Azure Sentinel

Last Updated on August 17, 2024 by Arnav Sharma

I recently compiled all the components (all of the resources available in Terraform) and deployed them using Terraform.

To deploy a complete setup, change three inputs and the full Sentinel solution should be up and running in 10-15 minutes.

Here’s the code to set up Sentinel using Terraform and Terragrunt.

Repo: sharmaarnav/as-sentinel (github.com)

Changes needed to deploy Sentinel: open the terragrunt.hcl file in the production folder and set:

  • Prefix: prepended to the name of every resource
  • Location: the Azure region to deploy into
  • Whether the tenant has an Azure AD Premium P2 licence and a Microsoft 365 E5 licence. Set each value to 0 if you do not have the licence and 1 if it is active, so that the connectors for products you are not licensed for are not created.

No other changes are needed beyond the basics: Azure credentials for the azurerm provider (for example an `az login` session or a service principal), plus Terraform and Terragrunt installed.
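As an added example of what the production terragrunt.hcl looks like with those three inputs filled in (this is illustrative code written for this page, not the repo's own file; the module path, the input names prefix, location, aad_p2_license and o365_e5_license, and the storage account names are assumptions):

```hcl
# SentinelLiveRepo/Production/terragrunt.hcl (assumed path). Module path and
# input names are assumptions made for this example, not the repo's own.
terraform {
  source = "../../Modules//sentinel"
}

# Keep state out of the repo: azurerm_log_analytics_workspace stores the
# workspace's primary_shared_key in state. Names below are placeholders.
remote_state {
  backend = "azurerm"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    resource_group_name  = "tfstate-rg"
    storage_account_name = "tfstateprodsentinel"
    container_name       = "tfstate"
    key                  = "sentinel/production/terraform.tfstate"
  }
}

# The three inputs the post says to change.
inputs = {
  prefix   = "contoso-prod" # prefixes every resource name
  location = "westeurope"

  # 1 = licensed, 0 = not. The module uses these as `count`, so a 0 simply
  # leaves out the connectors that would fail without the licence.
  aad_p2_license  = 1
  o365_e5_license = 0
}
```

The remote_state block is not something the post asks you to change, but it matters in a shared live repo: the workspace's shared key ends up in Terraform state, so the state container should be locked down to the people and pipelines that run applies.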

Resources Deployed:

  • A resource group
  • Log Analytics workspace
  • Log Analytics solution "SecurityInsights" (this is what enables Sentinel on the workspace)
  • Sentinel Fusion alert rule
  • Sentinel Machine Learning Behavior Analytics alert rule
  • Sentinel Microsoft Security Incident alert rule
  • Sentinel scheduled alert rule
  • Sentinel automation rule
  • Data connector for Office 365
  • Data connector for Azure Active Directory
  • Data connector for Microsoft Cloud App Security (Defender for Cloud Apps)
  • Data connector for Azure Advanced Threat Protection (Defender for Identity)
  • Data connector for Microsoft Defender Advanced Threat Protection (Defender for Endpoint)
  • Data connector for Azure Security Center (Defender for Cloud)

The code:

Source modules: as-sentinel/Modules at main · sharmaarnav/as-sentinel (github.com)

Live Repo: as-sentinel/SentinelLiveRepo/Production at main · sharmaarnav/as-sentinel (github.com)

To Deploy:

  1. Fork the repo and clone it to your system. Open the cloned directory in VS Code or your editor of choice.
  2. Browse to the production folder and update the terragrunt.hcl file as described above.
  3. Run `terragrunt run-all plan` from that folder and review the output, then `terragrunt run-all apply` to deploy.

(PS: you need Terraform and Terragrunt installed, and a logged-in Azure identity with rights to create the resource group and workspace, to have this up and running.)

Code Structure (from the screenshot in the original post): red is the Modules folder, yellow is the live code.


FAQ:

Q: How can I deploy Microsoft Sentinel using Terraform?

Create a Log Analytics workspace and then enable Sentinel on it. This repo does that with the azurerm_log_analytics_solution resource and solution_name "SecurityInsights"; newer versions of the azurerm provider replace that with azurerm_sentinel_log_analytics_workspace_onboarding. Alert rules are then defined with resources such as azurerm_sentinel_alert_rule_scheduled, and the azurerm_sentinel_alert_rule_template data source lets you look up Microsoft's built-in templates. Everything goes through the azurerm provider, so the environment is infrastructure as code: consistent, reviewable and repeatable.

Q: What is the role of the Terraform Registry in a Microsoft Sentinel deployment?

The Terraform Registry is where Terraform providers and modules are published and discovered. Modules for Microsoft Sentinel there (and the azurerm provider itself) give you pre-built building blocks for alert rules, data connectors and other resources that you can reference from your own configuration. Treat a third-party module like any other dependency: read its source and pin an exact version rather than tracking the latest release.

Q: What are some example usages of Terraform for deploying Azure Sentinel?

Example usages include creating a Log Analytics workspace, enabling Sentinel on it, defining analytics rules (scheduled, Fusion, machine learning behaviour analytics and Microsoft security incident rules), setting up data connectors, including threat intelligence connectors, and creating automation rules. You can also deploy the Logic Apps used as playbooks and the other integrations that make up a working Sentinel environment.

Q: How does Terraform handle timeout settings in Microsoft Sentinel deployments?

Every azurerm resource, including the Sentinel ones, accepts a timeouts block in which you set how long Terraform waits for the create, read, update and delete operations (each resource documents its defaults). Sentinel rule and connector provisioning is not always quick, so a sensible timeout makes Terraform fail with a clear error rather than hang indefinitely, while still allowing legitimately long-running operations to finish.

Q: What arguments and attributes references are essential in Terraform for deploying Azure Sentinel?

The key argument is log_analytics_workspace_id: every Sentinel alert rule, automation rule and data connector resource takes it, and it is the ID of the workspace the object belongs to. azurerm_sentinel_alert_rule_template is a data source rather than a resource; its name attribute is the template GUID and its scheduled_template block exposes the template's query, severity, tactics and trigger settings. Other arguments you will use constantly are name and display_name on rules, severity, query, query_frequency and query_period on scheduled rules, and the optional tenant_id on data connectors (it defaults to the provider's tenant).

Q: How can Azure DevOps integrate with Terraform for deploying Microsoft Sentinel?

Azure DevOps runs Terraform from an Azure Pipeline: the pipeline checks out the repository, authenticates to Azure through a service connection, and runs plan and apply (or terragrunt run-all). Resource creation, alert rules and data connectors are then all managed through your CI/CD workflow, with the plan output available for review before apply. Store Terraform state in a backend the pipeline can reach, never in the repository itself.

Q: What is the significance of the Log Analytics workspace in an Azure Sentinel deployment?

The Log Analytics workspace is the backend of a Sentinel deployment: the data connectors write into its tables (SigninLogs, OfficeActivity and so on), analytics rules query those tables, and retention and cost are set at the workspace level. In Terraform the log_analytics_workspace_id argument on each Sentinel rule and connector links it to the workspace, and Sentinel must be enabled on that workspace before any of them can be created.

Q: What does changing a Terraform code element force in Azure Sentinel?

Several arguments on the Sentinel resources are documented as "Changing this forces a new resource to be created", for example name and log_analytics_workspace_id on alert rules and data connectors. Changing one of them makes Terraform destroy the existing rule or connector and create a replacement, which terraform plan shows as "must be replaced". Because the replacement is a new rule from Sentinel's point of view, pick stable names up front.

Q: What kind of rule can be created with Terraform in Azure Sentinel?

Terraform can create every type of analytics rule Sentinel offers: scheduled (KQL query) rules, near-real-time rules, Microsoft security incident rules that promote alerts from the Defender products, and the Fusion and machine learning behaviour analytics rules. Scheduled rules are the ones you write yourself; they create incidents when the query result crosses the configured threshold.

Q: What resource should be used to reference the name of an alert rule template in Azure Sentinel?

azurerm_sentinel_alert_rule_template is a data source, not a resource. Declared as data "azurerm_sentinel_alert_rule_template" "analytics_rule_template" and looked up by display_name, its name attribute (data.azurerm_sentinel_alert_rule_template.analytics_rule_template.name) returns the template GUID, which you pass as alert_rule_template_guid on the scheduled rule you build from it.

Q: How does Azure Sentinel handle alert rule severity and triggers?

Each scheduled rule carries a severity (Informational, Low, Medium or High), the MITRE ATT&CK tactics it maps to, and a trigger made of trigger_operator and trigger_threshold, which compare the number of rows the query returned against the threshold. When you build a rule from a template, the data source exposes the template's values under scheduled_template, for example data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.severity and data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.trigger_threshold, and you can copy them or override them per tenant.
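The two answers above in working form: an added example (not code from the post or the repo) that looks a built-in template up by display name, builds an enabled scheduled rule from its severity, query and trigger, and sets explicit timeouts. It assumes var.workspace_id is the resource ID of a workspace on which Sentinel is already enabled, and the template display name is a placeholder to replace with the template you want.

```hcl
# Added example. Assumes var.workspace_id holds the Log Analytics workspace
# resource ID of a workspace on which Sentinel is already enabled.
variable "workspace_id" { type = string }

# Look the built-in template up by display name; `name` then returns its GUID.
data "azurerm_sentinel_alert_rule_template" "analytics_rule_template" {
  log_analytics_workspace_id = var.workspace_id
  display_name               = "Brute force attack against Azure Portal" # replace as needed
}

locals {
  tpl = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template[0]
}

resource "azurerm_sentinel_alert_rule_scheduled" "from_template" {
  # name, log_analytics_workspace_id and alert_rule_template_guid are ForceNew:
  # changing any of them replaces the rule. Everything else updates in place.
  name                       = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.name
  log_analytics_workspace_id = var.workspace_id
  alert_rule_template_guid   = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.name
  display_name               = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.display_name
  enabled                    = true

  # Detection logic copied from the template. Override severity or the
  # trigger here if this tenant needs different tuning.
  severity          = local.tpl.severity
  tactics           = local.tpl.tactics
  query             = local.tpl.query
  query_frequency   = local.tpl.query_frequency
  query_period      = local.tpl.query_period
  trigger_operator  = local.tpl.trigger_operator
  trigger_threshold = local.tpl.trigger_threshold

  # Fail loudly after 30 minutes instead of leaving a pipeline hanging.
  timeouts {
    create = "30m"
    update = "30m"
    delete = "30m"
  }
}
```

Using the template GUID as the rule's name keeps it stable across runs and makes the rule's origin obvious in the portal; if you instead rename the rule later, terraform plan will show "must be replaced" because name is one of the ForceNew arguments.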
