
azurermSentinelAutomationRule

Manages a Sentinel Automation Rule.

Example Usage

/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import { Construct } from "constructs";
import { App, TerraformStack } from "cdktf";
import * as azurerm from "./.gen/providers/azurerm";

class SentinelAutomationRuleStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // The azurerm provider requires a features block, even an empty one.
    new azurerm.provider.AzurermProvider(this, "azurerm", {
      features: [{}],
    });
    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
      this,
      "example",
      {
        location: "west europe",
        name: "example-rg",
      }
    );
    const azurermLogAnalyticsWorkspaceExample =
      new azurerm.logAnalyticsWorkspace.LogAnalyticsWorkspace(this, "example_2", {
        location: azurermResourceGroupExample.location,
        name: "example-workspace",
        resourceGroupName: azurermResourceGroupExample.name,
        sku: "PerGB2018",
      });
    /* overrideLogicalId keeps the Terraform resource name equal to the original HCL name.
       You can remove these calls if you don't need them to match. */
    azurermLogAnalyticsWorkspaceExample.overrideLogicalId("example");
    // Sentinel must be onboarded onto the workspace before an automation rule can be created in it.
    const azurermSentinelLogAnalyticsWorkspaceOnboardingExample =
      new azurerm.sentinelLogAnalyticsWorkspaceOnboarding.SentinelLogAnalyticsWorkspaceOnboarding(
        this,
        "example_3",
        {
          workspaceId: azurermLogAnalyticsWorkspaceExample.id,
        }
      );
    azurermSentinelLogAnalyticsWorkspaceOnboardingExample.overrideLogicalId("example");
    const azurermSentinelAutomationRuleExample =
      new azurerm.sentinelAutomationRule.SentinelAutomationRule(this, "example_4", {
        // With no condition, this action runs on every incident created in the workspace.
        actionIncident: [
          {
            order: 1,
            status: "Active",
          },
        ],
        displayName: "automation_rule1",
        // Referencing the onboarding resource's workspaceId makes Terraform create the onboarding first.
        logAnalyticsWorkspaceId:
          azurermSentinelLogAnalyticsWorkspaceOnboardingExample.workspaceId,
        // name must be a UUID; changing it forces a new rule.
        name: "56094f72-ac3f-40e7-a0c0-47bd95f70336",
        order: 1,
      });
    azurermSentinelAutomationRuleExample.overrideLogicalId("example");
  }
}

const app = new App();
new SentinelAutomationRuleStack(app, "sentinel-automation-rule");
app.synth();

Arguments Reference

The following arguments are supported:

  • name - (Required) The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

  • logAnalyticsWorkspaceId - (Required) The ID of the Log Analytics Workspace that this Sentinel Automation Rule applies to. Changing this forces a new Sentinel Automation Rule to be created.

  • displayName - (Required) The display name which should be used for this Sentinel Automation Rule.

  • order - (Required) The order of this Sentinel Automation Rule. Possible values are between 1 and 1000.


  • actionIncident - (Optional) One or more actionIncident blocks as defined below.

  • actionPlaybook - (Optional) One or more actionPlaybook blocks as defined below.

~> Note: At least one actionIncident block or actionPlaybook block has to be specified.

  • condition - (Optional, Deprecated) One or more condition blocks as defined below.

~> Note: The condition block only supports the Property condition type. Use conditionJson if you need other condition types.

  • conditionJson - (Optional) A JSON array of one or more condition JSON objects as defined here.

  • enabled - (Optional) Whether this Sentinel Automation Rule is enabled. Defaults to true.

  • expiration - (Optional) The time, in RFC3339 format (UTC), at which this Automation Rule expires and is disabled.

  • triggersOn - (Optional) Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.

  • triggersWhen - (Optional) Specifies when this automation rule is triggered. Possible values are Created and Updated. Defaults to Created.


An actionIncident block supports the following:

  • order - (Required) The execution order of this action.

  • status - (Optional) The status to set on the incident. Possible values are: Active, Closed, New.

  • classification - (Optional) The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.

    ~> Note: The classification is required when status is Closed.

  • classificationComment - (Optional) The comment why the incident is to be closed.

    ~> Note: The classificationComment may only be set when status is Closed.

  • labels - (Optional) Specifies a list of labels to add to the incident.

  • ownerId - (Optional) The object ID of the entity this incident is assigned to.

  • severity - (Optional) The severity to set on the incident. Possible values are High, Informational, Low and Medium.

~> Note: At least one of status, labels, ownerId and severity has to be set.


An actionPlaybook block supports the following:

  • logicAppId - (Required) The ID of the Logic App that defines the playbook's logic.

  • order - (Required) The execution order of this action.

  • tenantId - (Optional) The ID of the Tenant that owns the playbook.


A condition block supports the following:

  • operator - (Required) The operator used to evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.

  • property - (Required) The property used to evaluate the condition. Possible values include: AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentDescription, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData, Url.

  • values - (Required) Specifies a list of values used to evaluate the condition.
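
As an added example (not from the provider documentation or the cdktf converter output), the TypeScript below assembles the argument values for a rule that auto-closes incidents raised by an approved internal scanner, builds the conditionJson string from Property conditions, and checks the whole object against the constraints in this reference before it is handed to the SentinelAutomationRule construct. The JSON shape of a Property condition (conditionType, conditionProperties, propertyName, operator, propertyValues) is assumed from the Sentinel REST API that the conditionJson argument refers to; the rule UUID, workspace ID, scanner address and incident title are constructed placeholders.

```typescript
// Added example: pre-flight checks for SentinelAutomationRule arguments.
// Not part of the azurerm provider or the cdktf-generated bindings.

type Operator = "Equals" | "NotEquals" | "Contains" | "NotContains" |
  "StartsWith" | "NotStartsWith" | "EndsWith" | "NotEndsWith";

// Shape assumed from the Sentinel REST API's Property condition.
interface PropertyCondition {
  conditionType: "Property";
  conditionProperties: { propertyName: string; operator: Operator; propertyValues: string[] };
}

interface ActionIncident {
  order: number;
  status?: "Active" | "Closed" | "New";
  classification?: string;
  classificationComment?: string;
  labels?: string[];
  ownerId?: string;
  severity?: "High" | "Informational" | "Low" | "Medium";
}

interface ActionPlaybook { order: number; logicAppId: string; tenantId?: string }

// Mirrors the construct's argument names from the reference above.
interface AutomationRuleProps {
  name: string;
  displayName: string;
  order: number;
  logAnalyticsWorkspaceId: string;
  conditionJson?: string;
  actionIncident?: ActionIncident[];
  actionPlaybook?: ActionPlaybook[];
  triggersOn?: "Alerts" | "Incidents";
  triggersWhen?: "Created" | "Updated";
}

const CLASSIFICATIONS = ["BenignPositive_SuspiciousButExpected", "FalsePositive_InaccurateData",
  "FalsePositive_IncorrectAlertLogic", "TruePositive_SuspiciousActivity", "Undetermined"];
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

export function propertyCondition(propertyName: string, operator: Operator, values: string[]): PropertyCondition {
  return { conditionType: "Property", conditionProperties: { propertyName, operator, propertyValues: values } };
}

// Serialises the conditions into the JSON array string that conditionJson expects.
export function conditionJson(conditions: PropertyCondition[]): string {
  return JSON.stringify(conditions);
}

// Returns every violation of the constraints listed in the arguments reference; empty means consistent.
export function validateRule(p: AutomationRuleProps): string[] {
  const errors: string[] = [];
  if (!UUID_RE.test(p.name)) errors.push("name must be a UUID");
  if (!Number.isInteger(p.order) || p.order < 1 || p.order > 1000) errors.push("order must be between 1 and 1000");
  const incidents = p.actionIncident ?? [];
  const playbooks = p.actionPlaybook ?? [];
  if (incidents.length === 0 && playbooks.length === 0) errors.push("at least one actionIncident or actionPlaybook block is required");
  for (const a of incidents) {
    const tag = `actionIncident order ${a.order}`;
    if (a.status === undefined && a.labels === undefined && a.ownerId === undefined && a.severity === undefined)
      errors.push(`${tag}: at least one of status, labels, ownerId, severity must be set`);
    if (a.status === "Closed" && !a.classification) errors.push(`${tag}: classification is required when status is Closed`);
    if (a.status !== "Closed" && a.classificationComment !== undefined) errors.push(`${tag}: classificationComment is only allowed when status is Closed`);
    if (a.classification !== undefined && !CLASSIFICATIONS.includes(a.classification)) errors.push(`${tag}: unknown classification ${a.classification}`);
  }
  return errors;
}

// Constructed rule: close, as benign, incidents whose title and source IP both match the approved scanner.
export function exampleRule(workspaceId: string): AutomationRuleProps {
  return {
    name: "3f9d6b2e-8c41-4f4a-9a6e-2b7c1d0e5f11", // constructed UUID
    displayName: "Close authorized scanner incidents",
    order: 10,
    logAnalyticsWorkspaceId: workspaceId,
    triggersOn: "Incidents",
    triggersWhen: "Created",
    conditionJson: conditionJson([
      propertyCondition("IncidentTitle", "Contains", ["Authorized vulnerability scan"]), // constructed title
      propertyCondition("IPAddress", "Equals", ["10.20.30.40"]),                          // constructed scanner IP
    ]),
    actionIncident: [{
      order: 1,
      status: "Closed",
      classification: "BenignPositive_SuspiciousButExpected",
      classificationComment: "Auto-closed: traffic from the approved internal scanner",
      labels: ["auto-closed", "scanner"],
    }],
  };
}
```

Pass the returned object straight to the construct, e.g. `new azurerm.sentinelAutomationRule.SentinelAutomationRule(this, "scanner_close", exampleRule(onboarding.workspaceId))`, after asserting that `validateRule` returned no errors. Keep auto-close conditions as narrow as the two combined here: a rule that closes on an incident title alone silences every detection whose title an attacker can influence.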

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Sentinel Automation Rule.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 5 minutes) Used when creating the Sentinel Automation Rule.
  • read - (Defaults to 5 minutes) Used when retrieving the Sentinel Automation Rule.
  • update - (Defaults to 5 minutes) Used when updating the Sentinel Automation Rule.
  • delete - (Defaults to 5 minutes) Used when deleting the Sentinel Automation Rule.

Import

Sentinel Automation Rules can be imported using the resourceId, e.g.

terraform import azurerm_sentinel_automation_rule.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/automationRules/rule1