# azurermSentinelAlertRuleAnomalyDuplicate

Manages a Duplicated Anomaly Alert Rule.
## Example Usage

```typescript
/* Provider bindings are generated by running `cdktf get`.
   See https://cdk.tf/provider-generation for more details. */
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as azurerm from "./.gen/providers/azurerm";

// The converted snippet uses `this` as the construct scope, so it belongs in a
// TerraformStack constructor; the class makes that explicit so the example
// synthesizes as written. Argument names use the camelCase form the generated
// bindings expose.
class ExampleStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
      this,
      "example",
      {
        location: "West Europe",
        name: "example-resources",
      }
    );
    const azurermLogAnalyticsWorkspaceExample =
      new azurerm.logAnalyticsWorkspace.LogAnalyticsWorkspace(this, "example_1", {
        location: azurermResourceGroupExample.location,
        name: "example-law",
        resourceGroupName: azurermResourceGroupExample.name,
        sku: "PerGB2018",
      });
    /* This allows the Terraform resource name to match the original name.
       You can remove the call if you don't need them to match. */
    azurermLogAnalyticsWorkspaceExample.overrideLogicalId("example");
    const azurermSentinelLogAnalyticsWorkspaceOnboardingExample =
      new azurerm.sentinelLogAnalyticsWorkspaceOnboarding.SentinelLogAnalyticsWorkspaceOnboarding(
        this,
        "example_2",
        {
          customerManagedKeyEnabled: false,
          resourceGroupName: azurermResourceGroupExample.name,
          workspaceName: azurermLogAnalyticsWorkspaceExample.name,
        }
      );
    azurermSentinelLogAnalyticsWorkspaceOnboardingExample.overrideLogicalId("example");
    const dataAzurermSentinelAlertRuleAnomalyExample =
      new azurerm.dataAzurermSentinelAlertRuleAnomaly.DataAzurermSentinelAlertRuleAnomaly(
        this,
        "example_3",
        {
          // Depend on the onboarding construct itself rather than the raw
          // "${azurerm_sentinel_log_analytics_workspace_onboarding.example}"
          // interpolation string the converter emitted.
          dependsOn: [azurermSentinelLogAnalyticsWorkspaceOnboardingExample],
          displayName: "UEBA Anomalous Sign In",
          logAnalyticsWorkspaceId: azurermLogAnalyticsWorkspaceExample.id,
        }
      );
    dataAzurermSentinelAlertRuleAnomalyExample.overrideLogicalId("example");
    const azurermSentinelAlertRuleAnomalyDuplicateExample =
      new azurerm.sentinelAlertRuleAnomalyDuplicate.SentinelAlertRuleAnomalyDuplicate(
        this,
        "example_4",
        {
          builtInRuleId: dataAzurermSentinelAlertRuleAnomalyExample.id,
          displayName: "example duplicated UEBA Anomalous Sign In",
          enabled: true,
          logAnalyticsWorkspaceId: azurermLogAnalyticsWorkspaceExample.id,
          mode: "Flighting",
          thresholdObservation: [
            {
              name: "Anomaly score threshold",
              value: "0.6",
            },
          ],
        }
      );
    azurermSentinelAlertRuleAnomalyDuplicateExample.overrideLogicalId("example");
  }
}
```
## Arguments Reference

The following arguments are supported:

- `displayName` - (Required) The Display Name of the built-in Anomaly Alert Rule. Changing this forces a new Duplicated Anomaly Alert Rule to be created.
- `builtInRuleId` - (Required) The ID of the built-in Anomaly Alert Rule. Changing this forces a new Duplicated Anomaly Alert Rule to be created.
- `logAnalyticsWorkspaceId` - (Required) The ID of the Log Analytics Workspace. Changing this forces a new Duplicated Anomaly Alert Rule to be created.
- `enabled` - (Required) Should the Duplicated Anomaly Alert Rule be enabled?
- `mode` - (Required) The mode of the Duplicated Anomaly Alert Rule. Possible values are `Production` and `Flighting`.
- `multiSelectObservation` - (Optional) A list of `multiSelectObservation` blocks as defined below.
- `singleSelectObservation` - (Optional) A list of `singleSelectObservation` blocks as defined below.
- `prioritizedExcludeObservation` - (Optional) A list of `prioritizedExcludeObservation` blocks as defined below.
- `thresholdObservation` - (Optional) A list of `thresholdObservation` blocks as defined below.

-> **NOTE:** Any `multiSelectObservation`, `singleSelectObservation`, `prioritizedExcludeObservation` and `thresholdObservation` blocks that are not specified are inherited from the built-in Anomaly Alert Rule.
A `multiSelectObservation` block supports the following:

- `name` - (Required) The name of the multi select observation.
- `description` - The description of the multi select observation.
- `supportedValues` - A list of supported values of the multi select observation.
- `values` - (Required) A list of values of the multi select observation.

A `singleSelectObservation` block supports the following:

- `name` - (Required) The name of the single select observation.
- `description` - The description of the single select observation.
- `supportedValues` - A list of supported values of the single select observation.
- `value` - (Required) The value of the single select observation.

A `prioritizedExcludeObservation` block supports the following:

- `name` - (Required) The name of the prioritized exclude observation.
- `description` - The description of the prioritized exclude observation.
- `prioritize` - (Optional) The prioritized value per `description`.
- `exclude` - (Optional) The excluded value per `description`.

A `thresholdObservation` block supports the following:

- `name` - (Required) The name of the threshold observation.
- `description` - The description of the threshold observation.
- `max` - The max value of the threshold observation.
- `min` - The min value of the threshold observation.
- `value` - (Required) The value of the threshold observation.
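The following is an added example, not part of this documentation page or of the azurerm provider code. It models the configuration object that `SentinelAlertRuleAnomalyDuplicate` accepts, using the argument names listed above, and checks a configuration against the constraints in the argument reference before it is handed to the construct; it also applies the inheritance rule from the NOTE to show which observation blocks a duplicated rule effectively runs with. It needs no cdktf or provider import, so it runs stand-alone. The workspace and rule IDs, the "Device types" observation and the min/max and supported-value range checks are constructed or assumed for illustration, not taken from the provider.

```typescript
// Added example (not provider code): validates a duplicated anomaly rule
// configuration against the documented argument constraints and resolves the
// observation blocks the rule inherits from the built-in rule.

type ThresholdObservation = { name: string; value: string; min?: string; max?: string; description?: string };
type SingleSelectObservation = { name: string; value: string; supportedValues?: string[]; description?: string };
type MultiSelectObservation = { name: string; values: string[]; supportedValues?: string[]; description?: string };
type PrioritizedExcludeObservation = { name: string; prioritize?: string; exclude?: string; description?: string };

type AnomalyDuplicateMode = "Production" | "Flighting";

// Mirrors the resource's arguments as the generated CDKTF bindings name them.
interface AnomalyDuplicateConfig {
  displayName: string;
  builtInRuleId: string;
  logAnalyticsWorkspaceId: string;
  enabled: boolean;
  mode: AnomalyDuplicateMode;
  multiSelectObservation?: MultiSelectObservation[];
  singleSelectObservation?: SingleSelectObservation[];
  prioritizedExcludeObservation?: PrioritizedExcludeObservation[];
  thresholdObservation?: ThresholdObservation[];
}

// The observation blocks a built-in rule carries (the subset of the data
// source's attributes this example needs).
type ObservationBlocks = Pick<AnomalyDuplicateConfig,
  "multiSelectObservation" | "singleSelectObservation" | "prioritizedExcludeObservation" | "thresholdObservation">;

// Returns a list of problems; an empty list means every check passed.
function validateDuplicateRuleConfig(cfg: AnomalyDuplicateConfig): string[] {
  const problems: string[] = [];
  // Required scalar arguments from the argument reference.
  for (const key of ["displayName", "builtInRuleId", "logAnalyticsWorkspaceId"] as const) {
    if (!cfg[key]) problems.push(`${key} is required`);
  }
  if (typeof cfg.enabled !== "boolean") problems.push("enabled is required");
  if (cfg.mode !== "Production" && cfg.mode !== "Flighting") {
    problems.push(`mode must be Production or Flighting, got '${cfg.mode}'`);
  }
  // thresholdObservation: value is required. Keeping it inside the min/max the
  // built-in rule reports is an assumed sanity check, not a documented rule.
  for (const obs of cfg.thresholdObservation ?? []) {
    const v = Number(obs.value);
    if (obs.value.trim() === "" || Number.isNaN(v)) {
      problems.push(`threshold '${obs.name}': value '${obs.value}' is not numeric`);
      continue;
    }
    if (obs.min !== undefined && v < Number(obs.min)) problems.push(`threshold '${obs.name}': ${v} is below min ${obs.min}`);
    if (obs.max !== undefined && v > Number(obs.max)) problems.push(`threshold '${obs.name}': ${v} is above max ${obs.max}`);
  }
  // single/multi select: value(s) are required; membership in supportedValues
  // (when the built-in rule lists them) is likewise an assumed check.
  for (const obs of cfg.singleSelectObservation ?? []) {
    if (obs.supportedValues && !obs.supportedValues.includes(obs.value)) {
      problems.push(`single select '${obs.name}': '${obs.value}' is not a supported value`);
    }
  }
  for (const obs of cfg.multiSelectObservation ?? []) {
    if (obs.values.length === 0) problems.push(`multi select '${obs.name}': values must not be empty`);
    for (const v of obs.values) {
      if (obs.supportedValues && !obs.supportedValues.includes(v)) {
        problems.push(`multi select '${obs.name}': '${v}' is not a supported value`);
      }
    }
  }
  return problems;
}

// Per the NOTE in the argument reference, any block list the duplicate leaves
// unspecified is inherited from the built-in rule.
function effectiveObservations(builtIn: ObservationBlocks, dup: AnomalyDuplicateConfig): ObservationBlocks {
  return {
    multiSelectObservation: dup.multiSelectObservation ?? builtIn.multiSelectObservation,
    singleSelectObservation: dup.singleSelectObservation ?? builtIn.singleSelectObservation,
    prioritizedExcludeObservation: dup.prioritizedExcludeObservation ?? builtIn.prioritizedExcludeObservation,
    thresholdObservation: dup.thresholdObservation ?? builtIn.thresholdObservation,
  };
}

// Constructed sample: a duplicate that tightens the anomaly score threshold and
// narrows a hypothetical "Device types" multi-select observation, leaving the
// other blocks to be inherited. The returned object is what you would pass as
// the third argument of
// new azurerm.sentinelAlertRuleAnomalyDuplicate.SentinelAlertRuleAnomalyDuplicate(this, "example", cfg).
function exampleDuplicateRuleConfig(workspaceId: string, builtInRuleId: string): AnomalyDuplicateConfig {
  return {
    displayName: "example duplicated UEBA Anomalous Sign In",
    builtInRuleId,
    logAnalyticsWorkspaceId: workspaceId,
    enabled: true,
    mode: "Flighting",
    thresholdObservation: [{ name: "Anomaly score threshold", value: "0.6", min: "0", max: "1" }],
    multiSelectObservation: [{ name: "Device types", values: ["Windows"], supportedValues: ["Windows", "Linux", "macOS"] }],
  };
}
```

Run `validateDuplicateRuleConfig` on the object before constructing the resource so that a bad `mode` or an out-of-range threshold fails at synth time rather than at `terraform apply`; `effectiveObservations` is useful when reviewing what a duplicated rule will actually evaluate, since the inherited blocks never appear in the duplicate's own configuration.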
## Attributes Reference

In addition to the Arguments listed above, the following Attributes are exported:

- `id` - The ID of the Built-in Anomaly Alert Rule.
- `anomalySettingsVersion` - The version of the Anomaly Security ML Analytics Settings.
- `anomalyVersion` - The anomaly version of the Anomaly Alert Rule.
- `description` - The description of the Anomaly Alert Rule.
- `frequency` - The frequency the Anomaly Alert Rule will be run, such as "P1D".
- `isDefaultSettings` - Whether the current settings of the Anomaly Alert Rule equal the default settings.
- `requiredDataConnector` - A `requiredDataConnector` block as defined below.
- `settingsDefinitionId` - The ID of the anomaly settings definition.
- `tactics` - A list of categories of attacks by which to classify the rule.
- `techniques` - A list of techniques of attacks by which to classify the rule.

A `requiredDataConnector` block exports the following:

- `connectorId` - The ID of the required Data Connector.
- `dataTypes` - A list of data types of the required Data Connector.
## Timeouts

The `timeouts` block allows you to specify timeouts for certain actions:

- `create` - (Defaults to 30 minutes) Used when creating the Built In Anomaly Alert Rule.
- `read` - (Defaults to 5 minutes) Used when retrieving the Built In Anomaly Alert Rule.
- `update` - (Defaults to 30 minutes) Used when updating the Built In Anomaly Alert Rule.
- `delete` - (Defaults to 5 minutes) Used when deleting the Built In Anomaly Alert Rule.
## Import

Built In Anomaly Alert Rules can be imported using the `resourceId`, e.g.