Docs
PackagesDatadog v4.27.0 published on Thursday, Mar 14, 2024 by Pulumi
datadog.SecurityMonitoringRule
Explore with Pulumi AI
Provides a Datadog Security Monitoring Rule API resource. This can be used to create and manage Datadog security monitoring rules. To change settings for a default rule use datadog_security_default_rule instead.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as datadog from "@pulumi/datadog";
const myrule = new datadog.SecurityMonitoringRule("myrule", {
cases: [{
condition: "errors > 3 && warnings > 10",
notifications: ["@user"],
status: "high",
}],
enabled: true,
message: "The rule has triggered.",
name: "My rule",
options: {
evaluationWindow: 300,
keepAlive: 600,
maxSignalDuration: 900,
},
queries: [
{
aggregation: "count",
groupByFields: ["host"],
name: "errors",
query: "status:error",
},
{
aggregation: "count",
groupByFields: ["host"],
name: "warnings",
query: "status:warning",
},
],
tags: ["type:dos"],
});
import pulumi
import pulumi_datadog as datadog
myrule = datadog.SecurityMonitoringRule("myrule",
cases=[datadog.SecurityMonitoringRuleCaseArgs(
condition="errors > 3 && warnings > 10",
notifications=["@user"],
status="high",
)],
enabled=True,
message="The rule has triggered.",
name="My rule",
options=datadog.SecurityMonitoringRuleOptionsArgs(
evaluation_window=300,
keep_alive=600,
max_signal_duration=900,
),
queries=[
datadog.SecurityMonitoringRuleQueryArgs(
aggregation="count",
group_by_fields=["host"],
name="errors",
query="status:error",
),
datadog.SecurityMonitoringRuleQueryArgs(
aggregation="count",
group_by_fields=["host"],
name="warnings",
query="status:warning",
),
],
tags=["type:dos"])
package main
import (
"github.com/pulumi/pulumi-datadog/sdk/v4/go/datadog"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := datadog.NewSecurityMonitoringRule(ctx, "myrule", &datadog.SecurityMonitoringRuleArgs{
Cases: datadog.SecurityMonitoringRuleCaseArray{
&datadog.SecurityMonitoringRuleCaseArgs{
Condition: pulumi.String("errors > 3 && warnings > 10"),
Notifications: pulumi.StringArray{
pulumi.String("@user"),
},
Status: pulumi.String("high"),
},
},
Enabled: pulumi.Bool(true),
Message: pulumi.String("The rule has triggered."),
Name: pulumi.String("My rule"),
Options: &datadog.SecurityMonitoringRuleOptionsArgs{
EvaluationWindow: pulumi.Int(300),
KeepAlive: pulumi.Int(600),
MaxSignalDuration: pulumi.Int(900),
},
Queries: datadog.SecurityMonitoringRuleQueryArray{
&datadog.SecurityMonitoringRuleQueryArgs{
Aggregation: pulumi.String("count"),
GroupByFields: pulumi.StringArray{
pulumi.String("host"),
},
Name: pulumi.String("errors"),
Query: pulumi.String("status:error"),
},
&datadog.SecurityMonitoringRuleQueryArgs{
Aggregation: pulumi.String("count"),
GroupByFields: pulumi.StringArray{
pulumi.String("host"),
},
Name: pulumi.String("warnings"),
Query: pulumi.String("status:warning"),
},
},
Tags: pulumi.StringArray{
pulumi.String("type:dos"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Datadog = Pulumi.Datadog;
return await Deployment.RunAsync(() =>
{
var myrule = new Datadog.SecurityMonitoringRule("myrule", new()
{
Cases = new[]
{
new Datadog.Inputs.SecurityMonitoringRuleCaseArgs
{
Condition = "errors > 3 && warnings > 10",
Notifications = new[]
{
"@user",
},
Status = "high",
},
},
Enabled = true,
Message = "The rule has triggered.",
Name = "My rule",
Options = new Datadog.Inputs.SecurityMonitoringRuleOptionsArgs
{
EvaluationWindow = 300,
KeepAlive = 600,
MaxSignalDuration = 900,
},
Queries = new[]
{
new Datadog.Inputs.SecurityMonitoringRuleQueryArgs
{
Aggregation = "count",
GroupByFields = new[]
{
"host",
},
Name = "errors",
Query = "status:error",
},
new Datadog.Inputs.SecurityMonitoringRuleQueryArgs
{
Aggregation = "count",
GroupByFields = new[]
{
"host",
},
Name = "warnings",
Query = "status:warning",
},
},
Tags = new[]
{
"type:dos",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.datadog.SecurityMonitoringRule;
import com.pulumi.datadog.SecurityMonitoringRuleArgs;
import com.pulumi.datadog.inputs.SecurityMonitoringRuleCaseArgs;
import com.pulumi.datadog.inputs.SecurityMonitoringRuleOptionsArgs;
import com.pulumi.datadog.inputs.SecurityMonitoringRuleQueryArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var myrule = new SecurityMonitoringRule("myrule", SecurityMonitoringRuleArgs.builder()
.cases(SecurityMonitoringRuleCaseArgs.builder()
.condition("errors > 3 && warnings > 10")
.notifications("@user")
.status("high")
.build())
.enabled(true)
.message("The rule has triggered.")
.name("My rule")
.options(SecurityMonitoringRuleOptionsArgs.builder()
.evaluationWindow(300)
.keepAlive(600)
.maxSignalDuration(900)
.build())
.queries(
SecurityMonitoringRuleQueryArgs.builder()
.aggregation("count")
.groupByFields("host")
.name("errors")
.query("status:error")
.build(),
SecurityMonitoringRuleQueryArgs.builder()
.aggregation("count")
.groupByFields("host")
.name("warnings")
.query("status:warning")
.build())
.tags("type:dos")
.build());
}
}
resources:
myrule:
type: datadog:SecurityMonitoringRule
properties:
cases:
- condition: errors > 3 && warnings > 10
notifications:
- '@user'
status: high
enabled: true
message: The rule has triggered.
name: My rule
options:
evaluationWindow: 300
keepAlive: 600
maxSignalDuration: 900
queries:
- aggregation: count
groupByFields:
- host
name: errors
query: status:error
- aggregation: count
groupByFields:
- host
name: warnings
query: status:warning
tags:
- type:dos
Create SecurityMonitoringRule Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SecurityMonitoringRule(name: string, args: SecurityMonitoringRuleArgs, opts?: CustomResourceOptions);@overload
def SecurityMonitoringRule(resource_name: str,
args: SecurityMonitoringRuleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def SecurityMonitoringRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
message: Optional[str] = None,
name: Optional[str] = None,
cases: Optional[Sequence[SecurityMonitoringRuleCaseArgs]] = None,
enabled: Optional[bool] = None,
filters: Optional[Sequence[SecurityMonitoringRuleFilterArgs]] = None,
has_extended_title: Optional[bool] = None,
options: Optional[SecurityMonitoringRuleOptionsArgs] = None,
queries: Optional[Sequence[SecurityMonitoringRuleQueryArgs]] = None,
signal_queries: Optional[Sequence[SecurityMonitoringRuleSignalQueryArgs]] = None,
tags: Optional[Sequence[str]] = None,
third_party_cases: Optional[Sequence[SecurityMonitoringRuleThirdPartyCaseArgs]] = None,
type: Optional[str] = None)func NewSecurityMonitoringRule(ctx *Context, name string, args SecurityMonitoringRuleArgs, opts ...ResourceOption) (*SecurityMonitoringRule, error)public SecurityMonitoringRule(string name, SecurityMonitoringRuleArgs args, CustomResourceOptions? opts = null)
public SecurityMonitoringRule(String name, SecurityMonitoringRuleArgs args)
public SecurityMonitoringRule(String name, SecurityMonitoringRuleArgs args, CustomResourceOptions options)
type: datadog:SecurityMonitoringRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SecurityMonitoringRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecurityMonitoringRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecurityMonitoringRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecurityMonitoringRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecurityMonitoringRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Example
The following reference example uses placeholder values for all input properties.
