azurermSentinelAlertRuleScheduled
Manages a Sentinel Scheduled Alert Rule.
Example Usage
```typescript
import { Construct } from "constructs";
import { App, TerraformStack } from "cdktf";
// Provider bindings are generated by running `cdktf get`.
// See https://cdk.tf/provider-generation for more details.
import * as azurerm from "./.gen/providers/azurerm";

class SentinelScheduledAlertRuleStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    new azurerm.provider.AzurermProvider(this, "azurerm", {
      features: [{}],
    });
    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(this, "example", {
      location: "West Europe",
      name: "example-resources",
    });
    const azurermLogAnalyticsWorkspaceExample = new azurerm.logAnalyticsWorkspace.LogAnalyticsWorkspace(
      this,
      "example_2",
      {
        location: azurermResourceGroupExample.location,
        name: "example-workspace",
        resourceGroupName: azurermResourceGroupExample.name,
        sku: "PerGB2018",
      }
    );
    // Keeps the Terraform resource name equal to the original `example`; remove the call if they need not match.
    azurermLogAnalyticsWorkspaceExample.overrideLogicalId("example");
    // Sentinel must be onboarded on the workspace before any alert rule can be created in it.
    const azurermSentinelLogAnalyticsWorkspaceOnboardingExample =
      new azurerm.sentinelLogAnalyticsWorkspaceOnboarding.SentinelLogAnalyticsWorkspaceOnboarding(this, "example_3", {
        workspaceId: azurermLogAnalyticsWorkspaceExample.id,
      });
    azurermSentinelLogAnalyticsWorkspaceOnboardingExample.overrideLogicalId("example");
    const azurermSentinelAlertRuleScheduledExample = new azurerm.sentinelAlertRuleScheduled.SentinelAlertRuleScheduled(
      this,
      "example_4",
      {
        displayName: "example",
        // Referencing the onboarding resource's workspace ID orders the rule after Sentinel onboarding.
        logAnalyticsWorkspaceId: azurermSentinelLogAnalyticsWorkspaceOnboardingExample.workspaceId,
        name: "example",
        // KQL: per-caller daily count of distinct resources created or deployed over the last 7 days.
        query:
          'AzureActivity |\n where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |\n where ActivityStatus == "Succeeded" |\n make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller\n',
        severity: "High",
      }
    );
    azurermSentinelAlertRuleScheduledExample.overrideLogicalId("example");
  }
}

const app = new App();
new SentinelScheduledAlertRuleStack(app, "sentinel-scheduled-alert-rule");
app.synth();
```
Arguments Reference
The following arguments are supported:
- `name` - (Required) The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- `logAnalyticsWorkspaceId` - (Required) The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- `displayName` - (Required) The friendly name of this Sentinel Scheduled Alert Rule.
- `severity` - (Required) The alert severity of this Sentinel Scheduled Alert Rule. Possible values are `high`, `medium`, `low` and `informational`.
- `query` - (Required) The query of this Sentinel Scheduled Alert Rule.
- `alertDetailsOverride` - (Optional) An `alertDetailsOverride` block as defined below.
- `alertRuleTemplateGuid` - (Optional) The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- `alertRuleTemplateVersion` - (Optional) The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- `customDetails` - (Optional) A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- `description` - (Optional) The description of this Sentinel Scheduled Alert Rule.
- `enabled` - (Optional) Should the Sentinel Scheduled Alert Rule be enabled? Defaults to `true`.
- `entityMapping` - (Optional) A list of `entityMapping` blocks as defined below.
- `eventGrouping` - (Optional) An `eventGrouping` block as defined below.
- `incidentConfiguration` - (Optional) An `incidentConfiguration` block as defined below.
- `queryFrequency` - (Optional) The ISO 8601 timespan duration between two consecutive queries. Defaults to `pt5H`.
- `queryPeriod` - (Optional) The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to `pt5H`.

-> NOTE: `queryPeriod` must be larger than or equal to `queryFrequency`, which ensures there are no gaps in the overall query coverage.

- `suppressionDuration` - (Optional) If `suppressionEnabled` is `true`, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to `pt5H`.

-> NOTE: `suppressionDuration` must be larger than or equal to `queryFrequency`, otherwise the suppression has no actual effect since no query will happen during the suppression duration.

- `suppressionEnabled` - (Optional) Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to `false`.
- `sentinelEntityMapping` - (Optional) A list of `sentinelEntityMapping` blocks as defined below.

-> NOTE: `entityMapping` and `sentinelEntityMapping` together can't exceed 5.

- `tactics` - (Optional) A list of categories of attacks by which to classify the rule. Possible values are `collection`, `commandAndControl`, `credentialAccess`, `defenseEvasion`, `discovery`, `execution`, `exfiltration`, `impairProcessControl`, `inhibitResponseFunction`, `impact`, `initialAccess`, `lateralMovement`, `persistence`, `privilegeEscalation`, `preAttack`, `reconnaissance` and `resourceDevelopment`.
- `techniques` - (Optional) A list of techniques of attacks by which to classify the rule.
- `triggerOperator` - (Optional) The alert trigger operator, combined with `triggerThreshold`, setting the alert threshold of this Sentinel Scheduled Alert Rule. Possible values are `equal`, `greaterThan`, `lessThan` and `notEqual`.
- `triggerThreshold` - (Optional) The baseline number of query results generated, combined with `triggerOperator`, setting the alert threshold of this Sentinel Scheduled Alert Rule. Defaults to `0`.
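The three notes above (query coverage, suppression, and the entity-mapping limit) are easy to violate silently in a plan. The following is an added example, not part of the provider documentation or the azurerm provider's code: a small pre-plan lint over a plain object shaped like the resource's arguments. `ScheduledRuleArgs`, `isoDurationToSeconds`, `lintScheduledRule` and the sample rule are all assumptions made for this example.

```typescript
// Added example, not from the provider docs: lint a rule config against the notes above.
interface ScheduledRuleArgs {
  queryFrequency?: string; // ISO 8601 duration; the reference above gives the default as pt5H
  queryPeriod?: string; // ISO 8601 duration; default pt5H
  suppressionEnabled?: boolean;
  suppressionDuration?: string; // ISO 8601 duration; default pt5H
  entityMapping?: { entityType: string; fieldMapping: { identifier: string; columnName: string }[] }[];
  sentinelEntityMapping?: { columnName: string }[];
}
const DEFAULT_DURATION = "PT5H"; // same value as the page's pt5H; the parser is case-insensitive

// Convert the PnDTnHnMnS subset of ISO 8601 durations that Sentinel uses into seconds.
function isoDurationToSeconds(value: string): number {
  const m = /^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$/i.exec(value);
  if (!m || /^PT?$/i.test(value)) throw new Error(`not an ISO 8601 duration: ${value}`);
  const [, d, h, min, s] = m.map((x) => Number(x || 0));
  return d * 86400 + h * 3600 + min * 60 + s;
}

// One finding per violated constraint; an empty list means the rule is consistent.
function lintScheduledRule(rule: ScheduledRuleArgs): string[] {
  const findings: string[] = [];
  const frequency = isoDurationToSeconds(rule.queryFrequency ?? DEFAULT_DURATION);
  const period = isoDurationToSeconds(rule.queryPeriod ?? DEFAULT_DURATION);
  if (period < frequency) {
    findings.push("queryPeriod is shorter than queryFrequency: events between runs are never scanned");
  }
  if (rule.suppressionEnabled) {
    const suppression = isoDurationToSeconds(rule.suppressionDuration ?? DEFAULT_DURATION);
    if (suppression < frequency) {
      findings.push("suppressionDuration is shorter than queryFrequency: suppression has no effect");
    }
  }
  const mappings = (rule.entityMapping?.length ?? 0) + (rule.sentinelEntityMapping?.length ?? 0);
  if (mappings > 5) {
    findings.push(`entityMapping + sentinelEntityMapping count is ${mappings}, the limit is 5`);
  }
  return findings;
}

// Constructed sample that violates all three constraints: a 10-minute schedule with a
// 5-minute lookback, suppression shorter than the schedule, and six entity mappings.
const sampleRule: ScheduledRuleArgs = {
  queryFrequency: "PT10M",
  queryPeriod: "PT5M",
  suppressionEnabled: true,
  suppressionDuration: "PT5M",
  entityMapping: [{ entityType: "account", fieldMapping: [{ identifier: "Name", columnName: "Caller" }] }],
  sentinelEntityMapping: ["Caller", "ResourceId", "SubscriptionId", "ResourceGroup", "CorrelationId"]
    .map((columnName) => ({ columnName })),
};
console.log(lintScheduledRule(sampleRule));
```

Run it against the argument object before `cdktf deploy`; a non-empty list means the rule would deploy but leave a coverage gap, a no-op suppression, or be rejected for too many mappings.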
An `alertDetailsOverride` block supports the following:
- `descriptionFormat` - (Optional) The format containing column name(s) to override the description of this Sentinel Alert Rule.
- `displayNameFormat` - (Optional) The format containing column name(s) to override the name of this Sentinel Alert Rule.
- `severityColumnName` - (Optional) The column name to take the alert severity from.
- `tacticsColumnName` - (Optional) The column name to take the alert tactics from.
- `dynamicProperty` - (Optional) A list of `dynamicProperty` blocks as defined below.

A `dynamicProperty` block supports the following:
- `name` - (Required) The name of the dynamic property. Possible values are `alertLink`, `confidenceLevel`, `confidenceScore`, `extendedLinks`, `productComponentName`, `productName`, `providerName`, `remediationSteps` and `techniques`.
- `value` - (Required) The value of the dynamic property. Possible values are `caller`, `dcountResourceId` and `eventSubmissionTimestamp`.

An `entityMapping` block supports the following:
- `entityType` - (Required) The type of the entity. Possible values are `account`, `azureResource`, `cloudApplication`, `dns`, `file`, `fileHash`, `host`, `ip`, `mailbox`, `mailCluster`, `mailMessage`, `malware`, `process`, `registryKey`, `registryValue`, `securityGroup`, `submissionMail` and `url`.
- `fieldMapping` - (Required) A list of `fieldMapping` blocks as defined below.

A `sentinelEntityMapping` block supports the following:
- `columnName` - (Required) The column name to be mapped to the identifier.

An `eventGrouping` block supports the following:
- `aggregationMethod` - (Required) The aggregation type for grouping the events. Possible values are `alertPerResult` and `singleAlert`.

A `fieldMapping` block supports the following:
- `identifier` - (Required) The identifier of the entity.
- `columnName` - (Required) The column name to be mapped to the identifier.

An `incidentConfiguration` block supports the following:
- `createIncident` - (Required) Whether to create an incident from alerts triggered by this Sentinel Scheduled Alert Rule.
- `grouping` - (Required) A `grouping` block as defined below.

A `grouping` block supports the following:
- `enabled` - (Optional) Enable grouping of incidents created from alerts triggered by this Sentinel Scheduled Alert Rule. Defaults to `true`.
- `lookbackDuration` - (Optional) Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to `pt5M`.
- `reopenClosedIncidents` - (Optional) Whether to re-open closed matching incidents. Defaults to `false`.
- `entityMatchingMethod` - (Optional) The method used to group incidents. Possible values are `anyAlert`, `selected` and `allEntities`. Defaults to `anyAlert`.
- `groupByEntities` - (Optional) A list of entity types to group by, only when the `entityMatchingMethod` is `selected`. Possible values are `account`, `azureResource`, `cloudApplication`, `dns`, `file`, `fileHash`, `host`, `ip`, `mailbox`, `mailCluster`, `mailMessage`, `malware`, `process`, `registryKey`, `registryValue`, `securityGroup`, `submissionMail` and `url`.
- `groupByAlertDetails` - (Optional) A list of alert details to group by, only when the `entityMatchingMethod` is `selected`. Possible values are `displayName` and `severity`.
- `groupByCustomDetails` - (Optional) A list of custom details keys to group by, only when the `entityMatchingMethod` is `selected`. Only keys defined in `customDetails` may be used.
Attributes Reference
In addition to the Arguments listed above, the following Attributes are exported:
- `id` - The ID of the Sentinel Scheduled Alert Rule.
Timeouts
The `timeouts` block allows you to specify timeouts for certain actions:
- `create` - (Defaults to 30 minutes) Used when creating the Sentinel Scheduled Alert Rule.
- `read` - (Defaults to 5 minutes) Used when retrieving the Sentinel Scheduled Alert Rule.
- `update` - (Defaults to 30 minutes) Used when updating the Sentinel Scheduled Alert Rule.
- `delete` - (Defaults to 30 minutes) Used when deleting the Sentinel Scheduled Alert Rule.
Import
Sentinel Scheduled Alert Rules can be imported using the `resourceId`, e.g.