Docs
Packages
This is the latest version of Azure Native. Use the Azure Native v1 docs if using the v1 version of this package.
Azure Native v2.38.0 published on Monday, Apr 22, 2024 by Pulumi
azure-native.securityinsights.ScheduledAlertRule
Explore with Pulumi AI
This is the latest version of Azure Native. Use the Azure Native v1 docs if using the v1 version of this package.
Azure Native v2.38.0 published on Monday, Apr 22, 2024 by Pulumi
Represents scheduled alert rule. Azure REST API version: 2023-02-01. Prior API version in Azure Native 1.x: 2020-01-01.
Example Usage
Creates or updates a Fusion alert rule.
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var scheduledAlertRule = new AzureNative.SecurityInsights.ScheduledAlertRule("scheduledAlertRule", new()
{
ResourceGroupName = "myRg",
RuleId = "myFirstFusionRule",
WorkspaceName = "myWorkspace",
});
});
package main
import (
"github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securityinsights.NewScheduledAlertRule(ctx, "scheduledAlertRule", &securityinsights.ScheduledAlertRuleArgs{
ResourceGroupName: pulumi.String("myRg"),
RuleId: pulumi.String("myFirstFusionRule"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRule;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var scheduledAlertRule = new ScheduledAlertRule("scheduledAlertRule", ScheduledAlertRuleArgs.builder()
.resourceGroupName("myRg")
.ruleId("myFirstFusionRule")
.workspaceName("myWorkspace")
.build());
}
}
import pulumi
import pulumi_azure_native as azure_native
scheduled_alert_rule = azure_native.securityinsights.ScheduledAlertRule("scheduledAlertRule",
resource_group_name="myRg",
rule_id="myFirstFusionRule",
workspace_name="myWorkspace")
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const scheduledAlertRule = new azure_native.securityinsights.ScheduledAlertRule("scheduledAlertRule", {
resourceGroupName: "myRg",
ruleId: "myFirstFusionRule",
workspaceName: "myWorkspace",
});
resources:
scheduledAlertRule:
type: azure-native:securityinsights:ScheduledAlertRule
properties:
resourceGroupName: myRg
ruleId: myFirstFusionRule
workspaceName: myWorkspace
Creates or updates a MicrosoftSecurityIncidentCreation rule.
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var scheduledAlertRule = new AzureNative.SecurityInsights.ScheduledAlertRule("scheduledAlertRule", new()
{
ResourceGroupName = "myRg",
RuleId = "microsoftSecurityIncidentCreationRuleExample",
WorkspaceName = "myWorkspace",
});
});
package main
import (
"github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securityinsights.NewScheduledAlertRule(ctx, "scheduledAlertRule", &securityinsights.ScheduledAlertRuleArgs{
ResourceGroupName: pulumi.String("myRg"),
RuleId: pulumi.String("microsoftSecurityIncidentCreationRuleExample"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRule;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var scheduledAlertRule = new ScheduledAlertRule("scheduledAlertRule", ScheduledAlertRuleArgs.builder()
.resourceGroupName("myRg")
.ruleId("microsoftSecurityIncidentCreationRuleExample")
.workspaceName("myWorkspace")
.build());
}
}
import pulumi
import pulumi_azure_native as azure_native
scheduled_alert_rule = azure_native.securityinsights.ScheduledAlertRule("scheduledAlertRule",
resource_group_name="myRg",
rule_id="microsoftSecurityIncidentCreationRuleExample",
workspace_name="myWorkspace")
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const scheduledAlertRule = new azure_native.securityinsights.ScheduledAlertRule("scheduledAlertRule", {
resourceGroupName: "myRg",
ruleId: "microsoftSecurityIncidentCreationRuleExample",
workspaceName: "myWorkspace",
});
resources:
scheduledAlertRule:
type: azure-native:securityinsights:ScheduledAlertRule
properties:
resourceGroupName: myRg
ruleId: microsoftSecurityIncidentCreationRuleExample
workspaceName: myWorkspace
Creates or updates a Scheduled alert rule.
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var scheduledAlertRule = new AzureNative.SecurityInsights.ScheduledAlertRule("scheduledAlertRule", new()
{
AlertDetailsOverride = new AzureNative.SecurityInsights.Inputs.AlertDetailsOverrideArgs
{
AlertDescriptionFormat = "Suspicious activity was made by {{ComputerIP}}",
AlertDisplayNameFormat = "Alert from {{Computer}}",
AlertDynamicProperties = new[]
{
new AzureNative.SecurityInsights.Inputs.AlertPropertyMappingArgs
{
AlertProperty = AzureNative.SecurityInsights.AlertProperty.ProductComponentName,
Value = "ProductComponentNameCustomColumn",
},
new AzureNative.SecurityInsights.Inputs.AlertPropertyMappingArgs
{
AlertProperty = AzureNative.SecurityInsights.AlertProperty.ProductName,
Value = "ProductNameCustomColumn",
},
new AzureNative.SecurityInsights.Inputs.AlertPropertyMappingArgs
{
AlertProperty = AzureNative.SecurityInsights.AlertProperty.AlertLink,
Value = "Link",
},
},
},
CustomDetails =
{
{ "OperatingSystemName", "OSName" },
{ "OperatingSystemType", "OSType" },
},
Description = "An example for a scheduled rule",
DisplayName = "My scheduled rule",
Enabled = true,
EntityMappings = new[]
{
new AzureNative.SecurityInsights.Inputs.EntityMappingArgs
{
EntityType = AzureNative.SecurityInsights.EntityMappingType.Host,
FieldMappings = new[]
{
new AzureNative.SecurityInsights.Inputs.FieldMappingArgs
{
ColumnName = "Computer",
Identifier = "FullName",
},
},
},
new AzureNative.SecurityInsights.Inputs.EntityMappingArgs
{
EntityType = AzureNative.SecurityInsights.EntityMappingType.IP,
FieldMappings = new[]
{
new AzureNative.SecurityInsights.Inputs.FieldMappingArgs
{
ColumnName = "ComputerIP",
Identifier = "Address",
},
},
},
},
EventGroupingSettings = new AzureNative.SecurityInsights.Inputs.EventGroupingSettingsArgs
{
AggregationKind = AzureNative.SecurityInsights.EventGroupingAggregationKind.AlertPerResult,
},
IncidentConfiguration = new AzureNative.SecurityInsights.Inputs.IncidentConfigurationArgs
{
CreateIncident = true,
GroupingConfiguration = new AzureNative.SecurityInsights.Inputs.GroupingConfigurationArgs
{
Enabled = true,
GroupByAlertDetails = new[]
{
AzureNative.SecurityInsights.AlertDetail.DisplayName,
},
GroupByCustomDetails = new[]
{
"OperatingSystemType",
"OperatingSystemName",
},
GroupByEntities = new[]
{
AzureNative.SecurityInsights.EntityMappingType.Host,
},
LookbackDuration = "PT5H",
MatchingMethod = AzureNative.SecurityInsights.MatchingMethod.Selected,
ReopenClosedIncident = false,
},
},
Kind = "Scheduled",
Query = "Heartbeat",
QueryFrequency = "PT1H",
QueryPeriod = "P2DT1H30M",
ResourceGroupName = "myRg",
RuleId = "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
Severity = AzureNative.SecurityInsights.AlertSeverity.High,
SuppressionDuration = "PT1H",
SuppressionEnabled = false,
Tactics = new[]
{
AzureNative.SecurityInsights.AttackTactic.Persistence,
AzureNative.SecurityInsights.AttackTactic.LateralMovement,
},
TriggerOperator = AzureNative.SecurityInsights.TriggerOperator.GreaterThan,
TriggerThreshold = 0,
WorkspaceName = "myWorkspace",
});
});
package main
import (
"github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securityinsights.NewScheduledAlertRule(ctx, "scheduledAlertRule", &securityinsights.ScheduledAlertRuleArgs{
AlertDetailsOverride: &securityinsights.AlertDetailsOverrideArgs{
AlertDescriptionFormat: pulumi.String("Suspicious activity was made by {{ComputerIP}}"),
AlertDisplayNameFormat: pulumi.String("Alert from {{Computer}}"),
AlertDynamicProperties: securityinsights.AlertPropertyMappingArray{
&securityinsights.AlertPropertyMappingArgs{
AlertProperty: pulumi.String(securityinsights.AlertPropertyProductComponentName),
Value: pulumi.String("ProductComponentNameCustomColumn"),
},
&securityinsights.AlertPropertyMappingArgs{
AlertProperty: pulumi.String(securityinsights.AlertPropertyProductName),
Value: pulumi.String("ProductNameCustomColumn"),
},
&securityinsights.AlertPropertyMappingArgs{
AlertProperty: pulumi.String(securityinsights.AlertPropertyAlertLink),
Value: pulumi.String("Link"),
},
},
},
CustomDetails: pulumi.StringMap{
"OperatingSystemName": pulumi.String("OSName"),
"OperatingSystemType": pulumi.String("OSType"),
},
Description: pulumi.String("An example for a scheduled rule"),
DisplayName: pulumi.String("My scheduled rule"),
Enabled: pulumi.Bool(true),
EntityMappings: securityinsights.EntityMappingArray{
&securityinsights.EntityMappingArgs{
EntityType: pulumi.String(securityinsights.EntityMappingTypeHost),
FieldMappings: securityinsights.FieldMappingArray{
&securityinsights.FieldMappingArgs{
ColumnName: pulumi.String("Computer"),
Identifier: pulumi.String("FullName"),
},
},
},
&securityinsights.EntityMappingArgs{
EntityType: pulumi.String(securityinsights.EntityMappingTypeIP),
FieldMappings: securityinsights.FieldMappingArray{
&securityinsights.FieldMappingArgs{
ColumnName: pulumi.String("ComputerIP"),
Identifier: pulumi.String("Address"),
},
},
},
},
EventGroupingSettings: &securityinsights.EventGroupingSettingsArgs{
AggregationKind: pulumi.String(securityinsights.EventGroupingAggregationKindAlertPerResult),
},
IncidentConfiguration: &securityinsights.IncidentConfigurationArgs{
CreateIncident: pulumi.Bool(true),
GroupingConfiguration: &securityinsights.GroupingConfigurationArgs{
Enabled: pulumi.Bool(true),
GroupByAlertDetails: pulumi.StringArray{
pulumi.String(securityinsights.AlertDetailDisplayName),
},
GroupByCustomDetails: pulumi.StringArray{
pulumi.String("OperatingSystemType"),
pulumi.String("OperatingSystemName"),
},
GroupByEntities: pulumi.StringArray{
pulumi.String(securityinsights.EntityMappingTypeHost),
},
LookbackDuration: pulumi.String("PT5H"),
MatchingMethod: pulumi.String(securityinsights.MatchingMethodSelected),
ReopenClosedIncident: pulumi.Bool(false),
},
},
Kind: pulumi.String("Scheduled"),
Query: pulumi.String("Heartbeat"),
QueryFrequency: pulumi.String("PT1H"),
QueryPeriod: pulumi.String("P2DT1H30M"),
ResourceGroupName: pulumi.String("myRg"),
RuleId: pulumi.String("73e01a99-5cd7-4139-a149-9f2736ff2ab5"),
Severity: pulumi.String(securityinsights.AlertSeverityHigh),
SuppressionDuration: pulumi.String("PT1H"),
SuppressionEnabled: pulumi.Bool(false),
Tactics: pulumi.StringArray{
pulumi.String(securityinsights.AttackTacticPersistence),
pulumi.String(securityinsights.AttackTacticLateralMovement),
},
TriggerOperator: securityinsights.TriggerOperatorGreaterThan,
TriggerThreshold: pulumi.Int(0),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRule;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRuleArgs;
import com.pulumi.azurenative.securityinsights.inputs.AlertDetailsOverrideArgs;
import com.pulumi.azurenative.securityinsights.inputs.EntityMappingArgs;
import com.pulumi.azurenative.securityinsights.inputs.EventGroupingSettingsArgs;
import com.pulumi.azurenative.securityinsights.inputs.IncidentConfigurationArgs;
