Microsoft Sentinel

Terraform/OpenTofu module to deploy Microsoft Sentinel onto an existing Log Analytics workspace: workspace onboarding, the Azure Active Directory, Microsoft Threat Intelligence and AWS S3 data connectors, UEBA, and diagnostic settings.

Global versioning rule for Claranet Azure modules

| Module version | Terraform version | OpenTofu version | AzureRM version |
|----------------|-------------------|------------------|-----------------|
| >= 8.x.x       | Unverified        | 1.8.x            | >= 4.0          |
| >= 7.x.x       | 1.3.x             |                  | >= 3.0          |
| >= 6.x.x       | 1.x               |                  | >= 3.0          |
| >= 5.x.x       | 0.15.x            |                  | >= 2.0          |
| >= 4.x.x       | 0.13.x / 0.14.x   |                  | >= 2.0          |
| >= 3.x.x       | 0.12.x            |                  | >= 2.0          |
| >= 2.x.x       | 0.12.x            |                  | < 2.0           |
| < 2.x.x        | 0.11.x            |                  | < 2.0           |

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which automatically updates and formats some files for you by enforcing our Terraform module best practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets in the environment some Terraform variables this module needs. More details about the variables set by the terraform-wrapper are available in its documentation.

⚠️ Since module version v8.0.0, compatibility with HashiCorp Terraform is no longer maintained or checked. We recommend using OpenTofu instead.

```hcl
module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

# Log Analytics workspace that Sentinel will be onboarded onto.
module "logs" {
  source  = "claranet/run/azurerm//modules/logs"
  version = "x.x.x"

  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.resource_group_name

  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "sentinel" {
  source  = "claranet/sentinel/azurerm"
  version = "x.x.x"

  log_analytics_workspace_id = module.logs.log_analytics_workspace_id
  # Diagnostic settings of the Sentinel resources are sent back to the same workspace.
  logs_destinations_ids      = [module.logs.log_analytics_workspace_id]

  # Enable the Azure Active Directory and Microsoft Threat Intelligence data connectors.
  data_connector_aad_enabled = true
  data_connector_mti_enabled = true
}
```

Providers

| Name    | Version   |
|---------|-----------|
| azapi   | ~> 1.12.0 |
| azurerm | ~> 3.63   |
| time    | ~> 0.12   |

Modules

| Name                | Source                                | Version  |
|---------------------|---------------------------------------|----------|
| diagnostic_settings | claranet/diagnostic-settings/azurerm  | ~> 7.0.0 |

Resources

| Name                                                                 | Type     |
|----------------------------------------------------------------------|----------|
| azapi_resource.ueba                                                  | resource |
| azapi_resource.ueba_entity                                           | resource |
| azurerm_monitor_aad_diagnostic_setting.aad_logs                      | resource |
| azurerm_sentinel_data_connector_aws_s3.aws_s3                        | resource |
| azurerm_sentinel_data_connector_microsoft_threat_intelligence.mti    | resource |
| azurerm_sentinel_log_analytics_workspace_onboarding.sentinel         | resource |
| time_offset.mti                                                      | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| custom_diagnostic_settings_name | Custom name of the diagnostic settings; the name is `default` if not set. | `string` | `"default"` | no |
| data_connector_aad_enabled | Whether the Azure Active Directory logs are retrieved. | `bool` | `false` | no |
| data_connector_aad_logs | List of Azure Active Directory log categories to retrieve. | `list(string)` | `["AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs", "ProvisioningLogs", "ADFSSignInLogs", "RiskyUsers", "UserRiskEvents", "NetworkAccessTrafficLogs", "RiskyServicePrincipals", "ServicePrincipalRiskEvents", "EnrichedOffice365AuditLogs", "MicrosoftGraphActivityLogs"]` | no |
| data_connector_aws_s3_configuration | Map of AWS S3 data connector configurations, keyed by connector name. Each entry gives the AWS IAM role ARN Sentinel assumes, the destination table and the SQS queue URLs to poll. | `map(object({ aws_role_arn = string, destination_table = string, sqs_urls = list(string) }))` | `{}` | no |
| data_connector_mti_enabled | Whether the Microsoft Threat Intelligence data connector is enabled. | `bool` | `false` | no |
| data_connector_mti_lookback_days | Number of days of Microsoft Threat Intelligence data to look back. | `number` | `7` | no |
| log_analytics_workspace_id | The Log Analytics Workspace ID. | `string` | n/a | yes |
| logs_categories | Log categories to send to destinations. | `list(string)` | `null` | no |
| logs_destinations_ids | List of destination resource IDs for the logs diagnostic settings. Can be a Storage Account, a Log Analytics Workspace and an Event Hub; no more than one of each can be set. To send logs and metrics to an Azure Event Hub, provide a formatted string with both the Event Hub Namespace authorization send rule ID and the Event Hub name (the queue to use in the Namespace), separated by the pipe (`\|`) character. | `list(string)` | n/a | yes |
| logs_metrics_categories | Metrics categories to send to destinations. | `list(string)` | `null` | no |
| name_prefix | Optional prefix for the generated name. | `string` | `""` | no |
| name_suffix | Optional suffix for the generated name. | `string` | `""` | no |
| ueba_data_sources | List of UEBA (User and Entity Behavior Analytics) data sources. | `list(string)` | `["AuditLogs", "AzureActivity", "SecurityEvent", "SigninLogs"]` | no |
| ueba_enabled | Whether the UEBA (User and Entity Behavior Analytics) feature is enabled. | `bool` | `true` | no |
| ueba_entity_providers | List of UEBA (User and Entity Behavior Analytics) entity providers. | `list(string)` | `["AzureActiveDirectory"]` | no |
| use_caf_naming | Use the Azure CAF naming provider to generate the default resource name. A custom name overrides this if set. The legacy default name is used if this is set to `false`. | `bool` | `true` | no |
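The following is an added example, not part of the module's README or its own code, showing a fuller `module "sentinel"` call that uses the inputs above together: a second logs destination in the Event Hub `<authorization rule ID>|<event hub name>` format, a trimmed Azure Active Directory log category list, a longer Microsoft Threat Intelligence lookback, an AWS S3 connector entry and explicit UEBA settings. The `azurerm_eventhub_namespace_authorization_rule.send` and `azurerm_eventhub.sentinel` resources, the `module.logs` output, the AWS account ID, role ARN, SQS URL and the `AWSCloudTrail` destination table are assumptions for illustration; replace them with your own.

```hcl
# Added example (not from the Claranet module README). All IDs, ARNs, URLs
# and referenced resources are placeholders for illustration only.
module "sentinel" {
  source  = "claranet/sentinel/azurerm"
  version = "x.x.x"

  log_analytics_workspace_id = module.logs.log_analytics_workspace_id

  # Diagnostic settings destinations: at most one of each kind.
  # The Event Hub entry is "<namespace send authorization rule ID>|<event hub name>".
  # Both Event Hub resources are assumed to be declared elsewhere in this configuration.
  logs_destinations_ids = [
    module.logs.log_analytics_workspace_id,
    "${azurerm_eventhub_namespace_authorization_rule.send.id}|${azurerm_eventhub.sentinel.name}",
  ]

  # Azure Active Directory logs, restricted to the categories you actually
  # want to pay ingestion for instead of the full default list.
  data_connector_aad_enabled = true
  data_connector_aad_logs = [
    "AuditLogs",
    "SignInLogs",
    "NonInteractiveUserSignInLogs",
    "ServicePrincipalSignInLogs",
    "RiskyUsers",
    "UserRiskEvents",
  ]

  # Microsoft Threat Intelligence indicators, looking back 30 days instead of the default 7.
  data_connector_mti_enabled       = true
  data_connector_mti_lookback_days = 30

  # AWS CloudTrail delivered through S3 + SQS. The map key is the connector name.
  # Account ID, role ARN and SQS URL are placeholders; the role must be assumable
  # by Sentinel and allowed to read the bucket and the queue.
  data_connector_aws_s3_configuration = {
    cloudtrail = {
      aws_role_arn      = "arn:aws:iam::123456789012:role/SentinelS3Reader"
      destination_table = "AWSCloudTrail"
      sqs_urls          = ["https://sqs.eu-west-1.amazonaws.com/123456789012/sentinel-cloudtrail"]
    }
  }

  # UEBA: keep the Azure AD entity provider and the default data sources,
  # stated explicitly so a later change to the defaults does not silently alter them.
  ueba_enabled          = true
  ueba_entity_providers = ["AzureActiveDirectory"]
  ueba_data_sources     = ["AuditLogs", "AzureActivity", "SecurityEvent", "SigninLogs"]
}
```

Pinning `data_connector_aad_logs` and `ueba_data_sources` explicitly, rather than relying on the defaults, makes the set of tables you ingest (and therefore your detection coverage and bill) reviewable in the plan output.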

Outputs

No outputs.

Related documentation

Microsoft Azure documentation: learn.microsoft.com/en-us/azure/sentinel/overview