Automating Azure Sentinel deployment using Terraform and PowerShell

As part of an on-going project I was tasked with to automate a Sentinel setup using Terraform and PowerShell. Now if you haven’t read about Sentinel before, here is a bit more information available –> https://msandbu.org/designing-an-azure-sentinel-solution/ one of the current limitations as of now with Sentinel is that it does not support any form av automation from a query perspective, so if you want to inject hunting queries or analytics queries you need to use a 3.party powershell module from Wortell https://github.com/wortell/AZSentinel which can be used to inject the different queries.

Now since Sentinel is just a module on top of Log Analytics it is easily automated with just using Terraform. This is an example to setup a resource group with Log Analytics and the Sentinel module
Create the resource group with log analytics and then add the security insight module.

resource "azurerm_resource_group" "rgcore-example-management" {
  name     = "rg-example-management"
  location = "westeurope"
}
resource "azurerm_log_analytics_workspace" "rgcore-management-la" {
  name                = "la-example-utv-weu"
  location            = "${azurerm_resource_group.rgcore-example-management.location}"
 resource_group_name = "${azurerm_resource_group.rgcore-example-management.name}"
  sku                 = "PerGB2018"
  retention_in_days   = 90
}
resource "azurerm_log_analytics_solution" "la-opf-solution-sentinel" {
  solution_name         = "SecurityInsights"
  location              = "${azurerm_resource_group.rgcore-example-management.location}"
  resource_group_name   = "${azurerm_resource_group.rgcore-example-management.name}"
  workspace_resource_id = "${azurerm_log_analytics_workspace.rgcore-management-la.id}"
  workspace_name        = "${azurerm_log_analytics_workspace.rgcore-management-la.name}"
  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityInsights"
  }
}

Once Sentinel is deployed you need to install the different hunting queries into the Log Analytics Workspace. To get started with the PowerShell module you need to install the module and also a YAML PowerShell module. NB: The AzSentinel module will innstall the recessery modules as part of the installation.

Install-Module AzSentinel -Scope CurrentUser -Force

 

The Sentinel module uses the same Azure AD token as AzConnect so can logon using a service principal as such as you use with Terraform using the following command

Connect-AzAccount -Credential $Credential -Tenant 
"xxxxx-xxxxxx-xxxxxxx-xxxxxx-xxxxx" -ServicePrincipal

 

After you have authentiated you can use the commands as documented here to do import of hunting/alert rules –> https://github.com/wortell/AZSentinel/tree/master/docs

 

Import-AzSentinelAlertRule -WorkspaceName la-opf-utv-weutest 
 -SettingsFile C:\alertsrule.json

 

This is an example of implemented Sentinel Analytics/Alert rules. You can also import multiple JSON rules using the following

 

Get-Item .\examples\*.json | Import-AzSentinelAlertRule -WorkspaceName

The next piece of this blogpost is how to automate Logic Apps Playbooks attached to Sentinel to have automated ITSM integration based upon alerts.

You May Also Like

About the Author: Marius Sandbu

Leave a Reply

Your email address will not be published. Required fields are marked *