SecurityInsights - Sentinel Scheduled Rules: support for entityMappings

[kaovd]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I'm putting an issue here as a Todo and currently as blocked. See Azure/azure-rest-api-specs#14078 as this has not yet been implemeneted within swagger.
https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview

Recently a new preview feature has come into the creation of Azure Sentinel Scheduled rules, whereby entities are now being defined in the alert Properties rather than in the query, whereby the traditional style was to include something in the query such as | extend AccountCustomEntity = AccountName is is now defined as:

entityMappings: [ {entityType: "Type", fieldMappings: [ {identifer: "Identifer", columnName: "columnName"} ] } 
]

in properties

The 2021-03-01-preview seems to currently be in heavy dev and does not have a single SecurityInsights.json full spec yet.

We may need a dedicated issue for the eventual 2021-03-01-preview migration if this is not backported. to 2019-01-01-preview, which is what current sentinel implementation is using.

New or Affected Resource(s)

• azurerm_sentinel_alert_rule_scheduled
• azurerm_sentinel_alert_rule_template_data_source (needs upgrade as a result for new property)

Potential Terraform Configuration

resource "azurerm_sentinel_alert_rule_scheduled" "example" {
  name                       = "example"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
  display_name               = "example"
  severity                   = "High"
  query                      = <<QUERY
AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
QUERY

  entity_mapping {
    entity_type = "AzureResource" //Create a mapping for a resource id
    field_mappings {
      identifier="ResourceId" //Static options
      column_name="ResourceId" //This is the field from within the query
    }
  }

  entity_mapping {
    entity_type = "Account" //Create a mapping for an Account
    field_mappings {
      identifier="UPNSuffix" //Static options
      column_name="Caller" //This is the field from within the query
    }
    field_mappings {
      identifier="SID" //Static options
      column_name="userSID" //This is the field from within the query (Not applicable in AzureActivity but just an example)
    }
  }

}

References

Azure/azure-rest-api-specs#14078
https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview

[kaovd]

It appears this change is now in, https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/AlertRules.json

See PR Azure/azure-rest-api-specs@61e7148

Pending coming down into Go SDK, Will test a bump to Scheduled rules to this new API Version which will enable entityMappings, customDetails. Also think some of the enums / terms in grouping changed.

[kaovd]

Service request now up Azure/azure-sdk-for-go#14800

[github-actions]

This functionality has been released in v3.0.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.