Skip to content

Disclaimers

\~> Note: A Built-in Anomaly Alert Rule could not be deleted. delete a Terraform managed Built-in Anomaly Alert Rule will cause the Built-in Anomaly Alert Rule to be disabled.

azurermSentinelAlertRuleAnomalyBuiltIn

Manages a Built-in Anomaly Alert Rule.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermLogAnalyticsWorkspaceExample =
  new azurerm.logAnalyticsWorkspace.LogAnalyticsWorkspace(this, "example_1", {
    location: azurermResourceGroupExample.location,
    name: "example-law",
    resource_group_name: azurermResourceGroupExample.name,
    sku: "PerGB2018",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermLogAnalyticsWorkspaceExample.overrideLogicalId("example");
const azurermSecurityInsightsSentinelOnboardingExample =
  new azurerm.securityInsightsSentinelOnboarding.SecurityInsightsSentinelOnboarding(
    this,
    "example_2",
    {
      customer_managed_key_enabled: false,
      resource_group_name: azurermResourceGroupExample.name,
      workspace_name: azurermLogAnalyticsWorkspaceExample.name,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSecurityInsightsSentinelOnboardingExample.overrideLogicalId("example");
const azurermSentinelAlertRuleAnomalyBuiltInExample =
  new azurerm.sentinelAlertRuleAnomalyBuiltIn.SentinelAlertRuleAnomalyBuiltIn(
    this,
    "example_3",
    {
      display_name: "UEBA Anomalous Sign In",
      enabled: false,
      log_analytics_workspace_id: azurermLogAnalyticsWorkspaceExample.id,
      mode: "Production",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSentinelAlertRuleAnomalyBuiltInExample.overrideLogicalId("example");
const dataAzurermSentinelAlertRuleAnomalyExample =
  new azurerm.dataAzurermSentinelAlertRuleAnomaly.DataAzurermSentinelAlertRuleAnomaly(
    this,
    "example_4",
    {
      depends_on: [
        "${azurerm_sentinel_log_analytics_workspace_onboarding.example}",
      ],
      display_name: "UEBA Anomalous Sign In",
      log_analytics_workspace_id: azurermLogAnalyticsWorkspaceExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAzurermSentinelAlertRuleAnomalyExample.overrideLogicalId("example");

Arguments Reference

The following arguments are supported:

  • name - (Optional) The Name of the built-in Anomaly Alert Rule. Changing this forces a new Built-in Anomaly Alert Rule to be created.

  • displayName - (Optional) The Display Name of the built-in Anomaly Alert Rule. Changing this forces a new Built-in Anomaly Alert Rule to be created.

\~> Note: One of name or displayName block must be specified.

  • logAnalyticsWorkspaceId - (Required) The ID of the Log Analytics Workspace. Changing this forces a new Built-in Anomaly Alert Rule to be created.

  • enabled - (Required) Should the Built-in Anomaly Alert Rule be enabled?

  • mode - (Required) mode of the Built-in Anomaly Alert Rule. Possible Values are production and flighting.

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Built-in Anomaly Alert Rule.

  • anomalySettingsVersion - The version of the Anomaly Security ML Analytics Settings.

  • anomalyVersion - The anomaly version of the Anomaly Alert Rule.

  • description - The description of the Anomaly Alert Rule.

  • frequency - The frequency the Anomaly Alert Rule will be run.

  • requiredDataConnector - A requiredDataConnector block as defined below.

  • settingsDefinitionId - The ID of the anomaly settings definition Id.

  • tactics - A list of categories of attacks by which to classify the rule.

  • techniques - A list of techniques of attacks by which to classify the rule.

  • multiSelectObservation - A list of multiSelectObservation blocks as defined below.

  • singleSelectObservation - A list of singleSelectObservation blocks as defined below.

  • prioritizedExcludeObservation - A list of prioritizedExcludeObservation blocks as defined below.

  • thresholdObservation - A list of thresholdObservation blocks as defined below.

A requiredDataConnector block exports the following:

  • connectorId - The ID of the required Data Connector.

  • dataTypes - A list of data types of the required Data Connector.

A multiSelectObservation block exports the following:

  • name - The name of the multi select observation.

  • description - The description of the multi select observation.

  • supportedValues - A list of supported values of the multi select observation.

  • values - A list of values of the single select observation.

A singleSelectObservation block exports the following:

  • name - The name of the single select observation.

  • description - The description of the single select observation.

  • supportedValues - A list of supported values of the single select observation.

  • value - The value of the multi select observation.

A prioritizedExcludeObservation block exports the following:

  • name - The name of the prioritized exclude observation.

  • description - The description of the prioritized exclude observation.

  • prioritize - The prioritized value per description.

  • exclude - The excluded value per description.

A thresholdObservation block exports the following:

  • name - The name of the threshold observation.

  • description - The description of the threshold observation.

  • max - The max value of the threshold observation.

  • min - The min value of the threshold observation.

  • value - The value of the threshold observation.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Built In Anomaly Alert Rule.
  • read - (Defaults to 5 minutes) Used when retrieving the Built In Anomaly Alert Rule.
  • update - (Defaults to 30 minutes) Used when updating the Built In Anomaly Alert Rule.
  • delete - (Defaults to 5 minutes) Used when deleting the Built In Anomaly Alert Rule.

Import

Built In Anomaly Alert Rules can be imported using the resourceId, e.g.

terraform import azurerm_sentinel_alert_rule_anomaly_built_in.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/setting1