AI - 61002 - Microsoft Sentinel is onboarded on at least one Log Analytics workspace #1241
Manoj-Kesana wants to merge 1 commit into
Conversation
Pull request overview
Adds a new AI pillar assessment (61002) to verify Microsoft Sentinel is onboarded on at least one Log Analytics workspace, providing reporting output and remediation guidance.
Changes:
- Introduces Test-Assessment-61002 PowerShell test to enumerate Log Analytics workspaces via Azure Resource Graph and check Sentinel onboarding state per workspace via ARM.
- Generates markdown reporting summarizing workspaces and onboarding status with Azure portal links.
- Adds companion markdown description/remediation content for assessment 61002.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.61002.ps1 | Implements the Sentinel onboarding assessment logic and report output. |
| src/powershell/tests/Test-Assessment.61002.md | Provides end-user description and remediation links, with %TestResult% insertion point. |
alexandair
left a comment
@Manoj-Kesana Please, address my feedback.
| $sentinelOnboarded = $false | ||
| try { | ||
| $sentinelResponse = Invoke-ZtAzureRequest -Path $sentinelPath -FullResponse -ErrorAction Stop |
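Review bot: `$sentinelOnboarded` is initialised to `$false` before the `try`, so any exception thrown inside it (the `-ErrorAction Stop` path) leaves the workspace counted as not onboarded unless the `catch` records the failure separately; consider recording caught errors alongside non-200 status codes so a failed lookup surfaces as 'Investigate' rather than as a confirmed "not onboarded".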
403 is silently treated as 404 in Q3 loop (false-negative risk)
The Invoke-ZtAzureRequest -FullResponse documentation explicitly states it does not throw on non-2xx status codes. This means both HTTP 403 (access denied) and HTTP 404 (Sentinel not onboarded) fall through to the same code path:

```powershell
$sentinelOnboarded = ($sentinelResponse.StatusCode -eq 200) # $false for both 403 AND 404
```

If the scan identity lacks the Microsoft Sentinel Reader role on one or more workspaces, those workspaces are silently reported as "Sentinel not onboarded" — a false negative with no trace in the output. The spec requires Sentinel Reader for Q3, and this permission is easy to miss.
Recommendation: Check $sentinelResponse.StatusCode explicitly and track 403s separately. If at least one workspace returns 403 and none passes, use CustomStatus = 'Investigate':
```powershell
$sentinelOnboarded = $false
$accessDenied = $false
if ($sentinelResponse.StatusCode -eq 200) {
    $sentinelOnboarded = $true
}
elseif ($sentinelResponse.StatusCode -eq 403) {
    $accessDenied = $true
    Write-PSFMessage "Access denied checking Sentinel onboarding for '$($workspace.workspaceName)' (403)" -Tag Test -Level Warning
}
```

Then in Assessment Logic, if $passed -eq $false and any workspace returned 403, set $customStatus = 'Investigate' and surface an explanation in the result.
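The aggregation step the review describes (pass on any 200, 'Investigate' when nothing passed but at least one workspace could not be checked, fail only when every workspace answered 404), as an added example that is not part of the PR or the project's code. It assumes a constructed per-workspace result shape with workspaceName and StatusCode, and goes slightly beyond the comment by treating any unexpected status code, not only 403, as "could not verify".

```powershell
# Added example, not the PR's code: folds per-workspace probe results into the
# assessment outcome. Input shape (workspaceName, StatusCode) is hypothetical.
function Resolve-SentinelOnboardingResult {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [object[]] $WorkspaceResults
    )

    $onboarded    = @($WorkspaceResults | Where-Object { $_.StatusCode -eq 200 })
    $accessDenied = @($WorkspaceResults | Where-Object { $_.StatusCode -eq 403 })
    $notOnboarded = @($WorkspaceResults | Where-Object { $_.StatusCode -eq 404 })
    $unverified   = @($WorkspaceResults | Where-Object { $_.StatusCode -notin 200, 403, 404 })

    $passed       = $onboarded.Count -gt 0
    $customStatus = $null

    if ($passed) {
        $reason = "Sentinel is onboarded on $($onboarded.Count) workspace(s)."
    }
    elseif (($accessDenied.Count + $unverified.Count) -gt 0) {
        # Nothing confirmed as onboarded, but at least one workspace could not be
        # read: do not report a hard failure, ask for manual follow-up instead.
        $customStatus = 'Investigate'
        $reason = "Could not verify $($accessDenied.Count + $unverified.Count) workspace(s): " +
                  "$($accessDenied.Count) returned 403 (Microsoft Sentinel Reader missing?), " +
                  "$($unverified.Count) returned an unexpected status code."
    }
    else {
        $reason = "All $($notOnboarded.Count) workspace(s) returned 404: Sentinel is not onboarded."
    }

    [pscustomobject]@{
        Passed               = $passed
        CustomStatus         = $customStatus
        Reason               = $reason
        AccessDeniedWorkspaces = @($accessDenied | ForEach-Object { $_.workspaceName })
    }
}

# Constructed sample: one workspace the identity cannot read, one without Sentinel.
$sample = @(
    [pscustomobject]@{ workspaceName = 'law-prod-01'; StatusCode = 403 }
    [pscustomobject]@{ workspaceName = 'law-dev-01';  StatusCode = 404 }
)
Resolve-SentinelOnboardingResult -WorkspaceResults $sample
```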