azure_sentinel_alert_rules Resource

[edit on GitHub]

Use the azure_sentinel_alert_rules Chef InSpec audit resource to test properties of an Azure Sentinel alert rule for a resource group or the entire subscription.

For additional information, see the Azure Sentinel Alert Rules API documentation.

Azure REST API Version, Endpoint, and HTTP Client Parameters

This resource interacts with API versions supported by the resource provider. The api_version can be defined as a resource parameter. If not provided, this resource uses the latest version. For more information, refer to the azure_generic_resource document.

Unless defined, this resource uses the azure_cloud global endpoint and default values for the HTTP client. For more information, refer to the resource pack README.

Installation

This resource is available in the Chef InSpec Azure resource pack.

See the Chef InSpec documentation on cloud platforms for information on configuring your Azure environment for InSpec and creating an InSpec profile that uses the InSpec Azure resource pack.

Syntax

An azure_sentinel_alert_rules resource block returns all Azure Sentinel alerts rules, either within a Resource Group (if provided), or within an entire Subscription.

describe azure_sentinel_alert_rules(resource_group: 'RESOURCE_GROUP', workspace_name: 'WORKSPACE_NAME') do
  #...
end

Parameters

resource_group (required): The name of the resource group.
workspace_name (required): The name of the workspace.

Properties

names: A list of the unique resource names.; Field: name
ids: A list of alert_rule IDs .; Field: id
properties: A list of properties for the resource.; Field: properties
types: A list of types for each resource.; Field: type
severities: The list of severity for alerts created by this alert rule.; Field: severity
displayNames: The List of display name for alerts created by this alert rule.; Field: displayName
enableds: The list of flags which Determines whether this alert rule is enabled or disabled.; Field: enabled
kinds: The alert rule kind.; Field: kind
alertRuleTemplateNames: The Name of the alert rule template used to create this rule.; Field: alertRuleTemplateName

Note

See the documentation on FilterTable for information on using filter criteria on plural resources.

Examples

Test if properties match.

describe azure_sentinel_alert_rules(resource_group: resource_group, workspace_name: workspace_name) do
  its('names') { should include 'BuiltInFusion' }
  its('types') { should include 'Microsoft.SecurityInsights/alertRules' }
  its('kinds') { should include 'Fusion' }
  its('severities') { should include 'High' }
  its('enableds') { should include true }
  its('displayNames') { should include 'Advanced Multistage Attack Detection' }
  its('alertRuleTemplateNames') { should include 'f71aba3d-28fb-450b-b192-4e76a83015c8' }
end

Test if any alert rules exist in the resource group.

describe azure_sentinel_alert_rules(resource_group: 'RESOURCE_GROUP', workspace_name: 'WORKSPACE_NAME') do
  it { should exist }
end

Test that there aren’t any alert rules in a resource group.

describe azure_sentinel_alert_rules(resource_group: 'RESOURCE_GROUP', workspace_name: 'WORKSPACE_NAME') do
  it { should_not exist }
end

Azure Permissions

Your Service Principal must be set up with at least a contributor role on the subscription you wish to test.

Was this page helpful?