import com.pulumi.azurenative.securityinsights.inputs.GroupingConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var scheduledAlertRule = new ScheduledAlertRule("scheduledAlertRule", ScheduledAlertRuleArgs.builder()
.alertDetailsOverride(AlertDetailsOverrideArgs.builder()
.alertDescriptionFormat("Suspicious activity was made by {{ComputerIP}}")
.alertDisplayNameFormat("Alert from {{Computer}}")
.alertDynamicProperties(
AlertPropertyMappingArgs.builder()
.alertProperty("ProductComponentName")
.value("ProductComponentNameCustomColumn")
.build(),
AlertPropertyMappingArgs.builder()
.alertProperty("ProductName")
.value("ProductNameCustomColumn")
.build(),
AlertPropertyMappingArgs.builder()
.alertProperty("AlertLink")
.value("Link")
.build())
.build())
.customDetails(Map.ofEntries(
Map.entry("OperatingSystemName", "OSName"),
Map.entry("OperatingSystemType", "OSType")
))
.description("An example for a scheduled rule")
.displayName("My scheduled rule")
.enabled(true)
.entityMappings(
EntityMappingArgs.builder()
.entityType("Host")
.fieldMappings(FieldMappingArgs.builder()
.columnName("Computer")
.identifier("FullName")
.build())
.build(),
EntityMappingArgs.builder()
.entityType("IP")
.fieldMappings(FieldMappingArgs.builder()
.columnName("ComputerIP")
.identifier("Address")
.build())
.build())
.eventGroupingSettings(EventGroupingSettingsArgs.builder()
.aggregationKind("AlertPerResult")
.build())
.incidentConfiguration(IncidentConfigurationArgs.builder()
.createIncident(true)
.groupingConfiguration(GroupingConfigurationArgs.builder()
.enabled(true)
.groupByAlertDetails("DisplayName")
.groupByCustomDetails(
"OperatingSystemType",
"OperatingSystemName")
.groupByEntities("Host")
.lookbackDuration("PT5H")
.matchingMethod("Selected")
.reopenClosedIncident(false)
.build())
.build())
.kind("Scheduled")
.query("Heartbeat")
.queryFrequency("PT1H")
.queryPeriod("P2DT1H30M")
.resourceGroupName("myRg")
.ruleId("73e01a99-5cd7-4139-a149-9f2736ff2ab5")
.severity("High")
.suppressionDuration("PT1H")
.suppressionEnabled(false)
.tactics(
"Persistence",
"LateralMovement")
.triggerOperator("GreaterThan")
.triggerThreshold(0)
.workspaceName("myWorkspace")
.build());
}
}
import pulumi
import pulumi_azure_native as azure_native
scheduled_alert_rule = azure_native.securityinsights.ScheduledAlertRule("scheduledAlertRule",
alert_details_override=azure_native.securityinsights.AlertDetailsOverrideArgs(
alert_description_format="Suspicious activity was made by {{ComputerIP}}",
alert_display_name_format="Alert from {{Computer}}",
alert_dynamic_properties=[
azure_native.securityinsights.AlertPropertyMappingArgs(
alert_property=azure_native.securityinsights.AlertProperty.PRODUCT_COMPONENT_NAME,
value="ProductComponentNameCustomColumn",
),
azure_native.securityinsights.AlertPropertyMappingArgs(
alert_property=azure_native.securityinsights.AlertProperty.PRODUCT_NAME,
value="ProductNameCustomColumn",
),
azure_native.securityinsights.AlertPropertyMappingArgs(
alert_property=azure_native.securityinsights.AlertProperty.ALERT_LINK,
value="Link",
),
],
),
custom_details={
"OperatingSystemName": "OSName",
"OperatingSystemType": "OSType",
},
description="An example for a scheduled rule",
display_name="My scheduled rule",
enabled=True,
entity_mappings=[
azure_native.securityinsights.EntityMappingArgs(
entity_type=azure_native.securityinsights.EntityMappingType.HOST,
field_mappings=[azure_native.securityinsights.FieldMappingArgs(
column_name="Computer",
identifier="FullName",
)],
),
azure_native.securityinsights.EntityMappingArgs(
entity_type=azure_native.securityinsights.EntityMappingType.IP,
field_mappings=[azure_native.securityinsights.FieldMappingArgs(
column_name="ComputerIP",
identifier="Address",
)],
),
],
event_grouping_settings=azure_native.securityinsights.EventGroupingSettingsArgs(
aggregation_kind=azure_native.securityinsights.EventGroupingAggregationKind.ALERT_PER_RESULT,
),
incident_configuration=azure_native.securityinsights.IncidentConfigurationArgs(
create_incident=True,
grouping_configuration=azure_native.securityinsights.GroupingConfigurationArgs(
enabled=True,
group_by_alert_details=[azure_native.securityinsights.AlertDetail.DISPLAY_NAME],
group_by_custom_details=[
"OperatingSystemType",
"OperatingSystemName",
],
group_by_entities=[azure_native.securityinsights.EntityMappingType.HOST],
lookback_duration="PT5H",
matching_method=azure_native.securityinsights.MatchingMethod.SELECTED,
reopen_closed_incident=False,
),
),
kind="Scheduled",
query="Heartbeat",
query_frequency="PT1H",
query_period="P2DT1H30M",
resource_group_name="myRg",
rule_id="73e01a99-5cd7-4139-a149-9f2736ff2ab5",
severity=azure_native.securityinsights.AlertSeverity.HIGH,
suppression_duration="PT1H",
suppression_enabled=False,
tactics=[
azure_native.securityinsights.AttackTactic.PERSISTENCE,
azure_native.securityinsights.AttackTactic.LATERAL_MOVEMENT,
],
trigger_operator=azure_native.securityinsights.TriggerOperator.GREATER_THAN,
trigger_threshold=0,
workspace_name="myWorkspace")
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const scheduledAlertRule = new azure_native.securityinsights.ScheduledAlertRule("scheduledAlertRule", {
alertDetailsOverride: {
alertDescriptionFormat: "Suspicious activity was made by {{ComputerIP}}",
alertDisplayNameFormat: "Alert from {{Computer}}",
alertDynamicProperties: [
{
alertProperty: azure_native.securityinsights.AlertProperty.ProductComponentName,
value: "ProductComponentNameCustomColumn",
},
{
alertProperty: azure_native.securityinsights.AlertProperty.ProductName,
value: "ProductNameCustomColumn",
},
{
alertProperty: azure_native.securityinsights.AlertProperty.AlertLink,
value: "Link",
},
],
},
customDetails: {
OperatingSystemName: "OSName",
OperatingSystemType: "OSType",
},
description: "An example for a scheduled rule",
displayName: "My scheduled rule",
enabled: true,
entityMappings: [
{
entityType: azure_native.securityinsights.EntityMappingType.Host,
fieldMappings: [{
columnName: "Computer",
identifier: "FullName",
}],
},
{
entityType: azure_native.securityinsights.EntityMappingType.IP,
fieldMappings: [{
columnName: "ComputerIP",
identifier: "Address",
}],
},
],
eventGroupingSettings: {
aggregationKind: azure_native.securityinsights.EventGroupingAggregationKind.AlertPerResult,
},
incidentConfiguration: {
createIncident: true,
groupingConfiguration: {
enabled: true,
groupByAlertDetails: [azure_native.securityinsights.AlertDetail.DisplayName],
groupByCustomDetails: [
"OperatingSystemType",
"OperatingSystemName",
],
groupByEntities: [azure_native.securityinsights.EntityMappingType.Host],
lookbackDuration: "PT5H",
matchingMethod: azure_native.securityinsights.MatchingMethod.Selected,
reopenClosedIncident: false,
},
},
kind: "Scheduled",
query: "Heartbeat",
queryFrequency: "PT1H",
queryPeriod: "P2DT1H30M",
resourceGroupName: "myRg",
ruleId: "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
severity: azure_native.securityinsights.AlertSeverity.High,
suppressionDuration: "PT1H",
suppressionEnabled: false,
tactics: [
azure_native.securityinsights.AttackTactic.Persistence,
azure_native.securityinsights.AttackTactic.LateralMovement,
],
triggerOperator: azure_native.securityinsights.TriggerOperator.GreaterThan,
triggerThreshold: 0,
workspaceName: "myWorkspace",
});
resources:
scheduledAlertRule:
type: azure-native:securityinsights:ScheduledAlertRule
properties:
alertDetailsOverride:
alertDescriptionFormat: Suspicious activity was made by {{ComputerIP}}
alertDisplayNameFormat: Alert from {{Computer}}
alertDynamicProperties:
- alertProperty: ProductComponentName
value: ProductComponentNameCustomColumn
- alertProperty: ProductName
value: ProductNameCustomColumn
- alertProperty: AlertLink
value: Link
customDetails:
OperatingSystemName: OSName
OperatingSystemType: OSType
description: An example for a scheduled rule
displayName: My scheduled rule
enabled: true
entityMappings:
- entityType: Host
fieldMappings:
- columnName: Computer
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: ComputerIP
identifier: Address
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
groupByAlertDetails:
- DisplayName
groupByCustomDetails:
- OperatingSystemType
- OperatingSystemName
groupByEntities:
- Host
lookbackDuration: PT5H
matchingMethod: Selected
reopenClosedIncident: false
kind: Scheduled
query: Heartbeat
queryFrequency: PT1H
queryPeriod: P2DT1H30M
resourceGroupName: myRg
ruleId: 73e01a99-5cd7-4139-a149-9f2736ff2ab5
severity: High
suppressionDuration: PT1H
suppressionEnabled: false
tactics:
- Persistence
- LateralMovement
triggerOperator: GreaterThan
triggerThreshold: 0
workspaceName: myWorkspace
Create ScheduledAlertRule Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ScheduledAlertRule(name: string, args: ScheduledAlertRuleArgs, opts?: CustomResourceOptions);@overload
def ScheduledAlertRule(resource_name: str,
args: ScheduledAlertRuleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ScheduledAlertRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
suppression_enabled: Optional[bool] = None,
workspace_name: Optional[str] = None,
trigger_threshold: Optional[int] = None,
trigger_operator: Optional[TriggerOperator] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
resource_group_name: Optional[str] = None,
suppression_duration: Optional[str] = None,
severity: Optional[Union[str, AlertSeverity]] = None,
query: Optional[str] = None,
query_frequency: Optional[str] = None,
query_period: Optional[str] = None,
entity_mappings: Optional[Sequence[EntityMappingArgs]] = None,
rule_id: Optional[str] = None,
incident_configuration: Optional[IncidentConfigurationArgs] = None,
event_grouping_settings: Optional[EventGroupingSettingsArgs] = None,
alert_details_override: Optional[AlertDetailsOverrideArgs] = None,
tactics: Optional[Sequence[Union[str, AttackTactic]]] = None,
techniques: Optional[Sequence[str]] = None,
template_version: Optional[str] = None,
description: Optional[str] = None,
custom_details: Optional[Mapping[str, str]] = None,
alert_rule_template_name: Optional[str] = None)func NewScheduledAlertRule(ctx *Context, name string, args ScheduledAlertRuleArgs, opts ...ResourceOption) (*ScheduledAlertRule, error)public ScheduledAlertRule(string name, ScheduledAlertRuleArgs args, CustomResourceOptions? opts = null)
public ScheduledAlertRule(String name, ScheduledAlertRuleArgs args)
public ScheduledAlertRule(String name, ScheduledAlertRuleArgs args, CustomResourceOptions options)
type: azure-native:securityinsights:ScheduledAlertRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ScheduledAlertRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ScheduledAlertRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ScheduledAlertRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ScheduledAlertRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ScheduledAlertRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Example
The following reference example uses placeholder values for all input properties.
