kogunlowo123/terraform-azure-sentinel-ai
GitHub: kogunlowo123/terraform-azure-sentinel-ai
A Terraform module for automating the deployment of Microsoft Sentinel, integrating AI-driven incident triage, SOAR playbooks and threat intelligence management.
# terraform-azure-sentinel-ai
Terraform module for deploying Azure Sentinel (Microsoft Sentinel) with AI-driven SOC automation, scheduled analytics rules, SOAR playbooks and threat intelligence integration.

## Architecture
```
graph TB
subgraph DataSources["Data Sources"]
style DataSources fill:#4A90D9,stroke:#2C5F8A,color:#FFFFFF
AAD["Azure Active Directory"]
ASC["Azure Security Center"]
MDATP["Microsoft Defender ATP"]
end
subgraph SentinelCore["Microsoft Sentinel"]
style SentinelCore fill:#E74C3C,stroke:#C0392B,color:#FFFFFF
LAW["Log Analytics Workspace"]
ONBOARD["Sentinel Onboarding"]
ANALYTICS["Scheduled Analytics Rules"]
MS_RULE["MS Security Incident Rule"]
end
subgraph Automation["AI-Powered Automation"]
style Automation fill:#27AE60,stroke:#1E8449,color:#FFFFFF
AUTO_RULES["Automation Rules"]
PLAYBOOK["SOAR Playbooks (Logic Apps)"]
AI_TRIAGE["AI Triage Endpoint"]
end
subgraph ThreatIntel["Threat Intelligence"]
style ThreatIntel fill:#F39C12,stroke:#D68910,color:#FFFFFF
WATCHLIST["Watchlists"]
TI_IND["TI Indicators"]
end
AAD --> LAW
ASC --> LAW
MDATP --> LAW
LAW --> ONBOARD
ONBOARD --> ANALYTICS
ONBOARD --> MS_RULE
ANALYTICS --> AUTO_RULES
MS_RULE --> AUTO_RULES
AUTO_RULES --> PLAYBOOK
PLAYBOOK --> AI_TRIAGE
ONBOARD --> WATCHLIST
ONBOARD --> TI_IND
```

## Documentation

- [Microsoft Sentinel overview](https://learn.microsoft.com/en-us/azure/sentinel/overview)
- [Automate threat response with playbooks](https://learn.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks)
- [Terraform azurerm_sentinel_log_analytics_workspace_onboarding](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sentinel_log_analytics_workspace_onboarding)
- [Sentinel analytics rules](https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-built-in)
- [Sentinel automation rules](https://learn.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules)

## Prerequisites

- Terraform >= 1.5.0
- AzureRM provider >= 3.80.0
- An existing Azure Resource Group
- An Azure subscription with Microsoft Sentinel enabled
- Appropriate RBAC permissions: Microsoft Sentinel Contributor, Logic App Contributor
- For AI-driven triage: a reachable AI/ML endpoint (for example Azure OpenAI Service)

## Deployment guide

### Step 1: Configure the provider

```
provider "azurerm" {
  features {}
  subscription_id = "your-subscription-id"
}
```

### Step 2: Create the resource group (if it does not exist)

```
resource "azurerm_resource_group" "sentinel" {
  name     = "rg-sentinel-soc"
  location = "East US"
}
```

### Step 3: Call the module

```
module "sentinel_ai" {
  source = "github.com/kogunlowo123/terraform-azure-sentinel-ai"

  name_prefix         = "prod-soc"
  location            = azurerm_resource_group.sentinel.location
  resource_group_name = azurerm_resource_group.sentinel.name
  retention_in_days   = 180

  enable_aad_connector   = true
  enable_asc_connector   = true
  enable_mdatp_connector = true

  analytics_rules = [
    {
      name     = "brute-force-ssh"
      severity = "High"
      query    = <<-QUERY
        Syslog
        | where Facility == "auth" and SyslogMessage has "Failed password"
        | summarize count() by SrcIP = extract("from ([0-9.]+)", 1, SyslogMessage), bin(TimeGenerated, 1h)
        | where count_ > 20
      QUERY
      frequency = "PT1H"
      lookback  = "PT1H"
    }
  ]

  automation_rules = [
    {
      name                 = "escalate-critical"
      order                = 1
      change_severity      = "High"
      condition_severities = ["Medium", "High"]
    }
  ]

  enable_playbooks = true
  playbook_configs = [
    {
      name             = "incident-triage"
      enable_ai_triage = true
      ai_endpoint_url  = "https://my-openai.openai.azure.com/openai/deployments/gpt-4/chat/completions?api-version=2024-02-01"
    }
  ]

  watchlist_items = [
    {
      indicator   = "203.0.113.50"
      type        = "ip"
      confidence  = 90
      description = "Known C2 server"
    },
    {
      indicator   = "malicious-domain.example.com"
      type        = "domain"
      confidence  = 85
      description = "Phishing domain"
    }
  ]

  tags = {
    Environment = "production"
    Team        = "security-operations"
  }
}
```

### Step 4: Deploy

```
terraform init
terraform plan -out=tfplan
terraform apply tfplan
```

### Step 5: Verify in the Azure Portal

Navigate to Microsoft Sentinel in the Azure Portal and verify that:

- The data connectors are active and ingesting logs
- The analytics rules are enabled and running
- The automation rules are configured
- The playbooks are deployed and ready to be triggered by incidents

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| `name_prefix` | Prefix for all resource names | `string` | n/a | yes |
| `location` | Azure region for all resources | `string` | n/a | yes |
| `resource_group_name` | Name of the resource group | `string` | n/a | yes |
| `log_analytics_sku` | SKU of the Log Analytics workspace | `string` | `"PerGB2018"` | no |
| `retention_in_days` | Data retention period in days | `number` | `90` | no |
| `enable_aad_connector` | Enable the Azure AD data connector | `bool` | `true` | no |
| `enable_asc_connector` | Enable the Azure Security Center data connector | `bool` | `true` | no |
| `enable_mdatp_connector` | Enable the Microsoft Defender ATP connector | `bool` | `false` | no |
| `analytics_rules` | List of scheduled analytics rules | `list(object)` | see variables.tf | no |
| `automation_rules` | List of automation rules | `list(object)` | see variables.tf | no |
| `enable_playbooks` | Enable SOAR playbooks via Logic Apps | `bool` | `true` | no |
| `playbook_configs` | Configuration of the SOAR playbooks | `list(object)` | see variables.tf | no |
| `watchlist_items` | List of threat intelligence watchlist items | `list(object)` | `[]` | no |
| `tags` | Tags applied to all resources | `map(string)` | `{}` | no |

## Outputs

| Name | Description |
|------|-------------|
| `workspace_id` | ID of the Log Analytics workspace |
| `workspace_name` | Name of the Log Analytics workspace |
| `sentinel_id` | ID of the Sentinel onboarding resource |
| `analytics_rule_ids` | Map of analytics rule names to their IDs |
| `automation_rule_ids` | Map of automation rule names to their IDs |
| `playbook_ids` | Map of playbook names to their Logic App workflow IDs |
| `data_connector_ids` | Map of enabled data connector IDs |

## License

MIT License - see [LICENSE](LICENSE) for details.
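The `brute-force-ssh` analytics rule from step 3 of the deployment guide, emulated offline so the threshold logic can be checked before the rule is deployed. This is an added example and not code from the module; it approximates KQL `has` with a substring match and runs over constructed syslog rows, including the edge case of exactly 20 failures, which the strict `count_ > 20` filter must not fire on.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Mirrors the rule's KQL:
#   Syslog | where Facility == "auth" and SyslogMessage has "Failed password"
#   | summarize count() by SrcIP = extract("from ([0-9.]+)", 1, SyslogMessage), bin(TimeGenerated, 1h)
#   | where count_ > 20
FROM_IP = re.compile(r"from ([0-9.]+)")
THRESHOLD = 20


def bin_hour(ts: datetime) -> datetime:
    """KQL bin(TimeGenerated, 1h): floor the timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def brute_force_ssh(rows):
    """rows: iterable of (TimeGenerated, Facility, SyslogMessage) tuples.
    Returns {(SrcIP, hour_bin): count} for every bucket above the threshold."""
    counts = Counter()
    for ts, facility, msg in rows:
        # Approximation: KQL `has` is a case-insensitive term match; substring is close enough here.
        if facility != "auth" or "Failed password" not in msg:
            continue
        m = FROM_IP.search(msg)
        # KQL extract() yields "" when the pattern does not match; keep that behaviour.
        src_ip = m.group(1) if m else ""
        counts[(src_ip, bin_hour(ts))] += 1
    return {key: n for key, n in counts.items() if n > THRESHOLD}


def sample_rows():
    """Constructed syslog rows (not real telemetry): 25 failures from 203.0.113.50 within one hour,
    exactly 20 from 198.51.100.7 (must not alert), plus unrelated noise."""
    base = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    rows = []
    for i in range(25):
        rows.append((base + timedelta(minutes=i), "auth",
                     "sshd[1234]: Failed password for root from 203.0.113.50 port 4422 ssh2"))
    for i in range(20):
        rows.append((base + timedelta(minutes=i), "auth",
                     "sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 50123 ssh2"))
    rows.append((base, "auth", "sshd[1236]: Accepted publickey for ops from 203.0.113.50 port 4423 ssh2"))
    rows.append((base, "cron", "Failed password for root from 203.0.113.50"))  # wrong facility, ignored
    return rows


if __name__ == "__main__":
    for (ip, hour), n in brute_force_ssh(sample_rows()).items():
        print(f"ALERT src={ip} bin={hour.isoformat()} failures={n}")
```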