How to add playbook permissions in Azure Sentinel via Terraform?


Question

I have terraformed the Log Analytics Workspace and Sentinel using the code below:

resource "azurerm_log_analytics_workspace" "log_analytics_workspace" {
  name                = "log-test-permissions"
  location            = "xxx"
  resource_group_name = "xxx"
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

resource "azurerm_log_analytics_solution" "sentinel" {
  solution_name         = "SecurityInsights"
  location              = "xxx"
  resource_group_name   = "xxx"
  workspace_resource_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
  workspace_name        = azurerm_log_analytics_workspace.log_analytics_workspace.name

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityInsights"
  }

  depends_on = [azurerm_log_analytics_workspace.log_analytics_workspace]
}

I'm planning to terraformize the playbook permissions configuration by following the steps below:

  1. Go to Azure Sentinel -> Configuration -> Settings -> Playbook permissions -> Configure Permissions
  2. Check the 'Current permissions' tab to see if the resource group containing the playbook is listed. Otherwise, select the required resource groups in the 'Browse' tab and select 'Apply'.

Can anyone please help me out with how we can terraformize the playbook permissions on Sentinel for a specific resource group?


Answer 1

Score: 1


Check the following code:

terraform {
    backend "azurerm" {
        resource_group_name  = "XXX"
        storage_account_name = "remteccc1"
        container_name       = "terraform"
        key                  = "terraform.tfstate"
    }
}

# Resource group that holds the workspace and the Sentinel solution
# (the data source was referenced below but never declared in the original)
data "azurerm_resource_group" "example" {
    name = "xxx"
}

resource "azurerm_log_analytics_workspace" "exm" {
    name                = "dsd"
    location            = "xx"
    resource_group_name = "xxx"
    sku                 = "PerGB2018"
    retention_in_days   = 90
}

resource "azurerm_log_analytics_solution" "log_analytics_solution_sentinel" {
    solution_name         = "SecurityInsights"
    location              = data.azurerm_resource_group.example.location
    resource_group_name   = data.azurerm_resource_group.example.name
    workspace_resource_id = azurerm_log_analytics_workspace.exm.id
    workspace_name        = azurerm_log_analytics_workspace.exm.name
    plan {
        publisher = "Microsoft"
        product   = "OMSGallery/SecurityInsights"
    }
    # Must reference the workspace declared above (the original pointed at an undeclared resource)
    depends_on = [azurerm_log_analytics_workspace.exm]
}

The permissions for the playbook can be granted as follows.

***You need to have permissions on the playbook, for which we can add roles such as the Microsoft Sentinel Automation Contributor role to the resource, which allows access to Sentinel.***

resource "azurerm_role_assignment" "sentinel_contributor" {
    scope                = "/subscriptions/<subId>/resourceGroups/<rg>"
    role_definition_name = "Azure Sentinel Contributor"
    # Object ID of the Azure Security Insights application's service principal
    # (placeholder value kept from the original)
    principal_id         = "3367a746-xxx18686"
    # Alternative: grant the role to the identity running Terraform instead
    # (requires a `data "azurerm_client_config" "current" {}` block):
    # principal_id       = data.azurerm_client_config.current.object_id
}

These roles are to be assigned to the Security Insights app or the resource group that contains the Microsoft Sentinel workspace.

[![enter image description here][1]][1]

With the permissions in place, the automation rule is created and is reflected in the portal under Microsoft Sentinel.

resource "azurerm_sentinel_automation_rule" "example" {
    name                       = "56094f72-ac3f-40e7-a0c0-47bd95f70336"
    # Reference the workspace declared above (the original pointed at an undeclared resource)
    log_analytics_workspace_id = azurerm_log_analytics_workspace.exm.id
    display_name               = "automation_rule1"
    order                      = 1
    action_incident {
        order  = 1
        status = "Active"
    }
}

[![enter image description here][2]][2]

  [1]: https://i.stack.imgur.com/b520K.png
  [2]: https://i.stack.imgur.com/MUMAs.png


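The two portal steps in the question (Playbook permissions -> Configure Permissions -> Browse -> Apply) amount to one role assignment: Sentinel's own service principal, which appears in every tenant under the display name "Azure Security Insights", is granted the Microsoft Sentinel Automation Contributor role on the resource group that contains the playbooks. The following is an added example, not code from the question or the answer above; it assumes the resource group names rg-sentinel and rg-playbooks, a workspace named log-test-permissions, a Logic App named Block-IP-Playbook, the hashicorp/azuread provider for the service principal lookup, and a made-up GUID for the automation rule name. It goes slightly beyond the answer by wiring the permission to an automation rule that actually runs the playbook.

```hcl
# Added example: reproduces the portal's "Playbook permissions" step in Terraform.
# All resource names and the rule GUID below are assumptions for illustration.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Resource group holding the Sentinel workspace (assumed name)
data "azurerm_resource_group" "sentinel" {
  name = "rg-sentinel"
}

# Resource group holding the Logic App playbooks (assumed name); this is the
# scope the portal's "Browse" tab selects, not the workspace resource group.
data "azurerm_resource_group" "playbooks" {
  name = "rg-playbooks"
}

# Existing Sentinel-enabled workspace (assumed name)
data "azurerm_log_analytics_workspace" "law" {
  name                = "log-test-permissions"
  resource_group_name = data.azurerm_resource_group.sentinel.name
}

# Sentinel runs playbooks as Microsoft's first-party "Azure Security Insights" app.
# Look up its service principal in this tenant rather than hard-coding an object ID.
data "azuread_service_principal" "sentinel" {
  display_name = "Azure Security Insights"
}

# The permission itself. Microsoft Sentinel Automation Contributor only allows
# running Logic App workflows, so it is a narrower grant than Sentinel Contributor.
# Scoping it to the playbook resource group keeps it to least privilege.
resource "azurerm_role_assignment" "sentinel_playbook_permissions" {
  scope                = data.azurerm_resource_group.playbooks.id
  role_definition_name = "Microsoft Sentinel Automation Contributor"
  # Role assignments bind to the service principal's object_id, not the app (client) id.
  principal_id         = data.azuread_service_principal.sentinel.object_id
}

# Existing playbook to run (assumed Logic App name)
data "azurerm_logic_app_workflow" "playbook" {
  name                = "Block-IP-Playbook"
  resource_group_name = data.azurerm_resource_group.playbooks.name
}

# Automation rule that runs the playbook on new incidents. The rule name must be a GUID;
# the value here is a placeholder. depends_on ensures the grant exists before Sentinel
# validates that it may run the playbook.
resource "azurerm_sentinel_automation_rule" "run_playbook" {
  name                       = "a1b2c3d4-0000-4000-8000-000000000001"
  log_analytics_workspace_id = data.azurerm_log_analytics_workspace.law.id
  display_name               = "Run playbook on new incidents"
  order                      = 1

  action_playbook {
    order        = 1
    logic_app_id = data.azurerm_logic_app_workflow.playbook.id
  }

  depends_on = [azurerm_role_assignment.sentinel_playbook_permissions]
}
```

The identity running `terraform apply` needs permission to create role assignments on rg-playbooks (Owner or User Access Administrator at that scope), otherwise the `azurerm_role_assignment` fails with an authorization error. After applying, the resource group should appear under the 'Current permissions' tab mentioned in the question, and removing the assignment from state and re-applying is the Terraform equivalent of revoking it there.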

huangapple
  • Posted by huangapple on 2023-05-10 18:40:21
  • Please keep this link when reposting: https://go.coder-hub.com/76217425.html