This module deploys Sentinel and configures it with a Log Analytics Workspace. This repo also contains a PowerShell Script to set table log retention periods and KQL example queries.
This module is used in the Coalfire-Azure-RAMPpak FedRAMP Framework.
Learn more at Coalfire OpenSource.
- Security Core
If using the Coalfire-Azure-RAMPpak FedRAMP Framework, update tstate.tf
to the appropriate version and storage accounts, see sample:
terraform {
required_version = ">= 1.1.7"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.45.0"
}
}
backend "azurerm" {
resource_group_name = "core-rg"
storage_account_name = "tfstate"
container_name = "statecontainer"
environment = "usgovernment"
key = "mgmt-sentinel.tfstate"
}
}
Change directory to the mgmt/sentinel
folder in the primary region
Run terraform init
to initialize modules and remote state.
Run terraform plan
and evaluate the plan is expected.
Run terraform apply
to deploy.
Update the remote-data.tf
file to add the policies state key
Rerun terraform apply
to update all changes
provider "azurerm" {
features {}
}
module "sentinel" {
source = "github.com/Coalfire-CF/terraform-azurerm-sentinel"
name = "${var.resource_prefix}-sentinel"
resource_group_name = azurerm_resource_group.management.name
location = var.location
log_analytics_workspace_id = data.terraform_remote_state.core.outputs.core_la_workspace_id
log_analytics_workspace_name = data.terraform_remote_state.core.outputs.core_la_workspace_name
global_tags = var.global_tags
regional_tags = var.regional_tags
}
/TableRetention/Set-TableRetention.ps1: Powershell script for setting data retention on tables to FedRAMP standards.
At the time of deployment there wasn't a lot of terraform support for configuring sentinel. Engineers need to manually configure the following:
- Azure Active Directory: enable Sign-in Logs and Audit Logs
- Microsoft Defender for Cloud: Enable incidents to generate Sentinel Incidents
- Azure Activity: Use the Azure Policy Wizard to configure all subs in the management group
- Azure Firewall
- Azure Key Vault
- Azure Kubernetes Service
- Azure SQL Databases
- Azure Web Application Firewall
- Network Security Groups
- Office 365 (if applicable)
- Security Events via Legacy Agent (if applicable)
- Syslog (if applicable)
Default pricing is free for 30 days, then PAYG per gigabyte of data processed. For more information, refer to the Azure docs. For some customers this may be sufficient, for others it may be necessary to change to a dedicated pricing model. Note most pricing models have a 30 day price fix. Meaning if you enable 100/gb day the customer will be required to pay for 100gb/day for 30 days. After 30 days the customer can change the pricing model.
Sentinel analytics are configured via the Azure Portal. For more information, refer to the Azure docs.
The default data retention is configured in the Log Analytics Workspace. The retention is set to 1 year for all data. By default, this keeps data active for live queries in Sentinel for one year. It is possible to archive data with Log Analytics. This is set on a table by table basis, see Data Retention for more information. The best way to implement this is create a powershell script to loop through the available tables and call the azcli
command to set the table archive policy.
No requirements.
Name | Version |
---|---|
azurerm | n/a |
No modules.
Name | Type |
---|---|
azurerm_log_analytics_solution.sentinel | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
global_tags | Global level tags | map(string) |
n/a | yes |
location | The Azure location/region to create resources in. | string |
n/a | yes |
log_analytics_workspace_id | ID of the Log Analytics Workspace diagnostic logs should be sent to | string |
n/a | yes |
log_analytics_workspace_name | Name of the Log Analytics Workspace Name diagnostic logs should be sent to | string |
n/a | yes |
name | Name of Sentinel | string |
n/a | yes |
regional_tags | Regional level tags | map(string) |
n/a | yes |
resource_group_name | Resouce Group of Sentinel | string |
n/a | yes |
No outputs.
Copyright © 2023 Coalfire Systems Inc.