Azure · ExchMaster · Nov 9, 2021 · Nov 9, 2021 · Nov 9, 2021
@@ -0,0 +1,73 @@
+{
+  "firewallPrivateIPAddress": {
+    "Type": "String",
+    "Value": "10.0.100.4"
+  },
+  "hub": {
+    "Type": "Object",
+    "Value": {
+      "subscriptionId": "ddf87969-a498-4676-a488-1932fbc5a306",
+      "resourceGroupName": "contoso-hub",
+      "resourceGroupResourceId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-hub",
+      "virtualNetworkName": "hub-vnet",
+      "virtualNetworkResourceId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-hub/providers/Microsoft.Network/virtualNetworks/hub-vnet",
+      "subnetName": "hub-vnet/hub-subnet",
+      "subnetResourceId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-hub/providers/Microsoft.Network/virtualNetworks/hub-vnet/subnets/hub-subnet",
+      "subnetAddressPrefix": "10.0.100.128/27",
+      "networkSecurityGroupName": "hub-nsg",
+      "networkSecurityGroupResourceId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-hub/providers/Microsoft.Network/networkSecurityGroups/hub-nsg"
+    }
+  },
+  "logAnalyticsWorkspaceName": {
+    "Type": "String",
+    "Value": "contoso-laws"
+  },
+  "logAnalyticsWorkspaceResourceId": {
+    "Type": "String",
+    "Value": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-operations/providers/Microsoft.OperationalInsights/workspaces/contoso-laws"
+  },
+  "spokes": {
+    "Type": "Array",
+    "Value": [
+      {
+        "name": "operations",
+        "subscriptionId": "ddf87969-a498-4676-a488-1932fbc5a306",
+        "resourceGroupName": "contoso-operations",
+        "resourceGroupId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-operations",
+        "virtualNetworkName": "operations-vnet",
+        "virtualNetworkResourceId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-operations/providers/Microsoft.Network/virtualNetworks/operations-vnet",
+        "subnetName": "operations-subnet",
+        "subnetResourceId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-operations/providers/Microsoft.Network/virtualNetworks/operations-vnet/subnets/operations-subnet",
+        "subnetAddressPrefix": "10.0.115.0/27",
+        "networkSecurityGroupName": "operations-nsg",
+        "networkSecurityGroupResourceId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-operations/providers/Microsoft.Network/networkSecurityGroups/operations-nsg"
+      },
+      {
+        "name": "identity",
+        "subscriptionId": "ddf87969-a498-4676-a488-1932fbc5a306",
+        "resourceGroupName": "contoso-identity",
+        "resourceGroupId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-identity",
+        "virtualNetworkName": "identity-vnet",
+        "virtualNetworkResourceId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-identity/providers/Microsoft.Network/virtualNetworks/identity-vnet",
+        "subnetName": "identity-subnet",
+        "subnetResourceId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-identity/providers/Microsoft.Network/virtualNetworks/identity-vnet/subnets/identity-subnet",
+        "subnetAddressPrefix": "10.0.110.0/27",
+        "networkSecurityGroupName": "identity-nsg",
+        "networkSecurityGroupResourceId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-identity/providers/Microsoft.Network/networkSecurityGroups/identity-nsg"
+      },
+      {
+        "name": "sharedServices",
+        "subscriptionId": "ddf87969-a498-4676-a488-1932fbc5a306",
+        "resourceGroupName": "contoso-sharedServices",
+        "resourceGroupId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-sharedServices",
+        "virtualNetworkName": "sharedServices-vnet",
+        "virtualNetworkResourceId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-sharedServices/providers/Microsoft.Network/virtualNetworks/sharedServices-vnet",
+        "subnetName": "sharedServices-subnet",
+        "subnetResourceId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-sharedServices/providers/Microsoft.Network/virtualNetworks/sharedServices-vnet/subnets/sharedServices-subnet",
+        "subnetAddressPrefix": "10.0.120.0/27",
+        "networkSecurityGroupName": "sharedServices-nsg",
+        "networkSecurityGroupResourceId": "/subscriptions/ddf87969-a498-4676-a488-1932fbc5a306/resourceGroups/contoso-sharedServices/providers/Microsoft.Network/networkSecurityGroups/sharedServices-nsg"
+      }
+    ]
+  }
+}
@@ -1,22 +1,70 @@
 # Sentinel Example
 
-This example adds an Azure Sentinel solution to a Log Analytics Workspace using Terraform.
+This example adds an Azure Sentinel solution to a Log Analytics Workspace using two independent deployment methods:  Bicep or Terraform.  Pick whichever works best.
 
