...

  1. VCS: Identify an existing organization, or create one, in the version control system (GitHub/GitLab) and add the users involved in the implementation to it.
  2. Azure Subscription: Use a dedicated Azure subscription for the XDR MDR deployment so that its resources are kept separate from other production resources. Suggested naming convention for the new subscription: <company name>-xdrmdr-<environment>.
  3. Service principal: A service principal is required for the integration between Microsoft Sentinel and the playbook used for automated notifications. The role required by the service principal is Microsoft Sentinel Contributor (see the Microsoft documentation).
  4. Azure owner permissions: For the initial deployment, Owner permissions together with the Application.Read.All permission are required to perform the role assignments that let some of the Azure applications communicate with each other. Alternatively, create a custom role in Azure AD following the instructions in the documentation.

...

  1. terraform-remote-state,
  2. security-dashboards,
  3. security-log-analytics,

  4. Azure Policy: adds resource activity and audit logs for self-monitoring.

...


Log in to Azure

...

Note: you need to be in the root directory of infrastructure-live to run all of the following operations.

```bash
cd ./infrastructure-live
```

...

Once the bootstrap script has run successfully, you will see the /azure/<ENVIRONMENT> folder generated.

You will also see the remote state named tfstate by visiting Storage accounts in the Azure Portal.

If the bootstrap process errors out or produces an unexpected outcome, delete the environment directory under /azure before running the bootstrap script again.

...

During resource provisioning you will be asked for inputs at multiple stages inside a vi editor. One example is shown below:

Read the instructions in the editor; to edit the values, press i and update the input values. Once you are satisfied with the input values, press Esc to leave insert mode and type :wq (save and quit) to continue with resource provisioning.

Once the update-environment script has run successfully, you can verify in the Azure Portal that the resource groups for remote-state, log-analytics and dashboards have been created.

Microsoft Sentinel will also have been configured.

In Sentinel, you will find our rules, workbooks and automation deployed. For more information about custom content, see XDR SIEM Content Management

If the update-environment script errors out or produces an unexpected outcome, delete the Sentinel resource groups security-dashboards and security-log-analytics before running the script again.
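The two failure rules above (remove the /azure/<ENVIRONMENT> directory after a failed bootstrap, delete the security-dashboards and security-log-analytics resource groups after a failed update-environment) are easy to forget when retrying by hand. The wrapper below is an added example, not code from this page or from the infrastructure-live repository: it runs each step from the repository root, checks the expected outputs, and performs the documented cleanup when a step fails. The script names ./bootstrap.sh and ./update-environment.sh, the resource group name terraform-remote-state, the INFRA_ROOT variable and the single environment-name argument are assumptions; adjust them to your repository. The az commands require an existing az login.

```shell
#!/usr/bin/env bash
# Added example for the bootstrap / update-environment procedure on this page.
# Assumed (hypothetical) script names: ./bootstrap.sh and ./update-environment.sh,
# both taking the environment name as their first argument.
set -u

INFRA_ROOT="${INFRA_ROOT:-$(pwd)}"                     # root of infrastructure-live
REMOTE_STATE_RG="${REMOTE_STATE_RG:-terraform-remote-state}"   # assumed RG name
SENTINEL_RGS="security-dashboards security-log-analytics"    # names from the page

# Directory the bootstrap script generates for an environment.
env_dir() { printf '%s/azure/%s\n' "$INFRA_ROOT" "$1"; }

# Returns 0 if the generated environment directory exists, 1 otherwise.
verify_bootstrap_dir() { [ -d "$(env_dir "$1")" ]; }

# Remove a half-generated environment directory so bootstrap can be re-run.
# Rejects names that could escape $INFRA_ROOT/azure (empty, ".", "..", slashes).
cleanup_bootstrap() {
  case "$1" in
    ""|.|..|*/*) echo "refusing to delete environment '$1'" >&2; return 1 ;;
  esac
  rm -rf -- "$(env_dir "$1")"
}

# Check that the tfstate container exists in the remote-state storage account
# (the page has you confirm this by hand in the portal). Needs az CLI + login.
verify_tfstate() {
  account="$(az storage account list -g "$REMOTE_STATE_RG" --query '[0].name' -o tsv)"
  [ -n "$account" ] && az storage container show --name tfstate \
      --account-name "$account" --auth-mode login >/dev/null
}

# Delete the Sentinel resource groups the page says must go before a retry.
cleanup_sentinel_rgs() {
  for rg in $SENTINEL_RGS; do
    az group delete --name "$rg" --yes --no-wait
  done
}

run_bootstrap() {
  cd "$INFRA_ROOT" || return 1                         # scripts must run from the repo root
  if ./bootstrap.sh "$1" && verify_bootstrap_dir "$1" && verify_tfstate; then
    echo "bootstrap OK: $(env_dir "$1")"
  else
    echo "bootstrap failed, removing $(env_dir "$1") before retry" >&2
    cleanup_bootstrap "$1"
    return 1
  fi
}

run_update_environment() {
  cd "$INFRA_ROOT" || return 1
  if ./update-environment.sh "$1"; then
    echo "update-environment OK"
  else
    echo "update-environment failed, deleting $SENTINEL_RGS before retry" >&2
    cleanup_sentinel_rgs
    return 1
  fi
}

# Full procedure for one environment; call as: deploy prod
deploy() { run_bootstrap "$1" && run_update_environment "$1"; }
```

Source the file and call deploy with the environment name from the infrastructure-live root. The cleanup functions deliberately refuse environment names such as ".." or anything containing a slash, because rm -rf on a path built from user input is exactly the kind of footgun a retry helper should not introduce; the resource-group deletions use --no-wait, so poll az group list before re-running update-environment.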

...