
azurermSentinelAlertRuleNrt

Manages a Sentinel NRT Alert Rule.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { App, TerraformStack } from "cdktf";
import * as azurerm from "./.gen/providers/azurerm";

/*The generated TypeScript bindings expose properties in camelCase (for example
resourceGroupName rather than resource_group_name); the converted snippet is
wrapped in a stack so that it can be synthesized as-is.*/
class SentinelNrtStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    new azurerm.provider.AzurermProvider(this, "azurerm", {
      features: [{}],
    });
    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
      this,
      "example",
      {
        location: "West Europe",
        name: "example-resources",
      }
    );
    // Log Analytics workspace that Sentinel is onboarded onto below.
    const azurermLogAnalyticsWorkspaceExample =
      new azurerm.logAnalyticsWorkspace.LogAnalyticsWorkspace(this, "example_2", {
        location: azurermResourceGroupExample.location,
        name: "example-workspace",
        resourceGroupName: azurermResourceGroupExample.name,
        sku: "pergb2018",
      });
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    azurermLogAnalyticsWorkspaceExample.overrideLogicalId("example");
    const azurermSentinelLogAnalyticsWorkspaceOnboardingExample =
      new azurerm.sentinelLogAnalyticsWorkspaceOnboarding.SentinelLogAnalyticsWorkspaceOnboarding(
        this,
        "example_3",
        {
          workspaceId: azurermLogAnalyticsWorkspaceExample.id,
        }
      );
    /*Same logical-id override as above.*/
    azurermSentinelLogAnalyticsWorkspaceOnboardingExample.overrideLogicalId(
      "example"
    );
    // NRT rule: the KQL query is evaluated against each newly ingested record.
    const azurermSentinelAlertRuleNrtExample =
      new azurerm.sentinelAlertRuleNrt.SentinelAlertRuleNrt(this, "example_4", {
        displayName: "example",
        logAnalyticsWorkspaceId:
          azurermSentinelLogAnalyticsWorkspaceOnboardingExample.workspaceId,
        name: "example",
        query:
          'AzureActivity |\n  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |\n  where ActivityStatus == "Succeeded" |\n  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller\n',
        severity: "High",
      });
    /*Same logical-id override as above.*/
    azurermSentinelAlertRuleNrtExample.overrideLogicalId("example");
  }
}

const app = new App();
new SentinelNrtStack(app, "sentinel-nrt-example");
app.synth();

Arguments Reference

The following arguments are supported:

  • name - (Required) The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

  • logAnalyticsWorkspaceId - (Required) The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

  • displayName - (Required) The friendly name of this Sentinel NRT Alert Rule.

  • severity - (Required) The alert severity of this Sentinel NRT Alert Rule. Possible values are high, medium, low and informational.

  • query - (Required) The query of this Sentinel NRT Alert Rule.


  • alertDetailsOverride - (Optional) An alertDetailsOverride block as defined below.

  • alertRuleTemplateGuid - (Optional) The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

  • alertRuleTemplateVersion - (Optional) The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

  • customDetails - (Optional) A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

  • description - (Optional) The description of this Sentinel NRT Alert Rule.

  • enabled - (Optional) Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

  • entityMapping - (Optional) A list of entityMapping blocks as defined below.

  • eventGrouping - (Optional) An eventGrouping block as defined below.

-> NOTE: eventGrouping will be required in the next major version of the AzureRM Provider.

  • sentinelEntityMapping - (Optional) A list of sentinelEntityMapping blocks as defined below.

-> NOTE: entityMapping and sentinelEntityMapping together can't exceed 5.

  • incident - (Optional) An incident block as defined below.

  • suppressionDuration - (Optional) If suppressionEnabled is true, this is the ISO 8601 timespan duration for which the query should stop running after an alert is generated. Defaults to pt5H.

  • suppressionEnabled - (Optional) Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to false.

  • tactics - (Optional) A list of categories of attacks by which to classify the rule. Possible values are collection, commandAndControl, credentialAccess, defenseEvasion, discovery, execution, exfiltration, impact, initialAccess, lateralMovement, persistence, privilegeEscalation and preAttack.

  • techniques - (Optional) A list of techniques of attacks by which to classify the rule.


An alertDetailsOverride block supports the following:

  • descriptionFormat - (Optional) The format string, containing column name(s), used to override the description of this Sentinel Alert Rule.

  • displayNameFormat - (Optional) The format string, containing column name(s), used to override the name of this Sentinel Alert Rule.

  • severityColumnName - (Optional) The column name to take the alert severity from.

  • tacticsColumnName - (Optional) The column name to take the alert tactics from.

  • dynamicProperty - (Optional) A list of dynamicProperty blocks as defined below.


A dynamicProperty block supports the following:

  • name - (Required) The name of the dynamic property. Possible Values are alertLink, confidenceLevel, confidenceScore, extendedLinks, productComponentName, productName, providerName, remediationSteps and techniques.

  • value - (Required) The value of the dynamic property. Possible Values are caller, dcountResourceId and eventSubmissionTimestamp.


An entityMapping block supports the following:

  • entityType - (Required) The type of the entity. Possible values are account, azureResource, cloudApplication, dns, file, fileHash, host, ip, mailbox, mailCluster, mailMessage, malware, process, registryKey, registryValue, securityGroup, submissionMail and url.

  • fieldMapping - (Required) A list of fieldMapping blocks as defined below.


An eventGrouping block supports the following:

  • aggregationMethod - (Required) The aggregation type of grouping the events. Possible values are alertPerResult and singleAlert.

A sentinelEntityMapping block supports the following:

  • columnName - (Required) The column name to be mapped to the identifier.

A fieldMapping block supports the following:

  • identifier - (Required) The identifier of the entity.

  • columnName - (Required) The column name to be mapped to the identifier.


An incident block supports the following:

  • createIncidentEnabled - (Required) Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule.

  • grouping - (Required) A grouping block as defined below.


A grouping block supports the following:

  • enabled - (Optional) Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.

  • lookbackDuration - (Optional) Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to pt5M.

  • reopenClosedIncidents - (Optional) Whether to re-open closed matching incidents. Defaults to false.

  • entityMatchingMethod - (Optional) The method used to group incidents. Possible values are anyAlert, selected and allEntities. Defaults to anyAlert.

  • byEntities - (Optional) A list of entity types to group by, only when the entityMatchingMethod is selected. Possible values are account, azureResource, cloudApplication, dns, file, fileHash, host, ip, mailbox, mailCluster, mailMessage, malware, process, registryKey, registryValue, securityGroup, submissionMail and url.

  • byAlertDetails - (Optional) A list of alert details to group by, only when the entityMatchingMethod is selected. Possible values are displayName and severity.

  • byCustomDetails - (Optional) A list of custom details keys to group by, only when the entityMatchingMethod is selected. Only keys defined in the customDetails may be used.
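The argument reference above states several cross-field rules (entityMapping plus sentinelEntityMapping at most 5, eventGrouping becoming required, byEntities/byCustomDetails only meaningful with entityMatchingMethod selected, byCustomDetails keys having to exist in customDetails). The following is an added example, not code from this page or from the provider: a hand-written TypeScript subset of the documented arguments (the interface NrtRuleConfig and validateNrtRuleConfig are assumptions, not the generated cdktf bindings) plus a fuller rule configuration shaped as it would be passed to SentinelAlertRuleNrt, with those rules checked before synth.

```typescript
// Assumption: a hand-written subset of the documented arguments, typed here
// only for the fields the check needs (not the generated cdktf bindings).
interface NrtRuleConfig {
  name: string;
  displayName: string;
  logAnalyticsWorkspaceId: string;
  severity: string;
  query: string;
  customDetails?: Record<string, string>;
  entityMapping?: { entityType: string; fieldMapping: { identifier: string; columnName: string }[] }[];
  sentinelEntityMapping?: { columnName: string }[];
  eventGrouping?: { aggregationMethod: string };
  incident?: {
    createIncidentEnabled: boolean;
    grouping: { enabled?: boolean; entityMatchingMethod?: string; byEntities?: string[]; byCustomDetails?: string[] };
  };
}

// Returns every documented cross-field constraint the config violates (empty when clean).
function validateNrtRuleConfig(cfg: NrtRuleConfig): string[] {
  const problems: string[] = [];
  const mappings = (cfg.entityMapping?.length ?? 0) + (cfg.sentinelEntityMapping?.length ?? 0);
  if (mappings > 5) problems.push(`entityMapping + sentinelEntityMapping is ${mappings}, limit is 5`);
  if (!cfg.eventGrouping) problems.push("eventGrouping missing (required in the next major provider version)");
  const g = cfg.incident?.grouping;
  if (g && g.entityMatchingMethod !== "selected" && (g.byEntities?.length || g.byCustomDetails?.length))
    problems.push("byEntities/byCustomDetails only apply when entityMatchingMethod is selected");
  for (const key of g?.byCustomDetails ?? [])
    if (!(key in (cfg.customDetails ?? {}))) problems.push(`byCustomDetails key ${key} is not defined in customDetails`);
  return problems;
}

// Constructed sample rule: the page's VM-creation detection, extended with an
// account entity mapping, per-result alerts and incident grouping by caller.
const vmCreationRule: NrtRuleConfig = {
  name: "vm-creation-by-caller",
  displayName: "Successful VM creation per caller",
  logAnalyticsWorkspaceId: // constructed workspace ID, same shape as the import path below
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resources/providers/Microsoft.OperationalInsights/workspaces/example-workspace",
  severity: "High",
  query: 'AzureActivity | where OperationName == "Create or Update Virtual Machine" | where ActivityStatus == "Succeeded" | summarize dcount(ResourceId) by Caller',
  customDetails: { ResourceCount: "dcount_ResourceId" }, // key = alert field, value = query column
  entityMapping: [{ entityType: "account", fieldMapping: [{ identifier: "FullName", columnName: "Caller" }] }],
  eventGrouping: { aggregationMethod: "alertPerResult" },
  incident: {
    createIncidentEnabled: true,
    grouping: { enabled: true, entityMatchingMethod: "selected", byEntities: ["account"], byCustomDetails: ["ResourceCount"] },
  },
};
```

Run the check in the stack constructor and abort synth on a non-empty result, so a mapping budget or grouping mistake is caught before terraform apply reaches the Sentinel API.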

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Sentinel NRT Alert Rule.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Sentinel NRT Alert Rule.
  • read - (Defaults to 5 minutes) Used when retrieving the Sentinel NRT Alert Rule.
  • update - (Defaults to 30 minutes) Used when updating the Sentinel NRT Alert Rule.
  • delete - (Defaults to 30 minutes) Used when deleting the Sentinel NRT Alert Rule.

Import

Sentinel NRT Alert Rules can be imported using the resourceId, e.g.

terraform import azurerm_sentinel_alert_rule_nrt.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1