azurermSentinelAlertRuleMsSecurityIncident
Manages a Sentinel MS Security Incident Alert Rule.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
new azurerm.provider.AzurermProvider(this, "azurerm", {
features: [{}],
});
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
this,
"example",
{
location: "West Europe",
name: "example-resources",
}
);
const azurermLogAnalyticsWorkspaceExample =
new azurerm.logAnalyticsWorkspace.LogAnalyticsWorkspace(this, "example_2", {
location: azurermResourceGroupExample.location,
name: "example-workspace",
resource_group_name: azurermResourceGroupExample.name,
sku: "PerGB2018",
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermLogAnalyticsWorkspaceExample.overrideLogicalId("example");
const azurermSentinelLogAnalyticsWorkspaceOnboardingExample =
new azurerm.sentinelLogAnalyticsWorkspaceOnboarding.SentinelLogAnalyticsWorkspaceOnboarding(
this,
"example_3",
{
workspace_id: azurermLogAnalyticsWorkspaceExample.id,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSentinelLogAnalyticsWorkspaceOnboardingExample.overrideLogicalId(
"example"
);
const azurermSentinelAlertRuleMsSecurityIncidentExample =
new azurerm.sentinelAlertRuleMsSecurityIncident.SentinelAlertRuleMsSecurityIncident(
this,
"example_4",
{
display_name: "example rule",
log_analytics_workspace_id:
azurermSentinelLogAnalyticsWorkspaceOnboardingExample.workspaceId,
name: "example-ms-security-incident-alert-rule",
product_filter: "Microsoft Cloud App Security",
severity_filter: ["High"],
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSentinelAlertRuleMsSecurityIncidentExample.overrideLogicalId("example");
Arguments Reference
The following arguments are supported:
-
name
- (Required) The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created. -
logAnalyticsWorkspaceId
- (Required) The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created. -
displayName
- (Required) The friendly name of this Sentinel MS Security Incident Alert Rule. -
productFilter
- (Required) The Microsoft Security Service from where the alert will be generated. Possible values areazureActiveDirectoryIdentityProtection
,azureAdvancedThreatProtection
,azureSecurityCenter
,azureSecurityCenterForIoT
,microsoftCloudAppSecurity
,microsoftDefenderAdvancedThreatProtection
andoffice365AdvancedThreatProtection
. -
severityFilter
- (Required) Only create incidents from alerts when alert severity level is contained in this list. Possible values arehigh
,medium
,low
andinformational
.
\~> NOTE At least one of the severity filters need to be set.
-
alertRuleTemplateGuid
- (Optional) The GUID of the alert rule template which is used to create this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created. -
description
- (Optional) The description of this Sentinel MS Security Incident Alert Rule. -
enabled
- (Optional) Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults totrue
. -
displayNameFilter
- (Optional) Only create incidents when the alert display name contain text from this list, leave empty to apply no filter. -
displayNameExcludeFilter
- (Optional) Only create incidents when the alert display name doesn't contain text from this list.
Attributes Reference
In addition to the Arguments listed above - the following Attributes are exported:
id
- The ID of the Sentinel MS Security Incident Alert Rule.
Timeouts
The timeouts
block allows you to specify timeouts for certain actions:
create
- (Defaults to 30 minutes) Used when creating the Sentinel MS Security Incident Alert Rule.read
- (Defaults to 5 minutes) Used when retrieving the Sentinel MS Security Incident Alert Rule.update
- (Defaults to 30 minutes) Used when updating the Sentinel MS Security Incident Alert Rule.delete
- (Defaults to 30 minutes) Used when deleting the Sentinel MS Security Incident Alert Rule.
Import
Sentinel MS Security Incident Alert Rules can be imported using the resourceId
, e.g.