diff --git a/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go b/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go
index ce9c09cd8404..9163aa56c071 100644
--- a/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go
+++ b/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go
@@ -119,6 +119,15 @@ func resourceSentinelAlertRuleNrt() *pluginsdk.Resource {
 				},
 			},
 
+			"techniques": {
+				Type: pluginsdk.TypeSet,
+				Optional: true,
+				Elem: &pluginsdk.Schema{
+					Type: pluginsdk.TypeString,
+					ValidateFunc: validation.StringIsNotEmpty,
+				},
+			},
+
 			"incident": {
 				Type: pluginsdk.TypeList,
 				Optional: true,
@@ -341,6 +350,7 @@ func resourceSentinelAlertRuleNrtCreateUpdate(d *pluginsdk.ResourceData, meta in
 			NrtAlertRuleProperties: &securityinsight.NrtAlertRuleProperties{
 				Description: utils.String(d.Get("description").(string)),
 				DisplayName: utils.String(d.Get("display_name").(string)),
+				Techniques: expandAlertRuleTechnicals(d.Get("techniques").(*pluginsdk.Set).List()),
 				Tactics: expandAlertRuleTactics(d.Get("tactics").(*pluginsdk.Set).List()),
 				IncidentConfiguration: expandAlertRuleIncidentConfiguration(d.Get("incident").([]interface{}), "create_incident_enabled", false),
 				Severity: securityinsight.AlertSeverity(d.Get("severity").(string)),
@@ -426,6 +436,9 @@ func resourceSentinelAlertRuleNrtRead(d *pluginsdk.ResourceData, meta interface{
 		if err := d.Set("tactics", flattenAlertRuleTactics(prop.Tactics)); err != nil {
 			return fmt.Errorf("setting `tactics`: %+v", err)
 		}
+		if err := d.Set("techniques", prop.Techniques); err != nil {
+			return fmt.Errorf("setting `techniques`: %+v", err)
+		}
 		if err := d.Set("incident", flattenAlertRuleIncidentConfiguration(prop.IncidentConfiguration, "create_incident_enabled", false)); err != nil {
 			return fmt.Errorf("setting `incident`: %+v", err)
 		}
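Review bot: The `techniques` element in the schema hunk is validated only with `validation.StringIsNotEmpty`, so any non-empty string passes plan and a malformed value is rejected only by the service at apply time, after the rest of the rule has already been submitted. The test config on this page uses ATT&CK technique IDs (`T1560`, `T1123`); if that is the only form the API accepts, a format check such as `ValidateFunc: validation.StringMatch(regexp.MustCompile("^T[0-9]{4}(\\.[0-9]{3})?$"), "must be a MITRE ATT&CK technique ID such as T1560")` would catch typos at plan time and make the set's element hashing predictable (the set keys on the raw string, so `t1560` and `T1560` would otherwise be two distinct elements). Worth confirming against the service before tightening, since the sibling `tactics` attribute is documented with a fixed enum and this attribute may be expected to match that strictness. The body of resourceSentinelAlertRuleNrt continues outside the hunk.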
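Review bot: In the CreateUpdate hunk the helper is called `expandAlertRuleTechnicals`, which reads as a typo next to `expandAlertRuleTactics` on the following line and will not be found by anyone grepping for `techniques`; it is presumably defined in a shared sentinel file outside this diff, so the rename to `expandAlertRuleTechniques` would need to land there and in every caller. Since the attribute is Optional without Computed, the set is expanded and sent on every update even when empty; if the helper returns an empty slice in that case (as I would expect from its tactics sibling), that is what clears techniques server-side, and a comment such as `// an empty set is sent deliberately so an update can clear techniques` would save the next reader from wondering whether a nil guard is missing. resourceSentinelAlertRuleNrtCreateUpdate starts and ends outside the hunk.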
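Review bot: In the Read hunk `prop.Techniques` is passed to `d.Set` as-is, whereas the neighbouring `tactics` line goes through `flattenAlertRuleTactics`; if `Techniques` is a `*[]string` like the other slice fields on this SDK type, the call relies on the plugin SDK dereferencing the pointer, and a nil pointer from the API reaches state differently from an empty set. For symmetry with the rest of this Read function and to normalise nil to an empty list before it hits state, `d.Set("techniques", utils.FlattenStringSlice(prop.Techniques))` would do it with the `utils` package this file already imports (confirm that helper is available in this package). resourceSentinelAlertRuleNrtRead continues outside the hunk.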
diff --git a/internal/services/sentinel/sentinel_alert_rule_nrt_resource_test.go b/internal/services/sentinel/sentinel_alert_rule_nrt_resource_test.go
index f8f55c5d72f9..ce0e824758a6 100644
--- a/internal/services/sentinel/sentinel_alert_rule_nrt_resource_test.go
+++ b/internal/services/sentinel/sentinel_alert_rule_nrt_resource_test.go
@@ -153,6 +153,7 @@ resource "azurerm_sentinel_alert_rule_nrt" "test" {
   display_name = "Complete Rule"
   description = "Some Description"
   tactics = ["Collection", "CommandAndControl"]
+  techniques = ["T1560", "T1123"]
   severity = "Low"
   enabled = false
   incident {
diff --git a/website/docs/r/sentinel_alert_rule_nrt.html.markdown b/website/docs/r/sentinel_alert_rule_nrt.html.markdown
index 8816d055f9c5..98a4a0d20d29 100644
--- a/website/docs/r/sentinel_alert_rule_nrt.html.markdown
+++ b/website/docs/r/sentinel_alert_rule_nrt.html.markdown
@@ -94,6 +94,8 @@ The following arguments are supported:
 
 * `tactics` - (Optional) A list of categories of attacks by which to classify the rule. Possible values are `Collection`, `CommandAndControl`, `CredentialAccess`, `DefenseEvasion`, `Discovery`, `Execution`, `Exfiltration`, `Impact`, `InitialAccess`, `LateralMovement`, `Persistence` and `PrivilegeEscalation`.
 
+* `techniques` - (Optional) A list of techniques of attacks by which to classify the rule.
+
 ---
 
 An `alert_details_override` block supports the following: