sentinel_alert_rule

This module deploys an analytic rule to Azure Sentinel.

You'll need to provide the following:

  • Log Analytics Workspace ID
  • Query
  • Query Frequency
  • Query Period
  • Severity
  • Tactics
  • Trigger Operator
  • Trigger Threshold
  • Entity Mapping
  • Incident Configuration
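
An added usage example, not code from this module's README, showing a scheduled rule with a KQL query, entity mapping and incident grouping; the `source` path and the `azurerm_log_analytics_workspace.sentinel` resource are assumptions:

```hcl
# Added example of calling this module; not the module's own code.
# Assumed: the module lives at ./modules/sentinel_alert_rule and an
# azurerm_log_analytics_workspace.sentinel resource exists in the root module.
module "failed_signins_from_single_ip" {
  source = "./modules/sentinel_alert_rule"

  workspace_id = azurerm_log_analytics_workspace.sentinel.id
  display_name = "Repeated failed sign-ins from a single IP"
  description  = "Flags source IPs with 10 or more failed sign-ins in the query period."
  # The KQL run every query_frequency over the trailing query_period.
  query = <<-KQL
    SigninLogs
    | where ResultType != "0"
    | summarize FailedCount = count(), Accounts = make_set(UserPrincipalName) by IPAddress
    | where FailedCount >= 10
  KQL
  query_frequency = "PT1H"
  query_period    = "PT1H"
  severity        = "Medium"
  tactics         = ["CredentialAccess"]
  techniques      = ["T1110"]

  # Fire when the query returns more than 0 rows.
  trigger_operator  = "GreaterThan"
  trigger_threshold = 0

  # Map the IPAddress column to an IP entity so analysts can pivot on it.
  entity_mapping = [
    {
      entity_type   = "IP"
      field_mapping = [{ column_name = "IPAddress", identifier = "Address" }]
    }
  ]
  # Surface the failure count on the alert as a custom detail.
  custom_details = { FailedSignIns = "FailedCount" }

  # Group alerts sharing the same IP entity into one incident for 24 hours.
  incident_configuration = {
    create_incident = true
    grouping = {
      enabled                 = true
      entity_matching_method  = "Selected"
      group_by_entities       = ["IP"]
      group_by_alert_details  = []
      group_by_custom_details = []
      lookback_duration       = "PT24H"
      reopen_closed_incidents = false
    }
  }
}
```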

Requirements

No requirements.

Providers

| Name | Version |
|---|---|
| azurerm | n/a |
| random | n/a |

Modules

No modules.

Resources

| Name | Type |
|---|---|
| azurerm_sentinel_alert_rule_scheduled.this | resource |
| random_uuid.this | resource |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| custom_details | (Optional) The custom details of the alert rule. | `map(string)` | `{}` | no |
| description | (Required) The description of the alert rule. | `string` | n/a | yes |
| display_name | (Required) The display name of the alert rule. | `string` | n/a | yes |
| enabled | (Optional) Whether the alert rule is enabled. Defaults to true. | `bool` | `true` | no |
| entity_mapping | (Optional) The entity mapping of the alert rule. | `list(object({ entity_type = string, field_mapping = list(object({ column_name = string, identifier = string })) }))` | `[]` | no |
| event_grouping | (Optional) The event grouping of the alert rule. | `map(string)` | `{ "aggregation_method": "AlertPerResult" }` | no |
| incident_configuration | (Optional) The incident configuration of the alert rule. | `any` | `{ "create_incident": true, "grouping": { "enabled": false, "entity_matching_method": "AllEntities", "group_by_alert_details": [], "group_by_custom_details": [], "group_by_entities": [], "lookback_duration": "PT5M", "reopen_closed_incidents": false } }` | no |
| name | (Optional) The name of the azurerm_sentinel_alert_rule_scheduled resource. If not provided, a random UUID is used. | `string` | `""` | no |
| query | (Required) The query (KQL) that the alert rule will run. | `string` | n/a | yes |
| query_frequency | (Optional) How often the query runs, as an ISO 8601 duration. Defaults to PT1H. | `string` | `"PT1H"` | no |
| query_period | (Optional) The lookback period the query covers, as an ISO 8601 duration. Defaults to PT1H. | `string` | `"PT1H"` | no |
| severity | (Optional) The severity of the alert rule. Defaults to Medium. | `string` | `"Medium"` | no |
| suppression_duration | (Optional) The suppression duration of the alert rule, as an ISO 8601 duration. Defaults to PT1H. | `string` | `"PT1H"` | no |
| suppression_enabled | (Optional) Whether suppression is enabled for the alert rule. Defaults to false. | `bool` | `false` | no |
| tactics | (Optional) The MITRE ATT&CK tactics of the alert rule. Defaults to ["InitialAccess"]. | `list(string)` | `["InitialAccess"]` | no |
| techniques | (Optional) The MITRE ATT&CK techniques of the alert rule. Defaults to null. | `list(string)` | `null` | no |
| trigger_operator | (Optional) The operator that compares the query's result count with the threshold. Defaults to GreaterThan. | `string` | `"GreaterThan"` | no |
| trigger_threshold | (Optional) The result-count threshold that triggers the alert. Defaults to 0. | `number` | `0` | no |
| workspace_id | (Required) The ID of the Log Analytics workspace the alert rule is created in. | `string` | n/a | yes |

Outputs

| Name | Description |
|---|---|
| alert_rule_id | The ID of the alert rule. |