
Comments (4)

pkhabazi avatar pkhabazi commented on September 14, 2024

hi Marc, thanks again for your great feedback. I am glad that you like the work done.

I cannot follow up with the first point: when I follow the described path I cannot continue from "Virtual Machines > $MachineName - click on connect". Can you please add more info to this point?

Point 2 is a good one, I have already done some testing on this part. Unfortunately there is too much variation in the configuration of each data connector; I need to find a way to dynamically resolve the connector properties. Maybe it's an idea to start with a set of the most used connectors for now. Please let me know what you think about it and which are your most used connectors. Maybe we can create a separate PS script to do this for your scenario for the time being?

from azsentinel.

MarcOverIP avatar MarcOverIP commented on September 14, 2024

Hi Pouyan,

Indeed, the option when selected has a different name compared to the 'top bar'. Basically I mean the path for enabling a connector on an (Azure) VM. Let's take the 'Security Events' connector for example. The full click-path is:
Home > Azure Sentinel workspaces > Azure Sentinel - Data connectors > Security Events > Open connector page > Install agent on Azure Windows Virtual Machine > Download & install agent for Azure Windows Virtual machines > Select the VMs you want > click on connect

I totally understand to start small with most important data connectors. Imho that would be 'Security Events'. Tbh, other connectors are not really in my interest at this moment.

Alongside that, I would prefer to be able to configure the 'advanced settings' (Home > Azure Sentinel Workspaces > $WorkspaceName > Workspace settings > Advanced Settings) before enabling other data connectors. The reason for this is that it allows me to import Sysmon logs into Sentinel.
But again, I may be in a corner case here.

from azsentinel.
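The 'advanced settings' step above (Workspace settings > Advanced Settings > Data > Windows Event Logs) has a scripted equivalent in the Az.OperationalInsights module. The following is an added example, not code from the azsentinel project or from either commenter: it registers the Sysmon operational channel as a Windows event data source on the workspace, so that any VM running the Log Analytics agent for that workspace forwards Sysmon events. The resource group, workspace and data source names are placeholders; the channel name is the real one Sysmon writes to.

```powershell
#Requires -Modules Az.Accounts, Az.OperationalInsights

# Added example (not azsentinel project code): scripted equivalent of
# Workspace settings > Advanced Settings > Data > Windows Event Logs for Sysmon.
# Resource group, workspace and data source names are assumptions; replace them.
$ResourceGroupName = "rg-sentinel"
$WorkspaceName     = "law-sentinel"
$DataSourceName    = "SysmonOperational"
# Exact channel name as shown in Event Viewer; Log Analytics matches on this string.
$EventLogName      = "Microsoft-Windows-Sysmon/Operational"

# Idempotency check: do not create a duplicate data source if the channel is already collected.
$existing = Get-AzOperationalInsightsDataSource -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkspaceName -Kind WindowsEvent |
    Where-Object { $_.Properties.EventLogName -eq $EventLogName }

if ($existing) {
    Write-Host "Channel '$EventLogName' is already collected as data source '$($existing.Name)'"
}
else {
    # Sysmon logs every event at the Information level, so -CollectInformation is mandatory;
    # without it the data source exists but nothing from Sysmon reaches the workspace.
    New-AzOperationalInsightsWindowsEventDataSource -ResourceGroupName $ResourceGroupName `
        -WorkspaceName $WorkspaceName -Name $DataSourceName -EventLogName $EventLogName `
        -CollectErrors -CollectWarnings -CollectInformation
}

# Verify: list every Windows event log channel the workspace now collects.
Get-AzOperationalInsightsDataSource -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkspaceName -Kind WindowsEvent |
    Select-Object Name, @{ n = 'EventLogName'; e = { $_.Properties.EventLogName } }
```

Once the data source exists, Sysmon events land in the `Event` table (not `SecurityEvent`) with `EventLog == "Microsoft-Windows-Sysmon/Operational"`, and the fields Sysmon writes (Image, CommandLine, Hashes and so on) arrive inside the `EventData` XML and have to be parsed in KQL. The workspace setting is global: every agent attached to the workspace starts forwarding that channel, so make sure Sysmon is actually installed with a tuned configuration on the VMs first, or the channel is simply empty.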

pkhabazi avatar pkhabazi commented on September 14, 2024

hi Marc,

Thanks for the extra info, that clarifies a lot. So the agent that you want to enable is actually the Log Analytics workspace agent "MicrosoftMonitoringAgent". You can enable this through JSON ARM or PowerShell by running the following:

#Requires -Modules Az.Accounts, Az.OperationalInsights, Az.Compute

$workspaceName   = "your workspace name"
$VMresourcegroup = "**"
$VMresourcename  = "**"

# Resolve the Log Analytics workspace by name within the current subscription
$workspace = Get-AzOperationalInsightsWorkspace | Where-Object { $_.Name -eq $workspaceName }

# Stop here (throw, not just Write-Error) so we never try to enrol the VM against a missing workspace
if (-not $workspace -or $workspace.Name -ne $workspaceName)
{
    throw "Unable to find Log Analytics workspace $workspaceName. Do you need to run Set-AzContext to select the right subscription?"
}

# The agent needs the workspace ID (public) and the primary shared key (secret)
$workspaceId  = $workspace.CustomerId
$workspaceKey = (Get-AzOperationalInsightsWorkspaceSharedKeys -ResourceGroupName $workspace.ResourceGroupName -Name $workspace.Name).PrimarySharedKey

$vm       = Get-AzVM -ResourceGroupName $VMresourcegroup -Name $VMresourcename
$location = $vm.Location

# workspaceId goes in the public settings; workspaceKey must go in ProtectedSettings,
# which Azure encrypts and does not return when the extension is read back
$publicSettings    = @{ workspaceId  = $workspaceId }  | ConvertTo-Json -Compress
$protectedSettings = @{ workspaceKey = $workspaceKey } | ConvertTo-Json -Compress

# For a Windows VM:
Set-AzVMExtension -ResourceGroupName $VMresourcegroup -VMName $VMresourcename -Name 'MicrosoftMonitoringAgent' -Publisher 'Microsoft.EnterpriseCloud.Monitoring' -ExtensionType 'MicrosoftMonitoringAgent' -TypeHandlerVersion '1.0' -Location $location -SettingString $publicSettings -ProtectedSettingString $protectedSettings

# For a Linux VM, use this line instead of the Windows one:
# Set-AzVMExtension -ResourceGroupName $VMresourcegroup -VMName $VMresourcename -Name 'OmsAgentForLinux' -Publisher 'Microsoft.EnterpriseCloud.Monitoring' -ExtensionType 'OmsAgentForLinux' -TypeHandlerVersion '1.0' -Location $location -SettingString $publicSettings -ProtectedSettingString $protectedSettings

source

Regarding the second point I will keep you posted when we have a working function to enable the solutions.

from azsentinel.

MarcOverIP avatar MarcOverIP commented on September 14, 2024

Thanks, got it to work via templates.

Really looking forward to your solution for the data connectors!

from azsentinel.
