The azure-native:securityinsights:MicrosoftSecurityIncidentCreationAlertRule resource, part of the Pulumi Azure Native provider, defines alert rules that automatically convert alerts from Microsoft security products into Microsoft Sentinel incidents. This guide focuses on one capability: product-based alert filtering.
These rules require an existing Microsoft Sentinel workspace and configured data connectors for the security products you want to monitor. The example is intentionally small. Extend it with severity filters, display name filters, and descriptions for production use.
Create a rule for Microsoft Cloud App Security alerts
Security teams using Microsoft Sentinel often need to automatically convert alerts from Microsoft security products into incidents for investigation and response workflows.
TypeScript
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const microsoftSecurityIncidentCreationAlertRule = new azure_native.securityinsights.MicrosoftSecurityIncidentCreationAlertRule("microsoftSecurityIncidentCreationAlertRule", {
    displayName: "testing displayname",
    enabled: true,
    kind: "MicrosoftSecurityIncidentCreation",
    productFilter: azure_native.securityinsights.MicrosoftSecurityProductName.Microsoft_Cloud_App_Security,
    resourceGroupName: "myRg",
    ruleId: "microsoftSecurityIncidentCreationRuleExample",
    workspaceName: "myWorkspace",
});
Python
import pulumi
import pulumi_azure_native as azure_native

microsoft_security_incident_creation_alert_rule = azure_native.securityinsights.MicrosoftSecurityIncidentCreationAlertRule(
    "microsoftSecurityIncidentCreationAlertRule",
    display_name="testing displayname",
    enabled=True,
    kind="MicrosoftSecurityIncidentCreation",
    product_filter=azure_native.securityinsights.MicrosoftSecurityProductName.MICROSOFT_CLOUD_APP_SECURITY,
    resource_group_name="myRg",
    rule_id="microsoftSecurityIncidentCreationRuleExample",
    workspace_name="myWorkspace",
)
Go
package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securityinsights.NewMicrosoftSecurityIncidentCreationAlertRule(ctx, "microsoftSecurityIncidentCreationAlertRule", &securityinsights.MicrosoftSecurityIncidentCreationAlertRuleArgs{
			DisplayName:       pulumi.String("testing displayname"),
			Enabled:           pulumi.Bool(true),
			Kind:              pulumi.String("MicrosoftSecurityIncidentCreation"),
			ProductFilter:     pulumi.String(securityinsights.MicrosoftSecurityProductName_Microsoft_Cloud_App_Security),
			ResourceGroupName: pulumi.String("myRg"),
			RuleId:            pulumi.String("microsoftSecurityIncidentCreationRuleExample"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
C#
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    var microsoftSecurityIncidentCreationAlertRule = new AzureNative.SecurityInsights.MicrosoftSecurityIncidentCreationAlertRule("microsoftSecurityIncidentCreationAlertRule", new()
    {
        DisplayName = "testing displayname",
        Enabled = true,
        Kind = "MicrosoftSecurityIncidentCreation",
        ProductFilter = AzureNative.SecurityInsights.MicrosoftSecurityProductName.Microsoft_Cloud_App_Security,
        ResourceGroupName = "myRg",
        RuleId = "microsoftSecurityIncidentCreationRuleExample",
        WorkspaceName = "myWorkspace",
    });
});
Java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.MicrosoftSecurityIncidentCreationAlertRule;
import com.pulumi.azurenative.securityinsights.MicrosoftSecurityIncidentCreationAlertRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var microsoftSecurityIncidentCreationAlertRule = new MicrosoftSecurityIncidentCreationAlertRule("microsoftSecurityIncidentCreationAlertRule", MicrosoftSecurityIncidentCreationAlertRuleArgs.builder()
            .displayName("testing displayname")
            .enabled(true)
            .kind("MicrosoftSecurityIncidentCreation")
            .productFilter("Microsoft Cloud App Security")
            .resourceGroupName("myRg")
            .ruleId("microsoftSecurityIncidentCreationRuleExample")
            .workspaceName("myWorkspace")
            .build());
    }
}
YAML
resources:
  microsoftSecurityIncidentCreationAlertRule:
    type: azure-native:securityinsights:MicrosoftSecurityIncidentCreationAlertRule
    properties:
      displayName: testing displayname
      enabled: true
      kind: MicrosoftSecurityIncidentCreation
      productFilter: Microsoft Cloud App Security
      resourceGroupName: myRg
      ruleId: microsoftSecurityIncidentCreationRuleExample
      workspaceName: myWorkspace
When enabled, the rule monitors alerts from the specified product and creates Sentinel incidents automatically. The productFilter property determines which Microsoft security product’s alerts trigger incident creation (here, Microsoft Cloud App Security). The displayName appears in the Sentinel UI, and the kind property must be set to “MicrosoftSecurityIncidentCreation” to identify this rule type.
Beyond these examples
This snippet focuses on product-based alert filtering and incident creation automation. It’s intentionally minimal rather than a complete security operations configuration.
The example references pre-existing infrastructure such as a Microsoft Sentinel workspace, resource group, and Microsoft security product data connectors. It focuses on configuring the alert rule rather than provisioning the workspace or connectors.
To keep things focused, common alert rule patterns are omitted, including:
- Alert name filtering (displayNamesFilter, displayNamesExcludeFilter)
- Severity-based filtering (severitiesFilter)
- Template-based rule creation (alertRuleTemplateName)
- Description and metadata fields
These omissions are intentional: the goal is to illustrate how the alert rule is wired, not provide a drop-in security operations module. See the MicrosoftSecurityIncidentCreationAlertRule resource reference for all available configuration options.
Frequently Asked Questions
Configuration & Setup
- The rule is configured with displayName, enabled, kind, productFilter, resourceGroupName, ruleId, and workspaceName.
- The kind property must be set to exactly MicrosoftSecurityIncidentCreation. This is a required field with an expected-value constraint.
- productFilter specifies which Microsoft security product's alerts will generate incidents. For example, you can set it to Microsoft_Cloud_App_Security to monitor alerts from that product.
Filtering & Customization
You have three filtering options:
- Include specific alerts: use displayNamesFilter with alert display names
- Exclude specific alerts: use displayNamesExcludeFilter with alert display names
- Filter by severity: use severitiesFilter with severity levels
Use displayNamesFilter to include specific alerts and displayNamesExcludeFilter to exclude others from incident generation.
Resource Management
- The resourceGroupName, ruleId, and workspaceName properties are immutable. Changing any of these requires recreating the resource.
- Set the enabled property to false to disable the rule. You can re-enable it later by setting it back to true.
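The constraints described in the "Beyond these examples" section and in the FAQ above (exact kind value, a known productFilter, the optional severity and display-name filters, and the immutable identity properties), as an added Python example that is not part of the Pulumi page or provider. It works on the plain property dictionary, the shape of the YAML example, so it runs without the Pulumi engine: validate_rule flags configuration mistakes before pulumi up, and plan_update classifies a change as an in-place update or a replacement. The MicrosoftSecurityProductName and AlertSeverity values beyond "Microsoft Cloud App Security" are taken from the Azure Security Insights REST API definition, not from this page, and the sample rule and its alert name are constructed.

```python
"""Pre-deployment checks for a MicrosoftSecurityIncidentCreationAlertRule property bag.

Added example, not Pulumi's or Microsoft's code. It inspects the plain property
dictionary (the shape of the page's YAML example), so it needs no Pulumi engine.
"""
from typing import Any, Dict, List, Tuple

# kind has an expected-value constraint: it must be exactly this string.
REQUIRED_KIND = "MicrosoftSecurityIncidentCreation"

# Values of the MicrosoftSecurityProductName enum. The page shows only
# "Microsoft Cloud App Security"; the other members are taken from the Azure
# Security Insights REST API definition (assumption: that list is current).
PRODUCT_NAMES = frozenset({
    "Microsoft Cloud App Security",
    "Azure Security Center",
    "Azure Advanced Threat Protection",
    "Azure Active Directory Identity Protection",
    "Azure Security Center for IoT",
    "Office 365 Advanced Threat Protection",
    "Microsoft Defender Advanced Threat Protection",
})

# AlertSeverity values accepted by severitiesFilter (same API definition; assumption).
SEVERITIES = frozenset({"High", "Medium", "Low", "Informational"})

# Properties the page's example sets on the rule.
CORE_PROPERTIES = ("displayName", "enabled", "kind", "productFilter",
                   "resourceGroupName", "ruleId", "workspaceName")

# Per the FAQ: changing any of these forces the resource to be recreated.
IMMUTABLE = frozenset({"resourceGroupName", "ruleId", "workspaceName"})


def validate_rule(props: Dict[str, Any]) -> List[str]:
    """Return the list of problems found; an empty list means the bag is deployable."""
    problems: List[str] = []
    for name in CORE_PROPERTIES:
        if name not in props:
            problems.append(f"missing property: {name}")
    if props.get("kind") != REQUIRED_KIND:
        problems.append(f"kind must be exactly {REQUIRED_KIND!r}, got {props.get('kind')!r}")
    product = props.get("productFilter")
    if product is not None and product not in PRODUCT_NAMES:
        problems.append(f"unknown productFilter: {product!r}")
    if "enabled" in props and not isinstance(props["enabled"], bool):
        problems.append("enabled must be a boolean")
    for sev in props.get("severitiesFilter", []):
        if sev not in SEVERITIES:
            problems.append(f"unknown severity in severitiesFilter: {sev!r}")
    # An alert name listed in both the include and the exclude filter is a
    # configuration mistake; flag it rather than guess which list the service honours.
    include = set(props.get("displayNamesFilter", []))
    exclude = set(props.get("displayNamesExcludeFilter", []))
    for name in sorted(include & exclude):
        problems.append(f"alert name in both displayNamesFilter and displayNamesExcludeFilter: {name!r}")
    return problems


def plan_update(current: Dict[str, Any], desired: Dict[str, Any]) -> Tuple[str, Tuple[str, ...]]:
    """Classify a change as 'unchanged', 'update' (in place) or 'replace' (recreate).

    The second element lists the changed property names, sorted.
    """
    keys = set(current) | set(desired)
    changed = tuple(sorted(k for k in keys if current.get(k) != desired.get(k)))
    if not changed:
        return "unchanged", changed
    if IMMUTABLE.intersection(changed):
        return "replace", changed
    return "update", changed


# Constructed sample: the page's minimal rule plus the filters the
# "Beyond these examples" section leaves out. The alert name is made up.
EXAMPLE_RULE: Dict[str, Any] = {
    "displayName": "testing displayname",
    "enabled": True,
    "kind": REQUIRED_KIND,
    "productFilter": "Microsoft Cloud App Security",
    "resourceGroupName": "myRg",
    "ruleId": "microsoftSecurityIncidentCreationRuleExample",
    "workspaceName": "myWorkspace",
    "severitiesFilter": ["High", "Medium"],
    "displayNamesExcludeFilter": ["Constructed noisy alert name"],
}

if __name__ == "__main__":
    print("validate:", validate_rule(EXAMPLE_RULE) or "OK")
    broken = {**EXAMPLE_RULE, "kind": "Scheduled", "severitiesFilter": ["Critical"]}
    print("validate (broken):", validate_rule(broken))
    # Disabling keeps the rule's identity: an in-place update, not a replacement.
    print("disable:", plan_update(EXAMPLE_RULE, {**EXAMPLE_RULE, "enabled": False}))
    # Renaming ruleId touches an immutable property: the rule is recreated.
    print("rename:", plan_update(EXAMPLE_RULE, {**EXAMPLE_RULE, "ruleId": "renamedRule"}))
```

Running the module prints an empty problem list for the sample rule, two problems for the deliberately broken copy, an update plan for the disable step and a replace plan for the ruleId change. The same two functions can be wired into a CI step that reads the YAML properties before deployment, so a mistyped kind or product name is caught in review rather than by the Azure API.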