From fdd0f019192502bca808662bdeb332e43da56222 Mon Sep 17 00:00:00 2001
From: Ken Lawson
Date: Wed, 8 Jan 2025 11:26:04 -0700
Subject: [PATCH] Revised Bicep template & updated lab 08 instructions

---
 Allfiles/Bicep/Sentinel.bicep                     | 15 +++++++++++++++
 .../Labs/LAB_AK_08_Lab1_Ex02_Connect_Windows.md   | 10 +++++-----
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/Allfiles/Bicep/Sentinel.bicep b/Allfiles/Bicep/Sentinel.bicep
index b09bd1e3..b03159fc 100644
--- a/Allfiles/Bicep/Sentinel.bicep
+++ b/Allfiles/Bicep/Sentinel.bicep
@@ -97,6 +97,7 @@ resource pauseScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
   ]
 }
 
+/*
 //Assign the Sentinel Contributor rights on the Resource Group to the User Identity that was just created
 resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(resourceGroup().name, roleDefinitionId)
@@ -108,6 +109,20 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
     pauseScript
   ]
 }
+*/
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().id, resourceGroup().id, scriptIdentity.name, roleDefinitionId)
+  scope: resourceGroup()
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
+    principalId: scriptIdentity.properties.principalId
+    principalType: 'ServicePrincipal'
+  }
+  dependsOn: [
+    pauseScript
+  ]
+}
 
 // Call the external PowerShell script to deploy the solutions and rules
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
diff --git a/Instructions/Labs/LAB_AK_08_Lab1_Ex02_Connect_Windows.md b/Instructions/Labs/LAB_AK_08_Lab1_Ex02_Connect_Windows.md
index 2fd57328..a290de53 100644
--- a/Instructions/Labs/LAB_AK_08_Lab1_Ex02_Connect_Windows.md
+++ b/Instructions/Labs/LAB_AK_08_Lab1_Ex02_Connect_Windows.md
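Review bot: The superseded roleAssignment is kept as a `/* … */` block directly above the new resource in the second hunk instead of being deleted, so the file now carries a dead copy of the resource that will drift from the live one, and the only comment that explained the assignment (`//Assign the Sentinel Contributor rights on the Resource Group to the User Identity that was just created`) is now buried inside that comment block. Drop the commented-out block (git history already preserves it) and put a one-line comment above the new resource, e.g. `// Grant the script identity the role in roleDefinitionId, scoped to this resource group only; principalType 'ServicePrincipal' lets the assignment succeed while the new identity is still replicating`. The deploymentScript resource whose header closes the hunk should depend on `roleAssignment` (explicitly in dependsOn or by referencing it) so the script cannot run before the assignment is effective; its body is outside the hunk, so I cannot confirm whether it already does. The `dependsOn: [ pauseScript ]` on the assignment presumably exists to wait for the identity to propagate — a short comment stating that would keep the next maintainer from removing it.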
@@ -130,17 +130,17 @@ In this task, you install Azure Arc on an on-premises server to make onboarding
 
 In this task, you'll connect an Azure Windows virtual machine to Microsoft Sentinel.
 
+>**Note:** Microsoft Sentinel has been predeployed in your Azure subscription with the name **defenderWorkspace**, and the *Content Hub* has been prepopulated with the necessary solutions.
+
 1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**.
 
-1. Select your Microsoft Sentinel Workspace you created earlier.
+1. Select the Microsoft Sentinel **defenderWorkspace**.
 
-1. 1. In the Microsoft Sentinel left menus, scroll down to the *Content management* section and select **Content Hub**.
+1. 1. In the Microsoft Sentinel left navigation menu, scroll down to the *Content management* section and select **Content Hub**.
 
 1. In the *Content hub*, search for the **Windows Security Events** solution and select it from the list.
 
-1. On the *Windows Security Events* solution page select **Install**.
-
-1. When the installation completes select **Manage**
+1. On the *Windows Security Events* solution page select **Manage**.
 
 >**Note:** The *Windows Security Events* solution installs both the *Windows Security Events via AMA* and the *Security Events via Legacy Agent* Data connectors. Plus 2 Workbooks, 20 Analytic Rules, and 43 Hunting Queries.