var securityMonitoringRuleResource = new Datadog.SecurityMonitoringRule("securityMonitoringRuleResource", new()
{
Message = "string",
Name = "string",
Cases = new[]
{
new Datadog.Inputs.SecurityMonitoringRuleCaseArgs
{
Status = "string",
Condition = "string",
Name = "string",
Notifications = new[]
{
"string",
},
},
},
Enabled = false,
Filters = new[]
{
new Datadog.Inputs.SecurityMonitoringRuleFilterArgs
{
Action = "string",
Query = "string",
},
},
HasExtendedTitle = false,
Options = new Datadog.Inputs.SecurityMonitoringRuleOptionsArgs
{
DecreaseCriticalityBasedOnEnv = false,
DetectionMethod = "string",
EvaluationWindow = 0,
ImpossibleTravelOptions = new Datadog.Inputs.SecurityMonitoringRuleOptionsImpossibleTravelOptionsArgs
{
BaselineUserLocations = false,
},
KeepAlive = 0,
MaxSignalDuration = 0,
NewValueOptions = new Datadog.Inputs.SecurityMonitoringRuleOptionsNewValueOptionsArgs
{
ForgetAfter = 0,
LearningDuration = 0,
LearningMethod = "string",
LearningThreshold = 0,
},
ThirdPartyRuleOptions = new Datadog.Inputs.SecurityMonitoringRuleOptionsThirdPartyRuleOptionsArgs
{
DefaultStatus = "string",
RootQueries = new[]
{
new Datadog.Inputs.SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQueryArgs
{
Query = "string",
GroupByFields = new[]
{
"string",
},
},
},
DefaultNotifications = new[]
{
"string",
},
SignalTitleTemplate = "string",
},
},
Queries = new[]
{
new Datadog.Inputs.SecurityMonitoringRuleQueryArgs
{
Query = "string",
Aggregation = "string",
DistinctFields = new[]
{
"string",
},
GroupByFields = new[]
{
"string",
},
Metrics = new[]
{
"string",
},
Name = "string",
},
},
SignalQueries = new[]
{
new Datadog.Inputs.SecurityMonitoringRuleSignalQueryArgs
{
RuleId = "string",
Aggregation = "string",
CorrelatedByFields = new[]
{
"string",
},
CorrelatedQueryIndex = "string",
DefaultRuleId = "string",
Name = "string",
},
},
Tags = new[]
{
"string",
},
ThirdPartyCases = new[]
{
new Datadog.Inputs.SecurityMonitoringRuleThirdPartyCaseArgs
{
Status = "string",
Name = "string",
Notifications = new[]
{
"string",
},
Query = "string",
},
},
Type = "string",
});
example, err := datadog.NewSecurityMonitoringRule(ctx, "securityMonitoringRuleResource", &datadog.SecurityMonitoringRuleArgs{
Message: pulumi.String("string"),
Name: pulumi.String("string"),
Cases: datadog.SecurityMonitoringRuleCaseArray{
&datadog.SecurityMonitoringRuleCaseArgs{
Status: pulumi.String("string"),
Condition: pulumi.String("string"),
Name: pulumi.String("string"),
Notifications: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Enabled: pulumi.Bool(false),
Filters: datadog.SecurityMonitoringRuleFilterArray{
&datadog.SecurityMonitoringRuleFilterArgs{
Action: pulumi.String("string"),
Query: pulumi.String("string"),
},
},
HasExtendedTitle: pulumi.Bool(false),
Options: &datadog.SecurityMonitoringRuleOptionsArgs{
DecreaseCriticalityBasedOnEnv: pulumi.Bool(false),
DetectionMethod: pulumi.String("string"),
EvaluationWindow: pulumi.Int(0),
ImpossibleTravelOptions: &datadog.SecurityMonitoringRuleOptionsImpossibleTravelOptionsArgs{
BaselineUserLocations: pulumi.Bool(false),
},
KeepAlive: pulumi.Int(0),
MaxSignalDuration: pulumi.Int(0),
NewValueOptions: &datadog.SecurityMonitoringRuleOptionsNewValueOptionsArgs{
ForgetAfter: pulumi.Int(0),
LearningDuration: pulumi.Int(0),
LearningMethod: pulumi.String("string"),
LearningThreshold: pulumi.Int(0),
},
ThirdPartyRuleOptions: &datadog.SecurityMonitoringRuleOptionsThirdPartyRuleOptionsArgs{
DefaultStatus: pulumi.String("string"),
RootQueries: datadog.SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQueryArray{
&datadog.SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQueryArgs{
Query: pulumi.String("string"),
GroupByFields: pulumi.StringArray{
pulumi.String("string"),
},
},
},
DefaultNotifications: pulumi.StringArray{
pulumi.String("string"),
},
SignalTitleTemplate: pulumi.String("string"),
},
},
Queries: datadog.SecurityMonitoringRuleQueryArray{
&datadog.SecurityMonitoringRuleQueryArgs{
Query: pulumi.String("string"),
Aggregation: pulumi.String("string"),
DistinctFields: pulumi.StringArray{
pulumi.String("string"),
},
GroupByFields: pulumi.StringArray{
pulumi.String("string"),
},
Metrics: pulumi.StringArray{
pulumi.String("string"),
},
Name: pulumi.String("string"),
},
},
SignalQueries: datadog.SecurityMonitoringRuleSignalQueryArray{
&datadog.SecurityMonitoringRuleSignalQueryArgs{
RuleId: pulumi.String("string"),
Aggregation: pulumi.String("string"),
CorrelatedByFields: pulumi.StringArray{
pulumi.String("string"),
},
CorrelatedQueryIndex: pulumi.String("string"),
DefaultRuleId: pulumi.String("string"),
Name: pulumi.String("string"),
},
},
Tags: pulumi.StringArray{
pulumi.String("string"),
},
ThirdPartyCases: datadog.SecurityMonitoringRuleThirdPartyCaseArray{
&datadog.SecurityMonitoringRuleThirdPartyCaseArgs{
Status: pulumi.String("string"),
Name: pulumi.String("string"),
Notifications: pulumi.StringArray{
pulumi.String("string"),
},
Query: pulumi.String("string"),
},
},
Type: pulumi.String("string"),
})
var securityMonitoringRuleResource = new SecurityMonitoringRule("securityMonitoringRuleResource", SecurityMonitoringRuleArgs.builder()
.message("string")
.name("string")
.cases(SecurityMonitoringRuleCaseArgs.builder()
.status("string")
.condition("string")
.name("string")
.notifications("string")
.build())
.enabled(false)
.filters(SecurityMonitoringRuleFilterArgs.builder()
.action("string")
.query("string")
.build())
.hasExtendedTitle(false)
.options(SecurityMonitoringRuleOptionsArgs.builder()
.decreaseCriticalityBasedOnEnv(false)
.detectionMethod("string")
.evaluationWindow(0)
.impossibleTravelOptions(SecurityMonitoringRuleOptionsImpossibleTravelOptionsArgs.builder()
.baselineUserLocations(false)
.build())
.keepAlive(0)
.maxSignalDuration(0)
.newValueOptions(SecurityMonitoringRuleOptionsNewValueOptionsArgs.builder()
.forgetAfter(0)
.learningDuration(0)
.learningMethod("string")
.learningThreshold(0)
.build())
.thirdPartyRuleOptions(SecurityMonitoringRuleOptionsThirdPartyRuleOptionsArgs.builder()
.defaultStatus("string")
