Azure Sentinel Automation Rule
This page shows how to write Terraform and Azure Resource Manager definitions for a Sentinel Automation Rule, and how to write them securely.
azurerm_sentinel_automation_rule (Terraform)
The Automation Rule in Sentinel can be configured in Terraform with the resource name azurerm_sentinel_automation_rule. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
The following arguments are supported:
name
- (Required) The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
log_analytics_workspace_id
- (Required) The ID of the Log Analytics Workspace that this Sentinel Automation Rule applies to. Changing this forces a new Sentinel Automation Rule to be created.
display_name
- (Required) The display name which should be used for this Sentinel Automation Rule.
order
- (Required) The order of this Sentinel Automation Rule. Possible values are between 1 and 1000.
action_incident
- (Optional) One or more action_incident blocks as defined below.
action_playbook
- (Optional) One or more action_playbook blocks as defined below.
Note: Either one action_incident block or one action_playbook block has to be specified.
condition
- (Optional) One or more condition blocks as defined below.
enabled
- (Optional) Whether this Sentinel Automation Rule is enabled. Defaults to true.
expiration
- (Optional) The time in RFC3339 format (UTC) that determines when this Automation Rule should expire and be disabled.
An action_incident block supports the following:
order
- (Required) The execution order of this action.
status
- (Optional) The status to set on the incident. Possible values are: Active, Closed, New.
classification
- (Optional) The classification of the incident when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.
Note: The classification is required when status is Closed.
classification_comment
- (Optional) The comment explaining why the incident is being closed.
Note: The classification_comment may only be set when status is Closed.
labels
- (Optional) Specifies a list of labels to add to the incident.
owner_id
- (Optional) The object ID of the entity this incident is assigned to.
severity
- (Optional) The severity to set on the incident.
Note: At least one of status, labels, owner_id and severity has to be set.
An action_playbook block supports the following:
logic_app_id
- (Required) The ID of the Logic App that defines the playbook's logic.
order
- (Required) The execution order of this action.
tenant_id
- (Optional) The ID of the Tenant that owns the playbook.
A condition block supports the following:
operator
- (Required) The operator used to evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.
property
- (Required) The incident or entity property used to evaluate the condition. Possible values include: AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentDescription, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData, Url.
values
- (Required) Specifies a list of values used to evaluate the condition.
In addition to the Arguments listed above - the following Attributes are exported:
id
- The ID of the Sentinel Automation Rule.
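A complete configuration exercising the arguments above, added here as an example because none was found on GitHub; it is not code from the page or from the azurerm provider's own documentation. Resource names, the two rule UUIDs, the incident title fragment and the owner object ID are constructed placeholders, and the configuration assumes Microsoft Sentinel has already been enabled on the workspace (that step is not shown).

```hcl
# Added example (not from the page): a workspace with two automation rules.
# Names, UUIDs, the title fragment and the owner ID below are constructed.

resource "azurerm_resource_group" "example" {
  name     = "rg-sentinel-example"
  location = "westeurope"
}

resource "azurerm_log_analytics_workspace" "example" {
  name                = "law-sentinel-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

# Assumption: Sentinel is enabled on this workspace (not shown here).

# Logic App invoked as a playbook by the escalation rule below.
resource "azurerm_logic_app_workflow" "escalate" {
  name                = "la-escalate-high-severity"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Rule 1: auto-close Informational/Low incidents raised for the approved
# internal scanner. The match is narrowed to provider, title and severity so
# that free-form alert text on its own cannot trigger the auto-close.
resource "azurerm_sentinel_automation_rule" "close_known_scanner" {
  name                       = "1f0b7c2e-2d8b-4a3c-9b5e-0c3d1e2f3a4b" # constructed UUID
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
  display_name               = "Auto-close authorized scanner incidents"
  order                      = 1                      # 1..1000, lower runs first
  enabled                    = true
  expiration                 = "2030-01-01T00:00:00Z" # RFC3339 UTC; rule is disabled after this

  condition {
    operator = "Equals"
    property = "IncidentProviderName"
    values   = ["Azure Sentinel"]
  }

  condition {
    operator = "Contains"
    property = "IncidentTitle"
    values   = ["Authorized vulnerability scan"] # constructed title fragment
  }

  condition {
    operator = "Equals"
    property = "IncidentSeverity"
    values   = ["Informational", "Low"]
  }

  action_incident {
    order                  = 1
    status                 = "Closed"
    classification         = "BenignPositive_SuspiciousButExpected" # required when status is Closed
    classification_comment = "Source matches the approved scanner allow-list"
    labels                 = ["auto-closed"] # keeps auto-closed incidents easy to audit
  }
}

# Rule 2: every High severity incident is labelled, assigned to the on-call
# group and handed to the escalation playbook. Both action kinds may appear
# in one rule; their order fields decide the execution sequence.
resource "azurerm_sentinel_automation_rule" "escalate_high" {
  name                       = "2a1c8d3f-4e5b-4c6d-8e7f-9a0b1c2d3e4f" # constructed UUID
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
  display_name               = "Escalate high severity incidents"
  order                      = 2

  condition {
    operator = "Equals"
    property = "IncidentSeverity"
    values   = ["High"]
  }

  action_incident {
    order    = 1
    labels   = ["escalated"]
    owner_id = "00000000-0000-0000-0000-000000000000" # placeholder: on-call group's object ID
  }

  action_playbook {
    order        = 2
    logic_app_id = azurerm_logic_app_workflow.escalate.id
    # tenant_id is optional; set it only when the playbook lives in another tenant
  }
}
```

Rule 1 satisfies the constraints documented above: a classification is present because status is Closed, the classification_comment is only used alongside that Closed status, and each action_incident block sets at least one of status, labels, owner_id and severity. From a defensive standpoint the auto-close rule is the sensitive one: a rule keyed only on a Contains match against IncidentTitle would let anything able to influence alert text suppress its own incident, which is why the example also pins the provider and severity and labels every auto-closed incident for later review. The playbook in rule 2 is invoked by Sentinel's own service identity, which must hold permission on the Logic App's resource group (the Microsoft Sentinel Automation Contributor role) before the rule can run it.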
Explanation in Terraform Registry
Manages a Sentinel Automation Rule.
Microsoft.OperationalInsights/workspaces (Azure Resource Manager)
The workspaces in Microsoft.OperationalInsights can be configured in Azure Resource Manager with the resource name Microsoft.OperationalInsights/workspaces. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
{
"contentVersion": "1.0.0.0",
"parameters": {
"workbookDisplayName": {
"type": "string",
Parameters
apiVersion
required - string
eTag
optional - string. The ETag of the workspace.
location
required - string. The geo-location where the resource lives.
name
required - string. The name of the workspace.
properties
required
  features
  optional
    additionalProperties
    optional - object. Unmatched properties from the message are deserialized into this collection.
    clusterResourceId
    optional - string. Dedicated LA cluster resourceId that is linked to the workspaces.
    disableLocalAuth
    optional - boolean. Disable non-AAD based auth.
    enableDataExport
    optional - boolean. Flag that indicates if data should be exported.
    enableLogAccessUsingOnlyResourcePermissions
    optional - boolean. Flag that indicates which permission to use: resource, workspace or both.
    immediatePurgeDataOn30Days
    optional - boolean. Flag that describes if we want to remove the data after 30 days.
  forceCmkForQuery
  optional - boolean. Indicates whether customer managed storage is mandatory for query management.
  provisioningState
  optional - string. The provisioning state of the workspace.
  publicNetworkAccessForIngestion
  optional - string. The network access type for accessing Log Analytics ingestion.
  publicNetworkAccessForQuery
  optional - string. The network access type for accessing Log Analytics query.
  retentionInDays
  optional - integer. The workspace data retention in days. Allowed values are per pricing plan. See pricing tiers documentation for details.
  sku
  optional
    capacityReservationLevel
    optional - integer. The capacity reservation level in GB for this workspace, when the CapacityReservation sku is selected.
    name
    required - string. The name of the SKU.
  workspaceCapping
  optional
    dailyQuotaGb
    optional - number. The workspace daily quota for ingestion.
tags
optional - string. Resource tags.
type
required - string
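The hardening-relevant workspace properties from the list above, written as the Terraform azurerm_log_analytics_workspace resource so that it stays in the same language as the rest of this page. This is an added example, not code from the page or from any project; each argument's comment names the ARM property it corresponds to. Resource names and quota values are constructed, and the forceCmkForQuery setting assumes a customer-managed-key cluster exists for the workspace (not shown).

```hcl
# Added example (not from the page): Terraform form of the ARM workspace
# properties that matter for security, with the ARM property in each comment.
# Names and values are constructed.

resource "azurerm_resource_group" "logs" {
  name     = "rg-logs-example"
  location = "westeurope"
}

resource "azurerm_log_analytics_workspace" "hardened" {
  name                = "law-hardened-example"
  location            = azurerm_resource_group.logs.location
  resource_group_name = azurerm_resource_group.logs.name

  sku               = "PerGB2018" # sku.name
  retention_in_days = 365         # retentionInDays: keep enough history for investigations
  daily_quota_gb    = 50          # workspaceCapping.dailyQuotaGb: bounds cost, but once the cap is hit new logs are dropped

  # features.disableLocalAuth = true: only Azure AD identities can query the
  # data; the workspace shared keys stop being a usable credential.
  local_authentication_disabled = true

  # features.enableLogAccessUsingOnlyResourcePermissions = false: readers need
  # workspace-level RBAC, not merely permission on the resource that emitted the log.
  allow_resource_only_permissions = false

  # forceCmkForQuery = true: query artefacts must be stored under a
  # customer-managed key (assumes a CMK-enabled cluster is linked, not shown).
  cmk_for_query_forced = true

  # publicNetworkAccessForIngestion / publicNetworkAccessForQuery = Disabled.
  # Without the private link scope below, agents can no longer deliver data,
  # so these two settings and the scope must ship together.
  internet_ingestion_enabled = false
  internet_query_enabled     = false
}

# Azure Monitor Private Link Scope so ingestion and query traffic can arrive
# over private endpoints once public access is disabled.
resource "azurerm_monitor_private_link_scope" "ampls" {
  name                = "ampls-logs-example"
  resource_group_name = azurerm_resource_group.logs.name
}

resource "azurerm_monitor_private_link_scoped_service" "law" {
  name                = "ampls-law-link"
  resource_group_name = azurerm_resource_group.logs.name
  scope_name          = azurerm_monitor_private_link_scope.ampls.name
  linked_resource_id  = azurerm_log_analytics_workspace.hardened.id
}
```

Disabling public ingestion and query is the change most likely to break monitoring if applied in isolation: the private link scope above still needs a private endpoint in the collecting network and matching private DNS zones before agents and analysts can reach the workspace, so roll those out first and flip the two public-access settings last.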