Skip to content
/ terraform-azure-sentinel Public
generated from clouddrove/terraform-module-template

This terraform module is designed to create azure Sentinel resources. Microsoft Sentinel natively incorporates proven Azure services, like Log Analytics and Logic Apps. Microsoft Sentinel enriches your investigation and detection with AI. It provides Microsoft's threat intelligence stream and enables you to bring your own threat intelligence

License

Apache-2.0 license
6 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

clouddrove/terraform-azure-sentinel

BranchesTags

Repository files navigation

Terraform AZURE SENTINEL

Terraform module to create SENTINEL resource on AZURE.

Terraform Licence

We eat, drink, sleep and most importantly love DevOps. We are working towards strategies for standardizing architecture while ensuring security for the infrastructure. We are strong believer of the philosophy Bigger problems are always solved by breaking them into smaller manageable problems. Resonating with microservices architecture, it is considered best-practice to run database, cluster, storage in smaller connected yet manageable pieces within the infrastructure.

This module is basically combination of Terraform open source and includes automatation tests and examples. It also helps to create and improve your infrastructure with minimalistic code instead of maintaining the whole infrastructure code yourself.

We have fifty plus terraform modules. A few of them are comepleted and are available for open source usage while a few others are in progress.

Prerequisites

This module has a few dependencies:

Examples

IMPORTANT: Since the master branch used in source varies based on new modifications, we suggest that you use the release versions here.

Here is an example of how you can use this module in your inventory structure:

module "defender" {
 source                       = "clouddrove/sentinel/azure"
 name                         = "app"
 environment                  = "test"
 log_analytics_workspace_id   = module.log-analytics.workspace_id
 }

Inputs

Name Description Type Default Required
alerts_enabled Should the alerts be enabled? Defaults to true. bool true no
discovery_logs_enabled Should the Discovery Logs be enabled? Defaults to true. bool true no
display_name The friendly name of this Sentinel MS Security Incident Alert Rule. list(string) 
[
  "Create incidents based on Microsoft Defender for Cloud"
]
 no
dtc_ad_enabled Set to false to prevent the module from creating any resources. bool false no
dtc_advanced_threat_protection_enabled Set to false to prevent the module from creating any resources. bool false no
dtc_iot_enabled Set to false to prevent the module from creating any resources. bool false no
dtc_ms_cloud_app_security_enabled Set to false to prevent the module from creating any resources. bool false no
dtc_ms_defender_advanced_threat_protection_enabled Set to false to prevent the module from creating any resources. bool false no
dtc_ms_threat_protection_enabled Set to false to prevent the module from creating any resources. bool false no
dtc_security_center_enabled Set to false to prevent the module from creating any resources. bool false no
dtc_threat-intelligence_enabled Set to false to prevent the module from creating any resources. bool false no
enabled Set to false to prevent the module from creating any resources. bool true no
environment Environment (e.g. prod, dev, staging). string "" no
label_order Label order, e.g. sequence of application name and environment name,environment,'attribute' [webserver,qa,devops,public,] . list(any) 
[
  "name",
  "environment"
]
 no
log_analytics_workspace_id The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created. string "" no
managedby ManagedBy, eg ''. string "" no
ms_security_enabled Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to true. bool true no
ms_security_incident_enabled Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to true. bool true no
name Name (e.g. app or cluster). string "" no
product_filter The Microsoft Security Service from where the alert will be generated. Possible values are Azure Active Directory Identity Protection, Azure Advanced Threat Protection, Azure Security Center, Azure Security Center for IoT, Microsoft Cloud App Security, Microsoft Defender Advanced Threat Protection and Office 365 Advanced Threat Protection. list(string) 
[
  "Microsoft Cloud App Security"
]
 no
repository Terraform current module repo string "" no
sentinel_enabled Flag to control the module creation. bool true no
sentinel_workspace_name The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created. string "" no
severity_filter Only create incidents from alerts when alert severity level is contained in this list. Possible values are High, Medium, Low and Informational. list(string) 
[
  "High"
]
 no
subscription_id The ID of the subscription that this Iot Data Connector connects to. Changing this forces a new Iot Data Connector to be created. string null no
tags A map of tags to add to all resources map(string) {} no
tenant_id The ID of the tenant that this Azure Active Directory Data Connector connects to. Changing this forces a new Azure Active Directory Data Connector to be created. string null no

Outputs

Name Description
dtc_ad_id The ID of the Azure Active Directory Data Connector.
dtc_ms_cloud_app_security_id The ID of the Microsoft Cloud App Security Data Connector.
dtc_threat_protection_id The ID of the Azure Advanced Threat Protection Data Connector.
iot_id The ID of the Iot Data Connector.
security_center_id The ID of the Azure Security Center Data Connector.
sentinel_id The ID of the Security Insights Sentinel Onboarding States.

Testing

In this module testing is performed with terratest and it creates a small piece of infrastructure, matches the output like ARN, ID and Tags name etc and destroy infrastructure in your AWS account. This testing is written in GO, so you need a GO environment in your system.

You need to run the following command in the testing folder:

  go test -run Test

Feedback

If you come accross a bug or have any feedback, please log it in our issue tracker, or feel free to drop us an email at [email protected].

If you have found it worth your time, go ahead and give us a ★ on our GitHub!

About us

At CloudDrove, we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.

We are The Cloud Experts!

We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.

About

This terraform module is designed to create azure Sentinel resources. Microsoft Sentinel natively incorporates proven Azure services, like Log Analytics and Logic Apps. Microsoft Sentinel enriches your investigation and detection with AI. It provides Microsoft's threat intelligence stream and enables you to bring your own threat intelligence

Topics

azure terraform hcl terraform-module terraform-azure clouddrove azure-sentinel terraform-azurerm

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

6 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases 1

1.0.0 Latest
Aug 4, 2023

Packages

No packages published

Contributors 6

Languages