.rootQueries(SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQueryArgs.builder()
.query("string")
.groupByFields("string")
.build())
.defaultNotifications("string")
.signalTitleTemplate("string")
.build())
.build())
.queries(SecurityMonitoringRuleQueryArgs.builder()
.query("string")
.aggregation("string")
.distinctFields("string")
.groupByFields("string")
.metrics("string")
.name("string")
.build())
.signalQueries(SecurityMonitoringRuleSignalQueryArgs.builder()
.ruleId("string")
.aggregation("string")
.correlatedByFields("string")
.correlatedQueryIndex("string")
.defaultRuleId("string")
.name("string")
.build())
.tags("string")
.thirdPartyCases(SecurityMonitoringRuleThirdPartyCaseArgs.builder()
.status("string")
.name("string")
.notifications("string")
.query("string")
.build())
.type("string")
.build());
security_monitoring_rule_resource = datadog.SecurityMonitoringRule("securityMonitoringRuleResource",
message="string",
name="string",
cases=[datadog.SecurityMonitoringRuleCaseArgs(
status="string",
condition="string",
name="string",
notifications=["string"],
)],
enabled=False,
filters=[datadog.SecurityMonitoringRuleFilterArgs(
action="string",
query="string",
)],
has_extended_title=False,
options=datadog.SecurityMonitoringRuleOptionsArgs(
decrease_criticality_based_on_env=False,
detection_method="string",
evaluation_window=0,
impossible_travel_options=datadog.SecurityMonitoringRuleOptionsImpossibleTravelOptionsArgs(
baseline_user_locations=False,
),
keep_alive=0,
max_signal_duration=0,
new_value_options=datadog.SecurityMonitoringRuleOptionsNewValueOptionsArgs(
forget_after=0,
learning_duration=0,
learning_method="string",
learning_threshold=0,
),
third_party_rule_options=datadog.SecurityMonitoringRuleOptionsThirdPartyRuleOptionsArgs(
default_status="string",
root_queries=[datadog.SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQueryArgs(
query="string",
group_by_fields=["string"],
)],
default_notifications=["string"],
signal_title_template="string",
),
),
queries=[datadog.SecurityMonitoringRuleQueryArgs(
query="string",
aggregation="string",
distinct_fields=["string"],
group_by_fields=["string"],
metrics=["string"],
name="string",
)],
signal_queries=[datadog.SecurityMonitoringRuleSignalQueryArgs(
rule_id="string",
aggregation="string",
correlated_by_fields=["string"],
correlated_query_index="string",
default_rule_id="string",
name="string",
)],
tags=["string"],
third_party_cases=[datadog.SecurityMonitoringRuleThirdPartyCaseArgs(
status="string",
name="string",
notifications=["string"],
query="string",
)],
type="string")
const securityMonitoringRuleResource = new datadog.SecurityMonitoringRule("securityMonitoringRuleResource", {
message: "string",
name: "string",
cases: [{
status: "string",
condition: "string",
name: "string",
notifications: ["string"],
}],
enabled: false,
filters: [{
action: "string",
query: "string",
}],
hasExtendedTitle: false,
options: {
decreaseCriticalityBasedOnEnv: false,
detectionMethod: "string",
evaluationWindow: 0,
impossibleTravelOptions: {
baselineUserLocations: false,
},
keepAlive: 0,
maxSignalDuration: 0,
newValueOptions: {
forgetAfter: 0,
learningDuration: 0,
learningMethod: "string",
learningThreshold: 0,
},
thirdPartyRuleOptions: {
defaultStatus: "string",
rootQueries: [{
query: "string",
groupByFields: ["string"],
}],
defaultNotifications: ["string"],
signalTitleTemplate: "string",
},
},
queries: [{
query: "string",
aggregation: "string",
distinctFields: ["string"],
groupByFields: ["string"],
metrics: ["string"],
name: "string",
}],
signalQueries: [{
ruleId: "string",
aggregation: "string",
correlatedByFields: ["string"],
correlatedQueryIndex: "string",
defaultRuleId: "string",
name: "string",
}],
tags: ["string"],
thirdPartyCases: [{
status: "string",
name: "string",
notifications: ["string"],
query: "string",
}],
type: "string",
});
type: datadog:SecurityMonitoringRule
properties:
cases:
- condition: string
name: string
notifications:
- string
status: string
enabled: false
filters:
- action: string
query: string
hasExtendedTitle: false
message: string
name: string
options:
decreaseCriticalityBasedOnEnv: false
detectionMethod: string
evaluationWindow: 0
impossibleTravelOptions:
baselineUserLocations: false
keepAlive: 0
maxSignalDuration: 0
newValueOptions:
forgetAfter: 0
learningDuration: 0
learningMethod: string
learningThreshold: 0
thirdPartyRuleOptions:
defaultNotifications:
- string
defaultStatus: string
rootQueries:
- groupByFields:
- string
query: string
signalTitleTemplate: string
queries:
- aggregation: string
distinctFields:
- string
groupByFields:
- string
metrics:
- string
name: string
query: string
signalQueries:
- aggregation: string
correlatedByFields:
- string
correlatedQueryIndex: string
defaultRuleId: string
name: string
ruleId: string
tags:
- string
thirdPartyCases:
- name: string
notifications:
- string
query: string
status: string
type: string
SecurityMonitoringRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The SecurityMonitoringRule resource accepts the following input properties:
- Message string
- Message for generated signals.
- Name string
- Name of the case.
- Cases
List<Security
Monitoring Rule Case> - Cases for generating signals.
- Enabled bool
- Whether the rule is enabled. Defaults to
true. - Filters
List<Security
Monitoring Rule Filter> - Additional queries to filter matched events before they are processed.
- Has
Extended boolTitle - Whether the notifications include the triggering group-by values in their title. Defaults to
false. - Options
Security
Monitoring Rule Options - Options on rules.
- Queries
List<Security
Monitoring Rule Query> - Query for selecting logs to apply the filtering action.
- Signal
Queries List<SecurityMonitoring Rule Signal Query> - Queries for selecting logs which are part of the rule.
- List<string>
- Tags for generated signals.
- Third
Party List<SecurityCases Monitoring Rule Third Party Case> - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- Type string
- The rule type. Valid values are
application_security,log_detection,workload_security,signal_correlation. Defaults to"log_detection".
