Deployment
The deployment of the STAT v2 solution is broken down into 2 steps:
- Deploying Azure Resources
- Granting Permissions
Users who have previously deployed STAT v1 and are looking to upgrade, please see our migration documentation.
The first step to deploying STAT is to deploy the STAT components into a Resource Group in your Azure subscription. These components consist of an Azure Function, API Connections and a Custom Logic Apps Connector. While seperate ARM templates exist for components of the STAT solution, it is intended to be deployed through the single ARM template available below.
Consider the permissions on the Resource Group where you deploy STAT and ensure that no unauthorized users have access to the resources. Since these resources will contain information about security incidents that have been analyzed which may contain private or sensitive information.
When deploying STAT you should use a Resource Group within the same subscription and datacenter region as your other Microsoft Sentinel automation Playbooks. Logic Apps Custom Connectors can only be used from the same subscription and datacenter as they are created in. If multiple subscriptions or datacenters must be used, STAT can be deployed to each one.
STAT can be deployed using any of the following identity types
- System Assigned Managed Identity
- User Assigned Managed Identity
- Service Principal Identity
See authentication for more information on configuring these authentication methods.
For MSSPs or other Multi Tenant environments, you will need to deploy STAT using a Multi Tenant Service Principal Identity if you wish to centrally run your automation. For Single Tenant use, we recommend using a System Assigned Managed Identity, but any other supported identity type will work in a single tenant deployment.
After the STAT template is deployed it will need to be granted permissions to various APIs and Sentinel itself to operate.
To grant permissions to STAT, use the PowerShell script GrantPermissions.ps1.
The following modifications will need to be made to the script prior to execution:
- Set the $TenantID to your tenant id
- Set the $AzureSubscriptionId to the Azure Subscription GUID of the Microsoft Sentinel subscription
- Set the $SentinelResourceGroupName to the Resource Group Name where Microsoft Sentinel resides
- Set the $STATIdentityName to the name of the identity you chose during STAT deployment. If using a System assigned managed identity, this will be the name of the Azure Function app
The GrantPermissions.ps1 script contains 2 types of permissions assignments that are set via PowerShell Functions. To execute these functions you will require permission:
| Function | Permissions |
|---|---|
| Set-APIPermissions | Calls to this function require the user to be either an Entra ID Global Administrator or Entra ID Privileged Role Administrator |
| Set-RBACPermissions | Calls to this function require the user to be either a Resource Group Owner or User Access Administrator on the Resource Group where Microsoft Sentinel is installed |
If you do not have a single account with both the necessary Entra ID and Resource group permissions, you can run the Set-APIPermissions and Set-RBACPermissions calls seperately under different accounts.
STAT Uses the following permissions
| Permission | Type | Description |
|---|---|---|
| Data.Read | Log Analytics API | Execute KQL queries against your Log Analytics workspace |
| Directory.Read.All | Microsoft Graph API | Read Entra ID data in the Microsoft Graph to resolve/enrich entities |
| AuditLog.Read.All | Mirosoft Graph API | Read authentication methods and SSPR reports for users |
| MailboxSettings.Read | Mirosoft Graph API | Read users Out of Office settings |
| RoleManagement.Read.Directory | Microsoft Graph API | Read privileged role information to enrich user data |
| IdentityRiskyUser.Read.All | Microsoft Graph API | Read user risk information from Entra ID Identity Protection |
| AdvancedQuery.Read.All | Microsoft Defender for Endpoint API | Query MDE data |
| Machine.Read.All | Microsoft Defender for Endpoint API | Retrieve Machine inforamtion including risk level |
| File.Read.All | Microsoft Defender for Endpoint API | Retrieve file information including known threats and GlobalPrevalence |
| investigation.read | Microsoft Defender for Cloud Apps API | Retrieve user investigation priorities |
| AdvancedHunting.Read.All | Microsoft 365 Security API | Execute KQL queries against the Microsoft 365 Security service |
| Microsoft Sentinel Responder | Azure RBAC Role | Gives permissions to update incidents and read data from Sentinel. This is typically used by STAT to add comments to incidents. |
By default, the STAT function is protected by a unique Shared Access Signature. However, there are not any default restrictions on which IP addresses this function can be called from, and it is possible to restrict it to only allow calls from Logic Apps custom connectors.
To restrict the STAT Function to only accept calls from the Logic apps custom connector:
- Navigate in the Azure Portal to the STAT Function app
- Locate Settings -> Networking
- Click Access restriction
- Click + Add to add a new restriction
- Configure the rule with the following properties:
| Field | Value |
|---|---|
| Name | Allow LA Connector |
| Action | Allow |
| Priority | 100 |
| Description | Allow access from Logic app custom connector |
| Type | Service Tag |
| Service Tag | AzureConnector. |
- Click Add rule
Note: To maintain these IP restrictions, these steps will need to be repeated when updating the STAT solution.