "logAnalyticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json')]",
-            "monitoringSolutions": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/logAnalyticsSolutions.json')]",
             "asbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json')]",
             "regulatoryComplianceInitaitves": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-RegulatoryCompliancePolicyAssignment.json')]",
             "resourceDiagnosticsInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json')]",
@@ -1714,7 +1709,6 @@
             "monitorManagementDeploymentName": "[take(concat('alz-ManagementMonitor', variables('deploymentSuffix')), 64)]",
             "monitorLandingZoneDeploymentName": "[take(concat('alz-LandingZoneMonitor', variables('deploymentSuffix')), 64)]",
             "monitorServiceHealthDeploymentName": "[take(concat('alz-SvcHealthMonitor', variables('deploymentSuffix')), 64)]",
-            "monitoringSolutionsDeploymentName": "[take(concat('alz-Solutions', variables('deploymentSuffix')), 64)]",
             "asbPolicyDeploymentName": "[take(concat('alz-ASB', variables('deploymentSuffix')), 64)]",
             "regulatoryComplianceInitativesToAssignDeploymentName": "[take(concat('alz-RegComp-', deployment().location, '-', uniqueString(parameters('currentDateTimeUtcNow')), '-'), 64)]",
             "resourceDiagnosticsPolicyDeploymentName": "[take(concat('alz-ResourceDiagnostics', variables('deploymentSuffix')), 64)]",
@@ -1842,7 +1836,6 @@
             "subnetNsgIdentityLitePolicyDeploymentName": "[take(concat('alz-SubnetNsgIdentity', variables('deploymentSuffix')), 64)]",
             "monitoringLiteDeploymentName": "[take(concat('alz-MonitoringLite', variables('deploymentSuffix')), 64)]",
             "logAnalyticsLitePolicyDeploymentName": "[take(concat('alz-LAPolicyLite', variables('deploymentSuffix')), 64)]",
-            "monitoringSolutionsLiteDeploymentName": "[take(concat('alz-SolutionsLite', variables('deploymentSuffix')), 64)]",
             "platformLiteSubscriptionPlacement": "[take(concat('alz-PlatformSubLite', variables('deploymentSuffix')), 64)]",
             "vnetConnectivityHubLiteDeploymentName": "[take(concat('alz-VnetHubLite', variables('deploymentSuffix')), 64)]",
             "vwanConnectivityHubLiteDeploymentName": "[take(concat('alz-VWanHubLite', variables('deploymentSuffix')), 64)]",
@@ -2414,6 +2407,9 @@
                     },
                     "retentionInDays": {
                         "value": "[parameters('retentionInDays')]"
+                    },
+                    "enableSentinel": {
+                        "value": "[parameters('enableSentinel')]"
                     }
                 }
             }
@@ -2538,40 +2534,6 @@
                 }
             }
         },
-        {
-            // Deploying Sentinel to Log Analytics workspace if condition is true
-            "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableSecuritySolution'), 'Yes'))]",
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "[variables('deploymentNames').monitoringSolutionsDeploymentName]",
-            "location": "[deployment().location]",
-            "subscriptionId": "[parameters('managementSubscriptionId')]",
-            "dependsOn": [
-                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
-                "policyCompletion"
-            ],
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "contentVersion": "1.0.0.0",
-                    "uri": "[variables('deploymentUris').monitoringSolutions]"
-                },
-                "parameters": {
-                    "rgName": {
-                        "value": "[variables('platformRgNames').mgmtRg]"
-                    },
-                    "workspaceName": {
-                        "value": "[variables('platformResourceNames').logAnalyticsWorkspace]"
-                    },
-                    "workspaceRegion": {
-                        "value": "[deployment().location]"
-                    },
-                    "enableSecuritySolution": {
-                        "value": "[parameters('enableSecuritySolution')]"
-                    }
-                }
-            }
-        },
         {
             // Assigning Log Analytics workspace policy to management management group if condition is true
             "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]",
@@ -7544,6 +7506,9 @@
                     },
                     "retentionInDays": {
                         "value": "[parameters('retentionInDays')]"
+                    },
+                    "enableSentinel": {
+                        "value": "[parameters('enableSentinel')]"
                     }
                 }
             }
@@ -7581,43 +7546,6 @@
                 }
             }
         },
-        /*
-            Note: ES Lite only: the following deployments will deploy Sentinel to the platform subscription
-        */
-        {
-            // Deploying Sentinel to the Log Analytics workspace if condition is true
-            "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableSecuritySolution'), 'Yes'))]",
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "[variables('esLiteDeploymentNames').monitoringSolutionsLiteDeploymentName]",
-            "location": "[deployment().location]",
-            "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
-            "dependsOn": [
-                "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]",
-                "policyCompletion"
-            ],
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "contentVersion": "1.0.0.0",
-                    "uri": "[variables('deploymentUris').monitoringSolutions]"
-                },
-                "parameters": {
-                    "rgName": {
-                        "value": "[variables('platformRgNames').mgmtRg]"
-                    },
-                    "workspaceName": {
-                        "value": "[variables('platformResourceNames').logAnalyticsWorkspace]"
-                    },
-                    "workspaceRegion": {
-                        "value": "[deployment().location]"
-                    },
-                    "enableSecuritySolution": {
-                        "value": "[parameters('enableSecuritySolution')]"
-                    }
-                }
-            }
-        },
         /*
             Note: ES Lite only: deploy Log Analytics workspace policy to the platform management group
         */