- Message string
- Message for generated signals.
- Name string
- Name of the case.
- Cases
[]Security
Monitoring Rule Case Args - Cases for generating signals.
- Enabled bool
- Whether the rule is enabled. Defaults to
true. - Filters
[]Security
Monitoring Rule Filter Args - Additional queries to filter matched events before they are processed.
- Has
Extended boolTitle - Whether the notifications include the triggering group-by values in their title. Defaults to
false. - Options
Security
Monitoring Rule Options Args - Options on rules.
- Queries
[]Security
Monitoring Rule Query Args - Query for selecting logs to apply the filtering action.
- Signal
Queries []SecurityMonitoring Rule Signal Query Args - Queries for selecting logs which are part of the rule.
- []string
- Tags for generated signals.
- Third
Party []SecurityCases Monitoring Rule Third Party Case Args - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- Type string
- The rule type. Valid values are
application_security,log_detection,workload_security,signal_correlation. Defaults to"log_detection".
- message String
- Message for generated signals.
- name String
- Name of the case.
- cases
List<Security
Monitoring Rule Case> - Cases for generating signals.
- enabled Boolean
- Whether the rule is enabled. Defaults to
true. - filters
List<Security
Monitoring Rule Filter> - Additional queries to filter matched events before they are processed.
- has
Extended BooleanTitle - Whether the notifications include the triggering group-by values in their title. Defaults to
false. - options
Security
Monitoring Rule Options - Options on rules.
- queries
List<Security
Monitoring Rule Query> - Query for selecting logs to apply the filtering action.
- signal
Queries List<SecurityMonitoring Rule Signal Query> - Queries for selecting logs which are part of the rule.
- List<String>
- Tags for generated signals.
- third
Party List<SecurityCases Monitoring Rule Third Party Case> - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- type String
- The rule type. Valid values are
application_security,log_detection,workload_security,signal_correlation. Defaults to"log_detection".
- message string
- Message for generated signals.
- name string
- Name of the case.
- cases
Security
Monitoring Rule Case[] - Cases for generating signals.
- enabled boolean
- Whether the rule is enabled. Defaults to
true. - filters
Security
Monitoring Rule Filter[] - Additional queries to filter matched events before they are processed.
- has
Extended booleanTitle - Whether the notifications include the triggering group-by values in their title. Defaults to
false. - options
Security
Monitoring Rule Options - Options on rules.
- queries
Security
Monitoring Rule Query[] - Query for selecting logs to apply the filtering action.
- signal
Queries SecurityMonitoring Rule Signal Query[] - Queries for selecting logs which are part of the rule.
- string[]
- Tags for generated signals.
- third
Party SecurityCases Monitoring Rule Third Party Case[] - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- type string
- The rule type. Valid values are
application_security,log_detection,workload_security,signal_correlation. Defaults to"log_detection".
- message str
- Message for generated signals.
- name str
- Name of the case.
- cases
Sequence[Security
Monitoring Rule Case Args] - Cases for generating signals.
- enabled bool
- Whether the rule is enabled. Defaults to
true. - filters
Sequence[Security
Monitoring Rule Filter Args] - Additional queries to filter matched events before they are processed.
- has_
extended_ booltitle - Whether the notifications include the triggering group-by values in their title. Defaults to
false. - options
Security
Monitoring Rule Options Args - Options on rules.
- queries
Sequence[Security
Monitoring Rule Query Args] - Query for selecting logs to apply the filtering action.
- signal_
queries Sequence[SecurityMonitoring Rule Signal Query Args] - Queries for selecting logs which are part of the rule.
- Sequence[str]
- Tags for generated signals.
- third_
party_ Sequence[Securitycases Monitoring Rule Third Party Case Args] - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- type str
- The rule type. Valid values are
application_security,log_detection,workload_security,signal_correlation. Defaults to"log_detection".
- message String
- Message for generated signals.
- name String
- Name of the case.
- cases List<Property Map>
- Cases for generating signals.
- enabled Boolean
- Whether the rule is enabled. Defaults to
true. - filters List<Property Map>
- Additional queries to filter matched events before they are processed.
- has
Extended BooleanTitle - Whether the notifications include the triggering group-by values in their title. Defaults to
false. - options Property Map
- Options on rules.
- queries List<Property Map>
- Query for selecting logs to apply the filtering action.
- signal
Queries List<Property Map> - Queries for selecting logs which are part of the rule.
- List<String>
- Tags for generated signals.
- third
Party List<Property Map>Cases - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- type String
- The rule type. Valid values are
application_security,log_detection,workload_security,signal_correlation. Defaults to"log_detection".
Outputs
All input properties are implicitly available as output properties. Additionally, the SecurityMonitoringRule resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing SecurityMonitoringRule Resource
Get an existing SecurityMonitoringRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecurityMonitoringRuleState, opts?: CustomResourceOptions): SecurityMonitoringRule@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
cases: Optional[Sequence[SecurityMonitoringRuleCaseArgs]] = None,
enabled: Optional[bool] = None,
filters: Optional[Sequence[SecurityMonitoringRuleFilterArgs]] = None,
has_extended_title: Optional[bool] = None,
message: Optional[str] = None,
name: Optional[str] = None,
options: Optional[SecurityMonitoringRuleOptionsArgs] = None,
queries: Optional[Sequence[SecurityMonitoringRuleQueryArgs]] = None,
signal_queries: Optional[Sequence[SecurityMonitoringRuleSignalQueryArgs]] = None,
tags: Optional[Sequence[str]] = None,
third_party_cases: Optional[Sequence[SecurityMonitoringRuleThirdPartyCaseArgs]] = None,
type: Optional[str] = None) -> SecurityMonitoringRulefunc GetSecurityMonitoringRule(ctx *Context, name string, id IDInput, state *SecurityMonitoringRuleState, opts ...ResourceOption) (*SecurityMonitoringRule, error)public static SecurityMonitoringRule Get(string name, Input<string> id, SecurityMonitoringRuleState? state, CustomResourceOptions? opts = null)public static SecurityMonitoringRule get(String name, Output<String> id, SecurityMonitoringRuleState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Cases
List<Security
Monitoring Rule Case> - Cases for generating signals.
- Enabled bool
- Whether the rule is enabled. Defaults to
true. - Filters
List<Security
Monitoring Rule Filter> - Additional queries to filter matched events before they are processed.
- Has
Extended boolTitle - Whether the notifications include the triggering group-by values in their title. Defaults to
false. - Message string
- Message for generated signals.
- Name string
- Name of the case.
- Options
Security
Monitoring Rule Options - Options on rules.
- Queries
List<Security
Monitoring Rule Query> - Query for selecting logs to apply the filtering action.
- Signal
Queries List<SecurityMonitoring Rule Signal Query> - Queries for selecting logs which are part of the rule.
- List<string>
- Tags for generated signals.
- Third
Party List<SecurityCases Monitoring Rule Third Party Case> - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- Type string
- The rule type. Valid values are
application_security,log_detection,workload_security,signal_correlation. Defaults to"log_detection".
- Cases
[]Security
Monitoring Rule Case Args - Cases for generating signals.
- Enabled bool
- Whether the rule is enabled. Defaults to
true. - Filters
[]Security
Monitoring Rule Filter Args - Additional queries to filter matched events before they are processed.
