diff --git a/internal/services/sentinel/sentinel_alert_rule.go b/internal/services/sentinel/sentinel_alert_rule.go index 272ba444b19b..d9d96f1df729 100644 --- a/internal/services/sentinel/sentinel_alert_rule.go +++ b/internal/services/sentinel/sentinel_alert_rule.go @@ -268,6 +268,9 @@ func expandAlertRuleAlertDetailsOverride(input []interface{}) *securityinsight.A if v := b["tactics_column_name"]; v != "" { output.AlertTacticsColumnName = utils.String(v.(string)) } + if v := b["dynamic_property"]; v != nil && len(v.([]interface{})) > 0 { + output.AlertDynamicProperties = expandAlertRuleAlertDynamicProperties(v.([]interface{})) + } return output } @@ -297,16 +300,56 @@ func flattenAlertRuleAlertDetailsOverride(input *securityinsight.AlertDetailsOve tacticsColumnName = *input.AlertTacticsColumnName } + var dynamicProperties []interface{} + if input.AlertDynamicProperties != nil { + dynamicProperties = flattenAlertRuleAlertDynamicProperties(input.AlertDynamicProperties) + } + return []interface{}{ map[string]interface{}{ "description_format": descriptionFormat, "display_name_format": displayNameFormat, "severity_column_name": severityColumnName, "tactics_column_name": tacticsColumnName, + "dynamic_property": dynamicProperties, }, } } +func expandAlertRuleAlertDynamicProperties(input []interface{}) *[]securityinsight.AlertPropertyMapping { + if len(input) == 0 || input[0] == nil { + return nil + } + + var output []securityinsight.AlertPropertyMapping + + for _, v := range input { + b := v.(map[string]interface{}) + output = append(output, securityinsight.AlertPropertyMapping{ + AlertProperty: securityinsight.AlertProperty(b["name"].(string)), + Value: utils.String(b["value"].(string)), + }) + } + + return &output +} + +func flattenAlertRuleAlertDynamicProperties(input *[]securityinsight.AlertPropertyMapping) []interface{} { + output := make([]interface{}, 0) + if input == nil || len(*input) == 0 { + return output + } + + for _, i := range *input { + output = append(output, map[string]interface{}{ + "name": string(i.AlertProperty), + "value": i.Value, + }) + } + + return output +} + func expandAlertRuleEntityMapping(input []interface{}) *[]securityinsight.EntityMapping { if len(input) == 0 { return nil diff --git a/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go b/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go index eeeeb9a60498..05d2821e0043 100644 --- a/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go +++ b/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go @@ -6,6 +6,7 @@ import ( "time" "github.com/hashicorp/go-azure-sdk/resource-manager/operationalinsights/2020-08-01/workspaces" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-provider-azurerm/helpers/tf" "github.com/hashicorp/terraform-provider-azurerm/helpers/validate" "github.com/hashicorp/terraform-provider-azurerm/internal/clients" @@ -267,6 +268,35 @@ func resourceSentinelAlertRuleNrt() *pluginsdk.Resource { Optional: true, ValidateFunc: validation.StringIsNotEmpty, }, + "dynamic_property": { + Type: pluginsdk.TypeList, + Optional: true, + Elem: &pluginsdk.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: pluginsdk.TypeString, + Required: true, + ValidateFunc: validation.StringInSlice( + []string{ + string(securityinsight.AlertPropertyAlertLink), + string(securityinsight.AlertPropertyConfidenceLevel), + string(securityinsight.AlertPropertyConfidenceScore), + string(securityinsight.AlertPropertyExtendedLinks), + string(securityinsight.AlertPropertyProductComponentName), + string(securityinsight.AlertPropertyProductName), + string(securityinsight.AlertPropertyProviderName), + string(securityinsight.AlertPropertyRemediationSteps), + string(securityinsight.AlertPropertyTechniques), + }, false), + }, + "value": { + Type: pluginsdk.TypeString, + Required: true, + ValidateFunc: validation.StringIsNotEmpty, + }, + }, + }, + }, }, }, }, diff --git a/internal/services/sentinel/sentinel_alert_rule_nrt_resource_test.go b/internal/services/sentinel/sentinel_alert_rule_nrt_resource_test.go index e3d3244d7b7e..a55a467cb697 100644 --- a/internal/services/sentinel/sentinel_alert_rule_nrt_resource_test.go +++ b/internal/services/sentinel/sentinel_alert_rule_nrt_resource_test.go @@ -176,6 +176,10 @@ resource "azurerm_sentinel_alert_rule_nrt" "test" { display_name_format = "Suspicious activity was made by {{ComputerIP}}" severity_column_name = "Computer" tactics_column_name = "Computer" + dynamic_property { + name = "AlertLink" + value = "dcount_ResourceId" + } } entity_mapping { entity_type = "Host" diff --git a/internal/services/sentinel/sentinel_alert_rule_scheduled_resource.go b/internal/services/sentinel/sentinel_alert_rule_scheduled_resource.go index 18a0fdea0977..ba712ebfad2c 100644 --- a/internal/services/sentinel/sentinel_alert_rule_scheduled_resource.go +++ b/internal/services/sentinel/sentinel_alert_rule_scheduled_resource.go @@ -6,6 +6,7 @@ import ( "time" "github.com/hashicorp/go-azure-sdk/resource-manager/operationalinsights/2020-08-01/workspaces" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-provider-azurerm/helpers/tf" "github.com/hashicorp/terraform-provider-azurerm/helpers/validate" "github.com/hashicorp/terraform-provider-azurerm/internal/clients" @@ -328,6 +329,35 @@ func resourceSentinelAlertRuleScheduled() *pluginsdk.Resource { Optional: true, ValidateFunc: validation.StringIsNotEmpty, }, + "dynamic_property": { + Type: pluginsdk.TypeList, + Optional: true, + Elem: &pluginsdk.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: pluginsdk.TypeString, + Required: true, + ValidateFunc: validation.StringInSlice( + []string{ + string(securityinsight.AlertPropertyAlertLink), + string(securityinsight.AlertPropertyConfidenceLevel), + string(securityinsight.AlertPropertyConfidenceScore), + string(securityinsight.AlertPropertyExtendedLinks), + string(securityinsight.AlertPropertyProductComponentName), + string(securityinsight.AlertPropertyProductName), + string(securityinsight.AlertPropertyProviderName), + string(securityinsight.AlertPropertyRemediationSteps), + string(securityinsight.AlertPropertyTechniques), + }, false), + }, + "value": { + Type: pluginsdk.TypeString, + Required: true, + ValidateFunc: validation.StringIsNotEmpty, + }, + }, + }, + }, }, }, }, diff --git a/internal/services/sentinel/sentinel_alert_rule_scheduled_resource_test.go b/internal/services/sentinel/sentinel_alert_rule_scheduled_resource_test.go index 1305e632ae97..52f89971ad1b 100644 --- a/internal/services/sentinel/sentinel_alert_rule_scheduled_resource_test.go +++ b/internal/services/sentinel/sentinel_alert_rule_scheduled_resource_test.go @@ -202,6 +202,10 @@ resource "azurerm_sentinel_alert_rule_scheduled" "test" { display_name_format = "Suspicious activity was made by {{ComputerIP}}" severity_column_name = "Computer" tactics_column_name = "Computer" + dynamic_property { + name = "AlertLink" + value = "dcount_ResourceId" + } } entity_mapping { entity_type = "Host" diff --git a/website/docs/r/sentinel_alert_rule_nrt.html.markdown b/website/docs/r/sentinel_alert_rule_nrt.html.markdown index 4779e5b9015e..99b6ddee9250 100644 --- a/website/docs/r/sentinel_alert_rule_nrt.html.markdown +++ b/website/docs/r/sentinel_alert_rule_nrt.html.markdown @@ -108,6 +108,16 @@ An `alert_details_override` block supports the following: * `tactics_column_name` - (Optional) The column name to take the alert tactics from. +* `dynamic_property` - (Optional) A list of `dynamic_property` blocks as defined below. + +--- + +A `dynamic_property` block supports the following: + +* `name` - (Required) The name of the dynamic property. Possible Values are `AlertLink`, `ConfidenceLevel`, `ConfidenceScore`, `ExtendedLinks`, `ProductComponentName`, `ProductName`, `ProviderName`, `RemediationSteps` and `Techniques`. + +* `value` - (Required) The value of the dynamic property. Pssible Values are `Caller`, `dcount_ResourceId` and `EventSubmissionTimestamp`. + --- An `entity_mapping` block supports the following: diff --git a/website/docs/r/sentinel_alert_rule_scheduled.html.markdown b/website/docs/r/sentinel_alert_rule_scheduled.html.markdown index d9675052a9bc..908ff002ac5d 100644 --- a/website/docs/r/sentinel_alert_rule_scheduled.html.markdown +++ b/website/docs/r/sentinel_alert_rule_scheduled.html.markdown @@ -122,6 +122,16 @@ An `alert_details_override` block supports the following: * `tactics_column_name` - (Optional) The column name to take the alert tactics from. +* `dynamic_property` - (Optional) A list of `dynamic_property` blocks as defined below. + +--- + +A `dynamic_property` block supports the following: + +* `name` - (Required) The name of the dynamic property. Possible Values are `AlertLink`, `ConfidenceLevel`, `ConfidenceScore`, `ExtendedLinks`, `ProductComponentName`, `ProductName`, `ProviderName`, `RemediationSteps` and `Techniques`. + +* `value` - (Required) The value of the dynamic property. Pssible Values are `Caller`, `dcount_ResourceId` and `EventSubmissionTimestamp`. + --- An `entity_mapping` block supports the following: