Is there a way to change the Playbook Settings in Microsoft Sentinel through Terraform

Question



I have a Microsoft Sentinel solution that I deployed using Terraform. I want to deploy an automation rule again using Terraform but it requires the Sentinel Solution to have the Playbook permissions configured to deploy the automation rule. Is there any way that I can do that part also in my Terraform script?

Current Terraform code for the log_analytics_solution is as follows:

resource "azurerm_log_analytics_solution" "log_analytics_solution_sentinel" {
  solution_name         = "SecurityInsights"
  location              = var.location
  resource_group_name   = module.resource-group.resource_group_name
  workspace_resource_id = module.log_analytics_workspace.log_analytics_workspace_id
  workspace_name        = module.log_analytics_workspace.log_analytics_workspace_name
  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityInsights"
  }
  depends_on = [module.log_analytics_workspace]
  tags       = local.default_tags
}

Variables and other modules are in the complete TF file; I just pasted the log_analytics_solution part here.

This is the setting I want to add in the TF code.

Answer 1

Score: 1


Check the following code:

terraform {
  backend "azurerm" {
    resource_group_name  = "XXX"
    storage_account_name = "remotestatekavstr231"
    container_name       = "terraform"
    key                  = "terraform.tfstate"
  }
}

# The resource group referenced below; var.resource_group_name is the same
# variable the role assignment at the end of this answer uses.
data "azurerm_resource_group" "example" {
  name = var.resource_group_name
}

resource "azurerm_log_analytics_workspace" "rgcore-management-la" {
  name                = "la-example-utv-weu"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

resource "azurerm_log_analytics_solution" "log_analytics_solution_sentinel" {
  solution_name         = "SecurityInsights"
  location              = data.azurerm_resource_group.example.location
  resource_group_name   = data.azurerm_resource_group.example.name
  workspace_resource_id = azurerm_log_analytics_workspace.rgcore-management-la.id
  workspace_name        = azurerm_log_analytics_workspace.rgcore-management-la.name
  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityInsights"
  }
  depends_on = [azurerm_log_analytics_workspace.rgcore-management-la]
}

resource "azurerm_sentinel_alert_rule_ms_security_incident" "example" {
  name                       = "examplesentinelaler"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.rgcore-management-la.id
  product_filter             = "Microsoft Cloud App Security"
  display_name               = "example rule"
  severity_filter            = ["High"]
}

resource "azurerm_sentinel_alert_rule_scheduled" "example" {
  name                       = "examplekaalertrule"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.rgcore-management-la.id
  display_name               = "examplesentielrule"
  severity                   = "High"
  query                      = <<QUERY
AzureActivity |
where OperationName == "Create or Update Virtual Machine" or OperationName == "Create Deployment" |
where ActivityStatus == "Succeeded" |
make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
QUERY
}

resource "azurerm_sentinel_automation_rule" "example" {
  name                       = "56094f72-ac3f-40e7-a0c0-47bd95f70336"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.rgcore-management-la.id
  display_name               = "automation_rule1"
  order                      = 1
  action_incident {
    order  = 1
    status = "Active"
  }
}


You need to have the Microsoft Sentinel Automation Contributor role assigned to the resource where the Sentinel workspace is going to be created.

resource "azurerm_role_assignment" "sentinel_contributor" {
  scope                = "/subscriptions/8xxx8-xxxaa16/resourceGroups/xxx"
  # Exactly one of role_definition_name / role_definition_id is required;
  # this is the built-in role named above. Swap in
  # role_definition_id = azurerm_role_definition.sentinel_contributor.id
  # to use the custom role defined further down instead.
  role_definition_name = "Microsoft Sentinel Automation Contributor"
  # Azure Security Insights app object id, or the current user / service
  # principal via data.azurerm_client_config.current.object_id
  principal_id         = "3367a746-xxx18686"
}

> In the above, principal_id "3367a746-xxx18686" is the Azure Security
> Insights app objectId, or you can use the current user/service principal
> data.azurerm_client_config.current.object_id.

Or else, a custom role can be created using:

resource "azurerm_role_definition" "sentinel_contributor" {
  name        = "Azure Sentinel Contributor"
  description = "Can manage Azure Sentinel resources."
  permissions {
    actions = [
      "Microsoft.Devices/IotHubs/read",
      "Microsoft.Devices/IotHubs/devices/read",
      "Microsoft.Devices/IotHubs/devices/write",
      "Microsoft.Devices/DeviceProvisioningServices/enrollments/write",
      "Microsoft.Devices/OperationsMonitoring/read",
      "Microsoft.Insights/alertRules/*",
      "Microsoft.Insights/diagnosticSettings/*",
      "Microsoft.SecurityInsights/*"
    ]
    not_actions = []
  }
  assignable_scopes = [
    "/subscriptions/${var.subscription_id}"
  ]
}




# Named differently from the assignment above so both can live in one module.
resource "azurerm_role_assignment" "sentinel_contributor_custom" {
  scope              = "/subscriptions/${var.subscription_id}/resourceGroups/${var.resource_group_name}"
  role_definition_id = azurerm_role_definition.sentinel_contributor.id
  principal_id       = var.principal_id
}


Assign these roles to the resource group or the Security Insights resource that contains the Microsoft Sentinel workspace.

The automation rule can then be created.

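As an added example (not part of the original answer or the asker's code), the following HCL reproduces what the portal's "Playbook permissions" setting does and then attaches a playbook to an automation rule. Sentinel invokes playbooks as the first-party "Azure Security Insights" service principal, so that identity, not the Terraform caller, needs the Microsoft Sentinel Automation Contributor role, and it needs it on the resource group that holds the Logic Apps, not on the subscription. The example assumes the azuread and random providers, two input variables (playbook_resource_group_id, playbook_logic_app_id) whose names are placeholders, and reuses the module.log_analytics_workspace output from the question; the High-severity condition is an assumed filter.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
    random  = { source = "hashicorp/random" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Placeholder inputs (assumed, not from the original post).
variable "playbook_resource_group_id" {
  description = "Resource ID of the resource group that contains the playbook Logic Apps"
  type        = string
}

variable "playbook_logic_app_id" {
  description = "Resource ID of the Logic App playbook the automation rule should run"
  type        = string
}

# Sentinel runs playbooks as the first-party "Azure Security Insights"
# service principal; looking it up by display name avoids hard-coding its id.
data "azuread_service_principal" "sentinel" {
  display_name = "Azure Security Insights"
}

# Terraform equivalent of Settings > Playbook permissions in the portal:
# the built-in Microsoft Sentinel Automation Contributor role, granted to the
# Azure Security Insights principal, scoped to the playbook resource group only.
resource "azurerm_role_assignment" "sentinel_playbook_permissions" {
  scope                = var.playbook_resource_group_id
  role_definition_name = "Microsoft Sentinel Automation Contributor"
  principal_id         = data.azuread_service_principal.sentinel.object_id
}

# Automation rule names must be UUIDs; generate one instead of hand-writing it.
resource "random_uuid" "automation_rule" {}

# Runs the playbook on every newly created High severity incident.
# depends_on guarantees the role assignment exists before Sentinel validates
# the playbook reference, which is the failure the question describes.
resource "azurerm_sentinel_automation_rule" "run_playbook" {
  name                       = random_uuid.automation_rule.result
  log_analytics_workspace_id = module.log_analytics_workspace.log_analytics_workspace_id
  display_name               = "run-playbook-on-high-severity-incident"
  order                      = 1
  triggers_on                = "Incidents"
  triggers_when              = "Created"

  # Assumed condition: only High severity incidents.
  condition_json = jsonencode([
    {
      conditionType = "Property"
      conditionProperties = {
        propertyName   = "IncidentSeverity"
        operator       = "Equals"
        propertyValues = ["High"]
      }
    }
  ])

  action_playbook {
    order        = 1
    logic_app_id = var.playbook_logic_app_id
  }

  depends_on = [azurerm_role_assignment.sentinel_playbook_permissions]
}
```

After `terraform apply`, the playbook resource group appears under Settings > Playbook permissions in the Sentinel portal, and `az role assignment list --scope <playbook resource group id> --role "Microsoft Sentinel Automation Contributor"` should list the Azure Security Insights principal. Keep the scope at the playbook resource group: granting the role at subscription scope lets Sentinel trigger any Logic App in the subscription, which is more than the automation rule needs.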

huangapple
  • Posted on 2023-04-19 17:24:51
  • Please keep this link when reposting: https://go.coder-hub.com/76052854.html