- Has
Extended boolTitle - Whether the notifications include the triggering group-by values in their title. Defaults to
false. - Message string
- Message for generated signals.
- Name string
- Name of the case.
- Options
Security
Monitoring Rule Options Args - Options on rules.
- Queries
[]Security
Monitoring Rule Query Args - Query for selecting logs to apply the filtering action.
- Signal
Queries []SecurityMonitoring Rule Signal Query Args - Queries for selecting logs which are part of the rule.
- []string
- Tags for generated signals.
- Third
Party []SecurityCases Monitoring Rule Third Party Case Args - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- Type string
- The rule type. Valid values are
application_security,log_detection,workload_security,signal_correlation. Defaults to"log_detection".
- cases
List<Security
Monitoring Rule Case> - Cases for generating signals.
- enabled Boolean
- Whether the rule is enabled. Defaults to
true. - filters
List<Security
Monitoring Rule Filter> - Additional queries to filter matched events before they are processed.
- has
Extended BooleanTitle - Whether the notifications include the triggering group-by values in their title. Defaults to
false. - message String
- Message for generated signals.
- name String
- Name of the case.
- options
Security
Monitoring Rule Options - Options on rules.
- queries
List<Security
Monitoring Rule Query> - Query for selecting logs to apply the filtering action.
- signal
Queries List<SecurityMonitoring Rule Signal Query> - Queries for selecting logs which are part of the rule.
- List<String>
- Tags for generated signals.
- third
Party List<SecurityCases Monitoring Rule Third Party Case> - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- type String
- The rule type. Valid values are
application_security,log_detection,workload_security,signal_correlation. Defaults to"log_detection".
- cases
Security
Monitoring Rule Case[] - Cases for generating signals.
- enabled boolean
- Whether the rule is enabled. Defaults to
true. - filters
Security
Monitoring Rule Filter[] - Additional queries to filter matched events before they are processed.
- has
Extended booleanTitle - Whether the notifications include the triggering group-by values in their title. Defaults to
false. - message string
- Message for generated signals.
- name string
- Name of the case.
- options
Security
Monitoring Rule Options - Options on rules.
- queries
Security
Monitoring Rule Query[] - Query for selecting logs to apply the filtering action.
- signal
Queries SecurityMonitoring Rule Signal Query[] - Queries for selecting logs which are part of the rule.
- string[]
- Tags for generated signals.
- third
Party SecurityCases Monitoring Rule Third Party Case[] - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- type string
- The rule type. Valid values are
application_security,log_detection,workload_security,signal_correlation. Defaults to"log_detection".
- cases
Sequence[Security
Monitoring Rule Case Args] - Cases for generating signals.
- enabled bool
- Whether the rule is enabled. Defaults to
true. - filters
Sequence[Security
Monitoring Rule Filter Args] - Additional queries to filter matched events before they are processed.
- has_
extended_ booltitle - Whether the notifications include the triggering group-by values in their title. Defaults to
false. - message str
- Message for generated signals.
- name str
- Name of the case.
- options
Security
Monitoring Rule Options Args - Options on rules.
- queries
Sequence[Security
Monitoring Rule Query Args] - Query for selecting logs to apply the filtering action.
- signal_
queries Sequence[SecurityMonitoring Rule Signal Query Args] - Queries for selecting logs which are part of the rule.
- Sequence[str]
- Tags for generated signals.
- third_
party_ Sequence[Securitycases Monitoring Rule Third Party Case Args] - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- type str
- The rule type. Valid values are
application_security,log_detection,workload_security,signal_correlation. Defaults to"log_detection".
- cases List<Property Map>
- Cases for generating signals.
- enabled Boolean
- Whether the rule is enabled. Defaults to
true. - filters List<Property Map>
- Additional queries to filter matched events before they are processed.
- has
Extended BooleanTitle - Whether the notifications include the triggering group-by values in their title. Defaults to
false. - message String
- Message for generated signals.
- name String
- Name of the case.
- options Property Map
- Options on rules.
- queries List<Property Map>
- Query for selecting logs to apply the filtering action.
- signal
Queries List<Property Map> - Queries for selecting logs which are part of the rule.
- List<String>
- Tags for generated signals.
- third
Party List<Property Map>Cases - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- type String
- The rule type. Valid values are
application_security,log_detection,workload_security,signal_correlation. Defaults to"log_detection".
Supporting Types
SecurityMonitoringRuleCase, SecurityMonitoringRuleCaseArgs
- Status string
- Severity of the Security Signal. Valid values are
info,low,medium,high,critical. - Condition string
- A rule case contains logical operations (
>,>=,&&,||) to determine if a signal should be generated based on the event counts in the previously defined queries. - Name string
- Name of the case.
- Notifications List<string>
- Notification targets for each rule case.
- Status string
- Severity of the Security Signal. Valid values are
info,low,medium,high,critical. - Condition string
- A rule case contains logical operations (
>,>=,&&,||) to determine if a signal should be generated based on the event counts in the previously defined queries. - Name string
- Name of the case.
- Notifications []string
- Notification targets for each rule case.
- status String
- Severity of the Security Signal. Valid values are
info,low,medium,high,critical. - condition String
- A rule case contains logical operations (
>,>=,&&,||) to determine if a signal should be generated based on the event counts in the previously defined queries. - name String
- Name of the case.
- notifications List<String>
- Notification targets for each rule case.
- status string
- Severity of the Security Signal. Valid values are
info,low,medium,high,critical. - condition string
- A rule case contains logical operations (
>,>=,&&,||) to determine if a signal should be generated based on the event counts in the previously defined queries. - name string
- Name of the case.
- notifications string[]
- Notification targets for each rule case.
- status str
- Severity of the Security Signal. Valid values are
info,low,medium,high,critical. - condition str
- A rule case contains logical operations (
>,>=,&&,||) to determine if a signal should be generated based on the event counts in the previously defined queries. - name str
- Name of the case.
- notifications Sequence[str]
- Notification targets for each rule case.
- status String
- Severity of the Security Signal. Valid values are
info,low,medium,high,critical. - condition String
- A rule case contains logical operations (
>,>=,&&,||) to determine if a signal should be generated based on the event counts in the previously defined queries. - name String
- Name of the case.
- notifications List<String>
- Notification targets for each rule case.
SecurityMonitoringRuleFilter, SecurityMonitoringRuleFilterArgs
SecurityMonitoringRuleOptions, SecurityMonitoringRuleOptionsArgs
- Decrease
Criticality boolBased On Env - If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with
staging,test, ordev. Only available when the rule type islog_detection. Defaults tofalse. - Detection
Method string - The detection method. Valid values are
threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party. Defaults to"threshold". - Evaluation
Window int - A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are
0,60,300,600,900,1800,3600,7200. - Impossible
Travel SecurityOptions Monitoring Rule Options Impossible Travel Options - Options for rules using the impossible travel detection method.
- Keep
Alive int - Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are
0,60,300,600,900,1800,3600,7200,10800,21600. - Max
Signal intDuration - A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are
0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400. - New
Value SecurityOptions Monitoring Rule Options New Value Options - New value rules specific options.
- Third
Party SecurityRule Options Monitoring Rule Options Third Party Rule Options - Options for rules using the third-party detection method.
