
SecurityMonitoringRule

Provides a Datadog Security Monitoring Rule API resource. This can be used to create and manage Datadog security monitoring rules. To change the settings of a default rule, use `datadog_security_default_rule` instead.

Example Usage

using Pulumi;
using Datadog = Pulumi.Datadog;

// Stack that declares one Datadog security monitoring rule ("myrule") built
// from two count-by-host queries and a single "high" signal case.
class MyStack : Stack
{
    // Builds a count query grouped by host. The query's Name is what the
    // case Condition refers to ("errors" / "warnings" below).
    private static Datadog.Inputs.SecurityMonitoringRuleQueryArgs CountByHost(string name, string query)
    {
        return new Datadog.Inputs.SecurityMonitoringRuleQueryArgs
        {
            Aggregation = "count",
            GroupByFields = { "host" },
            Name = name,
            Query = query,
        };
    }

    public MyStack()
    {
        // One case: a "high" status signal when both query counts exceed
        // their thresholds; "@user" is the notification handle.
        var signalCase = new Datadog.Inputs.SecurityMonitoringRuleCaseArgs
        {
            Condition = "errors > 3 && warnings > 10",
            Notifications = { "@user" },
            Status = "high",
        };

        var rule = new Datadog.SecurityMonitoringRule("myrule", new Datadog.SecurityMonitoringRuleArgs
        {
            Name = "My rule",
            Message = "The rule has triggered.",
            Enabled = true,
            Cases = { signalCase },
            Queries =
            {
                CountByHost("errors", "status:error"),
                CountByHost("warnings", "status:warning"),
            },
            // NOTE(review): these look like durations in seconds — confirm against the provider docs.
            Options = new Datadog.Inputs.SecurityMonitoringRuleOptionsArgs
            {
                EvaluationWindow = 300,
                KeepAlive = 600,
                MaxSignalDuration = 900,
            },
            Tags = { "type:dos" },
        });
    }
}
package main

import (
    "github.com/pulumi/pulumi-datadog/sdk/v2/go/datadog"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

// main runs the Pulumi program: it declares one Datadog security monitoring
// rule ("myrule") made of two count-by-host queries and a single "high"
// signal case, and propagates any creation error to the Pulumi runtime.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// countByHost builds a count query grouped by host. The query name is
		// what the case condition below refers to ("errors" / "warnings").
		countByHost := func(name, query string) *datadog.SecurityMonitoringRuleQueryArgs {
			return &datadog.SecurityMonitoringRuleQueryArgs{
				Aggregation:   pulumi.String("count"),
				GroupByFields: pulumi.StringArray{pulumi.String("host")},
				Name:          pulumi.String(name),
				Query:         pulumi.String(query),
			}
		}

		// One case: a "high" status signal when both query counts exceed
		// their thresholds; "@user" is the notification handle.
		signalCase := &datadog.SecurityMonitoringRuleCaseArgs{
			Condition:     pulumi.String("errors > 3 && warnings > 10"),
			Notifications: pulumi.StringArray{pulumi.String("@user")},
			Status:        pulumi.String("high"),
		}

		_, err := datadog.NewSecurityMonitoringRule(ctx, "myrule", &datadog.SecurityMonitoringRuleArgs{
			Name:    pulumi.String("My rule"),
			Message: pulumi.String("The rule has triggered."),
			Enabled: pulumi.Bool(true),
			Cases:   datadog.SecurityMonitoringRuleCaseArray{signalCase},
			Queries: datadog.SecurityMonitoringRuleQueryArray{
				countByHost("errors", "status:error"),
				countByHost("warnings", "status:warning"),
			},
			// NOTE(review): these look like durations in seconds — confirm against the provider docs.
			Options: &datadog.SecurityMonitoringRuleOptionsArgs{
				EvaluationWindow:  pulumi.Int(300),
				KeepAlive:         pulumi.Int(600),
				MaxSignalDuration: pulumi.Int(900),
			},
			Tags: pulumi.StringArray{pulumi.String("type:dos")},
		})
		// err is nil on success, so returning it directly is the same as
		// the explicit if-err-return-nil pattern.
		return err
	})
}
import pulumi
import pulumi_datadog as datadog

