azurerm_sentinel_alert_rule_anomaly_duplicate

Manages a Duplicated Anomaly Alert Rule.

Example Usage

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_log_analytics_workspace" "example" {
  name                = "example-law"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "PerGB2018"
}

resource "azurerm_sentinel_log_analytics_workspace_onboarding" "example" {
  workspace_id                 = azurerm_log_analytics_workspace.example.id
  customer_managed_key_enabled = false
}

data "azurerm_sentinel_alert_rule_anomaly" "example" {
  log_analytics_workspace_id = azurerm_sentinel_log_analytics_workspace_onboarding.example.workspace_id
  display_name               = "UEBA Anomalous Sign In"
}

resource "azurerm_sentinel_alert_rule_anomaly_duplicate" "example" {
  display_name               = "example duplicated UEBA Anomalous Sign In"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
  built_in_rule_id           = data.azurerm_sentinel_alert_rule_anomaly.example.id
  enabled                    = true
  mode                       = "Flighting"

  threshold_observation {
    name  = "Anomaly score threshold"
    value = "0.6"
  }
}

Arguments Reference

The following arguments are supported:


A multi_select_observation block supports the following:


A single_select_observation block supports the following:


A prioritized_exclude_observation block exports the following:


A threshold_observation block exports the following:

Attributes Reference

In addition to the Arguments listed above, the following Attributes are exported:


A required_data_connector block exports the following:

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

Import

Built In Anomaly Alert Rules can be imported using the resource ID, e.g.

terraform import azurerm_sentinel_alert_rule_anomaly_duplicate.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/setting1