- Decrease
Criticality boolBased On Env - If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with
staging,test, ordev. Only available when the rule type islog_detection. Defaults tofalse. - Detection
Method string - The detection method. Valid values are
threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party. Defaults to"threshold". - Evaluation
Window int - A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are
0,60,300,600,900,1800,3600,7200. - Impossible
Travel SecurityOptions Monitoring Rule Options Impossible Travel Options - Options for rules using the impossible travel detection method.
- Keep
Alive int - Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are
0,60,300,600,900,1800,3600,7200,10800,21600. - Max
Signal intDuration - A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are
0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400. - New
Value SecurityOptions Monitoring Rule Options New Value Options - New value rules specific options.
- Third
Party SecurityRule Options Monitoring Rule Options Third Party Rule Options - Options for rules using the third-party detection method.
- decrease
Criticality BooleanBased On Env - If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with
staging,test, ordev. Only available when the rule type islog_detection. Defaults tofalse. - detection
Method String - The detection method. Valid values are
threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party. Defaults to"threshold". - evaluation
Window Integer - A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are
0,60,300,600,900,1800,3600,7200. - impossible
Travel SecurityOptions Monitoring Rule Options Impossible Travel Options - Options for rules using the impossible travel detection method.
- keep
Alive Integer - Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are
0,60,300,600,900,1800,3600,7200,10800,21600. - max
Signal IntegerDuration - A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are
0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400. - new
Value SecurityOptions Monitoring Rule Options New Value Options - New value rules specific options.
- third
Party SecurityRule Options Monitoring Rule Options Third Party Rule Options - Options for rules using the third-party detection method.
- decrease
Criticality booleanBased On Env - If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with
staging,test, ordev. Only available when the rule type islog_detection. Defaults tofalse. - detection
Method string - The detection method. Valid values are
threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party. Defaults to"threshold". - evaluation
Window number - A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are
0,60,300,600,900,1800,3600,7200. - impossible
Travel SecurityOptions Monitoring Rule Options Impossible Travel Options - Options for rules using the impossible travel detection method.
- keep
Alive number - Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are
0,60,300,600,900,1800,3600,7200,10800,21600. - max
Signal numberDuration - A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are
0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400. - new
Value SecurityOptions Monitoring Rule Options New Value Options - New value rules specific options.
- third
Party SecurityRule Options Monitoring Rule Options Third Party Rule Options - Options for rules using the third-party detection method.
- decrease_
criticality_ boolbased_ on_ env - If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with
staging,test, ordev. Only available when the rule type islog_detection. Defaults tofalse. - detection_
method str - The detection method. Valid values are
threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party. Defaults to"threshold". - evaluation_
window int - A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are
0,60,300,600,900,1800,3600,7200. - impossible_
travel_ Securityoptions Monitoring Rule Options Impossible Travel Options - Options for rules using the impossible travel detection method.
- keep_
alive int - Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are
0,60,300,600,900,1800,3600,7200,10800,21600. - max_
signal_ intduration - A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are
0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400. - new_
value_ Securityoptions Monitoring Rule Options New Value Options - New value rules specific options.
- third_
party_ Securityrule_ options Monitoring Rule Options Third Party Rule Options - Options for rules using the third-party detection method.
- decrease
Criticality BooleanBased On Env - If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with
staging,test, ordev. Only available when the rule type islog_detection. Defaults tofalse. - detection
Method String - The detection method. Valid values are
threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party. Defaults to"threshold". - evaluation
Window Number - A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are
0,60,300,600,900,1800,3600,7200. - impossible
Travel Property MapOptions - Options for rules using the impossible travel detection method.
- keep
Alive Number - Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are
0,60,300,600,900,1800,3600,7200,10800,21600. - max
Signal NumberDuration - A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are
0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400. - new
Value Property MapOptions - New value rules specific options.
- third
Party Property MapRule Options - Options for rules using the third-party detection method.
SecurityMonitoringRuleOptionsImpossibleTravelOptions, SecurityMonitoringRuleOptionsImpossibleTravelOptionsArgs
- Baseline
User boolLocations - If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access. Defaults to
false.
- Baseline
User boolLocations - If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access. Defaults to
false.
- baseline
User BooleanLocations - If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access. Defaults to
false.
- baseline
User booleanLocations - If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access. Defaults to
false.
- baseline_
user_ boollocations - If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access. Defaults to
false.
- baseline
User BooleanLocations - If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access. Defaults to
false.
SecurityMonitoringRuleOptionsNewValueOptions, SecurityMonitoringRuleOptionsNewValueOptionsArgs
- Forget
After int - The duration in days after which a learned value is forgotten. Valid values are
1,2,7,14,21,28. - Learning
Duration int - The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Valid values are
0,1,7. Defaults to1. - Learning
Method string - The learning method used to determine when signals should be generated for values that weren't learned. Valid values are
duration,threshold. Defaults to"duration". - Learning
Threshold int - A number of occurrences after which signals are generated for values that weren't learned. Valid values are
0,1. Defaults to0.
- Forget
After int - The duration in days after which a learned value is forgotten. Valid values are
1,2,7,14,21,28. - Learning
Duration int - The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Valid values are
0,1,7. Defaults to1. - Learning
Method string - The learning method used to determine when signals should be generated for values that weren't learned. Valid values are
duration,threshold. Defaults to"duration". - Learning
Threshold int - A number of occurrences after which signals are generated for values that weren't learned. Valid values are
0,1. Defaults to0.
- forget
After Integer - The duration in days after which a learned value is forgotten. Valid values are
1,2,7,14,21,28. - learning
Duration Integer - The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Valid values are
0,1,7. Defaults to1. - learning
Method String - The learning method used to determine when signals should be generated for values that weren't learned. Valid values are
duration,threshold. Defaults to"duration". - learning
Threshold Integer - A number of occurrences after which signals are generated for values that weren't learned. Valid values are
0,1. Defaults to0.
- forget
After number - The duration in days after which a learned value is forgotten. Valid values are
1,2,7,14,21,28. - learning
Duration number - The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Valid values are
0,1,7. Defaults to1. - learning
Method string - The learning method used to determine when signals should be generated for values that weren't learned. Valid values are
duration,threshold. Defaults to"duration". - learning
Threshold number - A number of occurrences after which signals are generated for values that weren't learned. Valid values are
0,1. Defaults to0.
- forget_
after int - The duration in days after which a learned value is forgotten. Valid values are
1,2,7,14,21,28. - learning_
duration int - The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Valid values are
0,1,7. Defaults to1. - learning_
method str - The learning method used to determine when signals should be generated for values that weren't learned. Valid values are
duration,threshold. Defaults to"duration". - learning_
threshold int - A number of occurrences after which signals are generated for values that weren't learned. Valid values are
0,1. Defaults to0.
- forget
After Number - The duration in days after which a learned value is forgotten. Valid values are
1,2,7,14,21,28. - learning
Duration Number - The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Valid values are
0,1,7. Defaults to1. - learning
Method String - The learning method used to determine when signals should be generated for values that weren't learned. Valid values are
duration,threshold. Defaults to"duration". - learning
Threshold Number - A number of occurrences after which signals are generated for values that weren't learned. Valid values are
0,1. Defaults to0.
