Senserva Setup for Azure Sentinel
This page reviews installing Senserva’s automated Multi-Tenant Cloud Security Posture Management solution for Azure Sentinel. Our Team of cloud experts at Senserva is always happy to provide support as well.
This page assumes you are onboarded as a Microsoft Azure customer and that the installer of Senserva for Azure Sentinel is a Global Administrator (required to install our Azure AD Application). More information can be found at this page
1. The process starts you off with creating an Azure AD Application with the necessary permissions for Senserva’s data analysis. This is a multi-tenant Application. This is the Main Application which will be located in the Main Tenant.
- A PowerShell script is provided for this in our Github repo
- Learn more about Azure Multi-tenant Apps here
- The Azure AD App ID/Secret will be needed in Step 5
- Note: The Application Secret generated and displayed here is the only time you will be able to see the Secret in full. It can not be retrieved again by any method
- This is optional step. If you are a CSP with multiple tenants to manage and scan, the Azure AD App will need to be configured as a Service Principal in your managed tenants. A Global Admin from the managed tenant will need to add the Service Principal and consent to the API Permissions of the Service Principal.
- The script will prompt for Child Tenant setup and help you through the consenting process
- You will need to save the Tenant ID for each Child Tenant for Step 7
2. You will need to configure an Azure Log Analytics Workspace(LAW) for use. You can reuse any LAW you’d like, but we strongly recommend creating a new LAW.
- This page from Microsoft shows how to create a Log Analytics Workspace
- This LAW will the output location for Senserva scanned items.
- The LAW ID and Key will be needed in step 5. This page shows how to get these items.
3. You will need to configure an Azure Key Vault for use. You can reuse any Key Vault you’d like, but we strongly recommend creating a new Vault. (This page from Microsoft shows how to create a Key Vault)
- The Key Vault will serve as a Configuration Manager that an admin can manage the configuration from (e.g. Configured tenants, desired Log Analytics Workspace location, etc.)
- The Key Vault URI will be needed in step 5
4. You will need to configure RBAC Resource access and an Access Policy for the AD Application from Step 1 to the Key Vault from Step 3
- This page from Microsoft shows how to configure an RBAC Resource
- The App will need the Reader RBAC role
- This page from Microsoft shows how to configure an Access Policy
- The App needs ‘Get’ permissions for Keys and Secrets
- The App will be used to access updated Configuration settings, such as a new Child Tenant, to let the scanner know what to do.
5. Visit our Azure Marketplace page to complete the process (That page is here)
6. The Azure Marketplace setup will prompt for basic customer information (e.g. Resource location, etc.), as well as the config items from Steps 1, 2, and 3, to complete the deployment process.
- Note: The Marketplace template will prompt you to create or select a Resource Group for the Managed Identity. You must select to create a new Resource Group. The Managed Identity must be the sole item in a Resource Group in order for Azure Lighthouse to deploy correctly.
7. Once finished, the App Service will start up the Senserva WebJob to run scanning. The scanner will output to provided Log Analytics Workspace.
- If a new configuration, such as a new Child Tenant is added or the Log Analytics Workspace key is rotated, write a new Key Vault Secret to the Key Vault to update the configuration. Senserva will poll the Key Vault periodically for new configurations. Once configured, the App Service WebJob will restart itself for the changes to propagate.
- Any Child Tenants to be scanned must be entered into a Key Secret
- Supported Keys are ‘LogAnalyticsWorkspaceID’, ‘LogAnalyticsWorkspaceKey’, ‘LogAnalyticsWorkspaceDisplayName’, and ‘ConfiguredTenants’.
- The format for ConfiguredTenants is ‘TenantId1:DisplayName1,TenantId2:DisplayName2,…’ This will be your child tenant list.
8. At this point, setup is complete and automated deltas-only scanning will commence. You can take the data from the Log Analytics Workspace and visualize according to your needs.
- Senserva offers predefined visualization options to help get you started
- Azure Sentinel (Our Azure Sentinel Solution Marketplace offering)
- Azure Dashboards (contact us)
- Power BI Desktop (contact us)
- You can contact our support team for further questions regarding visualizations at firstname.lastname@example.org
9. Further items like additional Queries and Workbooks built by our team are available on our Github repo