🛡️ You Had Me at Bicep: Deploying Microsoft Sentinel Made Easy 💪
In this post, I’ll demonstrate how to quickly and easily deploy Microsoft Sentinel to an existing Log Analytics workspace using Bicep. This step-by-step guide simplifies the process, showing that deploying Microsoft Sentinel doesn’t have to be complicated—whether you’re an experienced cloud professional or new to Azure.
What is Microsoft Sentinel?
If you’re new to Microsoft Sentinel, here’s a brief introduction. Feel free to skip this section if you’re already familiar with it.
Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) solution that provides intelligent security analytics across your entire enterprise. It helps organizations detect, investigate, and respond to security threats with real-time insights and advanced threat intelligence. By integrating seamlessly with Azure, Microsoft Sentinel offers a scalable platform to monitor, analyze, and protect data across cloud, on-premises, and hybrid environments.
For more details, check out the official Microsoft Sentinel documentation .
Deploying Microsoft Sentinel using Bicep
1. Gathering Prerequisites and Creating Parameters
Before we start, we need to prepare some input. First, we need the name of the Log Analytics workspace where we want to deploy Microsoft Sentinel. The goal of this post is to maximize modularity and reusability, so we’ll assume that the Log Analytics workspace has already been created. If you need help creating a Log Analytics workspace, check out the official documentation .
For the existing workspace, we need the following information:
- Log Analytics Workspace Name: The name of the Log Analytics workspace where we want to deploy Microsoft Sentinel.
- Resource Location: The Azure region where the Log Analytics workspace is located and where we want to deploy the Sentinel solution.
With this info ready, we can create the parameters as shown in the following snippet.
2. Get the Log Analytics Workspace Resource
Next, let’s retrieve the Log Analytics workspace resource, as shown in the following snippet.
3. Deploying the Microsoft Sentinel Solution
Now, let’s deploy the Microsoft Sentinel solution to the Log Analytics workspace, as shown in the following snippet.
It’s important to note that we are deploying a gallery solution here. This solution is a prerequisite for onboarding the Log Analytics workspace to Microsoft Sentinel, which we will do in the next step. Simply deploying this resource won’t be enough for a successful Microsoft Sentinel setup.
The solution is defined using semi-hardcoded values. Deviating from these values will cause the deployment to fail. This is fundamentally different from how other resource deployments are done in Azure.
- The name must be defined as
SecurityInsights(<YourSentinelWorkspaceName>) - The plan name must match exactly as
SecurityInsights(<YourSentinelWorkspaceName>) - The publisher must be hardcoded to
Microsoft.
4. Onboard the Log Analytics Workspace to Sentinel
Finally, we need to onboard the Log Analytics workspace to Sentinel. This is done by calling the Microsoft.OperationsManagement/solutions/Onboarding resource provider, as shown in the following snippet.
Without this step, you can view the Log Analytics workspace in Microsoft Sentinel, but the portal will throw errors when you try to interact with various features.
default. Any other value will cause the deployment to fail.Wrapping up
And that’s all folks! We have successfully deployed Microsoft Sentinel to an existing Log Analytics workspace using Bicep. I hope you found this post educational and easy to follow. If you’re interested in the reference material used in this post, please visit the following links:
- Microsoft Sentinel documentation
- What is Microsoft Sentinel?
- Microsoft.OperationsManagement solutions
- Create a Log Analytics workspace
As always, a big thanks for reading! If you liked this post, don’t be shy—check out my other posts .