hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for sentinel data connectors #18195

Open davidlife52 opened 2 years ago

davidlife52 commented 2 years ago

Description

Support stable sentinel data connector resources.

New or Affected Resource(s)/Data Source(s)

azurerm_sentinel_data_connector_microsoft_defender_for_endpoint
azurerm_sentinel_data_connector_microsoft_defender_for_office365
azurerm_sentinel_data_connector_microsoft_defender_for_identity
azurerm_sentinel_data_connector_microsoft_defender_for_cloud_apps
azurerm_sentinel_data_connector_azure_ad_identity_protection

magodo commented 2 years ago

@davidlife52 Thank you for submitting this! Looking into the latest stable version of the Sentinel API, it looks like all of the DCs defined are supported:

Would you please kindly point out the API definitions for the above resources that you want to be supported?

davidlife52 commented 2 years ago

I learned that Microsoft changed some connector names. In their API definition, they are still using the old names. For people like me, who do not know the old names for the data connectors, this link should help: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/advanced-hunting-product-name-changes/ba-p/2009233

Microsoft Defender for Endpoint is already implemented as azurerm_sentinel_data_connector_microsoft_defender_advanced_threat_protection.
Microsoft Defender for Cloud Apps is also implemented, as azurerm_sentinel_data_connector_microsoft_cloud_app_security.
Microsoft Defender for Identity is also implemented as azurerm_sentinel_data_connector_azure_advanced_threat_protection.

All that's left is:

I couldn't find the Windows Security Events for AMA, but for Defender for Office 365 it used to be called Office 365 Advanced Threat Protection. The definition: https://learn.microsoft.com/en-us/rest/api/securityinsights/preview/data-connectors/create-or-update?tabs=HTTP#officeatpdataconnector.

cshea-msft commented 1 year ago

Still missing modules for

cshea-msft commented 1 year ago

@magodo is there any update on this? I have been having issues deploying out connectors. A couple of times it has failed, then I deploy again and it shows up. Some of the recent errors I have received are below.

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to module.sentinel.azurerm_sentinel_data_connector_azure_active_directory.aad, provider "provider[\"registry.terraform.io/hashicorp/azurerm\"]" produced an unexpected new value: Root resource was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to module.sentinel.azurerm_sentinel_data_connector_microsoft_cloud_app_security.microsoft_cloud_app_security, provider "provider[\"registry.terraform.io/hashicorp/azurerm\"]" produced an unexpected new value: Root resource was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to module.sentinel.azurerm_sentinel_data_connector_azure_advanced_threat_protection.aad_advanced_threat_protection, provider "provider[\"registry.terraform.io/hashicorp/azurerm\"]" produced an unexpected new value: Root resource was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

│ Error: creating Data Connector: (Name "microsoft_defender_advanced_threat_protection" / Workspace Name "law-sentinel-eastus" / Resource Group "rg-law-sentinel-eastus"): securityinsight.DataConnectorsClient#CreateOrUpdate: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="InvalidLicense" Message="Missing consent"
│
│   with module.sentinel.azurerm_sentinel_data_connector_microsoft_defender_advanced_threat_protection.microsoft_defender_advanced_threat_protection,
│   on modules\connectors.tf line 53, in resource "azurerm_sentinel_data_connector_microsoft_defender_advanced_threat_protection" "microsoft_defender_advanced_threat_protection":
│   53: resource "azurerm_sentinel_data_connector_microsoft_defender_advanced_threat_protection" "microsoft_defender_advanced_threat_protection" {
│

magodo commented 1 year ago

Ping @ziyeqf