Microsoft Sentinel

Azure module to deploy a Microsoft Sentinel.

Global versioning rule for Claranet Azure modules

Module version	Terraform version	OpenTofu version	AzureRM version
>= 8.x.x	Unverified	1.8.x	>= 4.0
>= 7.x.x	1.3.x		>= 3.0
>= 6.x.x	1.x		>= 3.0
>= 5.x.x	0.15.x		>= 2.0
>= 4.x.x	0.13.x / 0.14.x		>= 2.0
>= 3.x.x	0.12.x		>= 2.0
>= 2.x.x	0.12.x		< 2.0
< 2.x.x	0.11.x		< 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

⚠️ Since modules version v8.0.0, we do not maintain/check anymore the compatibility with Hashicorp Terraform. Instead, we recommend to use OpenTofu.

module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "logs" {
  source  = "claranet/run/azurerm//modules/logs"
  version = "x.x.x"

  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.resource_group_name

  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "sentinel" {
  source  = "claranet/sentinel/azurerm"
  version = "x.x.x"

  log_analytics_workspace_id = module.logs.log_analytics_workspace_id
  logs_destinations_ids      = [module.logs.log_analytics_workspace_id]

  data_connector_aad_enabled = true
  data_connector_mti_enabled = true
}

Providers

Name	Version
azapi	~> 1.12.0
azurerm	~> 3.63
time	~> 0.12

Modules

Name	Source	Version
diagnostic_settings	claranet/diagnostic-settings/azurerm	~> 7.0.0

Resources

Name	Type
azapi_resource.ueba	resource
azapi_resource.ueba_entity	resource
azurerm_monitor_aad_diagnostic_setting.aad_logs	resource
azurerm_sentinel_data_connector_aws_s3.aws_s3	resource
azurerm_sentinel_data_connector_microsoft_threat_intelligence.mti	resource
azurerm_sentinel_log_analytics_workspace_onboarding.sentinel	resource
time_offset.mti	resource

Inputs

Name	Description	Type	Default	Required
custom_diagnostic_settings_name	Custom name of the diagnostics settings, name will be 'default' if not set.	string	"default"	no
data_connector_aad_enabled	Whether the Azure Active Directory logs are retrieved.	bool	false	no
data_connector_aad_logs	List of Azure Active Directory log category.	list(string)	[ "AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs", "ProvisioningLogs", "ADFSSignInLogs", "RiskyUsers", "UserRiskEvents", "NetworkAccessTrafficLogs", "RiskyServicePrincipals", "ServicePrincipalRiskEvents", "EnrichedOffice365AuditLogs", "MicrosoftGraphActivityLogs" ]	no
data_connector_aws_s3_configuration	List of Azure Active Directory log category.	map(object({ aws_role_arn = string destination_table = string sqs_urls = list(string) }))	{}	no
data_connector_mti_enabled	Whether the Microsoft Threat Intelligence Data Connector is enabled.	bool	false	no
data_connector_mti_lookback_days	Microsoft Threat Intelligence Data lookback days.	number	7	no
log_analytics_workspace_id	The Log Analytics Workspace ID.	string	n/a	yes
logs_categories	Log categories to send to destinations.	list(string)	null	no
logs_destinations_ids	List of destination resources IDs for logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formated string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the `	` character.	list(string)	n/a
logs_metrics_categories	Metrics categories to send to destinations.	list(string)	null	no
name_prefix	Optional prefix for the generated name.	string	""	no
name_suffix	Optional suffix for the generated name.	string	""	no
ueba_data_sources	List of UEBA (User and Entity Behavior Analytics) data sources.	list(string)	[ "AuditLogs", "AzureActivity", "SecurityEvent", "SigninLogs" ]	no
ueba_enabled	Whether UEBA (User and Entity Behavior Analytics) feature is enabled.	bool	true	no
ueba_entity_providers	List of UEBA (User and Entity Behavior Analytics) entity providers.	list(string)	[ "AzureActiveDirectory" ]	no
use_caf_naming	Use the Azure CAF naming provider to generate default resource name. storage_account_custom_name override this if set. Legacy default name is used if this is set to false.	bool	true	no

Outputs

No outputs.

Related documentation

Microsoft Azure documentation: learn.microsoft.com/en-us/azure/sentinel/overview