Why does an automatic Log Analytic Workspace/Resource Group keep getting created?

Question

Hi,

I am trying to add 1Password as a data connector into Microsoft Sentinel, following this article: https://support.1password.com/1password-sentinel-integration/

I am deploying 1Password using an Azure custom template/deployment, and I am specifying the pre-existing Log Analytic Workspace and Resource Group I already have setup for using Microsoft Sentinel.

My issue is that when I hit deploy, it automatically creates a new workspace and resource group. For example, named: "managed-1pwtdz6pamh-ws" and "ai_1pwtdz6pamh_8c69692e-6920-4275-9432-a6a06c9100e2_managed". Why is it doing this?? And how do I get it to use the current resource group/workspace?

I find that I cannot just delete this new workspace without deleting each resource individually (and manually) that it seems to place into the resource group that I specified, oddly.

Please help.

Answer 1

Hi Ciaran,

Welcome to Q&A, You're wondering why a new Log Analytics workspace and resource group keep getting created when you're trying to add 1Password as a data connector to Microsoft Sentinel. Even though you're specifying your pre-existing workspace and resource group, the deployment still creates something like "managed-1pwtdz6pamh-ws." This usually happen because of the template it self setup this can include parameter restriction or others.

After check the 1Password integration setup uses a custom Azure deployment template that automatically creates these new "managed" resources. It's done this way to make sure everything runs smoothly and stays separate from your other stuff. Unfortunately, the deployment doesn’t let you pick your current workspace or resource group for these managed items and there is some restrictions that you can find on the repository template:

https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/README.md

Here’s some options how you can deal with it:

• You can try again the deployment following the automatic deployment and taking into consideration all the restrictions.
• Try to deploy the connector manually , following the guide: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/README.md#manual-installation-using-the-arm-template-1
• Take into consideration this solution depends on technologies which may be in Preview , I don't know but in the nearly future is expected to have this connector in the sentinel connector page for easy installation.

References:

• https://support.1password.com/1password-sentinel-integration/
• https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/1password
• https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/README.md

Luis