Hi
I’m trying to pull the version and techniques that are set on the Microsoft template, the thinking is I would have the latest version every time I deployed the script.
apart from alert_rule_template_version and techniques everything else works, but if someone has a better way to optimise the script I’m all ears, I would also like to grab the default entity mappings if that’s possible.
Thanks very much for taking your time and reading this.
data “azurerm_sentinel_alert_rule_template” “template_aad” {
for_each = toset(var.azure_sentinel_rule_template_scheduled_AAD_displaynames)
log_analytics_workspace_id = azurerm_log_analytics_solution.pc.workspace_resource_id
display_name = each.key
}
resource “azurerm_sentinel_alert_rule_scheduled” “rules_aad” {
for_each = toset(var.azure_sentinel_rule_template_scheduled_AAD_displaynames)
name = element(split(“/”, data.azurerm_sentinel_alert_rule_template.template_aad[each.key].id), length(split(“/”, data.azurerm_sentinel_alert_rule_template.template_aad[each.key].id))-1)
log_analytics_workspace_id = azurerm_log_analytics_solution.pc.workspace_resource_id
alert_rule_template_guid = element(split(“/”, data.azurerm_sentinel_alert_rule_template.template_aad[each.key].id), length(split(“/”, data.azurerm_sentinel_alert_rule_template.template_aad[each.key].id))-1)
display_name = each.key
description = data.azurerm_sentinel_alert_rule_template.template_aad[each.key].scheduled_template.0.description
severity = data.azurerm_sentinel_alert_rule_template.template_aad[each.key].scheduled_template.0.severity
query = data.azurerm_sentinel_alert_rule_template.template_aad[each.key].scheduled_template.0.query
query_frequency = data.azurerm_sentinel_alert_rule_template.template_aad[each.key].scheduled_template.0.query_frequency
query_period = data.azurerm_sentinel_alert_rule_template.template_aad[each.key].scheduled_template.0.query_period
tactics = data.azurerm_sentinel_alert_rule_template.template_aad[each.key].scheduled_template.0.tactics
trigger_operator = data.azurerm_sentinel_alert_rule_template.template_aad[each.key].scheduled_template.0.trigger_operator
trigger_threshold = data.azurerm_sentinel_alert_rule_template.template_aad[each.key].scheduled_template.0.trigger_threshold
these do not work as I would expect
techniques = data.azurerm_sentinel_alert_rule_template.template_aad[each.key].scheduled_template.0.techniques
alert_rule_template_version = data.azurerm_sentinel_alert_rule_template.template_aad[each.key].scheduled_template.alert_rule_template_version
}
variable “azure_sentinel_rule_template_scheduled_AAD_displaynames” {
description = “Displaynames for Azure Active Directory rules that want to applied”
default = [
“Modified domain federation trust settings”,
“First access credential added to Application or Service Principal where no credential was present”,
“Suspicious application consent similar to O365 Attack Toolkit”,
“Correlate Unfamiliar sign-in properties and atypical travel alerts”,
“Brute force attack against Azure Portal”,
“MFA disabled for a user”,
“Password spray attack against Azure AD application”,
“Rare application consent”,
“Credential added after admin consented to Application”,
“Mail.Read Permissions Granted to Application”,
“Sign-ins from IPs that attempt sign-ins to disabled accounts”,
“Successful logon from IP and failure from a different IP”,
“Explicit MFA Deny”,
“Failed AzureAD logons but success logon to host”,
“Anomalous sign-in location by user account and authenticating application”,
“Attempts to sign in to disabled accounts”,
“Distributed Password cracking attempts in AzureAD”,
“Anomalous login followed by Teams action”,
“User added to Azure Active Directory Privileged Groups”,
“Suspicious application consent similar to PwnAuth”,
“Failed host logons but success logon to AzureAD”,
“New access credential added to Application or Service Principal”,
“Suspicious application consent for offline access”,
“Failed login attempts to Azure Portal”,
“Azure Active Directory PowerShell accessing non-AAD resources”,
“Attempt to bypass conditional access rule in Azure AD”,
“NOBELIUM IOCs related to FoggyWeb backdoor”,
]
}