Skip to content

Commit

Permalink
azurerm_sentinel_alert_rule_nrt, `azurerm_sentinel_alert_rule_sched…
Browse files Browse the repository at this point in the history
…uled`: support `dynamic_property` (#20212)
  • Loading branch information
ziyeqf authored Feb 6, 2023
1 parent ce99479 commit 2545890
Show file tree
Hide file tree
Showing 7 changed files with 131 additions and 0 deletions.
43 changes: 43 additions & 0 deletions internal/services/sentinel/sentinel_alert_rule.go
Original file line number Diff line number Diff line change
Expand Up @@ -268,6 +268,9 @@ func expandAlertRuleAlertDetailsOverride(input []interface{}) *securityinsight.A
if v := b["tactics_column_name"]; v != "" {
output.AlertTacticsColumnName = utils.String(v.(string))
}
if v := b["dynamic_property"]; v != nil && len(v.([]interface{})) > 0 {
output.AlertDynamicProperties = expandAlertRuleAlertDynamicProperties(v.([]interface{}))
}

return output
}
Expand Down Expand Up @@ -297,16 +300,56 @@ func flattenAlertRuleAlertDetailsOverride(input *securityinsight.AlertDetailsOve
tacticsColumnName = *input.AlertTacticsColumnName
}

var dynamicProperties []interface{}
if input.AlertDynamicProperties != nil {
dynamicProperties = flattenAlertRuleAlertDynamicProperties(input.AlertDynamicProperties)
}

return []interface{}{
map[string]interface{}{
"description_format": descriptionFormat,
"display_name_format": displayNameFormat,
"severity_column_name": severityColumnName,
"tactics_column_name": tacticsColumnName,
"dynamic_property": dynamicProperties,
},
}
}

func expandAlertRuleAlertDynamicProperties(input []interface{}) *[]securityinsight.AlertPropertyMapping {
if len(input) == 0 || input[0] == nil {
return nil
}

var output []securityinsight.AlertPropertyMapping

for _, v := range input {
b := v.(map[string]interface{})
output = append(output, securityinsight.AlertPropertyMapping{
AlertProperty: securityinsight.AlertProperty(b["name"].(string)),
Value: utils.String(b["value"].(string)),
})
}

return &output
}

func flattenAlertRuleAlertDynamicProperties(input *[]securityinsight.AlertPropertyMapping) []interface{} {
output := make([]interface{}, 0)
if input == nil || len(*input) == 0 {
return output
}

for _, i := range *input {
output = append(output, map[string]interface{}{
"name": string(i.AlertProperty),
"value": i.Value,
})
}

return output
}

func expandAlertRuleEntityMapping(input []interface{}) *[]securityinsight.EntityMapping {
if len(input) == 0 {
return nil
Expand Down
30 changes: 30 additions & 0 deletions internal/services/sentinel/sentinel_alert_rule_nrt_resource.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"time"

"github.com/hashicorp/go-azure-sdk/resource-manager/operationalinsights/2020-08-01/workspaces"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-provider-azurerm/helpers/tf"
"github.com/hashicorp/terraform-provider-azurerm/helpers/validate"
"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
Expand Down Expand Up @@ -267,6 +268,35 @@ func resourceSentinelAlertRuleNrt() *pluginsdk.Resource {
Optional: true,
ValidateFunc: validation.StringIsNotEmpty,
},
"dynamic_property": {
Type: pluginsdk.TypeList,
Optional: true,
Elem: &pluginsdk.Resource{
Schema: map[string]*schema.Schema{
"name": {
Type: pluginsdk.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice(
[]string{
string(securityinsight.AlertPropertyAlertLink),
string(securityinsight.AlertPropertyConfidenceLevel),
string(securityinsight.AlertPropertyConfidenceScore),
string(securityinsight.AlertPropertyExtendedLinks),
string(securityinsight.AlertPropertyProductComponentName),
string(securityinsight.AlertPropertyProductName),
string(securityinsight.AlertPropertyProviderName),
string(securityinsight.AlertPropertyRemediationSteps),
string(securityinsight.AlertPropertyTechniques),
}, false),
},
"value": {
Type: pluginsdk.TypeString,
Required: true,
ValidateFunc: validation.StringIsNotEmpty,
},
},
},
},
},
},
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -176,6 +176,10 @@ resource "azurerm_sentinel_alert_rule_nrt" "test" {
display_name_format = "Suspicious activity was made by {{ComputerIP}}"
severity_column_name = "Computer"
tactics_column_name = "Computer"
dynamic_property {
name = "AlertLink"
value = "dcount_ResourceId"
}
}
entity_mapping {
entity_type = "Host"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"time"

