azurermSentinelAutomationRule
Manages a Sentinel Automation Rule.
Example Usage
```typescript
/* Provider bindings are generated by running `cdktf get`.
   See https://cdk.tf/provider-generation for more details. */
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as azurerm from "./.gen/providers/azurerm";

// The stack wrapper is only here so the snippet compiles on its own; its name is arbitrary.
class SentinelAutomationRuleStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    new azurerm.provider.AzurermProvider(this, "azurerm", {
      features: [{}],
    });

    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
      this,
      "example",
      {
        location: "west europe",
        name: "example-rg",
      }
    );

    const azurermLogAnalyticsWorkspaceExample =
      new azurerm.logAnalyticsWorkspace.LogAnalyticsWorkspace(this, "example_2", {
        location: azurermResourceGroupExample.location,
        name: "example-workspace",
        resourceGroupName: azurermResourceGroupExample.name,
        sku: "PerGB2018",
      });
    /* This allows the Terraform resource name to match the original name.
       You can remove the call if you don't need them to match. */
    azurermLogAnalyticsWorkspaceExample.overrideLogicalId("example");

    // Sentinel has to be onboarded onto the workspace before a rule can reference it.
    const azurermSentinelLogAnalyticsWorkspaceOnboardingExample =
      new azurerm.sentinelLogAnalyticsWorkspaceOnboarding.SentinelLogAnalyticsWorkspaceOnboarding(
        this,
        "example_3",
        {
          workspaceId: azurermLogAnalyticsWorkspaceExample.id,
        }
      );
    azurermSentinelLogAnalyticsWorkspaceOnboardingExample.overrideLogicalId("example");

    const azurermSentinelAutomationRuleExample =
      new azurerm.sentinelAutomationRule.SentinelAutomationRule(this, "example_4", {
        // Either an actionIncident or an actionPlaybook block is required.
        actionIncident: [
          {
            order: 1,
            status: "Active",
          },
        ],
        displayName: "automation_rule1",
        logAnalyticsWorkspaceId:
          azurermSentinelLogAnalyticsWorkspaceOnboardingExample.workspaceId,
        // name must be a UUID; changing it forces a new resource.
        name: "56094f72-ac3f-40e7-a0c0-47bd95f70336",
        order: 1,
      });
    azurermSentinelAutomationRuleExample.overrideLogicalId("example");
  }
}
```
Arguments Reference
The following arguments are supported:
- `name` - (Required) The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
- `logAnalyticsWorkspaceId` - (Required) The ID of the Log Analytics Workspace that this Sentinel Automation Rule applies to. Changing this forces a new Sentinel Automation Rule to be created.
- `displayName` - (Required) The display name which should be used for this Sentinel Automation Rule.
- `order` - (Required) The order of this Sentinel Automation Rule. Possible values range from `1` to `1000`.
- `actionIncident` - (Optional) One or more `actionIncident` blocks as defined below.
- `actionPlaybook` - (Optional) One or more `actionPlaybook` blocks as defined below.

~> Note: Either one `actionIncident` block or one `actionPlaybook` block has to be specified.

- `condition` - (Optional / Deprecated) One or more `condition` blocks as defined below.

~> Note: `condition` only supports the `property` condition type. Please use `conditionJson` if you want other condition types.

- `conditionJson` - (Optional) A JSON array of one or more condition JSON objects as is defined here.
- `enabled` - (Optional) Whether this Sentinel Automation Rule is enabled. Defaults to `true`.
- `expiration` - (Optional) The time in RFC3339 format of kind `UTC` that determines when this Automation Rule should expire and be disabled.
- `triggersOn` - (Optional) Specifies what triggers this automation rule. Possible values are `Alerts` and `Incidents`. Defaults to `Incidents`.
- `triggersWhen` - (Optional) Specifies when this automation rule will be triggered. Possible values are `Created` and `Updated`. Defaults to `Created`.
An `actionIncident` block supports the following:
- `order` - (Required) The execution order of this action.
- `status` - (Optional) The status to set on the incident. Possible values are `Active`, `Closed` and `New`.
- `classification` - (Optional) The classification of the incident, when closing it. Possible values are `BenignPositive_SuspiciousButExpected`, `FalsePositive_InaccurateData`, `FalsePositive_IncorrectAlertLogic`, `TruePositive_SuspiciousActivity` and `Undetermined`.

~> Note: `classification` is required when `status` is `Closed`.

- `classificationComment` - (Optional) The comment explaining why the incident is being closed.

~> Note: `classificationComment` may only be set when `status` is `Closed`.

- `labels` - (Optional) Specifies a list of labels to add to the incident.
- `ownerId` - (Optional) The object ID of the entity this incident is assigned to.
- `severity` - (Optional) The severity to set on the incident. Possible values are `High`, `Informational`, `Low` and `Medium`.

~> Note: At least one of `status`, `labels`, `ownerId` and `severity` has to be set.
An `actionPlaybook` block supports the following:
- `logicAppId` - (Required) The ID of the Logic App that defines the playbook's logic.
- `order` - (Required) The execution order of this action.
- `tenantId` - (Optional) The ID of the Tenant that owns the playbook.
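The constraints above (order range, the either-`actionIncident`-or-`actionPlaybook` rule, `classification` required on close, `classificationComment` only on close, at least one incident field set, the `UTC` expiration kind) are only enforced at plan or apply time. The following pre-apply check is an added example, not code from the azurerm provider or from cdktf; the interface names, `validateAutomationRule`, and the two sample rules are my own constructions. Enumeration casing follows the page's own example (`"Active"`), i.e. the PascalCase values the provider accepts.

```typescript
// Pre-apply check for the documented constraints on the top-level arguments
// and on actionIncident / actionPlaybook blocks. Added example; the types and
// function name below are my own, not the provider's.

interface ActionIncident {
  order: number; status?: string; classification?: string;
  classificationComment?: string; labels?: string[]; ownerId?: string; severity?: string;
}
interface ActionPlaybook { logicAppId: string; order: number; tenantId?: string; }
interface AutomationRuleConfig {
  name: string; logAnalyticsWorkspaceId: string; displayName: string; order: number;
  actionIncident?: ActionIncident[]; actionPlaybook?: ActionPlaybook[];
  enabled?: boolean; expiration?: string; triggersOn?: string; triggersWhen?: string;
}

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// RFC3339 of kind UTC: a date-time ending in "Z", not a numeric offset.
const RFC3339_UTC_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$/;
const STATUSES = ["Active", "Closed", "New"];
const SEVERITIES = ["High", "Informational", "Low", "Medium"];

function oneOf(value: string, allowed: string[]): boolean {
  return allowed.indexOf(value) !== -1;
}

// Returns human-readable problems; an empty list means every checked constraint holds.
function validateAutomationRule(rule: AutomationRuleConfig): string[] {
  const problems: string[] = [];
  if (!UUID_RE.test(rule.name)) problems.push("name must be a UUID");
  if (!rule.logAnalyticsWorkspaceId) problems.push("logAnalyticsWorkspaceId is required");
  if (!rule.displayName) problems.push("displayName is required");
  if (Math.floor(rule.order) !== rule.order || rule.order < 1 || rule.order > 1000) {
    problems.push("order must be an integer between 1 and 1000");
  }
  const incidents = rule.actionIncident || [];
  const playbooks = rule.actionPlaybook || [];
  if (incidents.length === 0 && playbooks.length === 0) {
    problems.push("either an actionIncident or an actionPlaybook block must be specified");
  }
  if (rule.expiration !== undefined && !RFC3339_UTC_RE.test(rule.expiration)) {
    problems.push("expiration must be an RFC3339 timestamp of kind UTC");
  }
  if (rule.triggersOn !== undefined && !oneOf(rule.triggersOn, ["Alerts", "Incidents"])) {
    problems.push("triggersOn must be Alerts or Incidents");
  }
  if (rule.triggersWhen !== undefined && !oneOf(rule.triggersWhen, ["Created", "Updated"])) {
    problems.push("triggersWhen must be Created or Updated");
  }
  incidents.forEach((a, i) => {
    const where = "actionIncident[" + i + "]";
    if (a.status === undefined && a.labels === undefined &&
        a.ownerId === undefined && a.severity === undefined) {
      problems.push(where + ": at least one of status, labels, ownerId and severity has to be set");
    }
    if (a.status !== undefined && !oneOf(a.status, STATUSES)) {
      problems.push(where + ": status must be one of " + STATUSES.join(", "));
    }
    if (a.severity !== undefined && !oneOf(a.severity, SEVERITIES)) {
      problems.push(where + ": severity must be one of " + SEVERITIES.join(", "));
    }
    if (a.status === "Closed" && a.classification === undefined) {
      problems.push(where + ": classification is required when status is Closed");
    }
    if (a.classificationComment !== undefined && a.status !== "Closed") {
      problems.push(where + ": classificationComment is only allowed when status is Closed");
    }
  });
  playbooks.forEach((p, i) => {
    if (!p.logicAppId) problems.push("actionPlaybook[" + i + "]: logicAppId is required");
  });
  return problems;
}

// Constructed inputs: the page's example rule, and a deliberately broken one.
const WORKSPACE_ID = "workspace-id-placeholder"; // placeholder, not a real resource ID
const goodRule: AutomationRuleConfig = {
  name: "56094f72-ac3f-40e7-a0c0-47bd95f70336", logAnalyticsWorkspaceId: WORKSPACE_ID,
  displayName: "automation_rule1", order: 1,
  actionIncident: [{ order: 1, status: "Active" }], expiration: "2030-12-31T23:59:59Z",
};
const badRule: AutomationRuleConfig = {
  name: "not-a-uuid", logAnalyticsWorkspaceId: WORKSPACE_ID, displayName: "broken rule",
  order: 0,
  expiration: "2030-12-31T23:59:59+01:00", // numeric offset, not kind UTC
  triggersOn: "alerts",                    // wrong casing
  actionIncident: [
    { order: 1, status: "Closed", classificationComment: "duplicate" }, // no classification
    { order: 2 },                                                       // nothing to set
    { order: 3, status: "active", classificationComment: "x" },         // bad status; comment not allowed
  ],
};
```

Running `validateAutomationRule(goodRule)` yields no problems, while `badRule` produces one message per violated constraint; wiring this into a CI step before `cdktf deploy` catches rules that would otherwise fail at apply time or, worse, silently never fire.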
A `condition` block supports the following:
- `operator` - (Required) The operator used to evaluate the condition. Possible values include `Equals`, `NotEquals`, `Contains`, `NotContains`, `StartsWith`, `NotStartsWith`, `EndsWith` and `NotEndsWith`.
- `property` - (Required) The incident property the condition is evaluated against. Possible values include `AccountAadTenantId`, `AccountAadUserId`, `AccountNTDomain`, `AccountName`, `AccountObjectGuid`, `AccountPUID`, `AccountSid`, `AccountUPNSuffix`, `AzureResourceResourceId`, `AzureResourceSubscriptionId`, `CloudApplicationAppId`, `CloudApplicationAppName`, `DNSDomainName`, `FileDirectory`, `FileHashValue`, `FileName`, `HostAzureID`, `HostNTDomain`, `HostName`, `HostNetBiosName`, `HostOSVersion`, `IPAddress`, `IncidentDescription`, `IncidentProviderName`, `IncidentRelatedAnalyticRuleIds`, `IncidentSeverity`, `IncidentStatus`, `IncidentTactics`, `IncidentTitle`, `IoTDeviceId`, `IoTDeviceModel`, `IoTDeviceName`, `IoTDeviceOperatingSystem`, `IoTDeviceType`, `IoTDeviceVendor`, `MailMessageDeliveryAction`, `MailMessageDeliveryLocation`, `MailMessageP1Sender`, `MailMessageP2Sender`, `MailMessageRecipient`, `MailMessageSenderIP`, `MailMessageSubject`, `MailboxDisplayName`, `MailboxPrimaryAddress`, `MailboxUPN`, `MalwareCategory`, `MalwareName`, `ProcessCommandLine`, `ProcessId`, `RegistryKey`, `RegistryValueData` and `Url`.
- `values` - (Required) Specifies a list of values to evaluate the condition against.
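Because a mis-scoped condition can auto-close or reassign the wrong incidents, it is worth dry-running a rule's `condition` blocks against representative incidents before deploying it. The evaluator below is an added example, not provider or service code. It makes these labelled assumptions about the service's semantics, which should be verified before relying on them: comparisons are case-insensitive; a `Not*` operator holds when none of the property's values match; a property missing from the incident fails positive operators and satisfies negative ones; all conditions are ANDed. The `toConditionJson` helper emits the `conditionJson` form of the same property conditions, using the `Property` condition object shape as I know it from the Azure REST API; check it against the definition this reference links to. The incident shape and all sample data are constructed.

```typescript
// Dry-run of `condition` blocks against sample incidents. Added example; the
// semantics noted in the comments are assumptions, not documented behaviour.

type Operator = "Equals" | "NotEquals" | "Contains" | "NotContains"
  | "StartsWith" | "NotStartsWith" | "EndsWith" | "NotEndsWith";

interface Condition { operator: Operator; property: string; values: string[]; }

// A real incident can carry several values for one property (several IPs,
// several accounts), so each property maps to a list. Constructed shape.
type IncidentProperties = { [property: string]: string[] };

// Positive comparison; case-insensitive by assumption.
function baseMatches(op: string, actual: string, expected: string): boolean {
  const a = actual.toLowerCase();
  const e = expected.toLowerCase();
  switch (op) {
    case "Equals": return a === e;
    case "Contains": return a.indexOf(e) !== -1;
    case "StartsWith": return a.indexOf(e) === 0;
    case "EndsWith": return a.length >= e.length && a.lastIndexOf(e) === a.length - e.length;
    default: throw new Error("unsupported operator: " + op);
  }
}

// A condition holds when any actual value matches any listed value; the
// "Not" variants invert that, so a missing property satisfies them (assumption).
function evaluateCondition(c: Condition, incident: IncidentProperties): boolean {
  const negated = c.operator.indexOf("Not") === 0;
  const base = negated ? c.operator.slice(3) : c.operator;
  const actuals = incident[c.property] || [];
  const anyMatch = actuals.some(a => c.values.some(v => baseMatches(base, a, v)));
  return negated ? !anyMatch : anyMatch;
}

// All conditions of a rule must hold (assumption: AND semantics).
function ruleMatches(conditions: Condition[], incident: IncidentProperties): boolean {
  return conditions.every(c => evaluateCondition(c, incident));
}

// Equivalent conditionJson for the same property conditions. Object shape per
// the Azure REST API as I know it (conditionType "Property"); verify it.
function toConditionJson(conditions: Condition[]): string {
  return JSON.stringify(conditions.map(c => ({
    conditionType: "Property",
    conditionProperties: {
      propertyName: c.property,
      operator: c.operator,
      propertyValues: c.values,
    },
  })));
}

// Constructed sample rule: triage low-value incidents from one provider,
// but never anything whose title mentions ransomware.
const triageConditions: Condition[] = [
  { operator: "Equals", property: "IncidentSeverity", values: ["Informational", "Low"] },
  { operator: "Equals", property: "IncidentProviderName", values: ["Azure Sentinel"] },
  { operator: "NotContains", property: "IncidentTitle", values: ["ransomware"] },
];

// Constructed incidents.
const lowSeverity: IncidentProperties = {
  IncidentSeverity: ["Low"], IncidentProviderName: ["Azure Sentinel"],
  IncidentTitle: ["Sign-in from unfamiliar location"],
};
const highSeverity: IncidentProperties = {
  IncidentSeverity: ["High"], IncidentProviderName: ["Azure Sentinel"],
  IncidentTitle: ["Sign-in from unfamiliar location"],
};
const ransomwareTitle: IncidentProperties = {
  IncidentSeverity: ["Low"], IncidentProviderName: ["Azure Sentinel"],
  IncidentTitle: ["Possible Ransomware staging"],
};
```

`ruleMatches(triageConditions, lowSeverity)` is true, while the high-severity incident and the one with "Ransomware" in its title both fall outside the rule; keeping such incidents in a fixture file and asserting on them in CI turns a rule's scope into something reviewable rather than something discovered after the first wrongly closed incident.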
Attributes Reference
In addition to the Arguments listed above, the following Attributes are exported:
- `id` - The ID of the Sentinel Automation Rule.
Timeouts
The `timeouts` block allows you to specify timeouts for certain actions:
- `create` - (Defaults to 5 minutes) Used when creating the Sentinel Automation Rule.
- `read` - (Defaults to 5 minutes) Used when retrieving the Sentinel Automation Rule.
- `update` - (Defaults to 5 minutes) Used when updating the Sentinel Automation Rule.
- `delete` - (Defaults to 5 minutes) Used when deleting the Sentinel Automation Rule.
Import
Sentinel Automation Rules can be imported using the `resourceId`, e.g.