var scheduledAlertRuleResource = new AzureNative.SecurityInsights.ScheduledAlertRule("scheduledAlertRuleResource", new()
{
SuppressionEnabled = false,
WorkspaceName = "string",
TriggerThreshold = 0,
TriggerOperator = AzureNative.SecurityInsights.TriggerOperator.GreaterThan,
DisplayName = "string",
Enabled = false,
ResourceGroupName = "string",
SuppressionDuration = "string",
Severity = "string",
Kind = "string",
Query = "string",
QueryFrequency = "string",
QueryPeriod = "string",
EntityMappings = new[]
{
new AzureNative.SecurityInsights.Inputs.EntityMappingArgs
{
EntityType = "string",
FieldMappings = new[]
{
new AzureNative.SecurityInsights.Inputs.FieldMappingArgs
{
ColumnName = "string",
Identifier = "string",
},
},
},
},
RuleId = "string",
IncidentConfiguration = new AzureNative.SecurityInsights.Inputs.IncidentConfigurationArgs
{
CreateIncident = false,
GroupingConfiguration = new AzureNative.SecurityInsights.Inputs.GroupingConfigurationArgs
{
Enabled = false,
LookbackDuration = "string",
MatchingMethod = "string",
ReopenClosedIncident = false,
GroupByAlertDetails = new[]
{
"string",
},
GroupByCustomDetails = new[]
{
"string",
},
GroupByEntities = new[]
{
"string",
},
},
},
EventGroupingSettings = new AzureNative.SecurityInsights.Inputs.EventGroupingSettingsArgs
{
AggregationKind = "string",
},
AlertDetailsOverride = new AzureNative.SecurityInsights.Inputs.AlertDetailsOverrideArgs
{
AlertDescriptionFormat = "string",
AlertDisplayNameFormat = "string",
AlertDynamicProperties = new[]
{
new AzureNative.SecurityInsights.Inputs.AlertPropertyMappingArgs
{
AlertProperty = "string",
Value = "string",
},
},
AlertSeverityColumnName = "string",
AlertTacticsColumnName = "string",
},
Tactics = new[]
{
"string",
},
Techniques = new[]
{
"string",
},
TemplateVersion = "string",
Description = "string",
CustomDetails =
{
{ "string", "string" },
},
AlertRuleTemplateName = "string",
});
example, err := securityinsights.NewScheduledAlertRule(ctx, "scheduledAlertRuleResource", &securityinsights.ScheduledAlertRuleArgs{
SuppressionEnabled: pulumi.Bool(false),
WorkspaceName: pulumi.String("string"),
TriggerThreshold: pulumi.Int(0),
TriggerOperator: securityinsights.TriggerOperatorGreaterThan,
DisplayName: pulumi.String("string"),
Enabled: pulumi.Bool(false),
ResourceGroupName: pulumi.String("string"),
SuppressionDuration: pulumi.String("string"),
Severity: pulumi.String("string"),
Kind: pulumi.String("string"),
Query: pulumi.String("string"),
QueryFrequency: pulumi.String("string"),
QueryPeriod: pulumi.String("string"),
EntityMappings: securityinsights.EntityMappingArray{
&securityinsights.EntityMappingArgs{
EntityType: pulumi.String("string"),
FieldMappings: securityinsights.FieldMappingArray{
&securityinsights.FieldMappingArgs{
ColumnName: pulumi.String("string"),
Identifier: pulumi.String("string"),
},
},
},
},
RuleId: pulumi.String("string"),
IncidentConfiguration: &securityinsights.IncidentConfigurationArgs{
CreateIncident: pulumi.Bool(false),
GroupingConfiguration: &securityinsights.GroupingConfigurationArgs{
Enabled: pulumi.Bool(false),
LookbackDuration: pulumi.String("string"),
MatchingMethod: pulumi.String("string"),
ReopenClosedIncident: pulumi.Bool(false),
GroupByAlertDetails: pulumi.StringArray{
pulumi.String("string"),
},
GroupByCustomDetails: pulumi.StringArray{
pulumi.String("string"),
},
GroupByEntities: pulumi.StringArray{
pulumi.String("string"),
},
},
},
EventGroupingSettings: &securityinsights.EventGroupingSettingsArgs{
AggregationKind: pulumi.String("string"),
},
AlertDetailsOverride: &securityinsights.AlertDetailsOverrideArgs{
AlertDescriptionFormat: pulumi.String("string"),
AlertDisplayNameFormat: pulumi.String("string"),
AlertDynamicProperties: securityinsights.AlertPropertyMappingArray{
&securityinsights.AlertPropertyMappingArgs{
AlertProperty: pulumi.String("string"),
Value: pulumi.String("string"),
},
},
AlertSeverityColumnName: pulumi.String("string"),
AlertTacticsColumnName: pulumi.String("string"),
},
Tactics: pulumi.StringArray{
pulumi.String("string"),
},
Techniques: pulumi.StringArray{
pulumi.String("string"),
},
TemplateVersion: pulumi.String("string"),
Description: pulumi.String("string"),
CustomDetails: pulumi.StringMap{
"string": pulumi.String("string"),
},
AlertRuleTemplateName: pulumi.String("string"),
})
var scheduledAlertRuleResource = new ScheduledAlertRule("scheduledAlertRuleResource", ScheduledAlertRuleArgs.builder()
.suppressionEnabled(false)
.workspaceName("string")
.triggerThreshold(0)
.triggerOperator("GreaterThan")
.displayName("string")
.enabled(false)
.resourceGroupName("string")
.suppressionDuration("string")
.severity("string")
.kind("string")
.query("string")
.queryFrequency("string")
.queryPeriod("string")
.entityMappings(EntityMappingArgs.builder()
.entityType("string")
.fieldMappings(FieldMappingArgs.builder()
.columnName("string")
.identifier("string")
.build())
.build())
.ruleId("string")
.incidentConfiguration(IncidentConfigurationArgs.builder()
.createIncident(false)
.groupingConfiguration(GroupingConfigurationArgs.builder()
.enabled(false)
.lookbackDuration("string")
.matchingMethod("string")
.reopenClosedIncident(false)
.groupByAlertDetails("string")
.groupByCustomDetails("string")
.groupByEntities("string")
.build())
.build())
.eventGroupingSettings(EventGroupingSettingsArgs.builder()
.aggregationKind("string")
.build())
.alertDetailsOverride(AlertDetailsOverrideArgs.builder()
.alertDescriptionFormat("string")
.alertDisplayNameFormat("string")
.alertDynamicProperties(AlertPropertyMappingArgs.builder()
.alertProperty("string")
.value("string")
.build())
.alertSeverityColumnName("string")
.alertTacticsColumnName("string")
.build())
.tactics("string")
.techniques("string")
.templateVersion("string")
.description("string")
.customDetails(Map.of("string", "string"))
.alertRuleTemplateName("string")
.build());
scheduled_alert_rule_resource = azure_native.securityinsights.ScheduledAlertRule("scheduledAlertRuleResource",
suppression_enabled=False,
workspace_name="string",
trigger_threshold=0,
trigger_operator=azure_native.securityinsights.TriggerOperator.GREATER_THAN,
display_name="string",
enabled=False,
resource_group_name="string",
suppression_duration="string",
severity="string",
kind="string",
query="string",
query_frequency="string",
query_period="string",
entity_mappings=[azure_native.securityinsights.EntityMappingArgs(
entity_type="string",
field_mappings=[azure_native.securityinsights.FieldMappingArgs(
column_name="string",
identifier="string",
)],
)],
rule_id="string",
incident_configuration=azure_native.securityinsights.IncidentConfigurationArgs(
create_incident=False,
grouping_configuration=azure_native.securityinsights.GroupingConfigurationArgs(
enabled=False,
lookback_duration="string",
matching_method="string",
reopen_closed_incident=False,
group_by_alert_details=["string"],
group_by_custom_details=["string"],
group_by_entities=["string"],
),
),
event_grouping_settings=azure_native.securityinsights.EventGroupingSettingsArgs(
aggregation_kind="string",
),
alert_details_override=azure_native.securityinsights.AlertDetailsOverrideArgs(
alert_description_format="string",
alert_display_name_format="string",
alert_dynamic_properties=[azure_native.securityinsights.AlertPropertyMappingArgs(
alert_property="string",
value="string",
)],
alert_severity_column_name="string",
alert_tactics_column_name="string",
),
tactics=["string"],
techniques=["string"],
template_version="string",
description="string",
custom_details={
"string": "string",
},
alert_rule_template_name="string")
const scheduledAlertRuleResource = new azure_native.securityinsights.ScheduledAlertRule("scheduledAlertRuleResource", {
suppressionEnabled: false,
workspaceName: "string",
triggerThreshold: 0,
triggerOperator: azure_native.securityinsights.TriggerOperator.GreaterThan,
displayName: "string",
enabled: false,
resourceGroupName: "string",
suppressionDuration: "string",
severity: "string",
kind: "string",
query: "string",
queryFrequency: "string",
queryPeriod: "string",
entityMappings: [{
entityType: "string",
fieldMappings: [{
columnName: "string",
identifier: "string",
}],
}],
ruleId: "string",
incidentConfiguration: {
createIncident: false,
groupingConfiguration: {
enabled: false,
lookbackDuration: "string",
matchingMethod: "string",
reopenClosedIncident: false,
groupByAlertDetails: ["string"],
groupByCustomDetails: ["string"],
groupByEntities: ["string"],
},
},
eventGroupingSettings: {
aggregationKind: "string",
},
alertDetailsOverride: {
alertDescriptionFormat: "string",
alertDisplayNameFormat: "string",
alertDynamicProperties: [{
alertProperty: "string",
value: "string",
}],
alertSeverityColumnName: "string",
alertTacticsColumnName: "string",
},
tactics: ["string"],
techniques: ["string"],
templateVersion: "string",
description: "string",
customDetails: {
string: "string",
},
alertRuleTemplateName: "string",
});
type: azure-native:securityinsights:ScheduledAlertRule
properties:
alertDetailsOverride:
alertDescriptionFormat: string
alertDisplayNameFormat: string
alertDynamicProperties:
- alertProperty: string
value: string
alertSeverityColumnName: string
alertTacticsColumnName: string
alertRuleTemplateName: string
customDetails:
string: string
description: string
displayName: string
enabled: false
entityMappings:
- entityType: string
fieldMappings:
- columnName: string
identifier: string
eventGroupingSettings:
aggregationKind: string
incidentConfiguration:
createIncident: false
groupingConfiguration:
enabled: false
groupByAlertDetails:
- string
groupByCustomDetails:
- string
groupByEntities:
- string
lookbackDuration: string
matchingMethod: string
reopenClosedIncident: false
kind: string
query: string
queryFrequency: string
queryPeriod: string
resourceGroupName: string
ruleId: string
severity: string
suppressionDuration: string
suppressionEnabled: false
tactics:
- string
techniques:
- string
templateVersion: string
triggerOperator: GreaterThan
triggerThreshold: 0
workspaceName: string
ScheduledAlertRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The ScheduledAlertRule resource accepts the following input properties:
- Display
Name string - The display name for alerts created by this alert rule.
