Azure Security Center Automation
This page shows how to write Terraform and Azure Resource Manager configurations for Security Center Automation, and how to write them securely.
azurerm_security_center_automation (Terraform)
Automation in Security Center can be configured in Terraform with the resource name azurerm_security_center_automation. The following sections describe two examples of how to use the resource and its parameters.
Example Usage from GitHub
The two snippets below come from the GitHub sources cited in the FAQ and are truncated in the original page; the placeholder values xx are left as they appear there.

The first snippet is a commented-out fragment from the original source describing the shape of an actions map:

    actions = {
      a1 = {
        type              = "EventHub"
        resource_id       = xx
        connection_string = xx
      }
    }

The second snippet is the beginning of a resource block whose action and source blocks are cut off in the source:

    resource "azurerm_security_center_automation" "sec_cen_automation" {
      count               = var.sec_cen_setting_enabled ? 1 : 0
      name                = var.sec_cen_auto_name
      location            = azurerm_resource_group.rg.location
      resource_group_name = azurerm_resource_group.rg.name
      scopes              = [data.azurerm_subscription.current_sub.id]
      # the required action and source blocks follow in the original source (not shown on this page)
    }
Parameters
- description: optional, string
- enabled: optional, bool
- id: optional (computed), string
- location: required, string
- name: required, string
- resource_group_name: required, string
- scopes: required, list of string
- tags: optional, map from string to string
- action: list block
  - connection_string: optional, string
  - resource_id: required, string
  - trigger_url: optional, string
  - type: required, string
- source: list block
  - event_source: required, string
  - rule_set: list block
    - rule: list block
      - expected_value: required, string
      - operator: required, string
      - property_path: required, string
      - property_type: required, string
- timeouts: single block
Explanation in Terraform Registry
Manages Security Center Automation and Continuous Export. This resource supports three types of destination in the action block: Logic Apps, Log Analytics and Event Hubs.
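The following is a complete, added example (not code from the page or from the Terraform Registry) that puts the parameters above together: a continuous-export automation that sends High-severity alerts and Unhealthy assessments from the whole subscription to a Log Analytics workspace. The resource group, workspace, names and the property paths used in the rules are assumptions made for this example.

```hcl
# Added example; resource names, the workspace and the rule property paths are assumptions.
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "rg-security-export" # assumed name
  location = "West Europe"
}

resource "azurerm_log_analytics_workspace" "example" {
  name                = "law-security-export" # assumed name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "PerGB2018"
  retention_in_days   = 90 # keep exported findings long enough for investigations
}

resource "azurerm_security_center_automation" "example" {
  name                = "ExportToWorkspace"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  description         = "Continuous export of high-severity alerts and unhealthy assessments"
  enabled             = true

  # The whole subscription is in scope; the source rules below decide which
  # events are actually forwarded.
  scopes = ["/subscriptions/${data.azurerm_client_config.current.subscription_id}"]

  # A LogAnalytics destination only needs the workspace resource ID, so no
  # connection string (a secret) has to be stored in configuration or state.
  action {
    type        = "LogAnalytics"
    resource_id = azurerm_log_analytics_workspace.example.id
  }

  # Forward alerts whose severity is High. Rules inside one rule_set are ANDed;
  # several rule_set blocks are ORed.
  source {
    event_source = "Alerts"
    rule_set {
      rule {
        property_path  = "properties.metadata.severity"
        operator       = "Equals"
        expected_value = "High"
        property_type  = "String"
      }
    }
  }

  # Forward assessments (recommendations) whose status is Unhealthy.
  source {
    event_source = "Assessments"
    rule_set {
      rule {
        property_path  = "properties.status.code"
        operator       = "Equals"
        expected_value = "Unhealthy"
        property_type  = "String"
      }
    }
  }
}
```

If an EventHub destination is used instead, set type = "EventHub", point resource_id at the event hub and take connection_string from the event hub authorization rule resource attribute (for example azurerm_eventhub_authorization_rule.<name>.primary_connection_string) or from a variable marked sensitive = true, rather than pasting the connection string into the configuration. For a LogicApp destination, trigger_url is required instead of connection_string.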
Tips: Best Practices for The Other Azure Security Center Resources
In addition to azurerm_security_center_automation, Azure Security Center has other resources that should be configured for security reasons. Please check the following examples of those resources and their precautions.
azurerm_security_center_contact
Ensure to enable alert notifications
It is better to configure at least one valid contact for Security Center. Microsoft will inform this contact directly by email in the event of a security incident.
azurerm_security_center_subscription_pricing
Ensure to enable Azure Defender
It is better to enable Azure Defender, which is a cloud workload protection service for App Services. In addition, it is also able to analyze non-Azure resources by using Azure Arc, including those on-premises and in both AWS and GCP.
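The two precautions above in Terraform, as an added example that is not from the page or from the GitHub sources it cites: a contact with alert notifications enabled, and Azure Defender (the Standard tier) enabled for two resource types. The e-mail address and phone number are placeholders, and the example assumes an azurerm provider version that accepts the name argument on azurerm_security_center_contact.

```hcl
# Added example; e-mail and phone are placeholders, provider version is an assumption.
resource "azurerm_security_center_contact" "example" {
  name  = "default"
  email = "secops@example.com" # placeholder address
  phone = "+1-555-0100"        # placeholder number

  # Both default to notifications being off. alert_notifications sends
  # high-severity alerts to the contact above; alerts_to_admins also sends
  # them to the subscription's owners/admins.
  alert_notifications = true
  alerts_to_admins    = true
}

# "Free" leaves Azure Defender off for the resource type; "Standard" turns it on.
resource "azurerm_security_center_subscription_pricing" "app_services" {
  tier          = "Standard"
  resource_type = "AppServices"
}

resource "azurerm_security_center_subscription_pricing" "virtual_machines" {
  tier          = "Standard"
  resource_type = "VirtualMachines"
}
```

azurerm_security_center_subscription_pricing is declared once per resource type to be protected; the default value for an undeclared type remains whatever the subscription currently has, so each type you want covered needs its own resource.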
Microsoft.Security/automations (Azure Resource Manager)
Automations in Microsoft.Security can be configured in Azure Resource Manager with the resource name Microsoft.Security/automations. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
The fragments below come from the GitHub sources cited in the FAQ and are truncated in the original page, so they are not complete JSON on their own.

Existence conditions from deployIfNotExists policy definitions that check for an automation by name:

    "type": "Microsoft.Security/automations",
    "existenceCondition": {
      "allOf": [
        {
          "field": "name",
          "equals": "ExportToWorkspace"

    "type": "Microsoft.Security/automations",
    "existenceCondition": {
      "allOf": [
        {
          "field": "name",
          "equals": "exportToEventHub"

    "type": "Microsoft.Security/automations",
    "existenceCondition": {
      "allOf": [
        {
          "field": "name",
          "notIn": [

Deployment details from a policy definition, placing the automation in a resource group named after the subscription:

    "type": "Microsoft.Security/automations",
    "name": "ExportToWorkspace",
    "existenceScope": "resourcegroup",
    "ResourceGroupName": "[concat(subscription().displayName, '-asc')]",
    "deploymentScope": "subscription",
    "roleDefinitionIds": [

Resource declarations from ARM templates:

    "type": "Microsoft.Security/automations",
    "apiVersion": "2019-01-01-preview",
    "name": "exportToWorkspace2",
    "location": "[parameters('workspaceRegion')]",
    "dependsOn": [],
    "properties": {

    "type": "Microsoft.Security/automations",
    "etag": "etag value",
    "location": "Central US",
    "tags": {},
    "properties": {
      "description": "An example of a security automation that triggers one LogicApp resource (myTest1) on any security assessment of type customAssessment",

    "type": "Microsoft.Security/automations",
    "properties": {
      "description": "[format(variables('automationDescription'),'{0}', parameters('subscriptionId'))]",
      "isEnabled": true,
      "actions": [
        {
Frequently asked questions
What is Azure Security Center Automation?
Azure Security Center Automation is a resource for Security Center of Microsoft Azure. Its settings can be written in Terraform.
Where can I find the example code for the Azure Security Center Automation?
For Terraform, the hassepaul/tgtest and murali198/azure-terraform source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the nkcodegit/Azure-Security-Center source code examples are useful. See the Azure Resource Manager Example section for further details.