SecurityMonitoringRuleOptionsThirdPartyRuleOptions, SecurityMonitoringRuleOptionsThirdPartyRuleOptionsArgs
- Default
Status string - Severity of the default rule case, when none of the third-party cases match. Valid values are
info,low,medium,high,critical. - Root
Queries List<SecurityMonitoring Rule Options Third Party Rule Options Root Query> - Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
- Default
Notifications List<string> - Notification targets for the default rule case, when none of the third-party cases match.
- Signal
Title stringTemplate - A template for the signal title; if omitted, the title is generated based on the case name.
- Default
Status string - Severity of the default rule case, when none of the third-party cases match. Valid values are
info,low,medium,high,critical. - Root
Queries []SecurityMonitoring Rule Options Third Party Rule Options Root Query - Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
- Default
Notifications []string - Notification targets for the default rule case, when none of the third-party cases match.
- Signal
Title stringTemplate - A template for the signal title; if omitted, the title is generated based on the case name.
- default
Status String - Severity of the default rule case, when none of the third-party cases match. Valid values are
info,low,medium,high,critical. - root
Queries List<SecurityMonitoring Rule Options Third Party Rule Options Root Query> - Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
- default
Notifications List<String> - Notification targets for the default rule case, when none of the third-party cases match.
- signal
Title StringTemplate - A template for the signal title; if omitted, the title is generated based on the case name.
- default
Status string - Severity of the default rule case, when none of the third-party cases match. Valid values are
info,low,medium,high,critical. - root
Queries SecurityMonitoring Rule Options Third Party Rule Options Root Query[] - Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
- default
Notifications string[] - Notification targets for the default rule case, when none of the third-party cases match.
- signal
Title stringTemplate - A template for the signal title; if omitted, the title is generated based on the case name.
- default_
status str - Severity of the default rule case, when none of the third-party cases match. Valid values are
info,low,medium,high,critical. - root_
queries Sequence[SecurityMonitoring Rule Options Third Party Rule Options Root Query] - Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
- default_
notifications Sequence[str] - Notification targets for the default rule case, when none of the third-party cases match.
- signal_
title_ strtemplate - A template for the signal title; if omitted, the title is generated based on the case name.
- default
Status String - Severity of the default rule case, when none of the third-party cases match. Valid values are
info,low,medium,high,critical. - root
Queries List<Property Map> - Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
- default
Notifications List<String> - Notification targets for the default rule case, when none of the third-party cases match.
- signal
Title StringTemplate - A template for the signal title; if omitted, the title is generated based on the case name.
SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQuery, SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQueryArgs
- Query string
- Query for selecting logs to apply the filtering action.
- Group
By List<string>Fields - Fields to group by. If empty, each log triggers a signal.
- Query string
- Query for selecting logs to apply the filtering action.
- Group
By []stringFields - Fields to group by. If empty, each log triggers a signal.
- query String
- Query for selecting logs to apply the filtering action.
- group
By List<String>Fields - Fields to group by. If empty, each log triggers a signal.
- query string
- Query for selecting logs to apply the filtering action.
- group
By string[]Fields - Fields to group by. If empty, each log triggers a signal.
- query str
- Query for selecting logs to apply the filtering action.
- group_
by_ Sequence[str]fields - Fields to group by. If empty, each log triggers a signal.
- query String
- Query for selecting logs to apply the filtering action.
- group
By List<String>Fields - Fields to group by. If empty, each log triggers a signal.
SecurityMonitoringRuleQuery, SecurityMonitoringRuleQueryArgs
- Query string
- Query to run on logs.
- Agent
Rules List<SecurityMonitoring Rule Query Agent Rule> - Deprecated. It won't be applied anymore. Deprecated.
agent_rulehas been deprecated in favor of new Agent Rule resource. - Aggregation string
- The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are
count,cardinality,sum,max,new_value,geo_data,event_count,none. Defaults to"count". - Distinct
Fields List<string> - Field for which the cardinality is measured. Sent as an array.
- Group
By List<string>Fields - Fields to group by.
- Metric string
- The target field to aggregate over when using the
sum,max, orgeo_dataaggregations. Deprecated. Configuremetricsinstead. This attribute will be removed in the next major version of the provider. - Metrics List<string>
- Group of target fields to aggregate over when using the
sum,max,geo_data, ornew_valueaggregations. Thesum,max, andgeo_dataaggregations only accept one value in this list, whereas thenew_valueaggregation accepts up to five values. - Name string
- Name of the query. Not compatible with
new_valueaggregations.
- Query string
- Query to run on logs.
- Agent
Rules []SecurityMonitoring Rule Query Agent Rule - Deprecated. It won't be applied anymore. Deprecated.
agent_rulehas been deprecated in favor of new Agent Rule resource. - Aggregation string
- The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are
count,cardinality,sum,max,new_value,geo_data,event_count,none. Defaults to"count". - Distinct
Fields []string - Field for which the cardinality is measured. Sent as an array.
- Group
By []stringFields - Fields to group by.
- Metric string
- The target field to aggregate over when using the
sum,max, orgeo_dataaggregations. Deprecated. Configuremetricsinstead. This attribute will be removed in the next major version of the provider. - Metrics []string
- Group of target fields to aggregate over when using the
sum,max,geo_data, ornew_valueaggregations. Thesum,max, andgeo_dataaggregations only accept one value in this list, whereas thenew_valueaggregation accepts up to five values. - Name string
- Name of the query. Not compatible with
new_valueaggregations.
- query String
- Query to run on logs.
- agent
Rules List<SecurityMonitoring Rule Query Agent Rule> - Deprecated. It won't be applied anymore. Deprecated.
agent_rulehas been deprecated in favor of new Agent Rule resource. - aggregation String
- The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are
count,cardinality,sum,max,new_value,geo_data,event_count,none. Defaults to"count". - distinct
Fields List<String> - Field for which the cardinality is measured. Sent as an array.
- group
By List<String>Fields - Fields to group by.
- metric String
- The target field to aggregate over when using the
sum,max, orgeo_dataaggregations. Deprecated. Configuremetricsinstead. This attribute will be removed in the next major version of the provider. - metrics List<String>
- Group of target fields to aggregate over when using the
sum,max,geo_data, ornew_valueaggregations. Thesum,max, andgeo_dataaggregations only accept one value in this list, whereas thenew_valueaggregation accepts up to five values. - name String
- Name of the query. Not compatible with
new_valueaggregations.
- query string
- Query to run on logs.
- agent
Rules SecurityMonitoring Rule Query Agent Rule[] - Deprecated. It won't be applied anymore. Deprecated.
agent_rulehas been deprecated in favor of new Agent Rule resource. - aggregation string
- The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are
count,cardinality,sum,max,new_value,geo_data,event_count,none. Defaults to"count". - distinct
Fields string[] - Field for which the cardinality is measured. Sent as an array.
- group
By string[]Fields - Fields to group by.
- metric string
- The target field to aggregate over when using the
sum,max, orgeo_dataaggregations. Deprecated. Configuremetricsinstead. This attribute will be removed in the next major version of the provider. - metrics string[]
- Group of target fields to aggregate over when using the
sum,max,geo_data, ornew_valueaggregations. Thesum,max, andgeo_dataaggregations only accept one value in this list, whereas thenew_valueaggregation accepts up to five values. - name string
- Name of the query. Not compatible with
new_valueaggregations.
