Data Source: azurermSentinelAlertRuleAnomaly
Use this data source to access information about an existing Anomaly Alert Rule.
Example Usage
import { Construct } from "constructs";
import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";

/*The converter output used snake_case keys and a "${...}" string in depends_on; the
generated bindings use camelCase property names and take construct references, so both
are corrected here, and the code is placed inside a stack so that `this` is valid.*/
class SentinelAnomalyRuleStack extends cdktf.TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
      this,
      "example",
      {
        location: "West Europe",
        name: "example-resources",
      }
    );
    const azurermLogAnalyticsWorkspaceExample =
      new azurerm.logAnalyticsWorkspace.LogAnalyticsWorkspace(this, "example_1", {
        location: azurermResourceGroupExample.location,
        name: "example-law",
        resourceGroupName: azurermResourceGroupExample.name,
        sku: "PerGB2018",
      });
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    azurermLogAnalyticsWorkspaceExample.overrideLogicalId("example");
    /*azurerm_sentinel_log_analytics_workspace_onboarding (the resource type named in the
    original depends_on) onboards the workspace to Microsoft Sentinel.*/
    const azurermSentinelOnboardingExample =
      new azurerm.sentinelLogAnalyticsWorkspaceOnboarding.SentinelLogAnalyticsWorkspaceOnboarding(
        this,
        "example_2",
        {
          customerManagedKeyEnabled: false,
          resourceGroupName: azurermResourceGroupExample.name,
          workspaceName: azurermLogAnalyticsWorkspaceExample.name,
        }
      );
    azurermSentinelOnboardingExample.overrideLogicalId("example");
    const dataAzurermSentinelAlertRuleAnomalyExample =
      new azurerm.dataAzurermSentinelAlertRuleAnomaly.DataAzurermSentinelAlertRuleAnomaly(
        this,
        "example_3",
        {
          /*The rule template only exists once Sentinel is onboarded, so read it after onboarding.*/
          dependsOn: [azurermSentinelOnboardingExample],
          displayName: "UEBA Anomalous Sign In",
          logAnalyticsWorkspaceId: azurermLogAnalyticsWorkspaceExample.id,
        }
      );
    dataAzurermSentinelAlertRuleAnomalyExample.overrideLogicalId("example");
    new cdktf.TerraformOutput(this, "id", {
      value: dataAzurermSentinelAlertRuleAnomalyExample.id,
    });
  }
}

const app = new cdktf.App();
new SentinelAnomalyRuleStack(app, "sentinel-anomaly-rule");
app.synth();
Arguments Reference
The following arguments are supported:
- `logAnalyticsWorkspaceId` - (Required) The ID of the Log Analytics Workspace.
- `name` - (Optional) The GUID of this Sentinel Alert Rule Template. Either `displayName` or `name` has to be specified.
- `displayName` - (Optional) The display name of this Sentinel Alert Rule Template. Either `displayName` or `name` has to be specified.
~> NOTE: One of `name` or `displayName` must be specified.
Attributes Reference
In addition to the Arguments listed above, the following Attributes are exported:
- `id` - The ID of the Anomaly Alert Rule.
- `anomalySettingsVersion` - The version of the Anomaly Security ML Analytics Settings.
- `anomalyVersion` - The anomaly version of the Anomaly Alert Rule.
- `description` - The description of the Anomaly Alert Rule.
- `enabled` - Is the Anomaly Alert Rule enabled?
- `frequency` - The frequency at which the Anomaly Alert Rule will be run.
- `requiredDataConnector` - A `requiredDataConnector` block as defined below.
- `settingsDefinitionId` - The ID of the anomaly settings definition.
- `mode` - The Mode of the Anomaly Alert Rule.
- `tactics` - A list of categories of attacks by which to classify the rule.
- `techniques` - A list of techniques of attacks by which to classify the rule.
- `multiSelectObservation` - A list of `multiSelectObservation` blocks as defined below.
- `singleSelectObservation` - A list of `singleSelectObservation` blocks as defined below.
- `prioritizedExcludeObservation` - A list of `prioritizedExcludeObservation` blocks as defined below.
- `thresholdObservation` - A list of `thresholdObservation` blocks as defined below.
A `requiredDataConnector` block exports the following:
- `connectorId` - The ID of the required Data Connector.
- `dataTypes` - A list of data types of the required Data Connector.
A `multiSelectObservation` block exports the following:
- `name` - The name of the multi select observation.
- `description` - The description of the multi select observation.
- `supportedValues` - A list of supported values of the multi select observation.
- `values` - A list of values of the multi select observation.
A `singleSelectObservation` block exports the following:
- `name` - The name of the single select observation.
- `description` - The description of the single select observation.
- `supportedValues` - A list of supported values of the single select observation.
- `value` - The value of the single select observation.
A `prioritizedExcludeObservation` block exports the following:
- `name` - The name of the prioritized exclude observation.
- `description` - The description of the prioritized exclude observation.
- `prioritize` - The prioritized value per `description`.
- `exclude` - The excluded value per `description`.
A `thresholdObservation` block exports the following:
- `name` - The name of the threshold observation.
- `description` - The description of the threshold observation.
- `max` - The max value of the threshold observation.
- `min` - The min value of the threshold observation.
- `value` - The value of the threshold observation.
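As an added example (not part of the provider documentation or the azurerm provider's code), the check below consumes the attributes this data source exports, as a stack would see them after `terraform output -json`, and reports why an anomaly rule may not fire: it is disabled, a required data connector is not ingesting a needed data type, a threshold sits outside its `min`/`max` range, or no tactics/techniques are assigned. The field names follow the attributes above; the sample rule and the connector inventory are constructed.

```typescript
// Added example, not from the azurerm provider or its docs. The interfaces mirror the
// attributes documented for azurermSentinelAlertRuleAnomaly; all values are constructed.
interface RequiredDataConnector { connectorId: string; dataTypes: string[]; }
interface ThresholdObservation { name: string; description: string; min: number; max: number; value: number; }
interface AnomalyRule {
  displayName: string; enabled: boolean; mode: string;
  tactics: string[]; techniques: string[];
  requiredDataConnector: RequiredDataConnector[];
  thresholdObservation: ThresholdObservation[];
}
interface Finding { severity: "error" | "warn"; message: string; }

// `connected` maps a connector ID to the data types actually connected in the workspace.
function checkAnomalyRule(rule: AnomalyRule, connected: Record<string, string[]>): Finding[] {
  const out: Finding[] = [];
  const name = rule.displayName;
  if (!rule.enabled) out.push({ severity: "warn", message: `${name}: rule is disabled` });
  // Every required connector must supply every data type the rule depends on.
  for (const rdc of rule.requiredDataConnector) {
    const have = connected[rdc.connectorId] || [];
    const missing = rdc.dataTypes.filter((t) => !have.includes(t));
    if (missing.length > 0) {
      out.push({ severity: "error", message: `${name}: connector ${rdc.connectorId} is missing data types ${missing.join(", ")}` });
    }
  }
  // A threshold value outside [min, max] is rejected by Sentinel, so flag it before apply.
  for (const t of rule.thresholdObservation) {
    if (t.value < t.min || t.value > t.max) {
      out.push({ severity: "error", message: `${name}: threshold ${t.name}=${t.value} outside [${t.min}, ${t.max}]` });
    }
  }
  if (rule.tactics.length === 0 && rule.techniques.length === 0) {
    out.push({ severity: "warn", message: `${name}: no tactics or techniques assigned` });
  }
  return out;
}

// Constructed sample: the rule from the Example Usage above, with one required data type
// not yet connected and one threshold out of range, so two findings are expected.
const sampleRule: AnomalyRule = {
  displayName: "UEBA Anomalous Sign In",
  enabled: true,
  mode: "Production",
  tactics: ["InitialAccess"],
  techniques: ["T1078"],
  requiredDataConnector: [{ connectorId: "AzureActiveDirectory", dataTypes: ["SigninLogs", "AADNonInteractiveUserSignInLogs"] }],
  thresholdObservation: [{ name: "Anomaly score threshold", description: "Minimum score", min: 0, max: 1, value: 1.5 }],
};
const sampleConnected: Record<string, string[]> = { AzureActiveDirectory: ["SigninLogs"] };
```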
Timeouts
The `timeouts` block allows you to specify timeouts for certain actions:
- `read` - (Defaults to 5 minutes) Used when retrieving the Anomaly Alert Rule.