Azure Sentinel Watchlist

This page shows how to write Terraform and Azure Resource Manager for Sentinel Watchlist and write them securely.

azurerm_sentinel_watchlist (Terraform)

The Watchlist in Sentinel can be configured in Terraform with the resource name azurerm_sentinel_watchlist. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The following arguments are supported:

  • name - (Required) The name which should be used for this Sentinel Watchlist. Changing this forces a new Sentinel Watchlist to be created.

  • log_analytics_workspace_id - (Required) The ID of the Log Analytics Workspace where this Sentinel Watchlist resides in. Changing this forces a new Sentinel Watchlist to be created.

  • display_name - (Required) The display name of this Sentinel Watchlist. Changing this forces a new Sentinel Watchlist to be created.


  • default_duration - (Optional) The default duration in ISO8601 duration form of this Sentinel Watchlist. Changing this forces a new Sentinel Watchlist to be created.

  • description - (Optional) The description of this Sentinel Watchlist. Changing this forces a new Sentinel Watchlist to be created.

  • labels - (Optional) Specifies a list of labels related to this Sentinel Watchlist. Changing this forces a new Sentinel Watchlist to be created.

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Sentinel Watchlist.

Explanation in Terraform Registry

Manages a Sentinel Watchlist.

Microsoft.OperationalInsights/workspaces (Azure Resource Manager)

The workspaces in Microsoft.OperationalInsights can be configured in Azure Resource Manager with the resource name Microsoft.OperationalInsights/workspaces. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

application-gw-firewall-events.json
{
    "contentVersion": "1.0.0.0",
    "parameters": {
      "workbookDisplayName": {
        "type": "string",
workbooks.arm.template.statistics.detailed.json
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",
workbooks.arm.template.statistics.json
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",
application-gw-firewall-events.json
{
    "contentVersion": "1.0.0.0",
    "parameters": {
      "workbookDisplayName": {
        "type": "string",
workbook.json
{
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workbookSourceId": {
            "type": "string",
application-gw-firewall-events.json
{
    "contentVersion": "1.0.0.0",
    "parameters": {
      "workbookDisplayName": {
        "type": "string",
application-gw-firewall-events.json
{
    "contentVersion": "1.0.0.0",
    "parameters": {
      "workbookDisplayName": {
        "type": "string",
template.json
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",
AWS_User_Activities.json
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",
workbooks.arm.template.rag.json
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

Parameters

  • apiVersion required - string
  • eTag optional - string

    The ETag of the workspace.

  • location required - string

    The geo-location where the resource lives

  • name required - string

    The name of the workspace.

  • properties required
      • features optional
          • additionalProperties optional - object

            Unmatched properties from the message are deserialized this collection

          • clusterResourceId optional - string

            Dedicated LA cluster resourceId that is linked to the workspaces.

          • disableLocalAuth optional - boolean

            Disable Non-AAD based Auth.

          • enableDataExport optional - boolean

            Flag that indicate if data should be exported.

          • enableLogAccessUsingOnlyResourcePermissions optional - boolean

            Flag that indicate which permission to use - resource or workspace or both.

          • immediatePurgeDataOn30Days optional - boolean

            Flag that describes if we want to remove the data after 30 days.

      • forceCmkForQuery optional - boolean

        Indicates whether customer managed storage is mandatory for query management.

      • provisioningState optional - string

        The provisioning state of the workspace.

      • publicNetworkAccessForIngestion optional - string

        The network access type for accessing Log Analytics ingestion.

      • publicNetworkAccessForQuery optional - string

        The network access type for accessing Log Analytics query.

      • retentionInDays optional - integer

        The workspace data retention in days. Allowed values are per pricing plan. See pricing tiers documentation for details.

      • sku optional
          • capacityReservationLevel optional - integer

            The capacity reservation level in GB for this workspace, when CapacityReservation sku is selected.

          • name required - string

            The name of the SKU.

      • workspaceCapping optional
          • dailyQuotaGb optional - number

            The workspace daily quota for ingestion.

  • tags optional - string

    Resource tags.

  • type required - string

Frequently asked questions

What is Azure Sentinel Watchlist?

Azure Sentinel Watchlist is a resource for Sentinel of Microsoft Azure. Settings can be wrote in Terraform.