- Enabled bool
- Determines whether this alert rule is enabled or disabled.
- Query string
- The query that creates alerts for this rule.
- Query
Frequency string - The frequency (in ISO 8601 duration format) for this alert rule to run.
- Query
Period string - The period (in ISO 8601 duration format) that this alert rule looks at.
- Resource
Group stringName - The name of the resource group. The name is case insensitive.
- Severity
string | Pulumi.
Azure Native. Security Insights. Alert Severity - The severity for alerts created by this alert rule.
- Suppression
Duration string - The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.
- Suppression
Enabled bool - Determines whether the suppression for this alert rule is enabled or disabled.
- Trigger
Operator Pulumi.Azure Native. Security Insights. Trigger Operator - The operation against the threshold that triggers alert rule.
- Trigger
Threshold int - The threshold triggers this alert rule.
- Workspace
Name string - The name of the workspace.
- Alert
Details Pulumi.Override Azure Native. Security Insights. Inputs. Alert Details Override - The alert details override settings
- Alert
Rule stringTemplate Name - The Name of the alert rule template used to create this rule.
- Custom
Details Dictionary<string, string> - Dictionary of string key-value pairs of columns to be attached to the alert
- Description string
- The description of the alert rule.
- Entity
Mappings List<Pulumi.Azure Native. Security Insights. Inputs. Entity Mapping> - Array of the entity mappings of the alert rule
- Event
Grouping Pulumi.Settings Azure Native. Security Insights. Inputs. Event Grouping Settings - The event grouping settings.
- Incident
Configuration Pulumi.Azure Native. Security Insights. Inputs. Incident Configuration - The settings of the incidents that created from alerts triggered by this analytics rule
- Rule
Id string - Alert rule ID
- Tactics
List<Union<string, Pulumi.
Azure Native. Security Insights. Attack Tactic>> - The tactics of the alert rule
- Techniques List<string>
- The techniques of the alert rule
- Template
Version string - The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example 0 <1.0.2>
- Display
Name string - The display name for alerts created by this alert rule.
- Enabled bool
- Determines whether this alert rule is enabled or disabled.
- Query string
- The query that creates alerts for this rule.
- Query
Frequency string - The frequency (in ISO 8601 duration format) for this alert rule to run.
- Query
Period string - The period (in ISO 8601 duration format) that this alert rule looks at.
- Resource
Group stringName - The name of the resource group. The name is case insensitive.
- Severity
string | Alert
Severity - The severity for alerts created by this alert rule.
- Suppression
Duration string - The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.
- Suppression
Enabled bool - Determines whether the suppression for this alert rule is enabled or disabled.
- Trigger
Operator TriggerOperator - The operation against the threshold that triggers alert rule.
- Trigger
Threshold int - The threshold triggers this alert rule.
- Workspace
Name string - The name of the workspace.
- Alert
Details AlertOverride Details Override Args - The alert details override settings
- Alert
Rule stringTemplate Name - The Name of the alert rule template used to create this rule.
- Custom
Details map[string]string - Dictionary of string key-value pairs of columns to be attached to the alert
- Description string
- The description of the alert rule.
- Entity
Mappings []EntityMapping Args - Array of the entity mappings of the alert rule
- Event
Grouping EventSettings Grouping Settings Args - The event grouping settings.
- Incident
Configuration IncidentConfiguration Args - The settings of the incidents that created from alerts triggered by this analytics rule
- Rule
Id string - Alert rule ID
- Tactics []string
- The tactics of the alert rule
- Techniques []string
- The techniques of the alert rule
- Template
Version string - The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example 0 <1.0.2>
- display
Name String - The display name for alerts created by this alert rule.
- enabled Boolean
- Determines whether this alert rule is enabled or disabled.
- query String
- The query that creates alerts for this rule.
- query
Frequency String - The frequency (in ISO 8601 duration format) for this alert rule to run.
- query
Period String - The period (in ISO 8601 duration format) that this alert rule looks at.
- resource
Group StringName - The name of the resource group. The name is case insensitive.
- severity
String | Alert
Severity - The severity for alerts created by this alert rule.
- suppression
Duration String - The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.
- suppression
Enabled Boolean - Determines whether the suppression for this alert rule is enabled or disabled.
- trigger
Operator TriggerOperator - The operation against the threshold that triggers alert rule.
- trigger
Threshold Integer - The threshold triggers this alert rule.
- workspace
Name String - The name of the workspace.
- alert
Details AlertOverride Details Override - The alert details override settings
- alert
Rule StringTemplate Name - The Name of the alert rule template used to create this rule.
- custom
Details Map<String,String> - Dictionary of string key-value pairs of columns to be attached to the alert
- description String
- The description of the alert rule.
- entity
Mappings List<EntityMapping> - Array of the entity mappings of the alert rule
- event
Grouping EventSettings Grouping Settings - The event grouping settings.
- incident
Configuration IncidentConfiguration - The settings of the incidents that created from alerts triggered by this analytics rule
- rule
Id String - Alert rule ID
- tactics
List<Either<String,Attack
Tactic>> - The tactics of the alert rule
- techniques List<String>
- The techniques of the alert rule
- template
Version String - The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example 0 <1.0.2>
- display
Name string - The display name for alerts created by this alert rule.
- enabled boolean
- Determines whether this alert rule is enabled or disabled.
- query string
- The query that creates alerts for this rule.
- query
Frequency string - The frequency (in ISO 8601 duration format) for this alert rule to run.
- query
Period string - The period (in ISO 8601 duration format) that this alert rule looks at.
- resource
Group stringName - The name of the resource group. The name is case insensitive.
- severity
string | Alert
Severity - The severity for alerts created by this alert rule.
- suppression
Duration string - The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.
- suppression
Enabled boolean - Determines whether the suppression for this alert rule is enabled or disabled.
- trigger
Operator TriggerOperator - The operation against the threshold that triggers alert rule.
- trigger
Threshold number - The threshold triggers this alert rule.
- workspace
Name string - The name of the workspace.
- alert
Details AlertOverride Details Override - The alert details override settings
- alert
Rule stringTemplate Name - The Name of the alert rule template used to create this rule.
- custom
Details {[key: string]: string} - Dictionary of string key-value pairs of columns to be attached to the alert
- description string
- The description of the alert rule.
- entity
Mappings EntityMapping[] - Array of the entity mappings of the alert rule
- event
Grouping EventSettings Grouping Settings - The event grouping settings.
- incident
Configuration IncidentConfiguration - The settings of the incidents that created from alerts triggered by this analytics rule
- rule
Id string - Alert rule ID
- tactics
(string | Attack
Tactic)[] - The tactics of the alert rule
- techniques string[]
- The techniques of the alert rule
- template
Version string - The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example 0 <1.0.2>
- display_
name str - The display name for alerts created by this alert rule.
- enabled bool
- Determines whether this alert rule is enabled or disabled.
- query str
- The query that creates alerts for this rule.
- query_
frequency str - The frequency (in ISO 8601 duration format) for this alert rule to run.
- query_
period str - The period (in ISO 8601 duration format) that this alert rule looks at.
- resource_
group_ strname - The name of the resource group. The name is case insensitive.
- severity
str | Alert
Severity - The severity for alerts created by this alert rule.
- suppression_
duration str - The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.
- suppression_
enabled bool - Determines whether the suppression for this alert rule is enabled or disabled.
- trigger_
operator TriggerOperator - The operation against the threshold that triggers alert rule.
- trigger_
threshold int - The threshold triggers this alert rule.
- workspace_
name str - The name of the workspace.
- alert_
details_ Alertoverride Details Override Args - The alert details override settings
- alert_
rule_ strtemplate_ name - The Name of the alert rule template used to create this rule.
- custom_
details Mapping[str, str] - Dictionary of string key-value pairs of columns to be attached to the alert
- description str
- The description of the alert rule.
- entity_
mappings Sequence[EntityMapping Args] - Array of the entity mappings of the alert rule
- event_
grouping_ Eventsettings Grouping Settings Args - The event grouping settings.
- incident_
configuration IncidentConfiguration Args - The settings of the incidents that created from alerts triggered by this analytics rule
- rule_
id str - Alert rule ID
- tactics
Sequence[Union[str, Attack
Tactic]] - The tactics of the alert rule
- techniques Sequence[str]
- The techniques of the alert rule
- template_
version str - The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example 0 <1.0.2>
- display
Name String - The display name for alerts created by this alert rule.
- enabled Boolean
- Determines whether this alert rule is enabled or disabled.
- query String
- The query that creates alerts for this rule.
- query
Frequency String - The frequency (in ISO 8601 duration format) for this alert rule to run.
- query
Period String - The period (in ISO 8601 duration format) that this alert rule looks at.
