Add Microsoft Sentinel to Log Analytics Workspace using Ansible

Ravalia Krutika Harishbhai 40 Reputation points
2024-07-25T19:02:15.28+00:00

I am trying to create a Log Analytics Workspace with Microsoft Sentinel using Ansible following this module: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_loganalyticsworkspace_module.html


- name: Create a workspace with backup enabled
  azure_rm_loganalyticsworkspace:
    resource_group: myResourceGroup
    name: myLogAnalyticsWorkspace
    intelligence_pack:
      SecurityInsights: true

that works, and I can get it connected to a Sentinel workspace, but when I try to install solutions using content hub it shows the error below:

{"error":{"code":"BadRequest","message":"Workspace 'myLogAnalyticsWorkspace' is not onboarded to Microsoft Sentinel. Please onboard through the portal (https://learn.microsoft.com/en-us/azure/sentinel/quickstart-onboard) or use the OnboardingStates ARM api to onboard to Sentinel (https://learn.microsoft.com/en-us/rest/api/securityinsights/sentinel-onboarding-states/create?view=rest-securityinsights-2024-03-01)."}}

How can I resolve it? Any help is appreciated on this, Thank you!!


1 answer

  1. Andrew Blumhardt 9,861 Reputation points Microsoft Employee
    2024-07-29T12:26:46.1+00:00

    I don't think there is a good answer here. This is not a common and possibly unsupported deployment method. It seems unlikely that enough people have experience using this method to assist. I assume this is effectively calling the API and that documentation might shed some light on the error or deployment issue. You could manually remove Sentinel from the workspace in settings and reactivate or just blow it away and start again. It seems clear that this deployment method is leaving something out or not properly registering the instance. You might even find that redeployment is more successful on your 2nd attempt.

    This article may help:
    https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/deploying-and-managing-microsoft-sentinel-as-code/ba-p/1131928

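The BadRequest in the question names the fix itself: enabling the SecurityInsights intelligence pack installs the solution on the workspace, but the content hub checks the separate SentinelOnboardingStates resource, which the loganalyticsworkspace module never creates. The playbook fragment below is an added example, not code from the question, the answer or the azcollection docs: it keeps the original task and follows it with a PUT to that ARM endpoint through the generic azure_rm_resource module, then reads the state back and fails the play if the workspace still is not onboarded. The variables resource_group, workspace_name and subscription_id, the leading-slash url form, the customerManagedKey body and the shape of azure_rm_resource_info's response are assumptions on my part; the api-version is the one quoted in the error.

```yaml
# Added example (not from the question, the answer or the azcollection docs).
# Assumes the caller sets resource_group, workspace_name and subscription_id,
# and that the Azure credentials for azure.azcollection are already configured.
- name: Create the workspace with the SecurityInsights solution (the task from the question)
  azure.azcollection.azure_rm_loganalyticsworkspace:
    resource_group: "{{ resource_group }}"
    name: "{{ workspace_name }}"
    intelligence_pack:
      SecurityInsights: true

# The content hub checks this child resource, not the intelligence pack, so the
# PUT below is what actually "onboards" the workspace. The api-version is the one
# the error message links to; customerManagedKey: false is the body documented
# for the onboarding-states API (assumption: confirm against the REST reference).
- name: Onboard the workspace to Microsoft Sentinel via the OnboardingStates ARM API
  azure.azcollection.azure_rm_resource:
    url: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}/providers/Microsoft.OperationalInsights/workspaces/{{ workspace_name }}/providers/Microsoft.SecurityInsights/onboardingStates/default"
    api_version: "2024-03-01"
    method: PUT
    body:
      properties:
        customerManagedKey: false
  register: onboarding

# Read the state back with a GET so the play verifies the result instead of
# trusting the PUT. Assumption: azure_rm_resource_info returns the matching
# resources as a list under `response`.
- name: Read back the Sentinel onboarding state
  azure.azcollection.azure_rm_resource_info:
    url: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}/providers/Microsoft.OperationalInsights/workspaces/{{ workspace_name }}/providers/Microsoft.SecurityInsights/onboardingStates/default"
    api_version: "2024-03-01"
  register: onboarding_state

# Stop the play here rather than letting a later content hub deployment fail
# with the same BadRequest the question reports.
- name: Fail early if the workspace is still not onboarded
  ansible.builtin.assert:
    that:
      - onboarding_state.response | length > 0
      - onboarding_state.response[0].name == 'default'
    fail_msg: "Workspace {{ workspace_name }} is not onboarded to Microsoft Sentinel; content hub solution deployments will be rejected."
```

The PUT is idempotent, so the tasks can be re-run safely after the manual remove-and-reactivate the answer suggests; the assert is the cheap check that the workspace is in the state the content hub API expects before any solution deployment is attempted.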
