The azure-native:securityinsights:FusionAlertRule resource, part of the Pulumi Azure Native provider, defines a Fusion alert rule in Microsoft Sentinel that uses machine learning to correlate signals and detect multi-stage attacks. This guide focuses on one capability: activating Fusion rules from built-in templates.
Fusion rules belong to a Microsoft Sentinel workspace and reference alert rule templates that define detection logic. The example is intentionally minimal. Extend it with source settings, scenario exclusions, and automation rules for production deployments.
## Enable a Fusion alert rule from a template
Security teams deploy Fusion rules to detect multi-stage attacks by correlating signals across data sources using machine learning.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Activate a built-in Fusion template in an existing Sentinel workspace.
const fusionAlertRule = new azure_native.securityinsights.FusionAlertRule("fusionAlertRule", {
    alertRuleTemplateName: "f71aba3d-28fb-450b-b192-4e76a83015c8",
    enabled: true,
    kind: "Fusion",
    resourceGroupName: "myRg",
    ruleId: "myFirstFusionRule",
    workspaceName: "myWorkspace",
});
```
```python
import pulumi
import pulumi_azure_native as azure_native

# Activate a built-in Fusion template in an existing Sentinel workspace.
fusion_alert_rule = azure_native.securityinsights.FusionAlertRule("fusionAlertRule",
    alert_rule_template_name="f71aba3d-28fb-450b-b192-4e76a83015c8",
    enabled=True,
    kind="Fusion",
    resource_group_name="myRg",
    rule_id="myFirstFusionRule",
    workspace_name="myWorkspace")
```
```go
package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Activate a built-in Fusion template in an existing Sentinel workspace.
		_, err := securityinsights.NewFusionAlertRule(ctx, "fusionAlertRule", &securityinsights.FusionAlertRuleArgs{
			AlertRuleTemplateName: pulumi.String("f71aba3d-28fb-450b-b192-4e76a83015c8"),
			Enabled:               pulumi.Bool(true),
			Kind:                  pulumi.String("Fusion"),
			ResourceGroupName:     pulumi.String("myRg"),
			RuleId:                pulumi.String("myFirstFusionRule"),
			WorkspaceName:         pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    // Activate a built-in Fusion template in an existing Sentinel workspace.
    var fusionAlertRule = new AzureNative.SecurityInsights.FusionAlertRule("fusionAlertRule", new()
    {
        AlertRuleTemplateName = "f71aba3d-28fb-450b-b192-4e76a83015c8",
        Enabled = true,
        Kind = "Fusion",
        ResourceGroupName = "myRg",
        RuleId = "myFirstFusionRule",
        WorkspaceName = "myWorkspace",
    });
});
```
```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.FusionAlertRule;
import com.pulumi.azurenative.securityinsights.FusionAlertRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Activate a built-in Fusion template in an existing Sentinel workspace.
        var fusionAlertRule = new FusionAlertRule("fusionAlertRule", FusionAlertRuleArgs.builder()
            .alertRuleTemplateName("f71aba3d-28fb-450b-b192-4e76a83015c8")
            .enabled(true)
            .kind("Fusion")
            .resourceGroupName("myRg")
            .ruleId("myFirstFusionRule")
            .workspaceName("myWorkspace")
            .build());
    }
}
```
```yaml
resources:
  fusionAlertRule:
    type: azure-native:securityinsights:FusionAlertRule
    properties:
      alertRuleTemplateName: f71aba3d-28fb-450b-b192-4e76a83015c8
      enabled: true
      kind: Fusion
      resourceGroupName: myRg
      ruleId: myFirstFusionRule
      workspaceName: myWorkspace
```
When enabled, the rule continuously analyzes alerts from connected data sources, applying the detection logic defined in the template. The `alertRuleTemplateName` property references a built-in Fusion template (identified by GUID), and the `enabled` property controls whether detection is active. The `kind` property must be set to "Fusion" to indicate this rule type. The `workspaceName` and `resourceGroupName` properties place the rule in your Sentinel workspace.
## Beyond these examples
This snippet focuses on Fusion rule activation from templates. It’s intentionally minimal rather than a full threat detection deployment.
The example references pre-existing infrastructure such as a Microsoft Sentinel workspace, Azure resource group, and Fusion alert rule templates. It focuses on configuring the rule rather than provisioning the workspace or data connectors.
To keep things focused, common Fusion patterns are omitted, including:
- Source settings and scenario exclusions (sourceSettings, scenarioExclusionPatterns)
- Custom severity and tactic configuration
- Alert grouping and automation rules
- Incident creation settings
These omissions are intentional: the goal is to illustrate how the Fusion rule is wired, not to provide a drop-in security operations module. See the FusionAlertRule resource reference for all available configuration options.
## Frequently Asked Questions

### Configuration

- The required properties are `alertRuleTemplateName` (the template GUID), `enabled` (true or false), and `kind` (must be "Fusion"). You also need `resourceGroupName`, `ruleId`, and `workspaceName` to identify where the rule is created.
- The example uses the template GUID `f71aba3d-28fb-450b-b192-4e76a83015c8`, which references an existing alert rule template in Azure Sentinel.
- `description`, `displayName`, `severity`, and `tactics` are output-only fields computed by Azure based on the alert rule template you specify.

### Updates & Immutability

- The `resourceGroupName`, `ruleId`, and `workspaceName` properties are immutable. Changing any of these requires replacing the resource.
- Set the `enabled` property to true to activate the rule or false to disable it. This property can be updated without replacing the resource.
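The property rules explained above (required properties, the `kind` constraint, and which changes force a replacement) can be checked before running `pulumi up`. The following is an added example, not Pulumi's or the provider's code: a plain-Python check, with hypothetical helper names, that mirrors what a preview would flag for a FusionAlertRule definition using only the constraints this page states.

```python
"""Added example: pre-deployment checks for a FusionAlertRule definition.
Not provider code; `validate` and `plan_change` are hypothetical helpers."""
import re
from typing import Dict, List, Tuple

# Properties the page lists as required, and those it says force replacement.
REQUIRED = ("alertRuleTemplateName", "enabled", "kind",
            "resourceGroupName", "ruleId", "workspaceName")
REPLACE_ON_CHANGE = ("resourceGroupName", "ruleId", "workspaceName")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def validate(args: Dict[str, object]) -> List[str]:
    """Return a list of problems; an empty list means the args are acceptable."""
    problems = [f"missing required property: {p}" for p in REQUIRED if p not in args]
    if args.get("kind") != "Fusion":
        problems.append('kind must be "Fusion"')
    template = args.get("alertRuleTemplateName")
    if isinstance(template, str) and not GUID_RE.match(template):
        problems.append("alertRuleTemplateName must be a template GUID")
    if "enabled" in args and not isinstance(args["enabled"], bool):
        problems.append("enabled must be true or false")
    return problems


def plan_change(current: Dict[str, object], desired: Dict[str, object]) -> Tuple[str, List[str]]:
    """Classify a change as 'none', 'update' (in place) or 'replace', and list
    the properties that differ. Only the immutable properties force a replace."""
    changed = sorted(k for k in set(current) | set(desired)
                     if current.get(k) != desired.get(k))
    if not changed:
        return "none", changed
    if any(k in REPLACE_ON_CHANGE for k in changed):
        return "replace", changed
    return "update", changed


# Constructed sample matching the page's example definition.
EXAMPLE = {
    "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
    "enabled": True, "kind": "Fusion", "resourceGroupName": "myRg",
    "ruleId": "myFirstFusionRule", "workspaceName": "myWorkspace",
}

if __name__ == "__main__":
    print(validate(EXAMPLE))                                     # []
    print(plan_change(EXAMPLE, {**EXAMPLE, "enabled": False}))   # ('update', ['enabled'])
    print(plan_change(EXAMPLE, {**EXAMPLE, "ruleId": "renamed"}))  # ('replace', ['ruleId'])
```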