- resource
Group StringName - The name of the resource group. The name is case insensitive.
- severity String | "High" | "Medium" | "Low" | "Informational"
- The severity for alerts created by this alert rule.
- suppression
Duration String - The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.
- suppression
Enabled Boolean - Determines whether the suppression for this alert rule is enabled or disabled.
- trigger
Operator "GreaterThan" | "Less Than" | "Equal" | "Not Equal" - The operation against the threshold that triggers alert rule.
- trigger
Threshold Number - The threshold triggers this alert rule.
- workspace
Name String - The name of the workspace.
- alert
Details Property MapOverride - The alert details override settings
- alert
Rule StringTemplate Name - The Name of the alert rule template used to create this rule.
- custom
Details Map<String> - Dictionary of string key-value pairs of columns to be attached to the alert
- description String
- The description of the alert rule.
- entity
Mappings List<Property Map> - Array of the entity mappings of the alert rule
- event
Grouping Property MapSettings - The event grouping settings.
- incident
Configuration Property Map - The settings of the incidents that created from alerts triggered by this analytics rule
- rule
Id String - Alert rule ID
- tactics
List<String | "Reconnaissance" | "Resource
Development" | "Initial Access" | "Execution" | "Persistence" | "Privilege Escalation" | "Defense Evasion" | "Credential Access" | "Discovery" | "Lateral Movement" | "Collection" | "Exfiltration" | "Command And Control" | "Impact" | "Pre Attack" | "Impair Process Control" | "Inhibit Response Function"> - The tactics of the alert rule
- techniques List<String>
- The techniques of the alert rule
- template
Version String - The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example 0 <1.0.2>
Outputs
All input properties are implicitly available as output properties. Additionally, the ScheduledAlertRule resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Modified stringUtc - The last time that this alert rule has been modified.
- Name string
- The name of the resource
- System
Data Pulumi.Azure Native. Security Insights. Outputs. System Data Response - Azure Resource Manager metadata containing createdBy and modifiedBy information.
- Type string
- The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
- Etag string
- Etag of the azure resource
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Modified stringUtc - The last time that this alert rule has been modified.
- Name string
- The name of the resource
- System
Data SystemData Response - Azure Resource Manager metadata containing createdBy and modifiedBy information.
- Type string
- The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
- Etag string
- Etag of the azure resource
- id String
- The provider-assigned unique ID for this managed resource.
- last
Modified StringUtc - The last time that this alert rule has been modified.
- name String
- The name of the resource
- system
Data SystemData Response - Azure Resource Manager metadata containing createdBy and modifiedBy information.
- type String
- The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
- etag String
- Etag of the azure resource
- id string
- The provider-assigned unique ID for this managed resource.
- last
Modified stringUtc - The last time that this alert rule has been modified.
- name string
- The name of the resource
- system
Data SystemData Response - Azure Resource Manager metadata containing createdBy and modifiedBy information.
- type string
- The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
- etag string
- Etag of the azure resource
- id str
- The provider-assigned unique ID for this managed resource.
- last_
modified_ strutc - The last time that this alert rule has been modified.
- name str
- The name of the resource
- system_
data SystemData Response - Azure Resource Manager metadata containing createdBy and modifiedBy information.
- type str
- The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
- etag str
- Etag of the azure resource
- id String
- The provider-assigned unique ID for this managed resource.
- last
Modified StringUtc - The last time that this alert rule has been modified.
- name String
- The name of the resource
- system
Data Property Map - Azure Resource Manager metadata containing createdBy and modifiedBy information.
- type String
- The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
- etag String
- Etag of the azure resource
Supporting Types
AlertDetail, AlertDetailArgs
- Display
Name - DisplayNameAlert display name
- Severity
- SeverityAlert severity
- Alert
Detail Display Name - DisplayNameAlert display name
- Alert
Detail Severity - SeverityAlert severity
- Display
Name - DisplayNameAlert display name
- Severity
- SeverityAlert severity
- Display
Name - DisplayNameAlert display name
- Severity
- SeverityAlert severity
- DISPLAY_NAME
- DisplayNameAlert display name
- SEVERITY
- SeverityAlert severity
- "Display
Name" - DisplayNameAlert display name
- "Severity"
- SeverityAlert severity
AlertDetailsOverride, AlertDetailsOverrideArgs
- Alert
Description stringFormat - the format containing columns name(s) to override the alert description
- Alert
Display stringName Format - the format containing columns name(s) to override the alert name
- Alert
Dynamic List<Pulumi.Properties Azure Native. Security Insights. Inputs. Alert Property Mapping> - List of additional dynamic properties to override
- Alert
Severity stringColumn Name - the column name to take the alert severity from
- Alert
Tactics stringColumn Name - the column name to take the alert tactics from
- Alert
Description stringFormat - the format containing columns name(s) to override the alert description
- Alert
Display stringName Format - the format containing columns name(s) to override the alert name
- Alert
Dynamic []AlertProperties Property Mapping - List of additional dynamic properties to override
- Alert
Severity stringColumn Name - the column name to take the alert severity from
- Alert
Tactics stringColumn Name - the column name to take the alert tactics from
- alert
Description StringFormat - the format containing columns name(s) to override the alert description
- alert
Display StringName Format - the format containing columns name(s) to override the alert name
- alert
Dynamic List<AlertProperties Property Mapping> - List of additional dynamic properties to override
- alert
Severity StringColumn Name - the column name to take the alert severity from
- alert
Tactics StringColumn Name - the column name to take the alert tactics from
- alert
Description stringFormat - the format containing columns name(s) to override the alert description
- alert
Display stringName Format - the format containing columns name(s) to override the alert name
- alert
Dynamic AlertProperties Property Mapping[] - List of additional dynamic properties to override
- alert
Severity stringColumn Name - the column name to take the alert severity from
- alert
Tactics stringColumn Name - the column name to take the alert tactics from
- alert_
description_ strformat - the format containing columns name(s) to override the alert description
- alert_
display_ strname_ format - the format containing columns name(s) to override the alert name
- alert_
dynamic_ Sequence[Alertproperties Property Mapping] - List of additional dynamic properties to override
- alert_
severity_ strcolumn_ name - the column name to take the alert severity from
- alert_
tactics_ strcolumn_ name - the column name to take the alert tactics from
- alert
Description StringFormat - the format containing columns name(s) to override the alert description
- alert
Display StringName Format - the format containing columns name(s) to override the alert name
- alert
Dynamic List<Property Map>Properties - List of additional dynamic properties to override
- alert
Severity StringColumn Name - the column name to take the alert severity from
- alert
Tactics StringColumn Name - the column name to take the alert tactics from
AlertDetailsOverrideResponse, AlertDetailsOverrideResponseArgs
- Alert
Description stringFormat - the format containing columns name(s) to override the alert description
- Alert
Display stringName Format - the format containing columns name(s) to override the alert name
- Alert
Dynamic List<Pulumi.Properties Azure Native. Security Insights. Inputs. Alert Property Mapping Response> - List of additional dynamic properties to override
- Alert
Severity stringColumn Name - the column name to take the alert severity from
- Alert
Tactics stringColumn Name - the column name to take the alert tactics from
- Alert
Description stringFormat - the format containing columns name(s) to override the alert description
- Alert
Display stringName Format - the format containing columns name(s) to override the alert name
- Alert
Dynamic []AlertProperties Property Mapping Response - List of additional dynamic properties to override
- Alert
Severity stringColumn Name - the column name to take the alert severity from
- Alert
Tactics stringColumn Name - the column name to take the alert tactics from
- alert
Description StringFormat - the format containing columns name(s) to override the alert description
- alert
Display StringName Format - the format containing columns name(s) to override the alert name
- alert
Dynamic List<AlertProperties Property Mapping Response> - List of additional dynamic properties to override
- alert
Severity StringColumn Name - the column name to take the alert severity from
- alert
Tactics StringColumn Name - the column name to take the alert tactics from
- alert
Description stringFormat - the format containing columns name(s) to override the alert description
- alert
Display stringName Format - the format containing columns name(s) to override the alert name
- alert
Dynamic AlertProperties Property Mapping Response[] - List of additional dynamic properties to override
- alert
Severity stringColumn Name - the column name to take the alert severity from
- alert
Tactics stringColumn Name - the column name to take the alert tactics from
- alert_
description_ strformat - the format containing columns name(s) to override the alert description
- alert_
display_ strname_ format - the format containing columns name(s) to override the alert name
- alert_
dynamic_ Sequence[Alertproperties Property Mapping Response] - List of additional dynamic properties to override
- alert_
severity_ strcolumn_ name - the column name to take the alert severity from
- alert_
tactics_ strcolumn_ name - the column name to take the alert tactics from
- alert
Description StringFormat - the format containing columns name(s) to override the alert description
- alert
Display StringName Format - the format containing columns name(s) to override the alert name
- alert
Dynamic List<Property Map>Properties - List of additional dynamic properties to override
- alert
Severity StringColumn Name - the column name to take the alert severity from
- alert
Tactics StringColumn Name - the column name to take the alert tactics from
AlertProperty, AlertPropertyArgs
- Alert
Link - AlertLinkAlert's link
- Confidence
Level - ConfidenceLevelConfidence level property
- Confidence
Score - ConfidenceScoreConfidence score
- Extended
Links - ExtendedLinksExtended links to the alert
- Product
Name - ProductNameProduct name alert property
- Provider
Name - ProviderNameProvider name alert property
- Product
Component Name - ProductComponentNameProduct component name alert property
- Remediation
Steps - RemediationStepsRemediation steps alert property
- Techniques
- TechniquesTechniques alert property
