如何通过terraform在azure sentinel中添加playbook权限？

mnemlml8 于 2023-05-18 发布在其他

关注(0)|答案(1)|浏览(103)

我已经使用以下代码将Log Analytics Workspace，Sentinel进行了改造：

resource "azurerm_log_analytics_workspace" "log_analytics_workspace" {
  name                = "log-test-permissions"
  location            = "xxx"
  resource_group_name = "xxx"
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

resource "azurerm_log_analytics_solution" "sentinel" {
  solution_name         = "SecurityInsights"
  location              = "xxx"
  resource_group_name   = "xxx"
  workspace_resource_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
  workspace_name        = azurerm_log_analytics_workspace.log_analytics_workspace.name

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityInsights"
  }

  depends_on = [azurerm_log_analytics_workspace.log_analytics_workspace]

}

我计划通过以下步骤对playbook权限配置进行地形化。
1.转到Azure Sentinel -> Configuration -> Settings -> Playbook permissions -> Configure Permissions
1.检查“当前权限”选项卡以查看是否列出了包含剧本的资源组。否则，在“浏览”选项卡中选择所需的资源组，然后选择“应用”。

有人可以帮助我，我们如何将sentinel上的playbook权限在特定的资源组？

Azure

来源：https://stackoverflow.com/questions/76217425/how-to-add-playbook-permissions-in-azure-sentinel-via-terraform

1条答案

按热度按时间

ebdffaop1#

检查以下代码：

terraform {
      backend "azurerm" {
        resource_group_name  = "XXX"
        storage_account_name = "remteccc1"
        container_name       = "terraform"
        key                  = "terraform.tfstate"
      }
  }

resource "azurerm_log_analytics_workspace" "exm" {
  name                = "dsd"
 location                    = xx
  resource_group_name         = xxx
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

resource "azurerm_log_analytics_solution" "log_analytics_solution_sentinel" {
  solution_name         = "SecurityInsights"
 location                    = data.azurerm_resource_group.example.location
  resource_group_name         = data.azurerm_resource_group.example.name
  workspace_resource_id = azurerm_log_analytics_workspace. exm.id
  workspace_name        = azurerm_log_analytics_workspace. exm.name
  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityInsights"
  }
  depends_on = [azurerm_log_analytics_workspace.rgcore-management-la]

}

可以给予playbook的权限如下。

您需要拥有playbook的权限，我们可以将Microsoft Sentinel Automation Contributor角色等角色添加到允许访问sentinel的资源。

resource "azurerm_role_assignment" "sentinel_contributor" {
  scope              = "/subscriptions/<subId>/resourceGroups/<rg>"
 // role_definition_id = azurerm_role_definition.sentinelcontributor.id
  role_definition_name = "Azure Sentinel Contributor"
  principal_id       =  "3367a746-xxx18686"#objectid of azure security insights app objectId or servicepincipal 
data.azurerm_client_config.current.object_id
}

这些角色将分配给包含Microsoft Sentinel工作区的安全洞察或资源组。

使用权限，自动化规则被创建并反映在microsoft Sentinel下的门户中。

resource "azurerm_sentinel_automation_rule" "example" {
  name                       = "56094f72-ac3f-40e7-a0c0-47bd95f70336"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.rgcore-management-la.id
  display_name               = "automation_rule1"
  order                      = 1
  action_incident {
    order  = 1
    status = "Active"
  }
}

赞(0）回复(0）举报 2023-05-18

我来回答

如何通过terraform在azure sentinel中添加playbook权限？

1条答案

相关问题

热门标签

最新问答