"github.com/hashicorp/go-azure-sdk/resource-manager/operationalinsights/2020-08-01/workspaces"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-provider-azurerm/helpers/tf"
"github.com/hashicorp/terraform-provider-azurerm/helpers/validate"
"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
Expand Down Expand Up @@ -328,6 +329,35 @@ func resourceSentinelAlertRuleScheduled() *pluginsdk.Resource {
Optional: true,
ValidateFunc: validation.StringIsNotEmpty,
},
"dynamic_property": {
Type: pluginsdk.TypeList,
Optional: true,
Elem: &pluginsdk.Resource{
Schema: map[string]*schema.Schema{
"name": {
Type: pluginsdk.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice(
[]string{
string(securityinsight.AlertPropertyAlertLink),
string(securityinsight.AlertPropertyConfidenceLevel),
string(securityinsight.AlertPropertyConfidenceScore),
string(securityinsight.AlertPropertyExtendedLinks),
string(securityinsight.AlertPropertyProductComponentName),
string(securityinsight.AlertPropertyProductName),
string(securityinsight.AlertPropertyProviderName),
string(securityinsight.AlertPropertyRemediationSteps),
string(securityinsight.AlertPropertyTechniques),
}, false),
},
"value": {
Type: pluginsdk.TypeString,
Required: true,
ValidateFunc: validation.StringIsNotEmpty,
},
},
},
},
},
},
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -202,6 +202,10 @@ resource "azurerm_sentinel_alert_rule_scheduled" "test" {
display_name_format = "Suspicious activity was made by {{ComputerIP}}"
severity_column_name = "Computer"
tactics_column_name = "Computer"
dynamic_property {
name = "AlertLink"
value = "dcount_ResourceId"
}
}
entity_mapping {
entity_type = "Host"
Expand Down
10 changes: 10 additions & 0 deletions website/docs/r/sentinel_alert_rule_nrt.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,16 @@ An `alert_details_override` block supports the following:

* `tactics_column_name` - (Optional) The column name to take the alert tactics from.

* `dynamic_property` - (Optional) A list of `dynamic_property` blocks as defined below.

---

A `dynamic_property` block supports the following:

* `name` - (Required) The name of the dynamic property. Possible Values are `AlertLink`, `ConfidenceLevel`, `ConfidenceScore`, `ExtendedLinks`, `ProductComponentName`, `ProductName`, `ProviderName`, `RemediationSteps` and `Techniques`.

* `value` - (Required) The value of the dynamic property. Pssible Values are `Caller`, `dcount_ResourceId` and `EventSubmissionTimestamp`.

---

An `entity_mapping` block supports the following:
Expand Down
10 changes: 10 additions & 0 deletions website/docs/r/sentinel_alert_rule_scheduled.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,16 @@ An `alert_details_override` block supports the following:

* `tactics_column_name` - (Optional) The column name to take the alert tactics from.

* `dynamic_property` - (Optional) A list of `dynamic_property` blocks as defined below.

---

A `dynamic_property` block supports the following:

* `name` - (Required) The name of the dynamic property. Possible Values are `AlertLink`, `ConfidenceLevel`, `ConfidenceScore`, `ExtendedLinks`, `ProductComponentName`, `ProductName`, `ProviderName`, `RemediationSteps` and `Techniques`.

* `value` - (Required) The value of the dynamic property. Pssible Values are `Caller`, `dcount_ResourceId` and `EventSubmissionTimestamp`.

---

An `entity_mapping` block supports the following:
Expand Down

0 comments on commit 2545890

Please sign in to comment.