In this blog post, we will learn how to deploy Azure Sentinel with ARM template and Azure CLI.
About Azure Sentinel
Azure Sentinel is a cloud-based Security Information and Event Management (SIEM) system that is powered by Azure Log Analytics.
The core components of Sentinel are:
- Data Connectors – These are built-in connectors that allow us to connect to data sources like Syslog server, Azure AD and Microsoft 365.
- Log retention – Capability to store logs for short and long time periods.
- Workbooks – This is where we can create dashboards with all the data we get from the connectors.
- Alerts, notifications and investigations – Manage security incidents.
- Automation – Automation of response to Security incidents.
ARM
To deploy Sentinel, I will use an ARM template file and a parameter file. The files for the deployment are in our GitHub repository below:
https://github.com/ntweeklycom/ARM/tree/main/Sentinel/Deploy
To deploy the ARM template I will use Azure CLI with the following commands. The commands below also create a resource group, which you don't need to do if you are deploying into an existing one.
The template will create a new Log Analytics resource to use for Sentinel.
```bash
# Login to Azure
az login
# Set Subscription
az account set --subscription "name of subscription"
# Create resource group
az group create --name "Sentinel" --location "West US"
# Deploy template
az deployment group create --name deploysentinel --resource-group sentinel --template-file azuredeploy.json --parameters azuredeploy.parameters.json --verbose
```
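Before running `az deployment group create`, it is worth reviewing the template and parameter file offline: every parameter without a default must be supplied, the Log Analytics workspace must exist with a retention period long enough for investigations, and the Sentinel solution must depend on that workspace. The Python script below is an added example, not code from this blog or its GitHub repository; the template and parameter dictionaries in it are constructed stand-ins shaped like `azuredeploy.json` and `azuredeploy.parameters.json`, and the real files may declare different parameters.

```python
"""Pre-deployment review of a Sentinel ARM template and its parameter file.
The sample inputs below are constructed; the blog's real files may differ."""
import re

PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")

def resolve(value, template, params):
    """Resolve a literal or a [parameters('x')] expression (parameter file wins over defaultValue)."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    if not m:
        return value  # literal, or an ARM expression this checker does not evaluate
    name = m.group(1)
    if name in params.get("parameters", {}):
        return params["parameters"][name]["value"]
    return template["parameters"].get(name, {}).get("defaultValue")

def review(template, params, min_retention_days=90):
    """Return a list of findings; an empty list means the inputs passed every check."""
    findings = []
    supplied = set(params.get("parameters", {}))
    for name, spec in template.get("parameters", {}).items():
        if "defaultValue" not in spec and name not in supplied:
            findings.append(f"parameter '{name}' has no default and no value in the parameter file")
    resources = template.get("resources", [])
    workspaces = [r for r in resources if r["type"] == "Microsoft.OperationalInsights/workspaces"]
    if not workspaces:
        findings.append("no Log Analytics workspace resource in the template")
    for ws in workspaces:  # retention is what keeps logs available for investigation
        days = resolve(ws.get("properties", {}).get("retentionInDays"), template, params)
        if not isinstance(days, int) or days < min_retention_days:
            findings.append(f"workspace retention {days!r} is below {min_retention_days} days")
    sentinel = [r for r in resources if r["type"] == "Microsoft.OperationsManagement/solutions"
                and r.get("plan", {}).get("product") == "OMSGallery/SecurityInsights"]
    if not sentinel:
        findings.append("no SecurityInsights (Sentinel) solution resource in the template")
    elif not sentinel[0].get("dependsOn"):
        findings.append("Sentinel solution has no dependsOn; it may deploy before the workspace exists")
    return findings

# Constructed sample template: a workspace plus the Sentinel solution bound to it.
TEMPLATE = {
    "parameters": {"workspaceName": {"type": "string"},
                   "retentionInDays": {"type": "int", "defaultValue": 30}},
    "resources": [
        {"type": "Microsoft.OperationalInsights/workspaces", "name": "[parameters('workspaceName')]",
         "properties": {"retentionInDays": "[parameters('retentionInDays')]"}},
        {"type": "Microsoft.OperationsManagement/solutions",
         "plan": {"product": "OMSGallery/SecurityInsights", "publisher": "Microsoft"},
         "dependsOn": ["[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"]}]}
PARAMS_OK = {"parameters": {"workspaceName": {"value": "sentinel-law"}, "retentionInDays": {"value": 90}}}
PARAMS_BAD = {"parameters": {}}  # nothing supplied: name missing, retention falls back to 30
```

Run `review(TEMPLATE, PARAMS_OK)` to get an empty list and `review(TEMPLATE, PARAMS_BAD)` to see the missing-parameter and short-retention findings; swap in the real files with `json.load` to check them the same way.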