This module deploys Microsoft Sentinel Solutions but also the rules embedded in the product solution.
Solutions and rules are directly retrieved from the Microsoft Sentinel Content Hub catalog.
Current log sources supported :
- aws
- azure_activity
- azure_firewall
- azure_keyvault
- azure_nsg
- azure_waf
- cef
- cisco_meraki
- cyberark_pam
- darktrace
- entra_id
- fortigate
- gworkspace
- m365
- okta
- sentinelone
- syslog
- ti
- windows_security
- xdr
- zscaler_internet_access
- zscaler_private_access
These are the values that can be set in the log_sources variable.
Some solutions don't embed rules.
| Module version | Terraform version | OpenTofu version | AzureRM version |
|---|---|---|---|
| >= 8.x.x | Unverified | 1.8.x | >= 4.0 |
| >= 7.x.x | 1.3.x | >= 3.0 | |
| >= 6.x.x | 1.x | >= 3.0 | |
| >= 5.x.x | 0.15.x | >= 2.0 | |
| >= 4.x.x | 0.13.x / 0.14.x | >= 2.0 | |
| >= 3.x.x | 0.12.x | >= 2.0 | |
| >= 2.x.x | 0.12.x | < 2.0 | |
| < 2.x.x | 0.11.x | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.
More details are available in the CONTRIBUTING.md file.
This module is optimized to work with the Claranet terraform-wrapper tool
which set some terraform variables in the environment needed by this module.
More details about variables set by the terraform-wrapper available in the documentation.
module "azure_region" {
source = "claranet/regions/azurerm"
version = "x.x.x"
azure_region = var.azure_region
}
module "rg" {
source = "claranet/rg/azurerm"
version = "x.x.x"
location = module.azure_region.location
client_name = var.client_name
environment = var.environment
stack = var.stack
}
module "logs" {
source = "claranet/run/azurerm//modules/logs"
version = "x.x.x"
location = module.azure_region.location
location_short = module.azure_region.location_short
resource_group_name = module.rg.resource_group_name
client_name = var.client_name
environment = var.environment
stack = var.stack
}
module "sentinel" {
source = "claranet/sentinel/azurerm"
version = "x.x.x"
log_analytics_workspace_id = module.logs.log_analytics_workspace_id
logs_destinations_ids = [module.logs.log_analytics_workspace_id]
data_connector_aad_enabled = true
}
module "sentinel_content" {
source = "claranet/sentinel-content/azurerm"
version = "x.x.x"
location = module.azure_region.location
resource_group_name = module.rg.resource_group_name
log_analytics_workspace_id = module.logs.log_analytics_workspace_id
log_analytics_workspace_name = module.logs.log_analytics_workspace_name
log_sources = ["entra_id", "ti", "xdr"]
}No providers.
| Name | Source | Version |
|---|---|---|
| rules | ./modules/rules/ | n/a |
| solutions | ./modules/solutions/ | n/a |
No resources.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| location | Azure location. | string |
n/a | yes |
| log_analytics_workspace_id | The Log Analytics Workspace ID. | string |
n/a | yes |
| log_analytics_workspace_name | The Log Analytics Workspace name. | string |
n/a | yes |
| log_sources | Log sources retrieved in Microsoft Sentinel. | list(string) |
n/a | yes |
| resource_group_name | Resource Group the resources will belong to | string |
n/a | yes |
| rules_enable | Whether the Rules should be deployed. | bool |
false |
no |
| rules_excluded | Rules that will not be deployed in Microsoft Sentinel. | list(string) |
[] |
no |
| solutions_enable | Whether the Solutions should be deployed. | bool |
true |
no |
No outputs.
Microsoft Sentinel Content Hub: learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog
Microsoft Sentinel Rules: learn.microsoft.com/en-us/azure/sentinel/detect-threats-built-in