Deploy Azure Sentinel

[brooke-hamilton]

Description
Deploy Azure Sentinel, making it available in Tier 1, with sensible defaults, and connected to the Log Analytics workspace in Tier 1. (Depends on finishing #128).

Acceptance Criteria

• Azure Sentinel is deployed to tier 1.
• Azure Sentinel is configured to consume logs from the Tier 1 Log Analytics workspace.

[glennmusa]

To light up Azure Sentinel with azurerm, it appears like we'll need to specify which connectors to use. The team discussed these seem like natural choices, but let's discuss if they're not the right ones:

• https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sentinel_data_connector_threat_intelligence
• https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sentinel_data_connector_microsoft_defender_advanced_threat_protection

Which if any of these should we enable out-of-the-box?

[glennmusa]

@Phydeauxman pointed us towards simply turning on Sentinel via the the azurerm_log_anlytics_solution resource and specifying a solution_name property of "SecurityInsights": https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution

[shawngib]

@glennmusa Lets chat since Sentinel is not something that you deploy, you deploy solutions to LA workspaces which tell LA what to collet and how to store it for sentinel, but there maybe a need to discuss workspace deployments since those may need some network and region discussions instead of just one workspace.