I created an Azure Sentinel instance with the following Terraform code:

```hcl
### Sentinel workspace ###
resource "azurerm_sentinel_data_connector_azure_security_center" "main" {
  name                       = "data-connector-azure-security-center"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.ws.id
  subscription_id            = data.azurerm_subscription.current.subscription_id
}
```
and connected it to the various data sources mentioned below:

```hcl
### Data Connector for Active Directory ###
resource "azurerm_sentinel_data_connector_azure_active_directory" "aad" {
  name                       = "Microsoft Entra ID"
  log_analytics_workspace_id = azurerm_sentinel_log_analytics_workspace_onboarding.sential.workspace_id
}
```
I need to create an active rule from an existing rule template, as shown below:

```hcl
### Create a Rule based on the existing Rules Template, you need to install Azure Activity Solution before this ###
data "azurerm_sentinel_alert_rule_template" "analytics_rule_template" {
  log_analytics_workspace_id = azurerm_log_analytics_workspace.ws.id
  display_name               = "Rare subscription-level operations in Azure"
}

resource "azurerm_sentinel_alert_rule_scheduled" "rare_operations" {
  name                       = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.name
  log_analytics_workspace_id = azurerm_log_analytics_workspace.ws.id
  alert_rule_template_guid   = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.name
  display_name               = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.display_name
  severity                   = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.severity
  query                      = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.query
  description                = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.description
  query_frequency            = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.query_frequency
  query_period               = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.query_period
  tactics                    = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.tactics
  trigger_operator           = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.trigger_operator
  trigger_threshold          = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.trigger_threshold
}
```
However, this requires the Azure Activity solution to be installed first. I don't see any option to install the solution using the CLI or Terraform.

I don't want to install these solutions manually. Is there a way to install them using the CLI or Terraform?
Using Azure PowerShell: create an Azure PowerShell script that installs the required solution. The script can use the Add-AzSentinelSolution cmdlet to install a solution by name or ID. Then use the local-exec provisioner to execute the script within your Terraform workflow; this lets you run arbitrary commands from your Terraform configuration.

Example PowerShell script:

```powershell
Add-AzSentinelSolution -WorkspaceName "<workspace_name>" -SolutionName "Azure Activity"
```

```hcl
resource "azurerm_sentinel_data_connector_azure_security_center" "main" {
  # ... existing configuration ...
}

# A provisioner must live inside a resource block; null_resource gives the
# install script a resource of its own so Terraform can order it.
resource "null_resource" "install_solution" {
  provisioner "local-exec" {
    command = <<EOF
powershell.exe -ExecutionPolicy Bypass -File ./install_solution.ps1
EOF
  }
}

resource "azurerm_sentinel_alert_rule_scheduled" "rare_operations" {
  # ... existing configuration ...
}
```

You can also check this link about Terraform: terraform-azure
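One detail the local-exec approach needs to get right is ordering: Terraform reads `data "azurerm_sentinel_alert_rule_template"` during plan, so on a fresh apply the lookup runs before the script has installed the solution and the template is not found. The following is an added example (not the question's or the answer's own code) that defers the data source until the install step has run; it assumes the `./install_solution.ps1` script from the answer exists and installs the "Azure Activity" solution, and uses `null_resource` from the hashicorp/null provider.

```hcl
# Added example: install the content solution as a tracked Terraform step and
# make the template lookup depend on it, so the first apply succeeds end to end.
resource "null_resource" "install_azure_activity_solution" {
  # Re-run the install script if the workspace or the solution name changes.
  triggers = {
    workspace_id  = azurerm_log_analytics_workspace.ws.id
    solution_name = "Azure Activity" # constructed value matching the answer's script
  }

  provisioner "local-exec" {
    # Assumed: ./install_solution.ps1 installs the solution into the workspace.
    command = "powershell.exe -ExecutionPolicy Bypass -File ./install_solution.ps1"
  }

  # Sentinel must be onboarded on the workspace before a solution can be installed.
  depends_on = [azurerm_sentinel_log_analytics_workspace_onboarding.sential]
}

# depends_on on a data source defers its read to apply time, after the
# null_resource above has run; without it the lookup fails on a fresh apply.
data "azurerm_sentinel_alert_rule_template" "analytics_rule_template" {
  log_analytics_workspace_id = azurerm_log_analytics_workspace.ws.id
  display_name               = "Rare subscription-level operations in Azure"

  depends_on = [null_resource.install_azure_activity_solution]
}

# The scheduled rule can then reference the template exactly as in the question;
# only the fields needed to show the wiring are repeated here.
resource "azurerm_sentinel_alert_rule_scheduled" "rare_operations" {
  name                       = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.name
  log_analytics_workspace_id = azurerm_log_analytics_workspace.ws.id
  alert_rule_template_guid   = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.name
  display_name               = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.display_name
  severity                   = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template[0].severity
  query                      = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template[0].query
  query_frequency            = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template[0].query_frequency
  query_period               = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template[0].query_period
  trigger_operator           = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template[0].trigger_operator
  trigger_threshold          = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template[0].trigger_threshold
}
```

Because `null_resource` only re-runs its provisioner when a trigger changes, removing the solution outside Terraform will not be detected; a `terraform taint` of the null_resource forces a reinstall.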