Is there a way to change the Playbook Settings in Microsoft Sentinel through Terraform
Question
I have a Microsoft Sentinel solution that I deployed using Terraform. I want to deploy an automation rule again using Terraform but it requires the Sentinel Solution to have the Playbook permissions configured to deploy the automation rule. Is there any way that I can do that part also in my Terraform script?
Current Terraform code for the log_analytics_solution is as follows:
resource "azurerm_log_analytics_solution" "log_analytics_solution_sentinel" {
  solution_name         = "SecurityInsights"
  location              = var.location
  resource_group_name   = module.resource-group.resource_group_name
  workspace_resource_id = module.log_analytics_workspace.log_analytics_workspace_id
  workspace_name        = module.log_analytics_workspace.log_analytics_workspace_name

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityInsights"
  }

  depends_on = [module.log_analytics_workspace]
  tags       = local.default_tags
}
Variables and other modules are in the complete TF file; I just pasted the log_analytics_solution part here.
Answer 1
Score: 1
Check the following code:
terraform {
  backend "azurerm" {
    resource_group_name  = "XXX"
    storage_account_name = "remotestatekavstr231"
    container_name       = "terraform"
    key                  = "terraform.tfstate"
  }
}

resource "azurerm_log_analytics_workspace" "rgcore-management-la" {
  name                = "la-example-utv-weu"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

resource "azurerm_log_analytics_solution" "log_analytics_solution_sentinel" {
  solution_name         = "SecurityInsights"
  location              = data.azurerm_resource_group.example.location
  resource_group_name   = data.azurerm_resource_group.example.name
  workspace_resource_id = azurerm_log_analytics_workspace.rgcore-management-la.id
  workspace_name        = azurerm_log_analytics_workspace.rgcore-management-la.name

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityInsights"
  }

  depends_on = [azurerm_log_analytics_workspace.rgcore-management-la]
}

resource "azurerm_sentinel_alert_rule_ms_security_incident" "example" {
  name                       = "examplesentinelaler"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.rgcore-management-la.id
  product_filter             = "Microsoft Cloud App Security"
  display_name               = "example rule"
  severity_filter            = ["High"]
}

resource "azurerm_sentinel_alert_rule_scheduled" "example" {
  name                       = "examplekaalertrule"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.rgcore-management-la.id
  display_name               = "examplesentielrule"
  severity                   = "High"
  # Indented heredoc (<<-) so the KQL can sit inside the block
  query                      = <<-QUERY
    AzureActivity |
    where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
    where ActivityStatus == "Succeeded" |
    make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
  QUERY
}

resource "azurerm_sentinel_automation_rule" "example" {
  name                       = "56094f72-ac3f-40e7-a0c0-47bd95f70336"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.rgcore-management-la.id
  display_name               = "automation_rule1"
  order                      = 1

  action_incident {
    order  = 1
    status = "Active"
  }
}
You need to have the Microsoft Sentinel Automation Contributor role assigned to the resource where the Sentinel workspace is going to be created.
resource "azurerm_role_assignment" "sentinel_contributor" {
  scope                = "/subscriptions/8xxx8-xxxaa16/resourceGroups/xxx"
  # Either a built-in role by name or the custom role definition below; one of the two is required
  role_definition_name = "Microsoft Sentinel Automation Contributor"
  // role_definition_id = azurerm_role_definition.sentinel_contributor.id
  # This is the Azure Security Insights app objectId, or you can use the current user/service principal: data.azurerm_client_config.current.object_id
  principal_id         = "3367a746-xxx18686"
}
> In the above principal_id "3367a746-xxx18686" is the Azure Security
> Insights app objectId, or you can use the current user/service principal
> data.azurerm_client_config.current.object_id.
Or else a custom role can be created using:
resource "azurerm_role_definition" "sentinel_contributor" {
  name        = "Azure Sentinel Contributor"
  description = "Can manage Azure Sentinel resources."

  permissions {
    actions = [
      "Microsoft.Devices/IotHubs/read",
      "Microsoft.Devices/IotHubs/devices/read",
      "Microsoft.Devices/IotHubs/devices/write",
      "Microsoft.Devices/DeviceProvisioningServices/enrollments/write",
      "Microsoft.Devices/OperationsMonitoring/read",
      "Microsoft.Insights/alertRules/*",
      "Microsoft.Insights/diagnosticSettings/*",
      "Microsoft.SecurityInsights/*"
    ]
    not_actions = []
  }

  assignable_scopes = [
    "/subscriptions/${var.subscription_id}"
  ]
}

resource "azurerm_role_assignment" "sentinel_contributor" {
  scope              = "/subscriptions/${var.subscription_id}/resourceGroups/${var.resource_group_name}"
  role_definition_id = azurerm_role_definition.sentinel_contributor.id
  principal_id       = var.principal_id
}
Assign these roles to the resource group or Security Insights that contains the Microsoft Sentinel workspace.
The automation rule can then be created.
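As an added example (not part of the original question or answer), here is a minimal Terraform configuration that grants Sentinel's own "Azure Security Insights" service principal the built-in Microsoft Sentinel Automation Contributor role on the resource group and then attaches a playbook to an automation rule, which is the permission the question is about. It assumes the azuread provider is configured alongside azurerm, and that var.resource_group_name, var.workspace_id and var.playbook_logic_app_id are defined elsewhere.

```hcl
# Added example, not code from the original post. Assumes the azuread provider
# is configured and that var.resource_group_name, var.workspace_id and
# var.playbook_logic_app_id are declared elsewhere in the configuration.

data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "sentinel" {
  name = var.resource_group_name
}

# Sentinel invokes playbooks as the first-party "Azure Security Insights" app.
# Look its service principal up by display name rather than pasting an object id.
data "azuread_service_principal" "security_insights" {
  display_name = "Azure Security Insights"
}

# Least privilege: scope the role to the resource group that holds the playbooks,
# not to the whole subscription.
resource "azurerm_role_assignment" "sentinel_automation_contributor" {
  scope                = data.azurerm_resource_group.sentinel.id
  role_definition_name = "Microsoft Sentinel Automation Contributor"
  principal_id         = data.azuread_service_principal.security_insights.object_id
}

resource "azurerm_sentinel_automation_rule" "playbook_rule" {
  # Constructed GUID for illustration; any unique GUID is acceptable here.
  name                       = "b4f1c2d3-5e6f-4a7b-8c9d-0e1f2a3b4c5d"
  log_analytics_workspace_id = var.workspace_id
  display_name               = "run-playbook-on-new-incident"
  order                      = 1

  action_playbook {
    order        = 1
    logic_app_id = var.playbook_logic_app_id
    tenant_id    = data.azurerm_client_config.current.tenant_id
  }

  # The role assignment must exist before the rule references the playbook,
  # otherwise the SecurityInsights API rejects the rule with a permission error.
  depends_on = [azurerm_role_assignment.sentinel_automation_contributor]
}
```

Run terraform plan after adding this and confirm the role assignment is created before the automation rule; if the service principal lookup returns nothing, the azuread provider is not authenticated against the tenant that owns the workspace.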