Another step to York

By Rob Litjens

May 25, 2023

Hello all.

I must admit, last week I was counterproductive. There where reasons… The most influencing was the fact that my monitor died. Would not be a big problem, but I cannot work without my 43 inch IIyama.. It gives me enough room to work on various things, including my day to day work.

But.. I survived. I will continue today on my journey towards #DataYork.

Another thing we need to do is to create the Log Analytics workspace and add the Defender stuff to it. I have reused a script from Azure Quickstart Template repo on Github for this.

targetScope = 'resourceGroup'
param location string = resourceGroup().location
param sentinelName string = 'DataYork-Sentinel'
@minValue(30)
@maxValue(730)
param retentionInDays int = 90

var workspaceName = '${location}-${sentinelName}-${uniqueString(resourceGroup().id)}'
var solutionName = 'SecurityInsights(${sentinelWorkspace.name})'

resource sentinelWorkspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: {
      name: 'PerGB2018'
    }
    retentionInDays: retentionInDays
  }
}

resource sentinelSolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = {
  name: solutionName
  location: location
  properties: {
    workspaceResourceId: sentinelWorkspace.id
  }
  plan: {
    name: solutionName
    publisher: 'Microsoft'
    product: 'OMSGallery/SecurityInsights'
    promotionCode: ''
  }
}

The first thing you see again is the targetscope. Because it must be deployed in the Resourcegroup you should mention that as a first step. The next parameter is filled with location property of the resource group.

The third parameter is to give the name of the Workspace.
The parameter ‘retentionInDays’ does not need any additional explanation I think.

After these parameters, there are two variables constructed based on the parameters mentioned above. Another thing, which is of interest is the Properties part. It is in the first Resource. This resource creates the Log Analytics Workspace. Also of interest is the ‘PerGB2018’ mentioned in the SKU properties, which is a perfect fit for our “Pay-As-You-Go” subscription.

The second solution we deploy is the sentinelSolution. This refers to a product named OMSGallery/SeecurityInsights.

Wait.. OMSGallery .. Isn’t that the expensive product named “System Center Operations Manager”… Yes. How would that work then?

Well, If you have SCOM on premise and are up to date, you will know that it writes its data already to the cloud. How defender for SQL fits in this? Well, the agent (both MMA and OMS) can be used to write Defender for SQL events to a log analytics workspace. Only thing you need to do is to add the WorkspaceID to the local Workspace settings. That is something we do in one of the next steps.

Before we are going to add some more stuff, I want you to look at the settings. That can safe you a lot of money and frustrations. To make sure not to pay for every server with a MMA or OMS agent it is wise to disable all the settings. Only then you can enable them on a per configuration (Server or Database) level.

To do this, go to the Azure portal, Login and type “Defender for Cloud” in the search bar. Next step is to click on “Environment settings” under Management. There you can see your subscription. Click on the “>” in front of it. It will collapse and show you your Log Analytics Workspace. Portal Settings
Open the LAW and change the settings to:
Defender Settings Press Save..

Thats it for today. Tomorrow I will continue to get some data in the LAW. For that I will add one or two VM’s and maybe an Azure Database. Lets see.

Hope you will see my blog tomorrow, otherwise I hope to see you at #datayork.