
azurermSentinelAlertRuleMsSecurityIncident

Manages a Sentinel MS Security Incident Alert Rule.

Example Usage

/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as azurerm from "./.gen/providers/azurerm";
/* The code below runs inside the constructor of a TerraformStack, so `this`
   is the stack scope. Argument names follow the camelCase form the generated
   bindings expose (see the Arguments Reference). */
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [{}],
});
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermLogAnalyticsWorkspaceExample =
  new azurerm.logAnalyticsWorkspace.LogAnalyticsWorkspace(this, "example_2", {
    location: azurermResourceGroupExample.location,
    name: "example-workspace",
    resourceGroupName: azurermResourceGroupExample.name,
    sku: "PerGB2018",
  });
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
azurermLogAnalyticsWorkspaceExample.overrideLogicalId("example");
/* Sentinel must be onboarded onto the workspace before any alert rule can be
   created in it; the rule below depends on this resource's workspaceId. */
const azurermSentinelLogAnalyticsWorkspaceOnboardingExample =
  new azurerm.sentinelLogAnalyticsWorkspaceOnboarding.SentinelLogAnalyticsWorkspaceOnboarding(
    this,
    "example_3",
    {
      workspaceId: azurermLogAnalyticsWorkspaceExample.id,
    }
  );
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
azurermSentinelLogAnalyticsWorkspaceOnboardingExample.overrideLogicalId(
  "example"
);
const azurermSentinelAlertRuleMsSecurityIncidentExample =
  new azurerm.sentinelAlertRuleMsSecurityIncident.SentinelAlertRuleMsSecurityIncident(
    this,
    "example_4",
    {
      displayName: "example rule",
      logAnalyticsWorkspaceId:
        azurermSentinelLogAnalyticsWorkspaceOnboardingExample.workspaceId,
      name: "example-ms-security-incident-alert-rule",
      productFilter: "Microsoft Cloud App Security",
      // Only alerts at these severities become incidents; at least one is required.
      severityFilter: ["High"],
    }
  );
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
azurermSentinelAlertRuleMsSecurityIncidentExample.overrideLogicalId("example");

Arguments Reference

The following arguments are supported:

  • name - (Required) The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.

  • logAnalyticsWorkspaceId - (Required) The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.

  • displayName - (Required) The friendly name of this Sentinel MS Security Incident Alert Rule.

  • productFilter - (Required) The Microsoft Security Service from which the alerts are taken. Possible values are Azure Active Directory Identity Protection, Azure Advanced Threat Protection, Azure Security Center, Azure Security Center for IoT, Microsoft Cloud App Security, Microsoft Defender Advanced Threat Protection and Office 365 Advanced Threat Protection.

  • severityFilter - (Required) Only create incidents from alerts whose severity level is contained in this list. Possible values are High, Medium, Low and Informational.

~> NOTE: At least one severity filter needs to be set.

  • alertRuleTemplateGuid - (Optional) The GUID of the alert rule template which is used to create this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.

  • description - (Optional) The description of this Sentinel MS Security Incident Alert Rule.

  • enabled - (Optional) Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to true.

  • displayNameFilter - (Optional) Only create incidents when the alert display name contains text from this list. Leave it empty to apply no filter.

  • displayNameExcludeFilter - (Optional) Only create incidents when the alert display name does not contain text from this list.
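The constraints listed above (allowed product and severity values, the non-empty severity list, and which arguments force replacement) are easy to get wrong before `cdktf deploy` runs. The following is an added example, not part of the provider documentation: a small pre-apply check written against these documented arguments. The rule interface and the "already excluded" check are constructed for illustration; the allowed values are the provider's documented strings.

```typescript
// Added example (not from the provider docs): a pre-apply check over the
// arguments documented above. Allowed values are the provider's documented strings.
const PRODUCT_FILTERS: readonly string[] = [
  "Azure Active Directory Identity Protection", "Azure Advanced Threat Protection",
  "Azure Security Center", "Azure Security Center for IoT",
  "Microsoft Cloud App Security", "Microsoft Defender Advanced Threat Protection",
  "Office 365 Advanced Threat Protection",
];
const SEVERITIES: readonly string[] = ["High", "Medium", "Low", "Informational"];

// Constructed subset of the resource's arguments, enough for the checks below.
interface MsSecurityIncidentRule {
  name: string;
  logAnalyticsWorkspaceId: string;
  productFilter: string;
  severityFilter: string[];
  alertRuleTemplateGuid?: string;
  displayNameFilter?: string[];
  displayNameExcludeFilter?: string[];
}

// Problems the provider or the Sentinel API would reject at apply time.
function validateRule(rule: MsSecurityIncidentRule): string[] {
  const errors: string[] = [];
  if (!PRODUCT_FILTERS.includes(rule.productFilter)) {
    errors.push(`productFilter: unknown product "${rule.productFilter}"`);
  }
  if (rule.severityFilter.length === 0) {
    errors.push("severityFilter: at least one severity must be set");
  }
  for (const s of rule.severityFilter) {
    if (!SEVERITIES.includes(s)) errors.push(`severityFilter: unknown severity "${s}"`);
  }
  // A term present in both lists can never match an alert; flag the contradiction.
  const exclude = rule.displayNameExcludeFilter ?? [];
  for (const t of rule.displayNameFilter ?? []) {
    if (exclude.includes(t)) errors.push(`displayNameFilter: "${t}" is also excluded`);
  }
  return errors;
}

// Arguments documented above as "Changing this forces a new ... to be created".
// A replaced rule creates no incidents until the new one exists, so surface it.
const FORCE_NEW: (keyof MsSecurityIncidentRule)[] =
  ["name", "logAnalyticsWorkspaceId", "alertRuleTemplateGuid"];

function forcesReplacement(current: MsSecurityIncidentRule,
                           desired: MsSecurityIncidentRule): string[] {
  return FORCE_NEW.filter((k) => current[k] !== desired[k]);
}
```

Run `validateRule` over the rule object before it is passed to the construct, and `forcesReplacement` against the currently deployed values when reviewing a plan that would recreate a rule.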

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Sentinel MS Security Incident Alert Rule.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Sentinel MS Security Incident Alert Rule.
  • read - (Defaults to 5 minutes) Used when retrieving the Sentinel MS Security Incident Alert Rule.
  • update - (Defaults to 30 minutes) Used when updating the Sentinel MS Security Incident Alert Rule.
  • delete - (Defaults to 30 minutes) Used when deleting the Sentinel MS Security Incident Alert Rule.

Import

Sentinel MS Security Incident Alert Rules can be imported using the resource ID, e.g.

terraform import azurerm_sentinel_alert_rule_ms_security_incident.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1