- Alert
Property Alert Link - AlertLinkAlert's link
- Alert
Property Confidence Level - ConfidenceLevelConfidence level property
- Alert
Property Confidence Score - ConfidenceScoreConfidence score
- Alert
Property Extended Links - ExtendedLinksExtended links to the alert
- Alert
Property Product Name - ProductNameProduct name alert property
- Alert
Property Provider Name - ProviderNameProvider name alert property
- Alert
Property Product Component Name - ProductComponentNameProduct component name alert property
- Alert
Property Remediation Steps - RemediationStepsRemediation steps alert property
- Alert
Property Techniques - TechniquesTechniques alert property
- Alert
Link - AlertLinkAlert's link
- Confidence
Level - ConfidenceLevelConfidence level property
- Confidence
Score - ConfidenceScoreConfidence score
- Extended
Links - ExtendedLinksExtended links to the alert
- Product
Name - ProductNameProduct name alert property
- Provider
Name - ProviderNameProvider name alert property
- Product
Component Name - ProductComponentNameProduct component name alert property
- Remediation
Steps - RemediationStepsRemediation steps alert property
- Techniques
- TechniquesTechniques alert property
- Alert
Link - AlertLinkAlert's link
- Confidence
Level - ConfidenceLevelConfidence level property
- Confidence
Score - ConfidenceScoreConfidence score
- Extended
Links - ExtendedLinksExtended links to the alert
- Product
Name - ProductNameProduct name alert property
- Provider
Name - ProviderNameProvider name alert property
- Product
Component Name - ProductComponentNameProduct component name alert property
- Remediation
Steps - RemediationStepsRemediation steps alert property
- Techniques
- TechniquesTechniques alert property
- ALERT_LINK
- AlertLinkAlert's link
- CONFIDENCE_LEVEL
- ConfidenceLevelConfidence level property
- CONFIDENCE_SCORE
- ConfidenceScoreConfidence score
- EXTENDED_LINKS
- ExtendedLinksExtended links to the alert
- PRODUCT_NAME
- ProductNameProduct name alert property
- PROVIDER_NAME
- ProviderNameProvider name alert property
- PRODUCT_COMPONENT_NAME
- ProductComponentNameProduct component name alert property
- REMEDIATION_STEPS
- RemediationStepsRemediation steps alert property
- TECHNIQUES
- TechniquesTechniques alert property
- "Alert
Link" - AlertLinkAlert's link
- "Confidence
Level" - ConfidenceLevelConfidence level property
- "Confidence
Score" - ConfidenceScoreConfidence score
- "Extended
Links" - ExtendedLinksExtended links to the alert
- "Product
Name" - ProductNameProduct name alert property
- "Provider
Name" - ProviderNameProvider name alert property
- "Product
Component Name" - ProductComponentNameProduct component name alert property
- "Remediation
Steps" - RemediationStepsRemediation steps alert property
- "Techniques"
- TechniquesTechniques alert property
AlertPropertyMapping, AlertPropertyMappingArgs
- Alert
Property string | Pulumi.Azure Native. Security Insights. Alert Property - The V3 alert property
- Value string
- the column name to use to override this property
- Alert
Property string | AlertProperty - The V3 alert property
- Value string
- the column name to use to override this property
- alert
Property String | AlertProperty - The V3 alert property
- value String
- the column name to use to override this property
- alert
Property string | AlertProperty - The V3 alert property
- value string
- the column name to use to override this property
- alert_
property str | AlertProperty - The V3 alert property
- value str
- the column name to use to override this property
- alert
Property String | "AlertLink" | "Confidence Level" | "Confidence Score" | "Extended Links" | "Product Name" | "Provider Name" | "Product Component Name" | "Remediation Steps" | "Techniques" - The V3 alert property
- value String
- the column name to use to override this property
AlertPropertyMappingResponse, AlertPropertyMappingResponseArgs
- Alert
Property string - The V3 alert property
- Value string
- the column name to use to override this property
- Alert
Property string - The V3 alert property
- Value string
- the column name to use to override this property
- alert
Property String - The V3 alert property
- value String
- the column name to use to override this property
- alert
Property string - The V3 alert property
- value string
- the column name to use to override this property
- alert_
property str - The V3 alert property
- value str
- the column name to use to override this property
- alert
Property String - The V3 alert property
- value String
- the column name to use to override this property
AlertSeverity, AlertSeverityArgs
- High
- HighHigh severity
- Medium
- MediumMedium severity
- Low
- LowLow severity
- Informational
- InformationalInformational severity
- Alert
Severity High - HighHigh severity
- Alert
Severity Medium - MediumMedium severity
- Alert
Severity Low - LowLow severity
- Alert
Severity Informational - InformationalInformational severity
- High
- HighHigh severity
- Medium
- MediumMedium severity
- Low
- LowLow severity
- Informational
- InformationalInformational severity
- High
- HighHigh severity
- Medium
- MediumMedium severity
- Low
- LowLow severity
- Informational
- InformationalInformational severity
- HIGH
- HighHigh severity
- MEDIUM
- MediumMedium severity
- LOW
- LowLow severity
- INFORMATIONAL
- InformationalInformational severity
- "High"
- HighHigh severity
- "Medium"
- MediumMedium severity
- "Low"
- LowLow severity
- "Informational"
- InformationalInformational severity
AttackTactic, AttackTacticArgs
- Reconnaissance
- Reconnaissance
- Resource
Development - ResourceDevelopment
- Initial
Access - InitialAccess
- Execution
- Execution
- Persistence
- Persistence
- Privilege
Escalation - PrivilegeEscalation
- Defense
Evasion - DefenseEvasion
- Credential
Access - CredentialAccess
- Discovery
- Discovery
- Lateral
Movement - LateralMovement
- Collection
- Collection
- Exfiltration
- Exfiltration
- Command
And Control - CommandAndControl
- Impact
- Impact
- Pre
Attack - PreAttack
- Impair
Process Control - ImpairProcessControl
- Inhibit
Response Function - InhibitResponseFunction
- Attack
Tactic Reconnaissance - Reconnaissance
- Attack
Tactic Resource Development - ResourceDevelopment
- Attack
Tactic Initial Access - InitialAccess
- Attack
Tactic Execution - Execution
- Attack
Tactic Persistence - Persistence
- Attack
Tactic Privilege Escalation - PrivilegeEscalation
- Attack
Tactic Defense Evasion - DefenseEvasion
- Attack
Tactic Credential Access - CredentialAccess
- Attack
Tactic Discovery - Discovery
- Attack
Tactic Lateral Movement - LateralMovement
- Attack
Tactic Collection - Collection
- Attack
Tactic Exfiltration - Exfiltration
- Attack
Tactic Command And Control - CommandAndControl
- Attack
Tactic Impact - Impact
- Attack
Tactic Pre Attack - PreAttack
- Attack
Tactic Impair Process Control - ImpairProcessControl
- Attack
Tactic Inhibit Response Function - InhibitResponseFunction
- Reconnaissance
- Reconnaissance
- Resource
Development - ResourceDevelopment
- Initial
Access - InitialAccess
- Execution
- Execution
- Persistence
- Persistence
- Privilege
Escalation - PrivilegeEscalation
- Defense
Evasion - DefenseEvasion
- Credential
Access - CredentialAccess
- Discovery
- Discovery
- Lateral
Movement - LateralMovement
- Collection
- Collection
- Exfiltration
- Exfiltration
- Command
And Control - CommandAndControl
- Impact
- Impact
- Pre
Attack - PreAttack
- Impair
Process Control - ImpairProcessControl
- Inhibit
Response Function - InhibitResponseFunction
- Reconnaissance
- Reconnaissance
- Resource
Development - ResourceDevelopment
- Initial
Access - InitialAccess
- Execution
- Execution
- Persistence
- Persistence
- Privilege
Escalation - PrivilegeEscalation
- Defense
Evasion - DefenseEvasion
- Credential
Access - CredentialAccess
- Discovery
- Discovery
- Lateral
Movement - LateralMovement
- Collection
- Collection
- Exfiltration
- Exfiltration
- Command
And Control - CommandAndControl
- Impact
- Impact
- Pre
Attack - PreAttack
- Impair
Process Control - ImpairProcessControl
- Inhibit
Response Function - InhibitResponseFunction
- RECONNAISSANCE
- Reconnaissance
- RESOURCE_DEVELOPMENT
- ResourceDevelopment
- INITIAL_ACCESS
- InitialAccess
- EXECUTION
- Execution
- PERSISTENCE
- Persistence
- PRIVILEGE_ESCALATION
- PrivilegeEscalation
- DEFENSE_EVASION
- DefenseEvasion
- CREDENTIAL_ACCESS
- CredentialAccess
- DISCOVERY
- Discovery
- LATERAL_MOVEMENT
- LateralMovement
- COLLECTION
- Collection
- EXFILTRATION
- Exfiltration
- COMMAND_AND_CONTROL
- CommandAndControl
- IMPACT
- Impact
- PRE_ATTACK
- PreAttack
- IMPAIR_PROCESS_CONTROL
- ImpairProcessControl
- INHIBIT_RESPONSE_FUNCTION
- InhibitResponseFunction
- "Reconnaissance"
- Reconnaissance
- "Resource
Development" - ResourceDevelopment
- "Initial
Access" - InitialAccess
- "Execution"
- Execution
- "Persistence"
- Persistence
- "Privilege
Escalation" - PrivilegeEscalation
- "Defense
Evasion" - DefenseEvasion
- "Credential
Access" - CredentialAccess
- "Discovery"
- Discovery
- "Lateral
Movement" - LateralMovement
- "Collection"
- Collection
- "Exfiltration"
- Exfiltration
- "Command
And Control" - CommandAndControl
- "Impact"
- Impact
- "Pre
Attack" - PreAttack
- "Impair
Process Control" - ImpairProcessControl
- "Inhibit
Response Function" - InhibitResponseFunction
EntityMapping, EntityMappingArgs
- Entity
Type string | Pulumi.Azure Native. Security Insights. Entity Mapping Type - The V3 type of the mapped entity
- Field
Mappings List<Pulumi.Azure Native. Security Insights. Inputs. Field Mapping> - array of field mappings for the given entity mapping
- Entity
Type string | EntityMapping Type - The V3 type of the mapped entity
- Field
Mappings []FieldMapping - array of field mappings for the given entity mapping
- entity
Type String | EntityMapping Type - The V3 type of the mapped entity
- field
Mappings List<FieldMapping> - array of field mappings for the given entity mapping
- entity
Type string | EntityMapping Type - The V3 type of the mapped entity
- field
Mappings FieldMapping[] - array of field mappings for the given entity mapping
- entity_
type str | EntityMapping Type - The V3 type of the mapped entity
- field_
mappings Sequence[FieldMapping] - array of field mappings for the given entity mapping
- entity
Type String | "Account" | "Host" | "IP" | "Malware" | "File" | "Process" | "CloudApplication" | "DNS" | "Azure Resource" | "File Hash" | "Registry Key" | "Registry Value" | "Security Group" | "URL" | "Mailbox" | "Mail Cluster" | "Mail Message" | "Submission Mail" - The V3 type of the mapped entity
- field
Mappings List<Property Map> - array of field mappings for the given entity mapping
EntityMappingResponse, EntityMappingResponseArgs
- Entity
Type string - The V3 type of the mapped entity
- Field
Mappings List<Pulumi.Azure Native. Security Insights. Inputs. Field Mapping Response> - array of field mappings for the given entity mapping
- Entity
Type string - The V3 type of the mapped entity
- Field
Mappings []FieldMapping Response - array of field mappings for the given entity mapping
- entity
Type String - The V3 type of the mapped entity
- field
Mappings List<FieldMapping Response> - array of field mappings for the given entity mapping
- entity
Type string - The V3 type of the mapped entity
- field
Mappings FieldMapping Response[] - array of field mappings for the given entity mapping
- entity_
type str - The V3 type of the mapped entity
- field_
mappings Sequence[FieldMapping Response] - array of field mappings for the given entity mapping
- entity
Type String - The V3 type of the mapped entity
- field
Mappings List<Property Map> - array of field mappings for the given entity mapping
