Connect Azure Arc enabled servers to Azure Sentinel

The following README will guide you through onboarding Azure Arc enabled servers onto Azure Sentinel, so you can start collecting security-related events and correlating them with other data sources.

In this guide, you will enable and configure Azure Sentinel on your Azure subscription. To complete this process you will:

  • Set up a Log Analytics workspace where logs and events will be aggregated for analysis and correlation.

  • Enable Azure Sentinel on the workspace.

  • Onboard Azure Arc enabled servers onto Sentinel by using the extension management feature and Azure Policy.

Note: This guide assumes you have already deployed VMs or servers running on-premises or in other clouds and connected them to Azure Arc. If you haven’t, this repository offers a way to do so in an automated fashion.

Prerequisites

  • Clone the Azure Arc Jumpstart repository

    git clone https://github.com/microsoft/azure_arc.git
    
  • As mentioned, this guide starts at the point where you have already deployed and connected VMs or bare-metal servers to Azure Arc. For this scenario, as can be seen in the screenshots below, we will be using a Google Cloud Platform (GCP) instance that has already been connected to Azure Arc and is visible as a resource in Azure.

    Screenshot showing Azure Portal with Azure Arc enabled server

    Screenshot showing Azure Portal with Azure Arc enabled server detail

  • Install or update Azure CLI. Azure CLI should be running version 2.7 or later. Use az --version to check your currently installed version.

  • Create Azure service principal (SP).

    To connect a VM or bare-metal server to Azure Arc, an Azure service principal assigned the “Contributor” role is required. To create it, log in to your Azure account and run the command below (this can also be done in Azure Cloud Shell).

    az login
    az ad sp create-for-rbac -n "<Unique SP Name>" --role contributor
    

    For example:

    az ad sp create-for-rbac -n "http://AzureArcServers" --role contributor
    

    Output should look like this:

    {
    "appId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "displayName": "AzureArcServers",
    "name": "http://AzureArcServers",
    "password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "tenant": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    }
    

    Note: It is optional but highly recommended to scope the SP to a specific Azure subscription and resource group.
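    As an added example (not a script from the Azure Arc Jumpstart repository), the following creates the Contributor service principal scoped the way the note recommends: to one subscription and one resource group, using the --scopes flag of az ad sp create-for-rbac. The subscription ID is checked for GUID shape before it is used, so a typo cannot quietly produce a different or broader scope, and the returned secret is written to a file with owner-only permissions instead of being left in the terminal. The output path ./arc-sp.json and the argument order are assumptions of this script.

```shell
#!/usr/bin/env sh
# Added example (not from the Azure Arc Jumpstart repository): create the
# Contributor service principal scoped to a single subscription and resource
# group instead of the subscription-wide default.
set -eu

# Build the RBAC scope "/subscriptions/<id>/resourceGroups/<rg>".
# Refuses to continue unless the subscription ID looks like a GUID and the
# resource group name is a legal Azure name, so a typo cannot silently yield
# a wrong (or wider) scope.
arc_sp_scope() {
  sub="$1"
  rg="$2"
  if ! printf '%s' "$sub" | grep -Eqi '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'; then
    echo "invalid subscription id: $sub" >&2
    return 1
  fi
  if ! printf '%s' "$rg" | grep -Eq '^[A-Za-z0-9._()-]{1,90}$'; then
    echo "invalid resource group name: $rg" >&2
    return 1
  fi
  printf '/subscriptions/%s/resourceGroups/%s' "$sub" "$rg"
}

# Create the SP with the Contributor role limited to that scope. The JSON the
# command prints contains the client secret ("password"), so it is written to
# a file created with mode 0600 (umask 077) rather than shown on screen.
create_arc_sp() {
  name="$1"
  scope="$2"
  out="$3"
  ( umask 077; az ad sp create-for-rbac -n "$name" --role contributor --scopes "$scope" > "$out" )
  echo "service principal credentials written to $out"
}

# Usage: ./create-arc-sp.sh <subscription-id> <resource-group> <sp-name>
# (assumed script name and argument order)
if [ "$#" -eq 3 ]; then
  scope="$(arc_sp_scope "$1" "$2")"
  create_arc_sp "$3" "$scope" "./arc-sp.json"
fi
```

    The appId, password and tenant values in the written file are what the later Azure Arc onboarding steps consume; treat the file as a secret and delete it once the credentials have been stored elsewhere.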

Onboarding Azure Sentinel

Azure Sentinel uses the Log Analytics agent to collect log files from Windows and Linux servers and forward them to Azure Sentinel; the collected data is stored in a Log Analytics workspace. Since you cannot use the default workspace created by Azure Security Center (ASC), a custom workspace is required; raw events and alerts for ASC can live in the same custom workspace as Sentinel.

  • You will need to create a dedicated Log Analytics workspace and enable the Azure Sentinel solution on top of it. For that you can use this ARM template, which creates a new Log Analytics workspace, defines the Azure Sentinel solution and enables it for the workspace. To automate the deployment, edit the ARM template parameters file and provide a name and location for your workspace:

    Screenshot showing Azure ARM template

  • To deploy the ARM template, navigate to the deployment folder and run the command below:

    az deployment group create --resource-group <Name of the Azure resource group> \
    --template-file <sentinel-template.json template file location> \
    --parameters <sentinel-template.parameters.json template file location>
    

For example:

Screenshot showing az deployment group create command
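As an added example, not the Jumpstart repository's own sentinel-template.json, the script below writes a minimal ARM template and parameters file that do what the step above describes (a Log Analytics workspace plus the Azure Sentinel solution, whose ARM plan product is OMSGallery/SecurityInsights, enabled on it) and then deploys them with the same az deployment group create call. The workspace name arc-sentinel-law, the eastus location, the 90-day retention and the output directory are constructed placeholders to edit before deploying.

```shell
#!/usr/bin/env sh
# Added example (not the repository's own template): write a minimal ARM
# template + parameters file for a Log Analytics workspace with the Azure
# Sentinel (SecurityInsights) solution, then deploy them into a resource group.
set -eu

# Write sentinel-template.json and sentinel-template.parameters.json into $1.
write_sentinel_template() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/sentinel-template.json" <<'EOF'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": { "type": "string" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "retentionInDays": { "type": "int", "defaultValue": 90, "minValue": 30, "maxValue": 730 }
  },
  "variables": {
    "solutionName": "[concat('SecurityInsights(', parameters('workspaceName'), ')')]"
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2020-08-01",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]",
      "properties": {
        "sku": { "name": "PerGB2018" },
        "retentionInDays": "[parameters('retentionInDays')]"
      }
    },
    {
      "type": "Microsoft.OperationsManagement/solutions",
      "apiVersion": "2015-11-01-preview",
      "name": "[variables('solutionName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
      ],
      "plan": {
        "name": "[variables('solutionName')]",
        "publisher": "Microsoft",
        "product": "OMSGallery/SecurityInsights",
        "promotionCode": ""
      },
      "properties": {
        "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
      }
    }
  ]
}
EOF
  # Constructed placeholder values: edit name, location and retention first.
  cat > "$dir/sentinel-template.parameters.json" <<'EOF'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": { "value": "arc-sentinel-law" },
    "location": { "value": "eastus" },
    "retentionInDays": { "value": 90 }
  }
}
EOF
}

# Offline sanity check: both the workspace and the solution resource must be
# declared (expects 2) before anything is sent to Azure.
template_resource_count() {
  grep -c '"type": "Microsoft\.' "$1/sentinel-template.json"
}

# Deploy into an existing resource group (same command as the README step).
deploy_sentinel() {
  rg="$1"
  dir="$2"
  az deployment group create --resource-group "$rg" \
    --template-file "$dir/sentinel-template.json" \
    --parameters "@$dir/sentinel-template.parameters.json"
}

# Usage: ./deploy-sentinel.sh <resource-group> [output-dir]  (assumed names)
if [ "$#" -ge 1 ]; then
  out="${2:-./sentinel-deploy}"
  write_sentinel_template "$out"
  [ "$(template_resource_count "$out")" = "2" ] || exit 1
  deploy_sentinel "$1" "$out"
fi
```

The solution resource depends on the workspace so that ARM creates them in order; the 30 to 730 day bounds on retentionInDays mirror what the workspace accepts, so a mistyped value fails at validation rather than after deployment.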

Azure Arc enabled VMs onboarding on Azure Sentinel

Once you have deployed Azure Sentinel on your Log Analytics workspace, you will need to connect data sources to it.

There are connectors for Microsoft services and for third-party solutions from the security products ecosystem. You can also use Common Event Format (CEF), Syslog, or the REST API to connect your data sources to Azure Sentinel.

For servers and VMs, you can install the Microsoft Monitoring Agent (MMA) or the Sentinel agent, which collects the logs and forwards them to Azure Sentinel. Leveraging Azure Arc, you can deploy the agent in more than one way:

  • Extension management: this feature of Azure Arc enabled servers allows you to deploy the MMA VM extension to non-Azure Windows and/or Linux VMs. You can use the Azure Portal, Azure CLI, an ARM template or a PowerShell script to manage extension deployment to Azure Arc enabled servers.

  • Azure Policy: using this approach, you assign an Azure Policy that audits whether the Azure Arc enabled server has the MMA agent installed. If the agent is not installed, the Extensions feature deploys it automatically to the VM through a Remediation task, an enrollment experience comparable to that of Azure VMs.
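As an added example (not code from the Jumpstart repository), the script below carries out both onboarding paths from the Azure CLI: install_mma_extension puts the MMA extension on one Azure Arc enabled server with the workspace key passed only as a protected setting, and assign_mma_policy assigns the built-in DeployIfNotExists policy for Arc machines to a resource group and starts a remediation task for servers that are already connected. Assumptions: the connectedmachine CLI extension is installed (az extension add --name connectedmachine); the built-in policies are looked up by the display names "Deploy Log Analytics agent to Linux Azure Arc machines" and "Deploy Log Analytics agent to Windows Azure Arc machines"; the policy parameter that carries the workspace resource ID is named logAnalytics; the assignment and remediation names are constructed.

```shell
#!/usr/bin/env sh
# Added example (not from the Azure Arc Jumpstart repository): onboard Arc
# enabled servers to the Sentinel workspace (1) per machine via extension
# management and (2) at scale via an Azure Policy assignment + remediation.
# Requires: az login done, and `az extension add --name connectedmachine`.
set -eu

# MMA extension type names published by Microsoft.EnterpriseCloud.Monitoring.
mma_extension_type() {
  case "$1" in
    linux|Linux)     echo "OmsAgentForLinux" ;;
    windows|Windows) echo "MicrosoftMonitoringAgent" ;;
    *) echo "unsupported OS: $1" >&2; return 1 ;;
  esac
}

# Display names of the built-in DeployIfNotExists policies for Arc machines
# (assumed; confirm with: az policy definition list --query "[].displayName").
mma_policy_display_name() {
  case "$1" in
    linux|Linux)     echo "Deploy Log Analytics agent to Linux Azure Arc machines" ;;
    windows|Windows) echo "Deploy Log Analytics agent to Windows Azure Arc machines" ;;
    *) echo "unsupported OS: $1" >&2; return 1 ;;
  esac
}

# The workspace ID is public; the workspace key is a credential and belongs in
# --protected-settings, which the Arc agent stores encrypted on the machine.
mma_public_settings() { printf '{"workspaceId":"%s"}' "$1"; }
mma_protected_settings() { printf '{"workspaceKey":"%s"}' "$1"; }

# (1) Extension management: install MMA on a single Arc enabled server.
install_mma_extension() {
  rg="$1"; machine="$2"; os="$3"; ws_name="$4"
  ws_id="$(az monitor log-analytics workspace show -g "$rg" -n "$ws_name" --query customerId -o tsv)"
  ws_key="$(az monitor log-analytics workspace get-shared-keys -g "$rg" -n "$ws_name" --query primarySharedKey -o tsv)"
  location="$(az connectedmachine show -g "$rg" -n "$machine" --query location -o tsv)"
  ext_type="$(mma_extension_type "$os")"
  az connectedmachine extension create -g "$rg" --machine-name "$machine" \
    --name "$ext_type" --location "$location" \
    --publisher Microsoft.EnterpriseCloud.Monitoring --type "$ext_type" \
    --settings "$(mma_public_settings "$ws_id")" \
    --protected-settings "$(mma_protected_settings "$ws_key")"
}

# (2) Azure Policy: audit + auto-deploy for every Arc machine in the group.
# The policy parameter name "logAnalytics" is assumed; verify it with
#   az policy definition show --name <definition-name> --query parameters
assign_mma_policy() {
  rg="$1"; os="$2"; ws_name="$3"
  display="$(mma_policy_display_name "$os")"
  def_name="$(az policy definition list --query "[?displayName=='$display'].name" -o tsv)"
  rg_id="$(az group show -n "$rg" --query id -o tsv)"
  location="$(az group show -n "$rg" --query location -o tsv)"
  ws_res_id="$(az monitor log-analytics workspace show -g "$rg" -n "$ws_name" --query id -o tsv)"
  assignment="deploy-mma-$(echo "$os" | tr 'A-Z' 'a-z')"
  # DeployIfNotExists runs the extension deployment under the assignment's
  # managed identity, so one is created and granted Contributor on the group
  # (older Azure CLI releases used --assign-identity instead of --mi-system-assigned).
  az policy assignment create --name "$assignment" --scope "$rg_id" \
    --policy "$def_name" --mi-system-assigned --location "$location" \
    --role Contributor --identity-scope "$rg_id" \
    --params "{\"logAnalytics\":{\"value\":\"$ws_res_id\"}}"
  # Policy evaluates new and changed resources on its own; machines that were
  # already connected are brought into compliance by an explicit remediation task.
  az policy remediation create --name "$assignment-remediation" \
    --policy-assignment "$assignment" --resource-group "$rg"
}

# Usage (assumed):
#   ./onboard-mma.sh extension <rg> <machine> <linux|windows> <workspace>
#   ./onboard-mma.sh policy    <rg> <linux|windows> <workspace>
if [ "$#" -ge 1 ]; then
  case "$1" in
    extension) install_mma_extension "$2" "$3" "$4" "$5" ;;
    policy)    assign_mma_policy "$2" "$3" "$4" ;;
    *) echo "usage: $0 extension|policy ..." >&2; exit 2 ;;
  esac
fi
```

After the remediation task finishes, the policy compliance view for the assignment is the check that every Arc enabled server in the group reports the agent as installed; a server that stays non-compliant is the one to investigate.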

Clean up environment

Complete the following steps to clean up your environment.