azure logo
Azure Classic v5.38.0, Mar 21 23

azure.sentinel.AlertRuleNrt

Manages a Sentinel NRT Alert Rule.

Example Usage

using System.Collections.Generic;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() => 
{
    var exampleResourceGroup = new Azure.Core.ResourceGroup("exampleResourceGroup", new()
    {
        Location = "West Europe",
    });

    var exampleAnalyticsWorkspace = new Azure.OperationalInsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", new()
    {
        Location = exampleResourceGroup.Location,
        ResourceGroupName = exampleResourceGroup.Name,
        Sku = "pergb2018",
    });

    var exampleAnalyticsSolution = new Azure.OperationalInsights.AnalyticsSolution("exampleAnalyticsSolution", new()
    {
        SolutionName = "SecurityInsights",
        Location = exampleResourceGroup.Location,
        ResourceGroupName = exampleResourceGroup.Name,
        WorkspaceResourceId = exampleAnalyticsWorkspace.Id,
        WorkspaceName = exampleAnalyticsWorkspace.Name,
        Plan = new Azure.OperationalInsights.Inputs.AnalyticsSolutionPlanArgs
        {
            Publisher = "Microsoft",
            Product = "OMSGallery/SecurityInsights",
        },
    });

    var exampleAlertRuleNrt = new Azure.Sentinel.AlertRuleNrt("exampleAlertRuleNrt", new()
    {
        LogAnalyticsWorkspaceId = exampleAnalyticsSolution.WorkspaceResourceId,
        DisplayName = "example",
        Severity = "High",
        Query = @"AzureActivity |
  where OperationName == ""Create or Update Virtual Machine"" or OperationName ==""Create Deployment"" |
  where ActivityStatus == ""Succeeded"" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
",
    });

});
package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/operationalinsights"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/sentinel"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleResourceGroup, err := core.NewResourceGroup(ctx, "exampleResourceGroup", &core.ResourceGroupArgs{
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}
		exampleAnalyticsWorkspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "exampleAnalyticsWorkspace", &operationalinsights.AnalyticsWorkspaceArgs{
			Location:          exampleResourceGroup.Location,
			ResourceGroupName: exampleResourceGroup.Name,
			Sku:               pulumi.String("pergb2018"),
		})
		if err != nil {
			return err
		}
		exampleAnalyticsSolution, err := operationalinsights.NewAnalyticsSolution(ctx, "exampleAnalyticsSolution", &operationalinsights.AnalyticsSolutionArgs{
			SolutionName:        pulumi.String("SecurityInsights"),
			Location:            exampleResourceGroup.Location,
			ResourceGroupName:   exampleResourceGroup.Name,
			WorkspaceResourceId: exampleAnalyticsWorkspace.ID(),
			WorkspaceName:       exampleAnalyticsWorkspace.Name,
			Plan: &operationalinsights.AnalyticsSolutionPlanArgs{
				Publisher: pulumi.String("Microsoft"),
				Product:   pulumi.String("OMSGallery/SecurityInsights"),
			},
		})
		if err != nil {
			return err
		}
		_, err = sentinel.NewAlertRuleNrt(ctx, "exampleAlertRuleNrt", &sentinel.AlertRuleNrtArgs{
			LogAnalyticsWorkspaceId: exampleAnalyticsSolution.WorkspaceResourceId,
			DisplayName:             pulumi.String("example"),
			Severity:                pulumi.String("High"),
			Query:                   pulumi.String("AzureActivity |\n  where OperationName == \"Create or Update Virtual Machine\" or OperationName ==\"Create Deployment\" |\n  where ActivityStatus == \"Succeeded\" |\n  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller\n"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
import com.pulumi.azure.operationalinsights.AnalyticsSolution;
import com.pulumi.azure.operationalinsights.AnalyticsSolutionArgs;
import com.pulumi.azure.operationalinsights.inputs.AnalyticsSolutionPlanArgs;
import com.pulumi.azure.sentinel.AlertRuleNrt;
import com.pulumi.azure.sentinel.AlertRuleNrtArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var exampleResourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()        
            .location("West Europe")
            .build());

        var exampleAnalyticsWorkspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()        
            .location(exampleResourceGroup.location())
            .resourceGroupName(exampleResourceGroup.name())
            .sku("pergb2018")
            .build());

