Azure Sentinel: How to install 'Solution' either using a CLI or Terraform


I have created Azure Sentinel using the following Terraform code

### Sentinel workspace ###
resource "azurerm_sentinel_data_connector_azure_security_center" "main" {
  name                       = "data-connector-azure-security-center"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.ws.id
  subscription_id            = data.azurerm_subscription.current.subscription_id
}

and connected it to various data sources, as shown below

### Data Connector for Active Directory ###
resource "azurerm_sentinel_data_connector_azure_active_directory" "aad" {
  name                       = "Microsoft Entra ID"
  log_analytics_workspace_id = azurerm_sentinel_log_analytics_workspace_onboarding.sential.workspace_id
}

I need to create an active rule based on the existing rule templates, as shown below

### Create a Rule based on the existing Rules Template, you need to install Azure Activity Solution before this ###
data "azurerm_sentinel_alert_rule_template" "analytics_rule_template" {
  log_analytics_workspace_id = azurerm_log_analytics_workspace.ws.id
  display_name               = "Rare subscription-level operations in Azure"
}

resource "azurerm_sentinel_alert_rule_scheduled" "rare_operations" {
  name                       = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.name
  log_analytics_workspace_id = azurerm_log_analytics_workspace.ws.id
  alert_rule_template_guid   = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.name
  display_name               = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.display_name
  severity                   = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.severity
  query                      = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.query
  description                = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.description
  query_frequency            = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.query_frequency
  query_period               = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.query_period
  tactics                    = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.tactics
  trigger_operator           = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.trigger_operator
  trigger_threshold          = data.azurerm_sentinel_alert_rule_template.analytics_rule_template.scheduled_template.0.trigger_threshold
}

However, this needs the Azure Activity solution to be installed. I don't see any option to install the solution(s) using a CLI or Terraform.


I don't want to manually install these solutions. Is there a way to install these solutions using either a CLI or terraform?


1 answer

aZaD On

Use Azure PowerShell: Create an Azure PowerShell script to install the required solution. This script can use the Add-AzSentinelSolution cmdlet to install the solution by its name or ID. Execute the script within your Terraform workflow using the local-exec provisioner. This allows you to run arbitrary commands within your Terraform configuration.

Example PowerShell script:

Add-AzSentinelSolution -WorkspaceName "<workspace_name>" -SolutionName "Azure Activity"

Terraform configuration:

resource "azurerm_sentinel_data_connector_azure_security_center" "main" {
  ... existing configuration ...
}

# A provisioner must be declared inside a resource block; a null_resource
# gives the script a place to run, once, after the data connector exists.
resource "null_resource" "install_solution" {
  depends_on = [azurerm_sentinel_data_connector_azure_security_center.main]

  provisioner "local-exec" {
    command = <<-EOT
      powershell.exe -ExecutionPolicy Bypass -File ./install_solution.ps1
    EOT
  }
}

resource "azurerm_sentinel_alert_rule_scheduled" "rare_operations" {
  ... existing configuration ...

  # Do not create the rule until the solution install script has run.
  depends_on = [null_resource.install_solution]
}

Check this link from Terraform too: terraform-azure
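An alternative to shelling out from Terraform, added here as an example and not part of the question or the answer above: Content hub solutions are themselves Azure resources of type Microsoft.SecurityInsights/contentPackages, nested under the Log Analytics workspace, so they can be declared with the azapi provider and ordered with depends_on like any other resource. The azurerm provider has no resource for them. The solution content ID "azuresentinel.azure-sentinel-solution-azureactivity", the version "3.0.0" and the local name sential for the onboarding resource are assumptions taken from the question's naming and should be confirmed against the workspace's contentProductPackages listing before use.

```hcl
# Added example (not code from the question or the answer): install the
# "Azure Activity" Content hub solution as a resource via the azapi provider,
# then read the rule template only after the solution exists.

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azapi   = { source = "Azure/azapi", version = "~> 2.0" }
  }
}

provider "azapi" {}

locals {
  # ASSUMPTION: the content ID of the Azure Activity solution. Content hub
  # solutions are addressed as .../Microsoft.SecurityInsights/contentPackages/{contentId}
  # under the workspace; confirm the ID and version with:
  #   az rest --method get --url "https://management.azure.com<workspace resource id>/providers/Microsoft.SecurityInsights/contentProductPackages?api-version=2023-04-01-preview"
  azure_activity_solution_id = "azuresentinel.azure-sentinel-solution-azureactivity"
}

resource "azapi_resource" "azure_activity_solution" {
  type      = "Microsoft.SecurityInsights/contentPackages@2023-04-01-preview"
  name      = local.azure_activity_solution_id
  parent_id = azurerm_log_analytics_workspace.ws.id

  body = {
    properties = {
      contentId   = local.azure_activity_solution_id
      contentKind = "Solution"
      displayName = "Azure Activity"
      version     = "3.0.0" # ASSUMPTION: copy the version reported by the listing above
    }
  }

  # Sentinel must already be onboarded on the workspace before content can be
  # installed into it.
  depends_on = [azurerm_sentinel_log_analytics_workspace_onboarding.sential]
}

# Data sources are normally read at plan time. Without depends_on this lookup
# runs before the solution is installed and fails because the template does
# not exist yet; with it, Terraform defers the read until after the install.
data "azurerm_sentinel_alert_rule_template" "analytics_rule_template" {
  log_analytics_workspace_id = azurerm_log_analytics_workspace.ws.id
  display_name               = "Rare subscription-level operations in Azure"

  depends_on = [azapi_resource.azure_activity_solution]
}
```

The rest of the question's configuration (the azurerm_sentinel_alert_rule_scheduled resource fed from this data source) stays unchanged; because the data source now depends on the azapi resource, the rule is created only after the solution is present. Run the az rest listing first and paste the properties it returns into the body rather than trusting the assumed ID and version, and check in the portal or with the data source that the template actually appears in the workspace after the first apply, since that is the condition the rule creation depends on.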