Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. VCS: Identify existing or create an org in version control system (Github/Gitlab) and add users involved in implementation to the org.
  2. Azure Subscription: It is advised to use a dedicated azure Azure subscription for XDR MDR deployment to separate any other production resources from XDR MDR resources. Suggested naming convention for new subscription: < company Name>-xdrmdr-< environment >.
  3. Service principal: A service principal is required for integration between Microsoft Sentinel and playbook for automated notifications. Permissions required by service principal is Microsoft Sentinel Contributor. Reference to MS Doc
  4. Azure owner permissions: For initial deployment, owner permissions with Application.Read.All is required to perform role assignment for some of the azure applications to communicate amongst each other or you can create a custom role in Azure AD using instructions in these documentation.

...

In the event of a re-deployment, ensure that the following Azure resources has been removed prior to deployment. Resource group 1.

  1. terraform-remote-state,
  2. security-dashboards,
  3. security-log-analytics,

Image RemovedImage Added

  1. Azure Policy Add resource activity and audit logs to perform self monitoring

Image RemovedImage Added

Login to Azure

...

During resource provisioning you will be asked for inputs at multiple stages inside a vi editor. One of the example is below:

Image RemovedImage Added

Read the instructions in the editor and to edit the values you can press i and update the input values. Once you are satisfied with the input values, press Esc to exit editor mode and :wq (save and quit) the editor to continue with resource provisioning.

...

In Sentinel, you will find our rules, workbooks and automation deployed. For more information about custom content, see XDR SIEM Content Management

If there is an error in running the update-environment script and the outcome was unexpected, you will need to delete the Sentinel resource groups security-dashboards and security-log-analytics before running the script againImage Removed

Update VCS

It is important to commit and push changes after running the update script, or after making any manual changes to code or configurations, within your organisation’s repository (i.e. infrastructure-live).

...