From d2a049b4a858561cc113f0834180b4e500ffa71e Mon Sep 17 00:00:00 2001
From: ziyeqf <51212351+ziyeqf@users.noreply.github.com>
Date: Sat, 12 Oct 2024 13:51:59 +0800
Subject: [PATCH 1/2] `azurerm_sentinel_alert_rule_anomaly_duplicate` - fix acctest

---
 ...rt_rule_anomaly_duplicate_resource_test.go | 58 ++++++++++++++-----
 1 file changed, 43 insertions(+), 15 deletions(-)

diff --git a/internal/services/sentinel/sentinel_alert_rule_anomaly_duplicate_resource_test.go b/internal/services/sentinel/sentinel_alert_rule_anomaly_duplicate_resource_test.go
index 19c6b15070d6..f176b607a9ad 100644
--- a/internal/services/sentinel/sentinel_alert_rule_anomaly_duplicate_resource_test.go
+++ b/internal/services/sentinel/sentinel_alert_rule_anomaly_duplicate_resource_test.go
@@ -76,18 +76,26 @@ func TestAccSentinelAlertRuleAnomalyDuplicate_requiresImport(t *testing.T) {
 })
 }
 
-func TestAccSentinelAlertRuleAnomalyDuplicate_withCustomObservation(t *testing.T) {
+func TestAccSentinelAlertRuleAnomalyDuplicate_ThresholdWithCustomObservation(t *testing.T) {
 data := acceptance.BuildTestData(t, "azurerm_sentinel_alert_rule_anomaly_duplicate", "test")
 r := SentinelAlertRuleAnomalyDuplicateResource{}
 
 data.ResourceTest(t, r, []acceptance.TestStep{
 {
+
 Config: r.basicWithThresholdObservation(data),
 Check: acceptance.ComposeTestCheckFunc(
 check.That(data.ResourceName).ExistsInAzure(r),
 ),
 },
 data.ImportStep(),
+})
+}
+
+func TestAccSentinelAlertRuleAnomalyDuplicate_MultiSelectWithCustomObservation(t *testing.T) {
+data := acceptance.BuildTestData(t, "azurerm_sentinel_alert_rule_anomaly_duplicate", "test")
+r := SentinelAlertRuleAnomalyDuplicateResource{}
+data.ResourceTest(t, r, []acceptance.TestStep{
 {
 Config: r.basicWithMultiSelectObservation(data),
 Check: acceptance.ComposeTestCheckFunc(
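Review bot: Splitting the observation cases into one `data.ResourceTest` each leaves no step in this hunk that exercises an update — `_ThresholdWithCustomObservation` now only applies `basicWithThresholdObservation`, checks `ExistsInAzure`, and imports, whereas the removed `_withCustomObservation` at least transitioned between several configs in one run (whether those transitions were in-place updates or replacements is not visible here). If observation values are updatable on this resource, consider adding a second step to the threshold test with a changed threshold value followed by another `data.ImportStep()`, so the Update path of the `*_observation` blocks keeps acceptance coverage, unless another test in this file already does that. The `_MultiSelectWithCustomObservation` function opened at the end of this hunk continues outside it.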
@@ -95,6 +103,13 @@ func TestAccSentinelAlertRuleAnomalyDuplicate_withCustomObservation(t *testing.T
 ),
 },
 data.ImportStep(),
+})
+}
+
+func TestAccSentinelAlertRuleAnomalyDuplicate_SingleSelectWithCustomObservation(t *testing.T) {
+data := acceptance.BuildTestData(t, "azurerm_sentinel_alert_rule_anomaly_duplicate", "test")
+r := SentinelAlertRuleAnomalyDuplicateResource{}
+data.ResourceTest(t, r, []acceptance.TestStep{
 {
 Config: r.basicWithSingleSelectObservation(data),
 Check: acceptance.ComposeTestCheckFunc(
@@ -102,6 +117,13 @@ func TestAccSentinelAlertRuleAnomalyDuplicate_withCustomObservation(t *testing.T
 ),
 },
 data.ImportStep(),
+})
+}
+
+func TestAccSentinelAlertRuleAnomalyDuplicate_PrioritizeExcludeWithCustomObservation(t *testing.T) {
+data := acceptance.BuildTestData(t, "azurerm_sentinel_alert_rule_anomaly_duplicate", "test")
+r := SentinelAlertRuleAnomalyDuplicateResource{}
+data.ResourceTest(t, r, []acceptance.TestStep{
 {
 Config: r.basicWithPrioritizeExcludeObservation(data),
 Check: acceptance.ComposeTestCheckFunc(
@@ -110,6 +132,7 @@ func TestAccSentinelAlertRuleAnomalyDuplicate_withCustomObservation(t *testing.T
 },
 data.ImportStep(),
 })
+
 }
 
 func (SentinelAlertRuleAnomalyDuplicateResource) basic(data acceptance.TestData) string {
@@ -118,7 +141,7 @@ func (SentinelAlertRuleAnomalyDuplicateResource) basic(data acceptance.TestData)
 
 data "azurerm_sentinel_alert_rule_anomaly" "test" {
 log_analytics_workspace_id = azurerm_sentinel_log_analytics_workspace_onboarding.test.workspace_id
- display_name = "Potential data staging"
+ display_name = "Anomalous Azure operations"
 }
 
 resource "azurerm_sentinel_alert_rule_anomaly_duplicate" "test" {
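Review bot: In the last hunk here, `basic` resolves the built-in rule through `data "azurerm_sentinel_alert_rule_anomaly"` by `display_name`, and the name is being swapped from "Potential data staging" to "Anomalous Azure operations" with nothing in the test recording that these titles belong to a Microsoft-managed template catalogue rather than to the provider — presumably the old name stopped resolving, given the "fix acctest" subject. A comment above the data block such as `// The built-in anomaly template is looked up by its display name; that catalogue is service-managed and entries can be renamed or retired, so a failure here usually means the pinned name is gone, not a provider regression.` would save the next maintainer the same diagnosis. This hunk sits inside the raw-string template returned by `basic`, whose function starts and ends outside it.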
@@ -162,19 +185,29 @@ func (SentinelAlertRuleAnomalyDuplicateResource) basicWithSingleSelectObservatio
 
 data "azurerm_sentinel_alert_rule_anomaly" "test" {
 log_analytics_workspace_id = azurerm_sentinel_log_analytics_workspace_onboarding.test.workspace_id
- display_name = "Unusual web traffic detected with IP in URL path"
+ display_name = "Anomalous W3CIIS logs activity"
 }
 
 resource "azurerm_sentinel_alert_rule_anomaly_duplicate" "test" {
- display_name = "acctest duplicate Unusual web traffic detected with IP in URL path"
+ display_name = "acctest duplicate Anomalous W3CIIS logs activity"
 log_analytics_workspace_id = azurerm_sentinel_log_analytics_workspace_onboarding.test.workspace_id
 built_in_rule_id = data.azurerm_sentinel_alert_rule_anomaly.test.id
 enabled = true
 mode = "Flighting"
 
 single_select_observation {
- name = "Device vendor"
- value = "Zscaler"
+ name = "Number of reasons for anomalous activity"
+ value = "1"
+ }
+
+ single_select_observation {
+ name = "Display anomalies for a specific top reason"
+ value = "None"
+ }
+
+ single_select_observation {
+ name = "Display anomalies for public, private, or all IPs"
+ value = "Public IPs"
 }
 }
 `, SecurityInsightsSentinelOnboardingStateResource{}.basic(data))
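Review bot: The three `single_select_observation` blocks pin observation names and option strings (`"1"`, `"None"`, `"Public IPs"`) of the "Anomalous W3CIIS logs activity" template, but nothing says where those strings come from, and `value = "1"` for "Number of reasons for anomalous activity" reads like a numeric threshold rather than a select option — worth confirming against the template that it really is a single-select, otherwise it belongs in a different observation block. A comment above the first block along the lines of `// Observation names and values are copied from the built-in template's single-select options and must match them exactly.` would document the coupling; the exact-match part is my assumption and should be verified against the API before it is written as fact. The enclosing `basicWithSingleSelectObservation` function starts and ends outside this hunk.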
@@ -209,24 +242,19 @@ func (SentinelAlertRuleAnomalyDuplicateResource) basicWithPrioritizeExcludeObser
 
 data "azurerm_sentinel_alert_rule_anomaly" "test" {
 log_analytics_workspace_id = azurerm_sentinel_log_analytics_workspace_onboarding.test.workspace_id
- display_name = "Anomalous web request activity"
+ display_name = "Potential domain generation algorithm (DGA) on next-level DNS Domains"
 }
 
 resource "azurerm_sentinel_alert_rule_anomaly_duplicate" "test" {
- display_name = "acctest duplicate Anomalous web request activity"
+ display_name = "acctest Potential domain generation algorithm (DGA) on next-level DNS Domains"
 log_analytics_workspace_id = azurerm_sentinel_log_analytics_workspace_onboarding.test.workspace_id
 built_in_rule_id = data.azurerm_sentinel_alert_rule_anomaly.test.id
 enabled = true
 mode = "Flighting"
 
 prioritized_exclude_observation {
- name = "Prioritize script suffixes of the URI stems"
- prioritize = ".asp, .aspx, .armx, .asax, .ashz"
- }
-
- prioritized_exclude_observation {
- name = "Exclude noisy URI stems"
- exclude = "test.com"
+ name = "Domain suffixes"
+ exclude = ".lan, .home, .test"
 }
 }

From 1b2fd04f57dabe7e3306ee40c1fba4ffa2c21026 Mon Sep 17 00:00:00 2001
From: ziyeqf <51212351+ziyeqf@users.noreply.github.com>
Date: Wed, 16 Oct 2024 09:43:16 +0800
Subject: [PATCH 2/2] update per comments

---
 ...inel_alert_rule_anomaly_duplicate_resource_test.go | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/internal/services/sentinel/sentinel_alert_rule_anomaly_duplicate_resource_test.go b/internal/services/sentinel/sentinel_alert_rule_anomaly_duplicate_resource_test.go
index f176b607a9ad..31c5e883381d 100644
--- a/internal/services/sentinel/sentinel_alert_rule_anomaly_duplicate_resource_test.go
+++ b/internal/services/sentinel/sentinel_alert_rule_anomaly_duplicate_resource_test.go
@@ -76,13 +76,12 @@ func TestAccSentinelAlertRuleAnomalyDuplicate_requiresImport(t *testing.T) {
 })
 }
 
-func TestAccSentinelAlertRuleAnomalyDuplicate_ThresholdWithCustomObservation(t *testing.T) {
+func TestAccSentinelAlertRuleAnomalyDuplicate_thresholdWithCustomObservation(t *testing.T) {
 data := acceptance.BuildTestData(t, "azurerm_sentinel_alert_rule_anomaly_duplicate", "test")
 r := SentinelAlertRuleAnomalyDuplicateResource{}
 
 data.ResourceTest(t, r, []acceptance.TestStep{
 {
-
 Config: r.basicWithThresholdObservation(data),
 Check: acceptance.ComposeTestCheckFunc(
 check.That(data.ResourceName).ExistsInAzure(r),
@@ -92,7 +91,7 @@ func TestAccSentinelAlertRuleAnomalyDuplicate_ThresholdWithCustomObservation(t *
 })
 }
 
-func TestAccSentinelAlertRuleAnomalyDuplicate_MultiSelectWithCustomObservation(t *testing.T) {
+func TestAccSentinelAlertRuleAnomalyDuplicate_multiSelectWithCustomObservation(t *testing.T) {
 data := acceptance.BuildTestData(t, "azurerm_sentinel_alert_rule_anomaly_duplicate", "test")
 r := SentinelAlertRuleAnomalyDuplicateResource{}
 data.ResourceTest(t, r, []acceptance.TestStep{
@@ -106,7 +105,7 @@ func TestAccSentinelAlertRuleAnomalyDuplicate_MultiSelectWithCustomObservation(t
 })
 }
 
-func TestAccSentinelAlertRuleAnomalyDuplicate_SingleSelectWithCustomObservation(t *testing.T) {
+func TestAccSentinelAlertRuleAnomalyDuplicate_singleSelectWithCustomObservation(t *testing.T) {
 data := acceptance.BuildTestData(t, "azurerm_sentinel_alert_rule_anomaly_duplicate", "test")
 r := SentinelAlertRuleAnomalyDuplicateResource{}
 data.ResourceTest(t, r, []acceptance.TestStep{
@@ -120,7 +119,7 @@ func TestAccSentinelAlertRuleAnomalyDuplicate_SingleSelectWithCustomObservation(
 })
 }
 
-func TestAccSentinelAlertRuleAnomalyDuplicate_PrioritizeExcludeWithCustomObservation(t *testing.T) {
+func TestAccSentinelAlertRuleAnomalyDuplicate_prioritizeExcludeWithCustomObservation(t *testing.T) {
 data := acceptance.BuildTestData(t, "azurerm_sentinel_alert_rule_anomaly_duplicate", "test")
 r := SentinelAlertRuleAnomalyDuplicateResource{}
 data.ResourceTest(t, r, []acceptance.TestStep{
@@ -132,7 +131,6 @@ func TestAccSentinelAlertRuleAnomalyDuplicate_PrioritizeExcludeWithCustomObserva
 },
 data.ImportStep(),
 })
-
 }
 
 func (SentinelAlertRuleAnomalyDuplicateResource) basic(data acceptance.TestData) string {
@@ -236,6 +234,7 @@ resource "azurerm_sentinel_alert_rule_anomaly_duplicate" "test" {
 }
 `, SecurityInsightsSentinelOnboardingStateResource{}.basic(data))
 }
+
 func (SentinelAlertRuleAnomalyDuplicateResource) basicWithPrioritizeExcludeObservation(data acceptance.TestData) string {
 return fmt.Sprintf(`
 %s