
Support for Azure Sentinel Automation Rules #10960

Closed
kaovd opened this issue Mar 13, 2021 · 9 comments · Fixed by #11502

Comments

@kaovd
Contributor

kaovd commented Mar 13, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

With the current blocked limbo that is the request for sentinel alert rule playbook actions (see Azure/azure-rest-api-specs#9424 spawned from #6820) - I believe rather than actually implementing this original feature, it is more likely that the new automations framework that will be coming out (currently in preview) is more favourable (mentioned on a duplicate complaint about triggerUrl not returning here).

As this is currently available and uses the preview API Spec instead, this might be implementable while still in its preview state via the 2019-01-01 Preview API here - however I'm not sure if the functionality from the automationRules API is actually implemented within this repository yet; while I can make it out in watching the API calls, a Ctrl+F for an example containing this cannot be found... The feature is accessible through visiting aka.ms/incidenttrigger (prepends ?Feature.IncidentTriggering=true before #blade) and visiting an Azure Sentinel workspace. I don't believe this requires a preview sign up, as from a fresh account I tested, this is accessible.

Shortly after I originally made this request, the features went public preview and an API Spec is now available here

The functionality is under Microsoft.SecurityInsights/AutomationRules

New or Affected Resource(s)

  • azurerm_sentinel_automation_rule

Potential Terraform Configuration

data "azurerm_log_analytics_workspace" "example" {
  name                = "log-analytics1"
  resource_group_name = "my-resource-group"
}

data "azurerm_logic_app_workflow" "example" {
  name                = "workflow1"
  resource_group_name = "my-resource-group"
}

resource "azurerm_sentinel_automation_rule" "example" {
  name                       = "example"
  log_analytics_workspace_id = data.azurerm_log_analytics_workspace.example.id
  display_name               = "examplerule"

  # Proposed condition blocks: match on the analytics rule name and on incident severity
  conditions {
    rule_name {
      contains = ["Rule1", "Rule2", "Rule3"] // make ability to assign non-array "All" for all rules
      // not_contains = ["Rule4"]
    }
    severity {
      equals = ["Medium", "High", "Low"]
      // not_equals = ["Informational"]
    }
  }

  # Proposed action blocks: run one or more playbooks and tag the incident
  actions {
    run_playbook {
      playbook = [data.azurerm_logic_app_workflow.example.id, "resource_id_here"] // One or multiple
    }
    add_tag {
      tags = ["tag1", "tag2"]
    }
  }

  order           = 1
  rule_expiration = "2021-05-15T10:00:00Z"
  enabled         = true
}

References

@kaovd
Contributor Author

kaovd commented Apr 6, 2021

Since creating my issue, it appears automation rules have gone public preview, with the relevant API Specs updated. I believe the issues that were previously encountered by @magodo have been solved in this API Spec; I see a very verbose response, with trigger URIs for playbooks that were the previous blocking issue. New Specs here

@thomasknowles

+1 This'll enhance our workflow and finally stop half of the manual editing of rules after running the pipeline.

@magodo
Collaborator

magodo commented Apr 20, 2021

Just asked for a Go SDK release for this. Once it is done, we can move on.

@magodo magodo added the sdk/not-yet-supported Support for this does not exist in the upstream SDK at this time label Apr 20, 2021
@kaovd
Contributor Author

kaovd commented Apr 20, 2021

Just asked for a Go SDK release for this. Once it is done, we can move on.

Got an issue link?

@magodo
Collaborator

magodo commented Apr 20, 2021

@kaovd Unfortunately, this is driven by some internal infra. I've seen that the release request issue has already been created; it should be available in https://github.com/azure/azure-sdk-for-go soon. You can subscribe to the release notifications for that repo.

@kaovd
Contributor Author

kaovd commented Apr 22, 2021

Could this be it? @magodo - Looks promising on this release git diff Azure/azure-sdk-for-go@b7b1995
type AutomationRulesClientAPI is being defined.

@nescafe-gold

+1 this should make a world of difference to my organisation's workflow.

@magodo magodo removed the sdk/not-yet-supported Support for this does not exist in the upstream SDK at this time label Apr 28, 2021
katbyte pushed a commit that referenced this issue Oct 25, 2021
This PR implements a new sentinel resource called Automation Rule. This fixes: #10960.
@katbyte katbyte added this to the v2.83.0 milestone Oct 25, 2021
@github-actions

This functionality has been released in v2.83.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 28, 2021