- query str
- Query to run on logs.
- agent_
rules Sequence[SecurityMonitoring Rule Query Agent Rule] - Deprecated. It won't be applied anymore. Deprecated.
agent_rulehas been deprecated in favor of new Agent Rule resource. - aggregation str
- The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are
count,cardinality,sum,max,new_value,geo_data,event_count,none. Defaults to"count". - distinct_
fields Sequence[str] - Field for which the cardinality is measured. Sent as an array.
- group_
by_ Sequence[str]fields - Fields to group by.
- metric str
- The target field to aggregate over when using the
sum,max, orgeo_dataaggregations. Deprecated. Configuremetricsinstead. This attribute will be removed in the next major version of the provider. - metrics Sequence[str]
- Group of target fields to aggregate over when using the
sum,max,geo_data, ornew_valueaggregations. Thesum,max, andgeo_dataaggregations only accept one value in this list, whereas thenew_valueaggregation accepts up to five values. - name str
- Name of the query. Not compatible with
new_valueaggregations.
- query String
- Query to run on logs.
- agent
Rules List<Property Map> - Deprecated. It won't be applied anymore. Deprecated.
agent_rulehas been deprecated in favor of new Agent Rule resource. - aggregation String
- The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are
count,cardinality,sum,max,new_value,geo_data,event_count,none. Defaults to"count". - distinct
Fields List<String> - Field for which the cardinality is measured. Sent as an array.
- group
By List<String>Fields - Fields to group by.
- metric String
- The target field to aggregate over when using the
sum,max, orgeo_dataaggregations. Deprecated. Configuremetricsinstead. This attribute will be removed in the next major version of the provider. - metrics List<String>
- Group of target fields to aggregate over when using the
sum,max,geo_data, ornew_valueaggregations. Thesum,max, andgeo_dataaggregations only accept one value in this list, whereas thenew_valueaggregation accepts up to five values. - name String
- Name of the query. Not compatible with
new_valueaggregations.
SecurityMonitoringRuleQueryAgentRule, SecurityMonitoringRuleQueryAgentRuleArgs
- Agent
Rule stringId - Deprecated. It won't be applied anymore.
- Expression string
- Deprecated. It won't be applied anymore.
- Agent
Rule stringId - Deprecated. It won't be applied anymore.
- Expression string
- Deprecated. It won't be applied anymore.
- agent
Rule StringId - Deprecated. It won't be applied anymore.
- expression String
- Deprecated. It won't be applied anymore.
- agent
Rule stringId - Deprecated. It won't be applied anymore.
- expression string
- Deprecated. It won't be applied anymore.
- agent_
rule_ strid - Deprecated. It won't be applied anymore.
- expression str
- Deprecated. It won't be applied anymore.
- agent
Rule StringId - Deprecated. It won't be applied anymore.
- expression String
- Deprecated. It won't be applied anymore.
SecurityMonitoringRuleSignalQuery, SecurityMonitoringRuleSignalQueryArgs
- Rule
Id string - Rule ID of the signal to correlate.
- Aggregation string
- The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are
count,cardinality,sum,max,new_value,geo_data,event_count,none. Defaults to"event_count". - List<string>
- Fields to correlate by.
- string
- Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule. Defaults to
"". - Default
Rule stringId - Default Rule ID of the signal to correlate. This value is READ-ONLY.
- Name string
- Name of the query. Not compatible with
new_valueaggregations.
- Rule
Id string - Rule ID of the signal to correlate.
- Aggregation string
- The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are
count,cardinality,sum,max,new_value,geo_data,event_count,none. Defaults to"event_count". - []string
- Fields to correlate by.
- string
- Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule. Defaults to
"". - Default
Rule stringId - Default Rule ID of the signal to correlate. This value is READ-ONLY.
- Name string
- Name of the query. Not compatible with
new_valueaggregations.
- rule
Id String - Rule ID of the signal to correlate.
- aggregation String
- The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are
count,cardinality,sum,max,new_value,geo_data,event_count,none. Defaults to"event_count". - List<String>
- Fields to correlate by.
- String
- Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule. Defaults to
"". - default
Rule StringId - Default Rule ID of the signal to correlate. This value is READ-ONLY.
- name String
- Name of the query. Not compatible with
new_valueaggregations.
- rule
Id string - Rule ID of the signal to correlate.
- aggregation string
- The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are
count,cardinality,sum,max,new_value,geo_data,event_count,none. Defaults to"event_count". - string[]
- Fields to correlate by.
- string
- Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule. Defaults to
"". - default
Rule stringId - Default Rule ID of the signal to correlate. This value is READ-ONLY.
- name string
- Name of the query. Not compatible with
new_valueaggregations.
- rule_
id str - Rule ID of the signal to correlate.
- aggregation str
- The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are
count,cardinality,sum,max,new_value,geo_data,event_count,none. Defaults to"event_count". - Sequence[str]
- Fields to correlate by.
- str
- Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule. Defaults to
"". - default_
rule_ strid - Default Rule ID of the signal to correlate. This value is READ-ONLY.
- name str
- Name of the query. Not compatible with
new_valueaggregations.
- rule
Id String - Rule ID of the signal to correlate.
- aggregation String
- The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are
count,cardinality,sum,max,new_value,geo_data,event_count,none. Defaults to"event_count". - List<String>
- Fields to correlate by.
- String
- Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule. Defaults to
"". - default
Rule StringId - Default Rule ID of the signal to correlate. This value is READ-ONLY.
- name String
- Name of the query. Not compatible with
new_valueaggregations.
SecurityMonitoringRuleThirdPartyCase, SecurityMonitoringRuleThirdPartyCaseArgs
- Status string
- Severity of the Security Signal. Valid values are
info,low,medium,high,critical. - Name string
- Name of the case.
- Notifications List<string>
- Notification targets for each rule case.
- Query string
- A query to associate a third-party event to this case.
- Status string
- Severity of the Security Signal. Valid values are
info,low,medium,high,critical. - Name string
- Name of the case.
- Notifications []string
- Notification targets for each rule case.
- Query string
- A query to associate a third-party event to this case.
- status String
- Severity of the Security Signal. Valid values are
info,low,medium,high,critical. - name String
- Name of the case.
- notifications List<String>
- Notification targets for each rule case.
- query String
- A query to associate a third-party event to this case.
- status string
- Severity of the Security Signal. Valid values are
info,low,medium,high,critical. - name string
- Name of the case.
- notifications string[]
- Notification targets for each rule case.
- query string
- A query to associate a third-party event to this case.
- status str
- Severity of the Security Signal. Valid values are
info,low,medium,high,critical. - name str
- Name of the case.
- notifications Sequence[str]
- Notification targets for each rule case.
- query str
- A query to associate a third-party event to this case.
- status String
- Severity of the Security Signal. Valid values are
info,low,medium,high,critical. - name String
- Name of the case.
- notifications List<String>
- Notification targets for each rule case.
- query String
- A query to associate a third-party event to this case.
Import
Security monitoring rules can be imported using ID, e.g.
$ pulumi import datadog:index/securityMonitoringRule:SecurityMonitoringRule my_rule m0o-hto-lkb
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Datadog pulumi/pulumi-datadog
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
datadogTerraform Provider.