 Read on to understand what this example does, and when you're ready, collect all of the pre-requisites, then deploy the example.
 
 ## What this example does
 
 ### Deploys Sentinel
 
-The docs on Azure Sentinel: <https://docs.microsoft.com/en-us/azure/sentinel/overview>
+The docs on Azure Sentinel: <https://docs.microsoft.com/en-us/azure/sentinel/overview>.  This sample shows how to deploy using either Bicep or Terraform.  The deployment options are not intended to be used together, both are wholly independent options.
 
 ## Pre-requisites
 
-1. Terraform ([link to download](https://www.terraform.io/downloads.html))
-1. An internet connection (you can bundle Terraform dependencies, but this example does not and retrieves them from the internet)
-1. A desired region to deploy Azure Sentinel into described below
+### Bicep Deployment Option
+
 1. A Mission LZ deployment (a deployment of mlz.bicep)
-1. The output from that deployment described below
+2. The output from that deployment described below:
+
+Deployment Output Name | Description
+-----------------------| -----------
+logAnalyticsWorkspaceName | The Log Analytics Workspace to which Azure Sentinel will be added as as solution
+logAnalyticsWorkspaceResourceId | The resource ID of the Log Anayltics Workspace for use within Azure Sentinel
+operationsResourceGroupName | The resource group name which contains the Log Analytics Workspace to be used with Azure Sentinel
+operationsSubscriptionId | The Azure subscription ID which contains the operations resource group deployed as part of MLZ
+
+One way to generate a global variable file(deploymentVariables.json) which contains all of the needed values for this examples and others as well is through PowerShell Core and the Azure PowerShell module.  Both PowerShell Core and the Azure PowerShell module are open source projects and avaliable for all major operating systems (Mac, Linux, Windows).
+
+* Get PowerShell Core:  <https://github.com/PowerShell/PowerShell/releases>
+* Get Azure PowerShell: <https://docs.microsoft.com/en-us/powershell/azure/install-az-ps>
+* Getting Started with Azure PowerShell: <https://docs.microsoft.com/en-us/powershell/azure/get-started-azureps>
+* Generate 'deploymentVariables.json': (Get-AzSubscriptionDeployment -Name MLZDeploymentName).outputs | ConvertTo-Json -Depth 10 | Out-File -FilePath .\deploymentVariables.json
+* Replace "MLZDeploymentName" with your deployment name:  Browse to 'Subscriptions', to the subscription MLZ was deployed into, and then look at 'Deployments'
+
+Place the 'deploymentVariables.json' file ./src/bicep/examples folder.  See the sample for reference.
+
+### Deploying Sentinel - Bicep
+
+Connect to the appropriate Azure Environment and set appropriate context, see getting started with Azure PowerShell for help if needed.  The commands below assume you are deploying in Azure Commercial and show the entire process from deploying MLZ and then adding Azure Sentinel post-deployment. 
+
+```PowerShell
+cd ./src/bicep
+Connect-AzAccount
+New-AzSubscriptionDeployment -Name contosoMLZ -TemplateFile .\mlz.bicep -resourcePrefix 'contoso' -Location 'eastus'
+cd ./examples
+(Get-AzSubscriptionDeployment -Name contosoMLZ).outputs | ConvertTo-Json -Depth 10 | Out-File -FilePath .\deploymentVariables.json
+cd ./sentinel
+New-AzSubscriptionDeployment -DeploymentName deploySentinel -TemplateFile .\sentinel.bicep -Location 'eastus'
+```
+
+Or, completely experimentally, try the Portal:
+
+### AzureCloud
+
+[![Deploy To Azure](../../../../docs/images/deploytoazure.svg?sanitze=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fexamples%2Fsentinel%2Fmodules%2FdeploySentinel.json)
+
+### AzureUSGovernment
+
+[![Deploy To Azure US Gov](../../../../docs/images/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#create/Microsoft.https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fexamples%2Fsentinel%2Fmodules%2FdeploySentinel.json)
+
+## Terraform Deployment Option
+
+1. Terraform ([link to download](https://www.terraform.io/downloads.html))
+2. An internet connection (you can bundle Terraform dependencies, but this example does not and retrieves them from the internet)
+3. A desired region to deploy Azure Sentinel into described below
+4. A Mission LZ deployment (a deployment of mlz.bicep)
+5. The output from that deployment described below
 
