azure - 如何通过 terraform 在 azure Sentinel 中添加 playbook 权限？

Question

我使用以下代码对 Log Analytics 工作区 Sentinel 进行了地形改造:

resource "azurerm_log_analytics_workspace" "log_analytics_workspace" {
  name                = "log-test-permissions"
  location            = "xxx"
  resource_group_name = "xxx"
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

resource "azurerm_log_analytics_solution" "sentinel" {
  solution_name         = "SecurityInsights"
  location              = "xxx"
  resource_group_name   = "xxx"
  workspace_resource_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
  workspace_name        = azurerm_log_analytics_workspace.log_analytics_workspace.name

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityInsights"
  }

  depends_on = [azurerm_log_analytics_workspace.log_analytics_workspace]

}

我计划按照以下步骤对 playbook 权限配置进行地形改造。

1. 转至 Azure Sentinel -> 配置 -> 设置 -> Playbook 权限 -> 配置权限
2. 检查“当前权限”选项卡以查看是否列出了包含该 playbook 的资源组。或者，在“浏览”选项卡中选择所需的资源组，然后选择“应用”。

任何人都可以帮我解决如何针对特定资源组对哨兵上的 playbook 权限进行地形改造吗？

Answer 1

检查以下代码:

 terraform {
      backend "azurerm" {
        resource_group_name  = "XXX"
        storage_account_name = "remteccc1"
        container_name       = "terraform"
        key                  = "terraform.tfstate"
      }
  }


resource "azurerm_log_analytics_workspace" "exm" {
  name                = "dsd"
 location                    = xx
  resource_group_name         = xxx
  sku                 = "PerGB2018"
  retention_in_days   = 90
}


resource "azurerm_log_analytics_solution" "log_analytics_solution_sentinel" {
  solution_name         = "SecurityInsights"
 location                    = data.azurerm_resource_group.example.location
  resource_group_name         = data.azurerm_resource_group.example.name
  workspace_resource_id = azurerm_log_analytics_workspace. exm.id
  workspace_name        = azurerm_log_analytics_workspace. exm.name
  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityInsights"
  }
  depends_on = [azurerm_log_analytics_workspace.rgcore-management-la]

}

可以授予 playbook 的权限如下。

您需要拥有 playbook 的权限，我们可以将 Microsoft Sentinel Automation Contributor 角色等角色添加到允许访问 Sentinel 的资源。

resource "azurerm_role_assignment" "sentinel_contributor" {
  scope              = "/subscriptions/<subId>/resourceGroups/<rg>"
 // role_definition_id = azurerm_role_definition.sentinelcontributor.id
  role_definition_name = "Azure Sentinel Contributor"
  principal_id       =  "3367a746-xxx18686"#objectid of azure security insights app objectId or servicepincipal 
data.azurerm_client_config.current.object_id
}

这些角色将分配给包含 Microsoft Sentinel 工作区的安全见解或资源组。

使用权限，将创建自动化规则并反射(reflect)在 Microsoft Sentinel 下的门户中。

resource "azurerm_sentinel_automation_rule" "example" {
  name                       = "56094f72-ac3f-40e7-a0c0-47bd95f70336"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.rgcore-management-la.id
  display_name               = "automation_rule1"
  order                      = 1
  action_incident {
    order  = 1
    status = "Active"
  }
}