
azurermSentinelAlertRuleFusion

Manages a Sentinel Fusion Alert Rule.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*This snippet belongs inside the constructor of a TerraformStack, which is what `this` refers to.
Argument keys use the camelCase names from the Arguments Reference, as the generated bindings expect.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermLogAnalyticsWorkspaceExample =
  new azurerm.logAnalyticsWorkspace.LogAnalyticsWorkspace(this, "example_1", {
    location: azurermResourceGroupExample.location,
    name: "example-workspace",
    resourceGroupName: azurermResourceGroupExample.name,
    sku: "PerGB2018",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermLogAnalyticsWorkspaceExample.overrideLogicalId("example");
/*The SecurityInsights solution onboards the workspace to Microsoft Sentinel; the Fusion rule depends on it.*/
const azurermLogAnalyticsSolutionExample =
  new azurerm.logAnalyticsSolution.LogAnalyticsSolution(this, "example_2", {
    location: azurermResourceGroupExample.location,
    plan: {
      product: "OMSGallery/SecurityInsights",
      publisher: "Microsoft",
    },
    resourceGroupName: azurermResourceGroupExample.name,
    solutionName: "SecurityInsights",
    workspaceName: azurermLogAnalyticsWorkspaceExample.name,
    workspaceResourceId: azurermLogAnalyticsWorkspaceExample.id,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermLogAnalyticsSolutionExample.overrideLogicalId("example");
const azurermSentinelAlertRuleFusionExample =
  new azurerm.sentinelAlertRuleFusion.SentinelAlertRuleFusion(
    this,
    "example_3",
    {
      alertRuleTemplateGuid: "f71aba3d-28fb-450b-b192-4e76a83015c8",
      logAnalyticsWorkspaceId:
        azurermLogAnalyticsSolutionExample.workspaceResourceId,
      name: "example-fusion-alert-rule",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSentinelAlertRuleFusionExample.overrideLogicalId("example");

Arguments Reference

The following arguments are supported:

  • name - (Required) The name which should be used for this Sentinel Fusion Alert Rule. Changing this forces a new Sentinel Fusion Alert Rule to be created.

  • logAnalyticsWorkspaceId - (Required) The ID of the Log Analytics Workspace this Sentinel Fusion Alert Rule belongs to. Changing this forces a new Sentinel Fusion Alert Rule to be created.

  • alertRuleTemplateGuid - (Required) The GUID of the alert rule template which is used for this Sentinel Fusion Alert Rule. Changing this forces a new Sentinel Fusion Alert Rule to be created.

  • enabled - (Optional) Should this Sentinel Fusion Alert Rule be enabled? Defaults to true.

  • source - (Optional) One or more source blocks as defined below.


A source block supports the following:

  • name - (Required) The name of the Fusion source signal. Refer to Fusion alert rule template for supported values.

  • enabled - (Optional) Whether this source signal is enabled in Fusion detection. Defaults to true.

  • subType - (Optional) One or more subType blocks as defined below.


A subType block supports the following:

  • name - (Required) The Name of the source subtype under a given source signal in Fusion detection. Refer to Fusion alert rule template for supported values.

  • enabled - (Optional) Whether this source subtype under the source signal is enabled in Fusion detection. Defaults to true.

  • severitiesAllowed - (Required) A list of severities that are enabled for this source subtype consumed in Fusion detection. Possible values for each element are high, medium, low, informational.
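The Example Usage above does not show the source and subType blocks. The following added TypeScript helper (not part of the provider documentation or the generated bindings) builds and validates a source array in the shape described in this reference before it is passed as the source argument of SentinelAlertRuleFusion; the signal and subtype names it uses are placeholders, since the supported values come from the Fusion alert rule template.

```typescript
// Added example (not from the provider docs): validate the `source` /
// `subType` blocks of a Sentinel Fusion rule before handing them to
// SentinelAlertRuleFusion. Keys are the camelCase names from the argument
// reference. Signal and subtype names are placeholders; real values must
// come from the Fusion alert rule template.

type Severity = "high" | "medium" | "low" | "informational";
const SEVERITIES: readonly string[] = ["high", "medium", "low", "informational"];

// Untyped input, e.g. loaded from a JSON/YAML file that operators edit.
interface SubTypeInput { name: string; enabled?: boolean; severitiesAllowed: string[] }
interface SourceInput { name: string; enabled?: boolean; subType?: SubTypeInput[] }

// Normalised output: every `enabled` flag is explicit, severities are validated.
interface SubTypeBlock { name: string; enabled: boolean; severitiesAllowed: Severity[] }
interface SourceBlock { name: string; enabled: boolean; subType: SubTypeBlock[] }

function buildFusionSources(sources: SourceInput[]): SourceBlock[] {
  if (sources.length === 0) throw new Error("at least one source block is required");
  const out: SourceBlock[] = sources.map((s) => {
    if (!s.name) throw new Error("source.name is required");
    const subType: SubTypeBlock[] = (s.subType ?? []).map((st) => {
      if (!st.name) throw new Error(`subType.name is required under source '${s.name}'`);
      // severitiesAllowed is required and may only hold the documented values
      const sev = Array.from(new Set(st.severitiesAllowed));
      if (sev.length === 0) throw new Error(`subType '${st.name}' needs at least one severity`);
      for (const v of sev) {
        if (!SEVERITIES.includes(v)) throw new Error(`invalid severity '${v}' in subType '${st.name}'`);
      }
      return { name: st.name, enabled: st.enabled ?? true, severitiesAllowed: sev as Severity[] };
    });
    return { name: s.name, enabled: s.enabled ?? true, subType };
  });
  // A rule whose sources are all disabled deploys fine but never correlates anything.
  if (!out.some((s) => s.enabled)) throw new Error("every source is disabled; the rule would never fire");
  return out;
}

// Constructed sample input: two placeholder signals, the second narrowed to
// high/medium alerts from one placeholder subtype (duplicate severity is deduplicated).
const exampleSources = buildFusionSources([
  { name: "PLACEHOLDER_SIGNAL_A" },
  {
    name: "PLACEHOLDER_SIGNAL_B",
    subType: [{ name: "PLACEHOLDER_SUBTYPE", severitiesAllowed: ["high", "medium", "high"] }],
  },
]);
// exampleSources can be passed as `source: exampleSources` to SentinelAlertRuleFusion.
```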

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Sentinel Fusion Alert Rule.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Sentinel Fusion Alert Rule.
  • read - (Defaults to 5 minutes) Used when retrieving the Sentinel Fusion Alert Rule.
  • update - (Defaults to 30 minutes) Used when updating the Sentinel Fusion Alert Rule.
  • delete - (Defaults to 30 minutes) Used when deleting the Sentinel Fusion Alert Rule.

Import

Sentinel Fusion Alert Rules can be imported using the resourceId, e.g.

terraform import azurerm_sentinel_alert_rule_fusion.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1