Skip to content

Latest commit

 

History

History
 
 

zero-trust-workbook

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 

README.md

Zero Trust (TIC3.0) Workbook Example

This example adds an Azure Sentinel: Zero Trust (TIC3.0) Workbook solution to MLZ, provided Sentinel has already been deployed in the Operations (T1) resource group.

What this example does

Deploys a Zero Trust (TIC3.0) Workbook in Azure Sentinel

Documentation can be found here: Build and monitor Zero Trust (TIC 3.0) security architectures with Microsoft Sentinel

Pre-requisites

  1. A MissionLZ deployment with Microsoft Defender for Cloud and Azure Sentinel enabled

  2. Enablement of enhanced security features in Microfost Defender for Cloud

The following table lists the required parameters for a Mission LZ deployment to enable an Azure Sentinel Workbook:

Required Parameters Description
location The region to deploy Azure Sentinel into
resourcePrefix A 3-10 alphanumeric character string without whitespace, used to prefix resources and generate uniqueness for resources with globally unique naming requirements
deploySentinel A boolean expression indicating that Azure Sentinel is to be deployed with the MissionLZ deployment
deployDefender A boolean expression indicating that Microsoft Defender for Cloud is enabled in the Mission LZ deployment

An example deployment with required deployment parameters included is shown below:

 az deployment sub create \
   --name "myMlzDeployment" \
   --location eastus \
   --template-file src/bicep/mlz.bicep \
   --parameters resourcePrefix=myPrefix \
   deploySentinel=true \
   deployDefender=true

Deploying Sentinel Zero Trust (TIC3.0) Workbook

The Sentinel Zero Trust (TIC3.0) Workbook is maintained in the Azure Sentinel GitHub repository

With the link provided, it is possible to use the "Deploy to Azure" button with some simple input parameters for Azure Government and Azure Commercial clouds.

Command Line Workbook Deployment

The workbook can be deployed using the Azure CLI az deployment command. The workbook template requires the workspace parameter, which is the name of the Log Analytics workspace connected to Sentinel in MLZ. The workspace name can be found in the MLZ operations resource group, which also contains the Log Analytics and Sentinel deployment. The same resource group is where the az deployment command is deployed. See the example below:

az deployment group create \
--name MlzWorkbookDeploy \
--resource-group myPrefix-rg-operations-mlz \
--template-uri "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ZeroTrust(TIC3.0)/Package/mainTemplate.json" \
--parameters workspace=myPrefix-log-operations-mlz