Disclaimers
~> Note: A Built-in Anomaly Alert Rule cannot be deleted. Removing a Terraform-managed Built-in Anomaly Alert Rule from the configuration causes the rule to be disabled rather than deleted.
azurermSentinelAlertRuleAnomalyBuiltIn
Manages a Built-in Anomaly Alert Rule.
Example Usage
```typescript
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as azurerm from "./.gen/providers/azurerm";

/* The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
   For a more precise conversion please use the --provider flag in convert.
   Adjustments made here: property names use the camelCase form the generated
   bindings expect, and depends_on is expressed as a construct reference rather
   than an interpolation string. This code belongs inside the constructor of a
   cdktf TerraformStack, where `this` is the stack scope. */
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);

const azurermLogAnalyticsWorkspaceExample =
  new azurerm.logAnalyticsWorkspace.LogAnalyticsWorkspace(this, "example_1", {
    location: azurermResourceGroupExample.location,
    name: "example-law",
    resourceGroupName: azurermResourceGroupExample.name,
    sku: "PerGB2018",
  });
/* This allows the Terraform resource name to match the original name. You can
   remove the call if you don't need them to match (same for the calls below). */
azurermLogAnalyticsWorkspaceExample.overrideLogicalId("example");

// Onboard the workspace to Microsoft Sentinel before any rule is managed.
const azurermSecurityInsightsSentinelOnboardingExample =
  new azurerm.securityInsightsSentinelOnboarding.SecurityInsightsSentinelOnboarding(
    this,
    "example_2",
    {
      customerManagedKeyEnabled: false,
      resourceGroupName: azurermResourceGroupExample.name,
      workspaceName: azurermLogAnalyticsWorkspaceExample.name,
    }
  );
azurermSecurityInsightsSentinelOnboardingExample.overrideLogicalId("example");

// Manage the built-in rule by display name; enabled: false keeps it defined but not running.
const azurermSentinelAlertRuleAnomalyBuiltInExample =
  new azurerm.sentinelAlertRuleAnomalyBuiltIn.SentinelAlertRuleAnomalyBuiltIn(
    this,
    "example_3",
    {
      displayName: "UEBA Anomalous Sign In",
      enabled: false,
      logAnalyticsWorkspaceId: azurermLogAnalyticsWorkspaceExample.id,
      mode: "Production",
    }
  );
azurermSentinelAlertRuleAnomalyBuiltInExample.overrideLogicalId("example");

// Read back the rule's exported attributes (tactics, techniques, required data connectors, ...).
const dataAzurermSentinelAlertRuleAnomalyExample =
  new azurerm.dataAzurermSentinelAlertRuleAnomaly.DataAzurermSentinelAlertRuleAnomaly(
    this,
    "example_4",
    {
      dependsOn: [azurermSecurityInsightsSentinelOnboardingExample],
      displayName: "UEBA Anomalous Sign In",
      logAnalyticsWorkspaceId: azurermLogAnalyticsWorkspaceExample.id,
    }
  );
dataAzurermSentinelAlertRuleAnomalyExample.overrideLogicalId("example");
```
Arguments Reference
The following arguments are supported:
- `name` - (Optional) The name of the Built-in Anomaly Alert Rule. Changing this forces a new Built-in Anomaly Alert Rule to be created.
- `displayName` - (Optional) The display name of the Built-in Anomaly Alert Rule. Changing this forces a new Built-in Anomaly Alert Rule to be created.

~> Note: One of `name` or `displayName` must be specified.

- `logAnalyticsWorkspaceId` - (Required) The ID of the Log Analytics Workspace. Changing this forces a new Built-in Anomaly Alert Rule to be created.
- `enabled` - (Required) Should the Built-in Anomaly Alert Rule be enabled?
- `mode` - (Required) The mode of the Built-in Anomaly Alert Rule. Possible values are `Production` and `Flighting`.
Attributes Reference
In addition to the Arguments listed above - the following Attributes are exported:
- `id` - The ID of the Built-in Anomaly Alert Rule.
- `anomalySettingsVersion` - The version of the Anomaly Security ML Analytics Settings.
- `anomalyVersion` - The anomaly version of the Anomaly Alert Rule.
- `description` - The description of the Anomaly Alert Rule.
- `frequency` - The frequency at which the Anomaly Alert Rule is run.
- `requiredDataConnector` - A `requiredDataConnector` block as defined below.
- `settingsDefinitionId` - The ID of the anomaly settings definition.
- `tactics` - A list of attack categories (tactics) by which the rule is classified.
- `techniques` - A list of attack techniques by which the rule is classified.
- `multiSelectObservation` - A list of `multiSelectObservation` blocks as defined below.
- `singleSelectObservation` - A list of `singleSelectObservation` blocks as defined below.
- `prioritizedExcludeObservation` - A list of `prioritizedExcludeObservation` blocks as defined below.
- `thresholdObservation` - A list of `thresholdObservation` blocks as defined below.
A `requiredDataConnector` block exports the following:
- `connectorId` - The ID of the required Data Connector.
- `dataTypes` - A list of data types of the required Data Connector.
A `multiSelectObservation` block exports the following:
- `name` - The name of the multi select observation.
- `description` - The description of the multi select observation.
- `supportedValues` - A list of supported values of the multi select observation.
- `values` - A list of values of the multi select observation.

A `singleSelectObservation` block exports the following:
- `name` - The name of the single select observation.
- `description` - The description of the single select observation.
- `supportedValues` - A list of supported values of the single select observation.
- `value` - The value of the single select observation.
A `prioritizedExcludeObservation` block exports the following:
- `name` - The name of the prioritized exclude observation.
- `description` - The description of the prioritized exclude observation.
- `prioritize` - The prioritized value per `description`.
- `exclude` - The excluded value per `description`.

A `thresholdObservation` block exports the following:
- `name` - The name of the threshold observation.
- `description` - The description of the threshold observation.
- `max` - The max value of the threshold observation.
- `min` - The min value of the threshold observation.
- `value` - The value of the threshold observation.
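The argument constraints above (one of `name`/`displayName`, a required workspace ID, `mode` limited to `Production` or `Flighting`) and the `requiredDataConnector` attribute exported by the rule can both be checked before an apply. The following is an added example, not code from the provider or its documentation: a plain TypeScript pre-apply check that validates a planned rule config and reports which required connector data types are not yet flowing into the workspace. The connector IDs and data types in the sample input are constructed.

```typescript
// Added example (not provider code): pre-apply checks for a Built-in Anomaly Alert Rule.

// Mirrors the documented arguments of azurermSentinelAlertRuleAnomalyBuiltIn.
interface AnomalyRuleConfig {
  name?: string;
  displayName?: string;
  logAnalyticsWorkspaceId: string;
  enabled: boolean;
  mode: string;
}

// Shape of one exported requiredDataConnector block (connectorId + dataTypes).
interface RequiredDataConnector {
  connectorId: string;
  dataTypes: string[];
}

// Returns the list of documented constraints the config violates (empty = OK).
function validateAnomalyRuleConfig(cfg: AnomalyRuleConfig): string[] {
  const problems: string[] = [];
  if (!cfg.name && !cfg.displayName) {
    problems.push("one of name or displayName must be specified");
  }
  if (!cfg.logAnalyticsWorkspaceId) {
    problems.push("logAnalyticsWorkspaceId is required");
  }
  if (cfg.mode !== "Production" && cfg.mode !== "Flighting") {
    problems.push(`mode must be Production or Flighting, got "${cfg.mode}"`);
  }
  return problems;
}

// Compares the connectors a rule requires with the data types actually available
// in the workspace (connectorId -> data types) and returns "connector/dataType"
// entries that are missing; an enabled rule with missing inputs alerts on nothing.
function missingConnectorData(
  required: RequiredDataConnector[],
  available: Record<string, string[]>,
): string[] {
  const missing: string[] = [];
  for (const rc of required) {
    const have = new Set(available[rc.connectorId] ?? []);
    for (const dt of rc.dataTypes) {
      if (!have.has(dt)) missing.push(`${rc.connectorId}/${dt}`);
    }
  }
  return missing;
}

// Constructed sample input, not values exported by a real rule.
const sampleRequired: RequiredDataConnector[] = [
  { connectorId: "AzureActiveDirectory", dataTypes: ["SigninLogs"] },
];
```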
Timeouts
The `timeouts` block allows you to specify timeouts for certain actions:
- `create` - (Defaults to 30 minutes) Used when creating the Built In Anomaly Alert Rule.
- `read` - (Defaults to 5 minutes) Used when retrieving the Built In Anomaly Alert Rule.
- `update` - (Defaults to 30 minutes) Used when updating the Built In Anomaly Alert Rule.
- `delete` - (Defaults to 5 minutes) Used when deleting the Built In Anomaly Alert Rule.
Import
Built In Anomaly Alert Rules can be imported using the `resourceId`, e.g.