In a previous blog post (https://msandbu.org/automating-azure-sentinel-deployment-using-terraform-and-powershell/) I wrote about how you can use Terraform to automate the setup of Azure Sentinel and Log Analytics. The issue back then was that you couldn't automate Sentinel Analytics rules, which you still needed to maintain using a third-party PowerShell module.
NOTE: I’m working on publishing a Terraform module for Azure Sentinel which can be used to automate Sentinel with the required configuration.
With the latest release of the AzureRM Provider we can now automate Sentinel rules as well, using the resources
azurerm_sentinel_alert_rule_scheduled
azurerm_sentinel_alert_rule_ms_security_incident
The documentation is at https://www.terraform.io/docs/providers/azurerm/r/sentinel_alert_rule_ms_security_incident.html. With these two resources you can automate both scheduled Analytics rules and the built-in security alert rules that create incidents from alerts raised by Microsoft products.
Example of a built-in incident alert rule. The resource supports different product filters through product_filter (the example below uses Microsoft Cloud App Security), and severity_filter decides which alert severities are turned into incidents; it accepts High, Medium, Low and Informational. The full example, including the resource group and the Log Analytics workspace the rules are attached to, and a scheduled rule with a custom KQL query:
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_log_analytics_workspace" "example" {
  name                = "example-workspace"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "pergb2018"
}

# Built-in rule: High severity alerts from Microsoft Cloud App Security become Sentinel incidents
resource "azurerm_sentinel_alert_rule_ms_security_incident" "example" {
  name                       = "example-ms-security-incident-alert-rule"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
  product_filter             = "Microsoft Cloud App Security"
  display_name               = "example rule"
  severity_filter            = ["High"]
}

# Scheduled rule: runs the KQL query against the workspace on a schedule (provider defaults apply
# for query_frequency, query_period and the trigger condition when they are not set)
resource "azurerm_sentinel_alert_rule_scheduled" "example" {
  name                       = "example"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
  display_name               = "example"
  severity                   = "High"
  query                      = <<QUERY
AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName == "Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
QUERY
}
There are still some limitations you need to be aware of, since not every setting of a Sentinel rule is supported by the Terraform resource. The scheduled rule does let you set how often the query runs and how far back it looks (query_frequency and query_period, as ISO 8601 durations), the MITRE ATT&CK tactics, and the trigger condition that decides when the query result raises an alert:
resource "azurerm_sentinel_alert_rule_scheduled" "customrule2" {
  name                       = "customrule2"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.rgcore-la.id
  display_name               = "customrule1"
  severity                   = "High"
  query_frequency            = "PT5H" # run the query every 5 hours (ISO 8601 duration)
  query_period               = "PT5H" # each run looks at the last 5 hours of data
  tactics                    = ["Discovery"]
  trigger_operator           = "GreaterThan"
  trigger_threshold          = 1 # alert when the query returns more than 1 row
  query                      = <<QUERY
AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName == "Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
QUERY
}
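Once the rule resources exist in the provider, the next step for a real deployment is to keep the rule definitions as data and let Terraform generate one resource per entry, so adding or retiring a detection is a map entry rather than a copied block. The following is an added example, not code from the original post, covering both resource types discussed above. It assumes the azurerm_log_analytics_workspace.example resource from the earlier snippet; the rule keys, the KQL queries and the set of product filters are constructed for illustration, and the product_filter strings should be checked against the accepted values in your provider version.

```hcl
locals {
  # Constructed sample rule set: each map entry becomes one scheduled analytics rule.
  scheduled_rules = {
    "vm-deploy-burst" = {
      display_name      = "Unusual number of VM deployments per caller"
      severity          = "High"
      tactics           = ["Discovery", "Execution"]
      query_frequency   = "PT1H" # run hourly (ISO 8601 duration)
      query_period      = "PT1H" # look at the last hour on every run
      trigger_operator  = "GreaterThan"
      trigger_threshold = 0      # any returned row raises an alert
      query             = <<-KQL
        AzureActivity
        | where OperationName == "Create or Update Virtual Machine"
        | where ActivityStatus == "Succeeded"
        | summarize deployments = dcount(ResourceId) by Caller, bin(TimeGenerated, 1h)
        | where deployments > 10
      KQL
    }
    "role-assignment-created" = {
      display_name      = "Azure RBAC role assignment created"
      severity          = "Medium"
      tactics           = ["PrivilegeEscalation", "Persistence"]
      query_frequency   = "PT1H"
      query_period      = "PT1H"
      trigger_operator  = "GreaterThan"
      trigger_threshold = 0
      query             = <<-KQL
        AzureActivity
        | where OperationName == "Create role assignment"
        | where ActivityStatus == "Succeeded"
        | project TimeGenerated, Caller, CallerIpAddress, ResourceId
      KQL
    }
  }

  # Built-in incident rules: one per Microsoft product whose alerts should become incidents.
  # Assumed product_filter values; confirm them against the provider documentation.
  incident_rules = {
    "mcas"  = "Microsoft Cloud App Security"
    "asc"   = "Azure Security Center"
    "aadip" = "Azure Active Directory Identity Protection"
  }
}

resource "azurerm_sentinel_alert_rule_scheduled" "managed" {
  for_each = local.scheduled_rules

  name                       = each.key
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
  display_name               = each.value.display_name
  severity                   = each.value.severity
  tactics                    = each.value.tactics
  query_frequency            = each.value.query_frequency
  query_period               = each.value.query_period
  trigger_operator           = each.value.trigger_operator
  trigger_threshold          = each.value.trigger_threshold
  query                      = each.value.query
}

resource "azurerm_sentinel_alert_rule_ms_security_incident" "managed" {
  for_each = local.incident_rules

  name                       = "incident-${each.key}"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
  display_name               = "${each.value} alerts"
  product_filter             = each.value
  severity_filter            = ["High", "Medium"]
}
```

terraform plan then shows one resource per map key, and removing a key destroys only that rule. Because each.key is used as the rule name, which is part of the Azure resource ID, renaming a key recreates the rule rather than updating it in place; keep the keys stable and change display_name when you want a friendlier title.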