How to enable EUBA via bicep / ARM template

Matthew Jensen 20 Reputation points
2024-07-22T11:30:26.68+00:00

We are trying to deploy Microsoft Sentinel as code and we would like to enable EUBA as part of the Bicep template but we cannot figure out how to.

Does anyone know how we can enable EUBA via an ARM/Bicep template?

Microsoft Sentinel

2 answers

  1. Matthew Jensen 20 Reputation points
    2024-07-22T14:44:52.7833333+00:00

    It's hidden under SecurityInsights/settings. You'll first need to create it as an entity analytics provider, then you can create the setting. For some reason, there is a known bug when creating the enable_euba if it's already created: you need the 'etag', but grabbing it and putting it in doesn't work, so I deleted it via Azure API.

    But this is the Bicep for anyone wondering.

    
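    // Assumes sentinel_workspace is declared elsewhere in the template (not shown in the post).

    // Enable entity analytics and select the directory providers.
    resource enable_euba 'Microsoft.SecurityInsights/settings@2024-01-01-preview' = {
      name: 'EntityAnalytics'
      scope: sentinel_workspace
      kind: 'EntityAnalytics'
      properties: {
        entityProviders: ['ActiveDirectory', 'AzureActiveDirectory']
      }
    }

    // Turn on the Ueba setting for the listed data sources, after the EntityAnalytics setting.
    resource euba_setting 'Microsoft.SecurityInsights/settings@2024-01-01-preview' = {
      name: 'Ueba'
      scope: sentinel_workspace
      kind: 'Ueba'
      properties: {
        dataSources: [
          'AuditLogs'
          'AzureActivity'
          'SecurityEvent'
          'SigninLogs'
        ]
      }
      dependsOn: [enable_euba]
    }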
    

  2. Givary-MSFT 32,991 Reputation points Microsoft Employee
    2024-07-24T07:42:37.44+00:00

    @Matthew Jensen I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: trying to deploy Microsoft Sentinel as code and we would like to enable EUBA as part of the Bicep template but we cannot figure out how to.

    Does anyone know how we can enable EUBA via an ARM/Bicep template?

    Resolution: Resolved by @Matthew Jensen; below are the steps.

    It's hidden under SecurityInsights/settings. You'll first need to create it as an entity analytics provider, then you can create the setting. For some reason, there is a known bug when creating the enable_euba if it's already created: you need the 'etag', but grabbing it and putting it in doesn't work, so I deleted it via Azure API.

    But this is the Bicep for anyone referring to it:

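    // Assumes sentinel_workspace is declared elsewhere in the template (not shown in the post).

    // Enable entity analytics and select the directory providers.
    resource enable_euba 'Microsoft.SecurityInsights/settings@2024-01-01-preview' = {
      name: 'EntityAnalytics'
      scope: sentinel_workspace
      kind: 'EntityAnalytics'
      properties: {
        entityProviders: ['ActiveDirectory', 'AzureActiveDirectory']
      }
    }

    // Turn on the Ueba setting for the listed data sources, after the EntityAnalytics setting.
    resource euba_setting 'Microsoft.SecurityInsights/settings@2024-01-01-preview' = {
      name: 'Ueba'
      scope: sentinel_workspace
      kind: 'Ueba'
      properties: {
        dataSources: [
          'AuditLogs'
          'AzureActivity'
          'SecurityEvent'
          'SigninLogs'
        ]
      }
      dependsOn: [enable_euba]
    }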
    

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

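The cleanup step the first answer describes (deleting an already-created setting through the Azure API before redeploying), as an added example that is not part of the thread. It assumes the Azure CLI is installed and signed in and uses the settings REST path with the same API version as the Bicep above; the function names and the argument values are hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: remove an existing Sentinel setting
# so that the Bicep deployment can create it again.
# Assumptions: Azure CLI installed and logged in; all ids passed in are placeholders.

API_VERSION='2024-01-01-preview'   # same API version as the Bicep on this page

# Build the ARM URL of one Microsoft.SecurityInsights/settings resource.
# Args: subscription id, resource group, workspace name, setting name.
setting_url() {
  local sub="$1" rg="$2" ws="$3" name="$4"
  case "$name" in
    EntityAnalytics|Ueba) ;;   # only the two settings the template deploys
    *) echo "unexpected setting name: $name" >&2; return 1 ;;
  esac
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s/providers/Microsoft.SecurityInsights/settings/%s?api-version=%s\n' \
    "$sub" "$rg" "$ws" "$name" "$API_VERSION"
}

# Delete the setting only when a GET on it succeeds. If the GET fails
# (setting absent, or the call was not authorized) nothing is deleted.
clear_setting() {
  local url
  url="$(setting_url "$@")" || return 1
  if az rest --method get --url "$url" --query etag --output tsv >/dev/null 2>&1; then
    az rest --method delete --url "$url"
  else
    echo "setting $4 not readable, nothing deleted"
  fi
}

# Usage with placeholder values, run before deploying the template:
# clear_setting "<subscription-id>" "<resource-group>" "<workspace-name>" EntityAnalytics
```

The setting stays absent until the template is deployed again, so run the cleanup immediately before the deployment.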