# Two count queries grouped by host; the case condition refers to them by
# their ``name`` ("errors" / "warnings").
_count_by_host = [
    datadog.SecurityMonitoringRuleQueryArgs(
        aggregation="count",
        group_by_fields=["host"],
        name=query_name,
        query=query,
    )
    for query_name, query in (("errors", "status:error"), ("warnings", "status:warning"))
]

# One case: a "high" status signal when both query counts exceed their
# thresholds; "@user" is the notification handle.
_signal_case = datadog.SecurityMonitoringRuleCaseArgs(
    condition="errors > 3 && warnings > 10",
    notifications=["@user"],
    status="high",
)

# The rule resource itself, registered under the Pulumi name "myrule".
myrule = datadog.SecurityMonitoringRule(
    "myrule",
    name="My rule",
    message="The rule has triggered.",
    enabled=True,
    cases=[_signal_case],
    queries=_count_by_host,
    # NOTE(review): these look like durations in seconds — confirm against the provider docs.
    options=datadog.SecurityMonitoringRuleOptionsArgs(
        evaluation_window=300,
        keep_alive=600,
        max_signal_duration=900,
    ),
    tags=["type:dos"],
)
import * as pulumi from "@pulumi/pulumi";
import * as datadog from "@pulumi/datadog";

// Builds a count query grouped by host. The query `name` is what the case
// `condition` refers to ("errors" / "warnings").
const countByHost = (name: string, query: string) => ({
    aggregation: "count",
    groupByFields: ["host"],
    name,
    query,
});

// One case: a "high" status signal when both query counts exceed their
// thresholds; "@user" is the notification handle.
const signalCase = {
    condition: "errors > 3 && warnings > 10",
    notifications: ["@user"],
    status: "high",
};

// The rule resource itself, registered under the Pulumi name "myrule".
const myrule = new datadog.SecurityMonitoringRule("myrule", {
    name: "My rule",
    message: "The rule has triggered.",
    enabled: true,
    cases: [signalCase],
    queries: [
        countByHost("errors", "status:error"),
        countByHost("warnings", "status:warning"),
    ],
    // NOTE(review): these look like durations in seconds — confirm against the provider docs.
    options: {
        evaluationWindow: 300,
        keepAlive: 600,
        maxSignalDuration: 900,
    },
    tags: ["type:dos"],
});

Create a SecurityMonitoringRule Resource

new SecurityMonitoringRule(name: string, args: SecurityMonitoringRuleArgs, opts?: CustomResourceOptions);
def SecurityMonitoringRule(resource_name: str, opts: Optional[ResourceOptions] = None, cases: Optional[Sequence[SecurityMonitoringRuleCaseArgs]] = None, enabled: Optional[bool] = None, message: Optional[str] = None, name: Optional[str] = None, options: Optional[SecurityMonitoringRuleOptionsArgs] = None, queries: Optional[Sequence[SecurityMonitoringRuleQueryArgs]] = None, tags: Optional[Sequence[str]] = None)
func NewSecurityMonitoringRule(ctx *Context, name string, args SecurityMonitoringRuleArgs, opts ...ResourceOption) (*SecurityMonitoringRule, error)
public SecurityMonitoringRule(string name, SecurityMonitoringRuleArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args SecurityMonitoringRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
opts ResourceOptions
A bag of options that control this resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args SecurityMonitoringRuleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args SecurityMonitoringRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

SecurityMonitoringRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The SecurityMonitoringRule resource accepts the following input properties:

Cases List<SecurityMonitoringRuleCaseArgs>

Cases for generating signals.

Message string

Message for generated signals.

Name string

The name of the rule.

Queries List<SecurityMonitoringRuleQueryArgs>

Queries for selecting logs which are part of the rule.

Enabled bool

Whether the rule is enabled.

Options SecurityMonitoringRuleOptionsArgs

Options on rules.

Tags List<string>

Tags for generated signals.

Cases []SecurityMonitoringRuleCase

Cases for generating signals.

Message string

Message for generated signals.

Name string

The name of the rule.

Queries []SecurityMonitoringRuleQuery

Queries for selecting logs which are part of the rule.

Enabled bool

Whether the rule is enabled.

Options SecurityMonitoringRuleOptions

Options on rules.

