This module deploys Microsoft Sentinel Solutions together with the analytics rules embedded in each solution.
Solutions and rules are retrieved directly from the Microsoft Sentinel Content Hub catalog.
Currently supported log sources:
- aws
- azure_activity
- azure_firewall
- azure_keyvault
- azure_nsg
- azure_waf
- cef
- cisco_meraki
- cloudflare
- cyberark_pam
- darktrace
- entra_id
- fortigate
- gworkspace
- m365
- okta
- proofpoint_pod
- proofpoint_tap
- sentinelone
- sonicwall_fw
- sophos_endpoint
- syslog
- ti
- windows_security
- xdr
- zscaler_internet_access
- zscaler_private_access
These are the values that can be set in the `log_sources` variable.
Note that some solutions don't embed any rules.
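Because the module forwards `log_sources` into an ARM template deployment, a misspelled value only fails late, at apply time. The following is an added example (not part of the module) of a hypothetical root-module variable, `sentinel_log_sources`, that rejects unsupported or duplicate values at plan time and passes the result into the module call:

```hcl
# Added example (not part of the module): validate log sources at plan time so a
# typo or duplicate fails before the ARM template deployment is attempted.
# "sentinel_log_sources" is a hypothetical root-module variable.
variable "sentinel_log_sources" {
  description = "Log sources to deploy from the Microsoft Sentinel Content Hub."
  type        = list(string)
  default     = ["entra_id", "ti", "xdr"]

  validation {
    # Every value must be one of the supported log sources listed above.
    condition = alltrue([
      for s in var.sentinel_log_sources : contains([
        "aws", "azure_activity", "azure_firewall", "azure_keyvault", "azure_nsg",
        "azure_waf", "cef", "cisco_meraki", "cloudflare", "cyberark_pam",
        "darktrace", "entra_id", "fortigate", "gworkspace", "m365", "okta",
        "proofpoint_pod", "proofpoint_tap", "sentinelone", "sonicwall_fw",
        "sophos_endpoint", "syslog", "ti", "windows_security", "xdr",
        "zscaler_internet_access", "zscaler_private_access",
      ], s)
    ])
    error_message = "Every sentinel_log_sources value must be one of the supported log sources."
  }

  validation {
    # Reject duplicate entries instead of passing them on to the deployment.
    condition     = length(distinct(var.sentinel_log_sources)) == length(var.sentinel_log_sources)
    error_message = "sentinel_log_sources must not contain duplicate values."
  }
}

module "sentinel_content" {
  source  = "claranet/sentinel-content/azurerm"
  version = "x.x.x"

  location                     = module.azure_region.location
  resource_group_name          = module.rg.name
  log_analytics_workspace_name = module.logs.name

  log_sources = var.sentinel_log_sources
}
```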
Module version | Terraform version | OpenTofu version | AzureRM version |
---|---|---|---|
>= 8.x.x | Unverified | 1.8.x | >= 4.0 |
>= 7.x.x | 1.3.x | | >= 3.0 |
>= 6.x.x | 1.x | | >= 3.0 |
>= 5.x.x | 0.15.x | | >= 2.0 |
>= 4.x.x | 0.13.x / 0.14.x | | >= 2.0 |
>= 3.x.x | 0.12.x | | >= 2.0 |
>= 2.x.x | 0.12.x | | < 2.0 |
< 2.x.x | 0.11.x | | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which automatically updates and formats some files for you by enforcing our Terraform module best practices.
More details are available in the CONTRIBUTING.md file.
This module is optimized to work with the Claranet terraform-wrapper tool, which sets some Terraform variables in the environment that this module needs.
More details about the variables set by the terraform-wrapper are available in its documentation.
```hcl
module "logs" {
  source  = "claranet/run/azurerm//modules/logs"
  version = "x.x.x"

  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack
  location       = module.azure_region.location
  location_short = module.azure_region.location_short

  resource_group_name = module.rg.name
}

module "sentinel" {
  source  = "claranet/sentinel/azurerm"
  version = "x.x.x"

  log_analytics_workspace_id = module.logs.id
  logs_destinations_ids      = [module.logs.id]

  data_connector_aad_enabled = true
}

module "sentinel_content" {
  source  = "claranet/sentinel-content/azurerm"
  version = "x.x.x"

  location                     = module.azure_region.location
  resource_group_name          = module.rg.name
  log_analytics_workspace_name = module.logs.name

  log_sources = ["entra_id", "ti", "xdr"]
}
```
Name | Version |
---|---|
azurerm | ~> 4.31 |
No modules.
Name | Type |
---|---|
azurerm_resource_group_template_deployment.main | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
location | Azure location. | string | n/a | yes |
log_analytics_workspace_name | The Log Analytics Workspace name. | string | n/a | yes |
log_sources | Log sources retrieved in Microsoft Sentinel. | list(string) | n/a | yes |
resource_group_name | Resource group name. | string | n/a | yes |
No outputs.
Microsoft Sentinel Content Hub: learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog
Microsoft Sentinel Rules: learn.microsoft.com/en-us/azure/sentinel/detect-threats-built-in