Top / Microsoft Azure / Azure Sentinel / Automation Rule

Azure Sentinel Automation Rule

This page shows how to write Terraform and Azure Resource Manager for Sentinel Automation Rule and write them securely.

terraform-logo

Review your .tf file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

azurerm_sentinel_automation_rule (Terraform)

The Automation Rule in Sentinel can be configured in Terraform with the resource name azurerm_sentinel_automation_rule. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The following arguments are supported:

  • name - (Required) The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

  • log_analytics_workspace_id - (Required) The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

  • display_name - (Required) The display name which should be used for this Sentinel Automation Rule.

  • order - (Required) The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

  • action_incident - (Optional) One or more action_incident blocks as defined below.

  • action_playbook - (Optional) One or more action_playbook blocks as defined below.

Note: Either one action_incident block or action_playbook block has to be specified.

  • condition - (Optional) One or more condition blocks as defined below.

  • enabled - (Optional) Whether this Sentinel Automation Rule is enabled? Defaults to true.

  • expiration - (Optional) The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

A action_incident block supports the following:

  • order - (Required) The execution order of this action.

  • status - (Optional) The status to set to the incident. Possible values are: Active, Closed, New.

  • classification - (Optional) The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.

    Note: The classification is required when status is Closed.

  • classification_comment - (Optional) The comment why the incident is to be closed.

    Note: The classification_comment is allowed to set only when status is Closed.

  • labels - (Optional) Specifies a list of labels to add to the incident.

  • owner_id - (Optional) The object ID of the entity this incident is assigned to.

  • severity - (Optional) The severity to add to the incident.

Note:: At least one of status, labels, owner_id and severity has to be set.

A action_playbook block supports the following:

  • logic_app_id - (Required) The ID of the Logic App that defines the playbook's logic.

  • order - (Required) The execution order of this action.

  • tenant_id - (Optional) The ID of the Tenant that owns the playbook.

A condition block supports the following:

  • operator - (Required) The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.

  • property - (Required) The property to use for evaluate the condition. Possible values include: AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentDescription, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData, Url.

  • values - (Required) Specifies a list of values to use for evaluate the condition.

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Sentinel Automation Rule.

>> from Terraform Registry

Explanation in Terraform Registry

Manages a Sentinel Automation Rule.

>> from Terraform Registry

Microsoft.OperationalInsights/workspaces (Azure Resource Manager)

The workspaces in Microsoft.OperationalInsights can be configured in Azure Resource Manager with the resource name Microsoft.OperationalInsights/workspaces. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

application-gw-firewall-events.json
{
    "contentVersion": "1.0.0.0",
    "parameters": {
      "workbookDisplayName": {
        "type": "string",
workbooks.arm.template.statistics.detailed.json
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",
workbooks.arm.template.statistics.json
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",
application-gw-firewall-events.json
{
    "contentVersion": "1.0.0.0",
    "parameters": {
      "workbookDisplayName": {
        "type": "string",
workbook.json
{
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workbookSourceId": {
            "type": "string",
application-gw-firewall-events.json
{
    "contentVersion": "1.0.0.0",
    "parameters": {
      "workbookDisplayName": {
        "type": "string",
application-gw-firewall-events.json
{
    "contentVersion": "1.0.0.0",
    "parameters": {
      "workbookDisplayName": {
        "type": "string",
template.json
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",
AWS_User_Activities.json
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",
workbooks.arm.template.rag.json
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

Parameters

  • apiVersion required - string
  • eTag optional - string

    The ETag of the workspace.

  • location required - string

    The geo-location where the resource lives

  • name required - string

    The name of the workspace.

  • properties required
      • features optional
          • additionalProperties optional - object

            Unmatched properties from the message are deserialized this collection

          • clusterResourceId optional - string

            Dedicated LA cluster resourceId that is linked to the workspaces.

          • disableLocalAuth optional - boolean

            Disable Non-AAD based Auth.

          • enableDataExport optional - boolean

            Flag that indicate if data should be exported.

          • enableLogAccessUsingOnlyResourcePermissions optional - boolean

            Flag that indicate which permission to use - resource or workspace or both.

          • immediatePurgeDataOn30Days optional - boolean

            Flag that describes if we want to remove the data after 30 days.

      • forceCmkForQuery optional - boolean

        Indicates whether customer managed storage is mandatory for query management.

      • provisioningState optional - string

        The provisioning state of the workspace.

      • publicNetworkAccessForIngestion optional - string

        The network access type for accessing Log Analytics ingestion.

      • publicNetworkAccessForQuery optional - string

        The network access type for accessing Log Analytics query.

      • retentionInDays optional - integer

        The workspace data retention in days. Allowed values are per pricing plan. See pricing tiers documentation for details.

      • sku optional
          • capacityReservationLevel optional - integer

            The capacity reservation level in GB for this workspace, when CapacityReservation sku is selected.

          • name required - string

            The name of the SKU.

      • workspaceCapping optional
          • dailyQuotaGb optional - number

            The workspace daily quota for ingestion.

  • tags optional - string

    Resource tags.

  • type required - string

>> from Azure Resource Manager Documentation

The Other Related Azure Sentinel Resources

Frequently asked questions

What is Azure Sentinel Automation Rule?

Azure Sentinel Automation Rule is a resource for Sentinel of Microsoft Azure. Settings can be wrote in Terraform.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents