Add Microsoft Sentinel to Log Analytics Workspace using Ansible

Ravalia Krutika Harishbhai 40 Reputation points
2024-07-25T19:02:15.28+00:00

I am trying to create a Log Analytics Workspace with Microsoft Sentinel using Ansible following this module: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_loganalyticsworkspace_module.html


- name: Create a workspace with the SecurityInsights intelligence pack enabled
  azure.azcollection.azure_rm_loganalyticsworkspace:
    resource_group: myResourceGroup
    name: myLogAnalyticsWorkspace
    # the module parameter is intelligence_packs (plural); enabling the
    # SecurityInsights pack alone does not create the Sentinel onboarding state
    intelligence_packs:
      SecurityInsights: true

That works, and I can see it connected to a Sentinel workspace, but when I try to install solutions using Content hub it shows the error below:

{"error":{"code":"BadRequest","message":"Workspace 'myLogAnalyticsWorkspace' is not onboarded to Microsoft Sentinel. Please onboard through the portal (https://learn.microsoft.com/en-us/azure/sentinel/quickstart-onboard) or use the OnboardingStates ARM api to onboard to Sentinel (https://learn.microsoft.com/en-us/rest/api/securityinsights/sentinel-onboarding-states/create?view=rest-securityinsights-2024-03-01)."}}

How can I resolve it? Any help is appreciated on this, Thank you!!

Microsoft Sentinel

2 answers

Sort by: Most helpful
  1. Andrew Blumhardt 9,866 Reputation points Microsoft Employee
    2024-07-29T12:26:46.1+00:00

    I don't think there is a good answer here. This is not a common and possibly unsupported deployment method. It seems unlikely that enough people have experience using this method to assist. I assume this is effectively calling the API and that documentation might shed some light on the error or deployment issue. You could manually remove Sentinel from the workspace in settings and reactivate or just blow it away and start again. It seems clear that this deployment method is leaving something out or not properly registering the instance. You might even find that redeployment is more successful on your 2nd attempt.

    This article may help:
    https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/deploying-and-managing-microsoft-sentinel-as-code/ba-p/1131928


  2. Abdalla Elzedy 0 Reputation points
    2024-12-19T20:42:42.6933333+00:00

    The key issue is that you're missing the explicit onboarding step before deploying the Sentinel solution. To fix this, you need to first deploy the onboarding state resource for Sentinel, and then deploy the Sentinel solution with a dependency on the onboarding. Simply add a Microsoft.SecurityInsights/onboardingStates resource with API version 2023-11-01 before deploying the SecurityInsights solution.

    - name: Enable Microsoft Sentinel (Onboarding)
      azure_rm_resource:
        api_version: "2023-11-01"
        resource_group: "{{ resource_group }}"
        # onboardingStates is a child resource of the workspace, so the request
        # must go to .../Microsoft.OperationalInsights/workspaces/<workspace>/providers/Microsoft.SecurityInsights/onboardingStates/default
        # (run with -vvv to confirm the URL the module builds)
        provider: OperationalInsights
        resource_type: workspaces
        resource_name: "{{ workspace_name }}"
        subresource:
          - namespace: Microsoft.SecurityInsights
            type: onboardingStates
            name: default
        body:
          properties: {}
        idempotency: true
      register: sentinel_onboarding
    
    - name: Deploy Microsoft Sentinel Solution
      azure_rm_resource:
        api_version: "2015-11-01-preview"
        resource_group: "{{ resource_group }}"
        provider: OperationsManagement
        resource_type: solutions
        resource_name: "SecurityInsights({{ workspace_name }})"
        body:
          location: "{{ location }}"
          properties:
            # assumes the workspace creation task was registered as "workspace"
            workspaceResourceId: "{{ workspace.id }}"
          plan:
            name: "SecurityInsights({{ workspace_name }})"
            publisher: "Microsoft"
            product: "OMSGallery/SecurityInsights"
            promotionCode: ""
      when: sentinel_onboarding is succeeded
    
    
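The two answers above describe the procedure in pieces (create the workspace, PUT the onboarding state, then deploy the solution). The playbook below is an added end-to-end example, not code from the question or either answer: it creates the workspace, onboards it through the OnboardingStates API, reads the state back with azure_rm_resource_info and fails the play before any Content hub deployment is attempted if the workspace is still not onboarded. Assumptions: the azure.azcollection collection is installed and Azure credentials come from the environment; resource_group, workspace_name and location are placeholders; the assertion relies on azure_rm_resource_info returning the resource in its response list.

```yaml
# Added example: create a Log Analytics workspace and onboard it to Microsoft Sentinel,
# then verify the onboarding state before deploying anything from Content hub.
- name: Create a Log Analytics workspace and onboard it to Microsoft Sentinel
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    resource_group: myResourceGroup        # placeholder
    workspace_name: myLogAnalyticsWorkspace # placeholder
    location: westeurope                    # placeholder
    sentinel_api_version: "2023-11-01"

  tasks:
    - name: Create the workspace (the intelligence pack alone does not onboard Sentinel)
      azure.azcollection.azure_rm_loganalyticsworkspace:
        resource_group: "{{ resource_group }}"
        name: "{{ workspace_name }}"
        location: "{{ location }}"
        sku: per_gb2018
        retention_days: 30
      register: workspace

    # PUT .../workspaces/<name>/providers/Microsoft.SecurityInsights/onboardingStates/default
    - name: Onboard the workspace to Sentinel
      azure.azcollection.azure_rm_resource:
        api_version: "{{ sentinel_api_version }}"
        resource_group: "{{ resource_group }}"
        provider: OperationalInsights
        resource_type: workspaces
        resource_name: "{{ workspace_name }}"
        subresource:
          - namespace: Microsoft.SecurityInsights
            type: onboardingStates
            name: default
        body:
          properties:
            customerManagedKey: false
        idempotency: true
      register: sentinel_onboarding

    # GET the same resource back; this is the state the Content hub deployment checks
    - name: Read back the onboarding state
      azure.azcollection.azure_rm_resource_info:
        api_version: "{{ sentinel_api_version }}"
        resource_group: "{{ resource_group }}"
        provider: OperationalInsights
        resource_type: workspaces
        resource_name: "{{ workspace_name }}"
        subresource:
          - namespace: Microsoft.SecurityInsights
            type: onboardingStates
            name: default
      register: sentinel_state

    - name: Fail early if the workspace is still not onboarded
      ansible.builtin.assert:
        that:
          - sentinel_state.response | length > 0
          - sentinel_state.response[0].name | default('') == 'default'
        fail_msg: >-
          {{ workspace_name }} is not onboarded to Microsoft Sentinel;
          Content hub deployments against it will return BadRequest
```

If the assertion fails, rerun with -vvv and check the URL azure_rm_resource built: it must contain workspaces/<workspace_name>/providers/Microsoft.SecurityInsights/onboardingStates/default, not onboardingStates directly under the resource group.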