EntityMappingType, EntityMappingTypeArgs
- Account
- AccountUser account entity type
- Host
- HostHost entity type
- IP
- IPIP address entity type
- Malware
- MalwareMalware entity type
- File
- FileSystem file entity type
- Process
- ProcessProcess entity type
- Cloud
Application - CloudApplicationCloud app entity type
- DNS
- DNSDNS entity type
- Azure
Resource - AzureResourceAzure resource entity type
- File
Hash - FileHashFile-hash entity type
- Registry
Key - RegistryKeyRegistry key entity type
- Registry
Value - RegistryValueRegistry value entity type
- Security
Group - SecurityGroupSecurity group entity type
- URL
- URLURL entity type
- Mailbox
- MailboxMailbox entity type
- Mail
Cluster - MailClusterMail cluster entity type
- Mail
Message - MailMessageMail message entity type
- Submission
Mail - SubmissionMailSubmission mail entity type
- Entity
Mapping Type Account - AccountUser account entity type
- Entity
Mapping Type Host - HostHost entity type
- Entity
Mapping Type IP - IPIP address entity type
- Entity
Mapping Type Malware - MalwareMalware entity type
- Entity
Mapping Type File - FileSystem file entity type
- Entity
Mapping Type Process - ProcessProcess entity type
- Entity
Mapping Type Cloud Application - CloudApplicationCloud app entity type
- Entity
Mapping Type DNS - DNSDNS entity type
- Entity
Mapping Type Azure Resource - AzureResourceAzure resource entity type
- Entity
Mapping Type File Hash - FileHashFile-hash entity type
- Entity
Mapping Type Registry Key - RegistryKeyRegistry key entity type
- Entity
Mapping Type Registry Value - RegistryValueRegistry value entity type
- Entity
Mapping Type Security Group - SecurityGroupSecurity group entity type
- Entity
Mapping Type URL - URLURL entity type
- Entity
Mapping Type Mailbox - MailboxMailbox entity type
- Entity
Mapping Type Mail Cluster - MailClusterMail cluster entity type
- Entity
Mapping Type Mail Message - MailMessageMail message entity type
- Entity
Mapping Type Submission Mail - SubmissionMailSubmission mail entity type
- Account
- AccountUser account entity type
- Host
- HostHost entity type
- IP
- IPIP address entity type
- Malware
- MalwareMalware entity type
- File
- FileSystem file entity type
- Process
- ProcessProcess entity type
- Cloud
Application - CloudApplicationCloud app entity type
- DNS
- DNSDNS entity type
- Azure
Resource - AzureResourceAzure resource entity type
- File
Hash - FileHashFile-hash entity type
- Registry
Key - RegistryKeyRegistry key entity type
- Registry
Value - RegistryValueRegistry value entity type
- Security
Group - SecurityGroupSecurity group entity type
- URL
- URLURL entity type
- Mailbox
- MailboxMailbox entity type
- Mail
Cluster - MailClusterMail cluster entity type
- Mail
Message - MailMessageMail message entity type
- Submission
Mail - SubmissionMailSubmission mail entity type
- Account
- AccountUser account entity type
- Host
- HostHost entity type
- IP
- IPIP address entity type
- Malware
- MalwareMalware entity type
- File
- FileSystem file entity type
- Process
- ProcessProcess entity type
- Cloud
Application - CloudApplicationCloud app entity type
- DNS
- DNSDNS entity type
- Azure
Resource - AzureResourceAzure resource entity type
- File
Hash - FileHashFile-hash entity type
- Registry
Key - RegistryKeyRegistry key entity type
- Registry
Value - RegistryValueRegistry value entity type
- Security
Group - SecurityGroupSecurity group entity type
- URL
- URLURL entity type
- Mailbox
- MailboxMailbox entity type
- Mail
Cluster - MailClusterMail cluster entity type
- Mail
Message - MailMessageMail message entity type
- Submission
Mail - SubmissionMailSubmission mail entity type
- ACCOUNT
- AccountUser account entity type
- HOST
- HostHost entity type
- IP
- IPIP address entity type
- MALWARE
- MalwareMalware entity type
- FILE
- FileSystem file entity type
- PROCESS
- ProcessProcess entity type
- CLOUD_APPLICATION
- CloudApplicationCloud app entity type
- DNS
- DNSDNS entity type
- AZURE_RESOURCE
- AzureResourceAzure resource entity type
- FILE_HASH
- FileHashFile-hash entity type
- REGISTRY_KEY
- RegistryKeyRegistry key entity type
- REGISTRY_VALUE
- RegistryValueRegistry value entity type
- SECURITY_GROUP
- SecurityGroupSecurity group entity type
- URL
- URLURL entity type
- MAILBOX
- MailboxMailbox entity type
- MAIL_CLUSTER
- MailClusterMail cluster entity type
- MAIL_MESSAGE
- MailMessageMail message entity type
- SUBMISSION_MAIL
- SubmissionMailSubmission mail entity type
- "Account"
- AccountUser account entity type
- "Host"
- HostHost entity type
- "IP"
- IPIP address entity type
- "Malware"
- MalwareMalware entity type
- "File"
- FileSystem file entity type
- "Process"
- ProcessProcess entity type
- "Cloud
Application" - CloudApplicationCloud app entity type
- "DNS"
- DNSDNS entity type
- "Azure
Resource" - AzureResourceAzure resource entity type
- "File
Hash" - FileHashFile-hash entity type
- "Registry
Key" - RegistryKeyRegistry key entity type
- "Registry
Value" - RegistryValueRegistry value entity type
- "Security
Group" - SecurityGroupSecurity group entity type
- "URL"
- URLURL entity type
- "Mailbox"
- MailboxMailbox entity type
- "Mail
Cluster" - MailClusterMail cluster entity type
- "Mail
Message" - MailMessageMail message entity type
- "Submission
Mail" - SubmissionMailSubmission mail entity type
EventGroupingAggregationKind, EventGroupingAggregationKindArgs
- Single
Alert - SingleAlert
- Alert
Per Result - AlertPerResult
- Event
Grouping Aggregation Kind Single Alert - SingleAlert
- Event
Grouping Aggregation Kind Alert Per Result - AlertPerResult
- Single
Alert - SingleAlert
- Alert
Per Result - AlertPerResult
- Single
Alert - SingleAlert
- Alert
Per Result - AlertPerResult
- SINGLE_ALERT
- SingleAlert
- ALERT_PER_RESULT
- AlertPerResult
- "Single
Alert" - SingleAlert
- "Alert
Per Result" - AlertPerResult
EventGroupingSettings, EventGroupingSettingsArgs
- Aggregation
Kind string | Pulumi.Azure Native. Security Insights. Event Grouping Aggregation Kind - The event grouping aggregation kinds
- Aggregation
Kind string | EventGrouping Aggregation Kind - The event grouping aggregation kinds
- aggregation
Kind String | EventGrouping Aggregation Kind - The event grouping aggregation kinds
- aggregation
Kind string | EventGrouping Aggregation Kind - The event grouping aggregation kinds
- aggregation_
kind str | EventGrouping Aggregation Kind - The event grouping aggregation kinds
- aggregation
Kind String | "SingleAlert" | "Alert Per Result" - The event grouping aggregation kinds
EventGroupingSettingsResponse, EventGroupingSettingsResponseArgs
- Aggregation
Kind string - The event grouping aggregation kinds
- Aggregation
Kind string - The event grouping aggregation kinds
- aggregation
Kind String - The event grouping aggregation kinds
- aggregation
Kind string - The event grouping aggregation kinds
- aggregation_
kind str - The event grouping aggregation kinds
- aggregation
Kind String - The event grouping aggregation kinds
FieldMapping, FieldMappingArgs
- Column
Name string - the column name to be mapped to the identifier
- Identifier string
- the V3 identifier of the entity
- Column
Name string - the column name to be mapped to the identifier
- Identifier string
- the V3 identifier of the entity
- column
Name String - the column name to be mapped to the identifier
- identifier String
- the V3 identifier of the entity
- column
Name string - the column name to be mapped to the identifier
- identifier string
- the V3 identifier of the entity
- column_
name str - the column name to be mapped to the identifier
- identifier str
- the V3 identifier of the entity
- column
Name String - the column name to be mapped to the identifier
- identifier String
- the V3 identifier of the entity
FieldMappingResponse, FieldMappingResponseArgs
- Column
Name string - the column name to be mapped to the identifier
- Identifier string
- the V3 identifier of the entity
- Column
Name string - the column name to be mapped to the identifier
- Identifier string
- the V3 identifier of the entity
- column
Name String - the column name to be mapped to the identifier
- identifier String
- the V3 identifier of the entity
- column
Name string - the column name to be mapped to the identifier
- identifier string
- the V3 identifier of the entity
- column_
name str - the column name to be mapped to the identifier
- identifier str
- the V3 identifier of the entity
- column
Name String - the column name to be mapped to the identifier
- identifier String
- the V3 identifier of the entity
GroupingConfiguration, GroupingConfigurationArgs
- Enabled bool
- Grouping enabled
- Lookback
Duration string - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)
- Matching
Method string | Pulumi.Azure Native. Security Insights. Matching Method - Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.
- Reopen
Closed boolIncident - Re-open closed matching incidents
- Group
By List<Union<string, Pulumi.Alert Details Azure Native. Security Insights. Alert Detail>> - A list of alert details to group by (when matchingMethod is Selected)
- Group
By List<string>Custom Details - A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.
- Group
By List<Union<string, Pulumi.Entities Azure Native. Security Insights. Entity Mapping Type>> - A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.
- Enabled bool
- Grouping enabled
- Lookback
Duration string - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)
- Matching
Method string | MatchingMethod - Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.
- Reopen
Closed boolIncident - Re-open closed matching incidents
- Group
By []stringAlert Details - A list of alert details to group by (when matchingMethod is Selected)
- Group
By []stringCustom Details - A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.
- Group
By []stringEntities - A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.
- enabled Boolean
- Grouping enabled
- lookback
Duration String - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)
- matching
Method String | MatchingMethod - Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.
- reopen
Closed BooleanIncident - Re-open closed matching incidents
- group
By List<Either<String,AlertAlert Details Detail>> - A list of alert details to group by (when matchingMethod is Selected)
- group
By List<String>Custom Details - A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.
- group
By List<Either<String,EntityEntities Mapping Type>> - A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.
- enabled boolean
- Grouping enabled
- lookback
Duration string - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)
- matching
Method string | MatchingMethod - Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.
- reopen
Closed booleanIncident - Re-open closed matching incidents
- group
By (string | AlertAlert Details Detail)[] - A list of alert details to group by (when matchingMethod is Selected)
- group
By string[]Custom Details - A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.
- group
By (string | EntityEntities Mapping Type)[] - A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.
- enabled bool
- Grouping enabled
- lookback_
duration str - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)
- matching_
method str | MatchingMethod - Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.
- reopen_
closed_ boolincident - Re-open closed matching incidents
- group_
by_ Sequence[Union[str, Alertalert_ details Detail]] - A list of alert details to group by (when matchingMethod is Selected)
- group_
by_ Sequence[str]custom_ details - A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.