Tags []string

Tags for generated signals.

cases SecurityMonitoringRuleCase[]

Cases for generating signals.

message string

Message for generated signals.

name string

The name of the rule.

queries SecurityMonitoringRuleQuery[]

Queries for selecting logs which are part of the rule.

enabled boolean

Whether the rule is enabled.

options SecurityMonitoringRuleOptions

Options on rules.

tags string[]

Tags for generated signals.

cases Sequence[SecurityMonitoringRuleCaseArgs]

Cases for generating signals.

message str

Message for generated signals.

name str

The name of the rule.

queries Sequence[SecurityMonitoringRuleQueryArgs]

Queries for selecting logs which are part of the rule.

enabled bool

Whether the rule is enabled.

options SecurityMonitoringRuleOptionsArgs

Options on rules.

tags Sequence[str]

Tags for generated signals.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecurityMonitoringRule resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.

Look up an Existing SecurityMonitoringRule Resource

Get an existing SecurityMonitoringRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecurityMonitoringRuleState, opts?: CustomResourceOptions): SecurityMonitoringRule
@staticmethod
def get(resource_name: str, id: str, opts: Optional[ResourceOptions] = None, cases: Optional[Sequence[SecurityMonitoringRuleCaseArgs]] = None, enabled: Optional[bool] = None, message: Optional[str] = None, name: Optional[str] = None, options: Optional[SecurityMonitoringRuleOptionsArgs] = None, queries: Optional[Sequence[SecurityMonitoringRuleQueryArgs]] = None, tags: Optional[Sequence[str]] = None) -> SecurityMonitoringRule
func GetSecurityMonitoringRule(ctx *Context, name string, id IDInput, state *SecurityMonitoringRuleState, opts ...ResourceOption) (*SecurityMonitoringRule, error)
public static SecurityMonitoringRule Get(string name, Input<string> id, SecurityMonitoringRuleState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

Cases List<SecurityMonitoringRuleCaseArgs>

Cases for generating signals.

Enabled bool

Whether the rule is enabled.

Message string

Message for generated signals.

Name string

The name of the rule.

Options SecurityMonitoringRuleOptionsArgs

Options on rules.

Queries List<SecurityMonitoringRuleQueryArgs>

Queries for selecting logs which are part of the rule.

Tags List<string>

Tags for generated signals.

Cases []SecurityMonitoringRuleCase

Cases for generating signals.

Enabled bool

Whether the rule is enabled.

Message string

Message for generated signals.

Name string

The name of the rule.

Options SecurityMonitoringRuleOptions

Options on rules.

Queries []SecurityMonitoringRuleQuery

Queries for selecting logs which are part of the rule.

Tags []string

Tags for generated signals.

cases SecurityMonitoringRuleCase[]

Cases for generating signals.

enabled boolean

Whether the rule is enabled.

message string

Message for generated signals.

name string

The name of the rule.

options SecurityMonitoringRuleOptions

Options on rules.

queries SecurityMonitoringRuleQuery[]

Queries for selecting logs which are part of the rule.

tags string[]

Tags for generated signals.

cases Sequence[SecurityMonitoringRuleCaseArgs]

Cases for generating signals.

enabled bool

Whether the rule is enabled.

message str

Message for generated signals.

name str

The name of the rule.

options SecurityMonitoringRuleOptionsArgs

Options on rules.

queries Sequence[SecurityMonitoringRuleQueryArgs]

Queries for selecting logs which are part of the rule.

tags Sequence[str]

Tags for generated signals.

Supporting Types

SecurityMonitoringRuleCase

Status string
Condition string
Name string
Notifications List<string>
Status string
Condition string
Name string
Notifications []string
status string
condition string
name string
notifications string[]
status str
condition str
name str
notifications Sequence[str]

SecurityMonitoringRuleOptions

SecurityMonitoringRuleQuery

Query string
Aggregation string
DistinctFields List<string>
GroupByFields List<string>
Metric string
Name string
Query string
Aggregation string
DistinctFields []string
GroupByFields []string
Metric string
Name string
query string
aggregation string
distinctFields string[]
groupByFields string[]
metric string
name string
query str
aggregation str
distinct_fields Sequence[str]
group_by_fields Sequence[str]
metric str
name str

Import

Security monitoring rules can be imported using their ID, e.g.:

 $ pulumi import datadog:index/securityMonitoringRule:SecurityMonitoringRule my_monitor m0o-hto-lkb

Package Details

Repository
https://github.com/pulumi/pulumi-datadog
License
Apache-2.0
Notes
This Pulumi package is based on the datadog Terraform Provider.