 Required Parameters | Description
 ------------------- | -----------
@@ -79,7 +127,7 @@ export $(az deployment sub show --name "myMlzDeployment" --query "properties.out
 ```
 <!-- markdownlint-enable MD013 -->
 
-## Deploying Sentinel
+## Deploying Sentinel - Terraform
 
 You'll need to initialize Terraform in this directory:
 

@@ -0,0 +1,23 @@
+
+param sentinelSolutionName string 
+param logAnalyticsWorkspaceResourceId string
+
+
+var product = 'OMSGallery/SecurityInsights'
+var publisher = 'Microsoft'
+
+
+resource MicrosoftSentinelSolutionName 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = {
+  name: sentinelSolutionName
+  location: resourceGroup().location
+  plan: {
+    name: sentinelSolutionName
+    promotionCode: ''
+    product: product
+    publisher: publisher
+  }
+  properties: {
+    workspaceResourceId: logAnalyticsWorkspaceResourceId
+  }
+}
+
@@ -0,0 +1,41 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.4.613.9944",
+      "templateHash": "11023628893449650523"
+    }
+  },
+  "parameters": {
+    "sentinelSolutionName": {
+      "type": "string"
+    },
+    "logAnalyticsWorkspaceResourceId": {
+      "type": "string"
+    }
+  },
+  "functions": [],
+  "variables": {
+    "product": "OMSGallery/SecurityInsights",
+    "publisher": "Microsoft"
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationsManagement/solutions",
+      "apiVersion": "2015-11-01-preview",
+      "name": "[parameters('sentinelSolutionName')]",
+      "location": "[resourceGroup().location]",
+      "plan": {
+        "name": "[parameters('sentinelSolutionName')]",
+        "promotionCode": "",
+        "product": "[variables('product')]",
+        "publisher": "[variables('publisher')]"
+      },
+      "properties": {
+        "workspaceResourceId": "[parameters('logAnalyticsWorkspaceResourceId')]"
+      }
+    }
+  ]
+}
@@ -0,0 +1,31 @@
+/*
+//
+//Makes use of a global variable json file to provide necessary information to support the deployment of Azure Sentinel 
+//
+//To create the 'deploymentVariables.json' file from your MLZ deployment in PowerShell:
+//
+//--  (Get-AzSubscriptionDeployment -Name <MLZDeploymentName>).outputs | ConvertTo-Json -Depth 10 | Out-File -FilePath .\deploymentVariables.json
+//
+//Retrieve the MLZ deployment name by browsing to 'Subscriptions', to the subscription you deployed into, and then look at 'Deployments'
+//
+//Requires PowerShell Core (avaliable for all operating systems):  https://github.com/PowerShell/PowerShell/releases
+//Requires Azure PowerShell Module (avaliable for all operating systems): https://docs.microsoft.com/en-us/powershell/azure/install-az-ps
+//
+//By-pass the use of the deploymentVariables.json file altogther by calling the './modules/deploySentinel.bicep' file directly with the required informaiton.
+//
+*/
+targetScope = 'subscription'
+
+var mlzDeploymentVariables = json(loadTextContent('../deploymentVariables.json'))
+var sentinelSolutionName = 'SecurityInsights(${mlzDeploymentVariables.logAnalyticsWorkspaceName.Value})'
+var logAnalyticsWorkspaceResourceId = '${mlzDeploymentVariables.logAnalyticsWorkspaceResourceId.Value}'
+var operationsResourceGroupName = '${mlzDeploymentVariables.spokes.Value[0].resourceGroupName}'
+var operationsSubscriptionId = '${mlzDeploymentVariables.spokes.Value[0].subscriptionId}'
+module deploySentinel 'modules/deploySentinel.bicep' = {
+  name: 'deploySentinel'
+  params: {
+    logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+    sentinelSolutionName: sentinelSolutionName
+  }
+  scope: resourceGroup(operationsSubscriptionId,operationsResourceGroupName)
+}