How to add playbook permissions in azure sentinel via terraform?
Question
I have terraformized the Log Analytics Workspace and Sentinel by using the code below:
```hcl
resource "azurerm_log_analytics_workspace" "log_analytics_workspace" {
  name                = "log-test-permissions"
  location            = "xxx"
  resource_group_name = "xxx"
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

resource "azurerm_log_analytics_solution" "sentinel" {
  solution_name         = "SecurityInsights"
  location              = "xxx"
  resource_group_name   = "xxx"
  workspace_resource_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
  workspace_name        = azurerm_log_analytics_workspace.log_analytics_workspace.name

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityInsights"
  }

  depends_on = [azurerm_log_analytics_workspace.log_analytics_workspace]
}
```
I'm planning to terraformize the playbook permissions configuration by following the steps below:
- Go to Azure Sentinel -> Configuration -> Settings -> Playbook permissions -> Configure Permissions
- Check the 'Current permissions' tab to see if the resource group containing the playbook is listed. Else select the required resource groups in the 'Browse' tab and select 'Apply'.
Can anyone please help me out regarding how we can terraformize the playbook permissions on Sentinel for a specific resource group?
Answer 1
Score: 1
Check the following code:

```hcl
terraform {
  backend "azurerm" {
    resource_group_name  = "XXX"
    storage_account_name = "remteccc1"
    container_name       = "terraform"
    key                  = "terraform.tfstate"
  }
}

# Existing resource group referenced by the Sentinel solution below
data "azurerm_resource_group" "example" {
  name = "xxx"
}

resource "azurerm_log_analytics_workspace" "exm" {
  name                = "dsd"
  location            = "xx"
  resource_group_name = "xxx"
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

# Enables Microsoft Sentinel (SecurityInsights) on the workspace
resource "azurerm_log_analytics_solution" "log_analytics_solution_sentinel" {
  solution_name         = "SecurityInsights"
  location              = data.azurerm_resource_group.example.location
  resource_group_name   = data.azurerm_resource_group.example.name
  workspace_resource_id = azurerm_log_analytics_workspace.exm.id
  workspace_name        = azurerm_log_analytics_workspace.exm.name

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityInsights"
  }

  # Must reference the workspace declared in this configuration
  depends_on = [azurerm_log_analytics_workspace.exm]
}
```
The permissions to the playbook can be given as follows.
You need to have permissions to the playbook, for which we can add roles like the Microsoft Sentinel Automation Contributor role to the resource, which allows access on Sentinel.
```hcl
resource "azurerm_role_assignment" "sentinel_contributor" {
  scope = "/subscriptions/<subId>/resourceGroups/<rg>"
  # role_definition_id = azurerm_role_definition.sentinelcontributor.id
  role_definition_name = "Azure Sentinel Contributor"
  # Object ID of the Azure Security Insights app or service principal
  principal_id = "3367a746-xxx18686"
  # Second value left in the original post, commented out so the block parses
  # (it needs a data "azurerm_client_config" "current" {} block):
  # principal_id = data.azurerm_client_config.current.object_id
}
```
These roles are to be assigned to the security insights or resource group that contains the Microsoft Sentinel workspace.
With the permissions, the automation rule is created and is reflected in the portal under Microsoft Sentinel.
```hcl
resource "azurerm_sentinel_automation_rule" "example" {
  name = "56094f72-ac3f-40e7-a0c0-47bd95f70336"
  # References the workspace declared above as "exm"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.exm.id
  display_name               = "automation_rule1"
  order                      = 1

  action_incident {
    order  = 1
    status = "Active"
  }
}
```
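The portal steps in the question (Playbook permissions -> Configure Permissions) correspond to a role assignment on the resource group that holds the playbooks. The following is an added example, not code from the original question or answer, that grants the Microsoft Sentinel Automation Contributor role named above only on those resource groups. It assumes the `azuread` provider, that the Sentinel service account is visible in the tenant under the display name "Azure Security Insights", and a hypothetical `playbook_resource_groups` variable with a placeholder value.

```hcl
# Added example: resource and variable names here are illustrative.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
  }
}

provider "azurerm" {
  features {}
}

# Assumed input: resource groups that contain the playbooks (Logic Apps).
variable "playbook_resource_groups" {
  type    = set(string)
  default = ["rg-playbooks"] # placeholder name
}

# Microsoft Sentinel's service account. Looking it up by display name
# (assumed to be "Azure Security Insights") avoids hardcoding a
# tenant-specific object ID in the configuration.
data "azuread_service_principal" "security_insights" {
  display_name = "Azure Security Insights"
}

data "azurerm_resource_group" "playbooks" {
  for_each = var.playbook_resource_groups
  name     = each.value
}

# One assignment per playbook resource group, scoped to that group only,
# using the automation-specific role rather than a broader one.
resource "azurerm_role_assignment" "sentinel_playbook_permissions" {
  for_each             = data.azurerm_resource_group.playbooks
  scope                = each.value.id
  role_definition_name = "Microsoft Sentinel Automation Contributor"
  principal_id         = data.azuread_service_principal.security_insights.object_id
}

# Lists the scopes that received the assignment, for review after apply.
output "playbook_permission_scopes" {
  value = [for a in azurerm_role_assignment.sentinel_playbook_permissions : a.scope]
}
```

Scoping each assignment to a playbook resource group, instead of the subscription, limits which Logic Apps the Sentinel service account is able to run.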