As part of an on-going project I was tasked with to automate a Sentinel setup using Terraform and PowerShell. Now if you haven’t read about Sentinel before, here is a bit more information available –> https://msandbu.org/designing-an-azure-sentinel-solution/ one of the current limitations as of now with Sentinel is that it does not support any form av automation from a query perspective, so if you want to inject hunting queries or analytics queries you need to use a 3.party powershell module from Wortell https://github.com/wortell/AZSentinel which can be used to inject the different queries.
Now since Sentinel is just a module on top of Log Analytics it is easily automated with just using Terraform. This is an example to setup a resource group with Log Analytics and the Sentinel module
Create the resource group with log analytics and then add the security insight module.
resource "azurerm_resource_group" "rgcore-example-management" {
name = "rg-example-management"
location = "westeurope"
}
resource "azurerm_log_analytics_workspace" "rgcore-management-la" {
name = "la-example-utv-weu"
location = "${azurerm_resource_group.rgcore-example-management.location}"
resource_group_name = "${azurerm_resource_group.rgcore-example-management.name}"
sku = "PerGB2018"
retention_in_days = 90
}
resource "azurerm_log_analytics_solution" "la-opf-solution-sentinel" {
solution_name = "SecurityInsights"
location = "${azurerm_resource_group.rgcore-example-management.location}"
resource_group_name = "${azurerm_resource_group.rgcore-example-management.name}"
workspace_resource_id = "${azurerm_log_analytics_workspace.rgcore-management-la.id}"
workspace_name = "${azurerm_log_analytics_workspace.rgcore-management-la.name}"
plan {
publisher = "Microsoft"
product = "OMSGallery/SecurityInsights"
}
}
Once Sentinel is deployed you need to install the different hunting queries into the Log Analytics Workspace. To get started with the PowerShell module you need to install the module and also a YAML PowerShell module. NB: The AzSentinel module will innstall the recessery modules as part of the installation.
Install-Module AzSentinel -Scope CurrentUser -Force
The Sentinel module uses the same Azure AD token as AzConnect so can logon using a service principal as such as you use with Terraform using the following command
Connect-AzAccount -Credential $Credential -Tenant "xxxxx-xxxxxx-xxxxxxx-xxxxxx-xxxxx" -ServicePrincipal
After you have authentiated you can use the commands as documented here to do import of hunting/alert rules –> https://github.com/wortell/AZSentinel/tree/master/docs
Import-AzSentinelAlertRule -WorkspaceName la-opf-utv-weutest -SettingsFile C:\alertsrule.json
This is an example of implemented Sentinel Analytics/Alert rules. You can also import multiple JSON rules using the following
Get-Item .\examples\*.json | Import-AzSentinelAlertRule -WorkspaceName
The next piece of this blogpost is how to automate Logic Apps Playbooks attached to Sentinel to have automated ITSM integration based upon alerts.