- group_
by_ Sequence[Union[str, Entityentities Mapping Type]] - A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.
- enabled Boolean
- Grouping enabled
- lookback
Duration String - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)
- matching
Method String | "AllEntities" | "Any Alert" | "Selected" - Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.
- reopen
Closed BooleanIncident - Re-open closed matching incidents
- group
By List<String | "DisplayAlert Details Name" | "Severity"> - A list of alert details to group by (when matchingMethod is Selected)
- group
By List<String>Custom Details - A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.
- group
By List<String | "Account" | "Host" | "IP" | "Malware" | "File" | "Process" | "CloudEntities Application" | "DNS" | "Azure Resource" | "File Hash" | "Registry Key" | "Registry Value" | "Security Group" | "URL" | "Mailbox" | "Mail Cluster" | "Mail Message" | "Submission Mail"> - A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.
GroupingConfigurationResponse, GroupingConfigurationResponseArgs
- Enabled bool
- Grouping enabled
- Lookback
Duration string - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)
- Matching
Method string - Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.
- Reopen
Closed boolIncident - Re-open closed matching incidents
- Group
By List<string>Alert Details - A list of alert details to group by (when matchingMethod is Selected)
- Group
By List<string>Custom Details - A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.
- Group
By List<string>Entities - A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.
- Enabled bool
- Grouping enabled
- Lookback
Duration string - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)
- Matching
Method string - Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.
- Reopen
Closed boolIncident - Re-open closed matching incidents
- Group
By []stringAlert Details - A list of alert details to group by (when matchingMethod is Selected)
- Group
By []stringCustom Details - A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.
- Group
By []stringEntities - A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.
- enabled Boolean
- Grouping enabled
- lookback
Duration String - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)
- matching
Method String - Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.
- reopen
Closed BooleanIncident - Re-open closed matching incidents
- group
By List<String>Alert Details - A list of alert details to group by (when matchingMethod is Selected)
- group
By List<String>Custom Details - A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.
- group
By List<String>Entities - A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.
- enabled boolean
- Grouping enabled
- lookback
Duration string - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)
- matching
Method string - Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.
- reopen
Closed booleanIncident - Re-open closed matching incidents
- group
By string[]Alert Details - A list of alert details to group by (when matchingMethod is Selected)
- group
By string[]Custom Details - A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.
- group
By string[]Entities - A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.
- enabled bool
- Grouping enabled
- lookback_
duration str - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)
- matching_
method str - Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.
- reopen_
closed_ boolincident - Re-open closed matching incidents
- group_
by_ Sequence[str]alert_ details - A list of alert details to group by (when matchingMethod is Selected)
- group_
by_ Sequence[str]custom_ details - A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.
- group_
by_ Sequence[str]entities - A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.
- enabled Boolean
- Grouping enabled
- lookback
Duration String - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)
- matching
Method String - Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.
- reopen
Closed BooleanIncident - Re-open closed matching incidents
- group
By List<String>Alert Details - A list of alert details to group by (when matchingMethod is Selected)
- group
By List<String>Custom Details - A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.
- group
By List<String>Entities - A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.
IncidentConfiguration, IncidentConfigurationArgs
- Create
Incident bool - Create incidents from alerts triggered by this analytics rule
- Grouping
Configuration Pulumi.Azure Native. Security Insights. Inputs. Grouping Configuration - Set how the alerts that are triggered by this analytics rule, are grouped into incidents
- Create
Incident bool - Create incidents from alerts triggered by this analytics rule
- Grouping
Configuration GroupingConfiguration - Set how the alerts that are triggered by this analytics rule, are grouped into incidents
- create
Incident Boolean - Create incidents from alerts triggered by this analytics rule
- grouping
Configuration GroupingConfiguration - Set how the alerts that are triggered by this analytics rule, are grouped into incidents
- create
Incident boolean - Create incidents from alerts triggered by this analytics rule
- grouping
Configuration GroupingConfiguration - Set how the alerts that are triggered by this analytics rule, are grouped into incidents
- create_
incident bool - Create incidents from alerts triggered by this analytics rule
- grouping_
configuration GroupingConfiguration - Set how the alerts that are triggered by this analytics rule, are grouped into incidents
- create
Incident Boolean - Create incidents from alerts triggered by this analytics rule
- grouping
Configuration Property Map - Set how the alerts that are triggered by this analytics rule, are grouped into incidents
IncidentConfigurationResponse, IncidentConfigurationResponseArgs
- Create
Incident bool - Create incidents from alerts triggered by this analytics rule
- Grouping
Configuration Pulumi.Azure Native. Security Insights. Inputs. Grouping Configuration Response - Set how the alerts that are triggered by this analytics rule, are grouped into incidents
- Create
Incident bool - Create incidents from alerts triggered by this analytics rule
- Grouping
Configuration GroupingConfiguration Response - Set how the alerts that are triggered by this analytics rule, are grouped into incidents
- create
Incident Boolean - Create incidents from alerts triggered by this analytics rule
- grouping
Configuration GroupingConfiguration Response - Set how the alerts that are triggered by this analytics rule, are grouped into incidents
- create
Incident boolean - Create incidents from alerts triggered by this analytics rule
- grouping
Configuration GroupingConfiguration Response - Set how the alerts that are triggered by this analytics rule, are grouped into incidents
- create_
incident bool - Create incidents from alerts triggered by this analytics rule
- grouping_
configuration GroupingConfiguration Response - Set how the alerts that are triggered by this analytics rule, are grouped into incidents
- create
Incident Boolean - Create incidents from alerts triggered by this analytics rule
- grouping
Configuration Property Map - Set how the alerts that are triggered by this analytics rule, are grouped into incidents
MatchingMethod, MatchingMethodArgs
- All
Entities - AllEntitiesGrouping alerts into a single incident if all the entities match
- Any
Alert - AnyAlertGrouping any alerts triggered by this rule into a single incident
- Selected
- SelectedGrouping alerts into a single incident if the selected entities, custom details and alert details match
- Matching
Method All Entities - AllEntitiesGrouping alerts into a single incident if all the entities match
- Matching
Method Any Alert - AnyAlertGrouping any alerts triggered by this rule into a single incident
- Matching
Method Selected - SelectedGrouping alerts into a single incident if the selected entities, custom details and alert details match
- All
Entities - AllEntitiesGrouping alerts into a single incident if all the entities match
- Any
Alert - AnyAlertGrouping any alerts triggered by this rule into a single incident
- Selected
- SelectedGrouping alerts into a single incident if the selected entities, custom details and alert details match
- All
Entities - AllEntitiesGrouping alerts into a single incident if all the entities match
- Any
Alert - AnyAlertGrouping any alerts triggered by this rule into a single incident
- Selected
- SelectedGrouping alerts into a single incident if the selected entities, custom details and alert details match
- ALL_ENTITIES
- AllEntitiesGrouping alerts into a single incident if all the entities match
- ANY_ALERT
- AnyAlertGrouping any alerts triggered by this rule into a single incident
- SELECTED
- SelectedGrouping alerts into a single incident if the selected entities, custom details and alert details match
- "All
Entities" - AllEntitiesGrouping alerts into a single incident if all the entities match
- "Any
Alert" - AnyAlertGrouping any alerts triggered by this rule into a single incident
- "Selected"
- SelectedGrouping alerts into a single incident if the selected entities, custom details and alert details match
SystemDataResponse, SystemDataResponseArgs
- Created
At string - The timestamp of resource creation (UTC).
- Created
By string - The identity that created the resource.
- Created
By stringType - The type of identity that created the resource.
- Last
Modified stringAt - The timestamp of resource last modification (UTC)
- Last
Modified stringBy - The identity that last modified the resource.
- Last
Modified stringBy Type - The type of identity that last modified the resource.
- Created
At string - The timestamp of resource creation (UTC).
- Created
By string - The identity that created the resource.
- Created
By stringType - The type of identity that created the resource.
- Last
Modified stringAt - The timestamp of resource last modification (UTC)
- Last
Modified stringBy - The identity that last modified the resource.
- Last
Modified stringBy Type - The type of identity that last modified the resource.
- created
At String - The timestamp of resource creation (UTC).
- created
By String - The identity that created the resource.
- created
By StringType - The type of identity that created the resource.
- last
Modified StringAt - The timestamp of resource last modification (UTC)
- last
Modified StringBy - The identity that last modified the resource.
- last
Modified StringBy Type - The type of identity that last modified the resource.
- created
At string - The timestamp of resource creation (UTC).
- created
By string - The identity that created the resource.
- created
By stringType - The type of identity that created the resource.
- last
Modified stringAt - The timestamp of resource last modification (UTC)
- last
Modified stringBy - The identity that last modified the resource.
- last
Modified stringBy Type - The type of identity that last modified the resource.
- created_
at str - The timestamp of resource creation (UTC).
- created_
by str - The identity that created the resource.
- created_
by_ strtype - The type of identity that created the resource.
- last_
modified_ strat - The timestamp of resource last modification (UTC)
- last_
modified_ strby - The identity that last modified the resource.
- last_
modified_ strby_ type - The type of identity that last modified the resource.
- created
At String - The timestamp of resource creation (UTC).
- created
By String - The identity that created the resource.
- created
By StringType - The type of identity that created the resource.
- last
Modified StringAt - The timestamp of resource last modification (UTC)
- last
Modified StringBy - The identity that last modified the resource.
- last
Modified StringBy Type - The type of identity that last modified the resource.
TriggerOperator, TriggerOperatorArgs
- Greater
Than - GreaterThan
- Less
Than - LessThan
- Equal
- Equal
- Not
Equal - NotEqual
- Trigger
Operator Greater Than - GreaterThan
- Trigger
Operator Less Than - LessThan
- Trigger
Operator Equal - Equal
- Trigger
Operator Not Equal - NotEqual
- Greater
Than - GreaterThan
- Less
Than - LessThan
- Equal
- Equal
- Not
Equal - NotEqual
- Greater
Than - GreaterThan
- Less
Than - LessThan
- Equal
- Equal
- Not
Equal - NotEqual
- GREATER_THAN
- GreaterThan
- LESS_THAN
- LessThan
- EQUAL
- Equal
- NOT_EQUAL
- NotEqual
- "Greater
Than" - GreaterThan
- "Less
Than" - LessThan
- "Equal"
- Equal
- "Not
Equal" - NotEqual
Import
An existing resource can be imported using its type token, name, and identifier, e.g.
$ pulumi import azure-native:securityinsights:ScheduledAlertRule 73e01a99-5cd7-4139-a149-9f2736ff2ab5 /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Native pulumi/pulumi-azure-native
- License
- Apache-2.0
This is the latest version of Azure Native. Use the Azure Native v1 docs if using the v1 version of this package.
Azure Native v2.38.0 published on Monday, Apr 22, 2024 by Pulumi