Deployment
The deployment of the STAT v2 solution is broken down into 2 steps:
- Deploying Azure Resources
- Granting Permissions
Users who have previously deployed STAT v1 and are looking to upgrade, please see our migration documentation.
The first step to deploying STAT is to deploy the STAT components into a Resource Group in your Azure subscription. These components consist of an Azure Function, API Connections and a Custom Logic Apps Connector. While seperate ARM templates exist for components of the STAT solution, it is intended to be deployed through the single ARM template available below.
Consider the permissions on the Resource Group where you deploy STAT and ensure that no unauthorized users have access to the resources. Since these resources will contain information about security incidents that have been analyzed which may contain private or sensitive information.
When deploying STAT you should use a Resource Group within the same subscription and datacenter region as your other Microsoft Sentinel automation Playbooks. Logic Apps Custom Connectors can only be used from the same subscription and datacenter as they are created in. If multiple subscriptions or datacenters must be used, STAT can be deployed to each one.
STAT can be deployed using any of the following identity types
- System Assigned Managed Identity
- User Assigned Managed Identity
- Service Principal Identity
See authentication for more information on configuring these authentication methods.
For MSSPs or other Multi Tenant environments, you will need to deploy STAT using a Multi Tenant Service Principal Identity if you wish to centrally run your automation. For Single Tenant use, we recommend using a System Assigned Managed Identity, but any other supported identity type will work in a single tenant deployment.
After the STAT template is deployed it will need to be granted permissions to various APIs and Sentinel itself to operate.
To grant permissions to STAT, use the PowerShell script GrantPermissions.ps1. We suggest running the script in Cloud Shell due to potential challenges arising from variations in the PowerShell version or the module versions across different environments.
In Cloud Shell, execute the following:
Invoke-WebRequest -Uri https://aka.ms/mstatgrantscript -OutFile GrantPermissions.ps1
.\GrantPermissions.ps1 -TenantId <TenantId> -AzureSubscriptionId <AzureSubscriptionId> -SentinelResourceGroupName <SentinelResourceGroupName> -STATIdentityName <STATIdentityName>You can also run it in a PowerShell prompt. Possible arguments:
| Arugment | Mandatory | Description |
|---|---|---|
TenantId |
✅ | Refers to the identifier of the tenant in which the identity executing STATv2 is located. |
SubscriptionId |
✅ | Azure subscription identifier hosting the Sentinel workspace. |
SentinelResourceGroupName |
✅ | Name of the resource group where the Sentinel workspace is located. Note that it is not necessarily the same as the resource group where STATv2 is deployed. |
STATIdentityName |
✅ | Name of identity STAT will be running under. If using a System assigned managed identity, this will be the name of the function app (do not include .azurewebsites.net). If using a User Assigned Managed Identity or service principal, this will be the name of that identity. |
SampleLogicAppName |
Name of the sample logic app if it has been deployed to grant its managed identity Sentinel Responder permissions. It is not mandatory and if not specified the permissions will not be granted to any logic app. | |
DeviceCodeFlow |
Set the device code flow to sign-in to the Graph API and to the Azure Management modules. It is set to $false by default. Note that it is automatically set to $true and it is the only supported mode when the script is running in Azure Cloud Shell. |
The GrantPermissions.ps1 script contains 2 types of permissions assignments that are set via internal PowerShell functions. To execute these functions, you will require the following permissions:
| Function | Permissions |
|---|---|
| Set-APIPermissions | Calls to this function require the user to be either an Entra ID Global Administrator or Entra ID Privileged Role Administrator |
| Set-RBACPermissions | Calls to this function require the user to be either a Resource Group Owner or User Access Administrator on the Resource Group where Microsoft Sentinel is installed |
If you do not have a single account with both the necessary Entra ID and Resource group permissions, you can run the Set-APIPermissions and Set-RBACPermissions calls separately under different accounts. In order to do that, when prompting to authenticate to the Graph API, use one account and when prompted to connect to the Azure Management API, use the other account.
STAT Uses the following permissions
| Permission | Type | Description |
|---|---|---|
| Data.Read | Log Analytics API | Execute KQL queries against your Log Analytics workspace |
| Directory.Read.All | Microsoft Graph API | Read Entra ID data in the Microsoft Graph to resolve/enrich entities |
| AuditLog.Read.All | Mirosoft Graph API | Read authentication methods and SSPR reports for users |
| MailboxSettings.Read | Mirosoft Graph API | Read users Out of Office settings |
| RoleManagement.Read.Directory | Microsoft Graph API | Read privileged role information to enrich user data |
| IdentityRiskyUser.Read.All | Microsoft Graph API | Read user risk information from Entra ID Identity Protection |
| AdvancedQuery.Read.All | Microsoft Defender for Endpoint API | Query MDE data |
| Machine.Read.All | Microsoft Defender for Endpoint API | Retrieve Machine inforamtion including risk level |
| File.Read.All | Microsoft Defender for Endpoint API | Retrieve file information including known threats and GlobalPrevalence |
| investigation.read | Microsoft Defender for Cloud Apps API | Retrieve user investigation priorities |
| AdvancedHunting.Read.All | Microsoft 365 Security API | Execute KQL queries against the Microsoft 365 Security service |
| Microsoft Sentinel Responder | Azure RBAC Role | Gives permissions to update incidents and read data from Sentinel. This is typically used by STAT to add comments to incidents. |
By default, the STAT function is protected by a unique Shared Access Signature. However, there are not any default restrictions on which IP addresses this function can be called from, and it is possible to restrict it to only allow calls from Logic Apps custom connectors.
To restrict the STAT Function to only accept calls from the Logic apps custom connector:
- Navigate in the Azure Portal to the STAT Function app
- Locate Settings -> Networking
- Click Access restriction
- Click + Add to add a new restriction
- Configure the rule with the following properties:
| Field | Value |
|---|---|
| Name | Allow LA Connector |
| Action | Allow |
| Priority | 100 |
| Description | Allow access from Logic app custom connector |
| Type | Service Tag |
| Service Tag | AzureConnector. |
- Click Add rule
Note: To maintain these IP restrictions, these steps will need to be repeated when updating the STAT solution.