        var exampleAnalyticsSolution = new AnalyticsSolution("exampleAnalyticsSolution", AnalyticsSolutionArgs.builder()        
            .solutionName("SecurityInsights")
            .location(exampleResourceGroup.location())
            .resourceGroupName(exampleResourceGroup.name())
            .workspaceResourceId(exampleAnalyticsWorkspace.id())
            .workspaceName(exampleAnalyticsWorkspace.name())
            .plan(AnalyticsSolutionPlanArgs.builder()
                .publisher("Microsoft")
                .product("OMSGallery/SecurityInsights")
                .build())
            .build());

        var exampleAlertRuleNrt = new AlertRuleNrt("exampleAlertRuleNrt", AlertRuleNrtArgs.builder()        
            .logAnalyticsWorkspaceId(exampleAnalyticsSolution.workspaceResourceId())
            .displayName("example")
            .severity("High")
            .query("""
AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
            """)
            .build());

    }
}
import pulumi
import pulumi_azure as azure

example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    sku="pergb2018")
example_analytics_solution = azure.operationalinsights.AnalyticsSolution("exampleAnalyticsSolution",
    solution_name="SecurityInsights",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    workspace_resource_id=example_analytics_workspace.id,
    workspace_name=example_analytics_workspace.name,
    plan=azure.operationalinsights.AnalyticsSolutionPlanArgs(
        publisher="Microsoft",
        product="OMSGallery/SecurityInsights",
    ))
example_alert_rule_nrt = azure.sentinel.AlertRuleNrt("exampleAlertRuleNrt",
    log_analytics_workspace_id=example_analytics_solution.workspace_resource_id,
    display_name="example",
    severity="High",
    query="""AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
""")
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    sku: "pergb2018",
});
const exampleAnalyticsSolution = new azure.operationalinsights.AnalyticsSolution("exampleAnalyticsSolution", {
    solutionName: "SecurityInsights",
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    workspaceResourceId: exampleAnalyticsWorkspace.id,
    workspaceName: exampleAnalyticsWorkspace.name,
    plan: {
        publisher: "Microsoft",
        product: "OMSGallery/SecurityInsights",
    },
});
const exampleAlertRuleNrt = new azure.sentinel.AlertRuleNrt("exampleAlertRuleNrt", {
    logAnalyticsWorkspaceId: exampleAnalyticsSolution.workspaceResourceId,
    displayName: "example",
    severity: "High",
    query: `AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
`,
});
resources:
  exampleResourceGroup:
    type: azure:core:ResourceGroup
    properties:
      location: West Europe
  exampleAnalyticsWorkspace:
    type: azure:operationalinsights:AnalyticsWorkspace
    properties:
      location: ${exampleResourceGroup.location}
      resourceGroupName: ${exampleResourceGroup.name}
      sku: pergb2018
  exampleAnalyticsSolution:
    type: azure:operationalinsights:AnalyticsSolution
    properties:
      solutionName: SecurityInsights
      location: ${exampleResourceGroup.location}
      resourceGroupName: ${exampleResourceGroup.name}
      workspaceResourceId: ${exampleAnalyticsWorkspace.id}
      workspaceName: ${exampleAnalyticsWorkspace.name}
      plan:
        publisher: Microsoft
        product: OMSGallery/SecurityInsights
  exampleAlertRuleNrt:
    type: azure:sentinel:AlertRuleNrt
    properties:
      logAnalyticsWorkspaceId: ${exampleAnalyticsSolution.workspaceResourceId}
      displayName: example
      severity: High
      query: |
        AzureActivity |
          where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
          where ActivityStatus == "Succeeded" |
          make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller        

Create AlertRuleNrt Resource

new AlertRuleNrt(name: string, args: AlertRuleNrtArgs, opts?: CustomResourceOptions);
@overload
def AlertRuleNrt(resource_name: str,
                 opts: Optional[ResourceOptions] = None,
                 alert_details_overrides: Optional[Sequence[AlertRuleNrtAlertDetailsOverrideArgs]] = None,
                 alert_rule_template_guid: Optional[str] = None,
                 alert_rule_template_version: Optional[str] = None,
                 custom_details: Optional[Mapping[str, str]] = None,
                 description: Optional[str] = None,
                 display_name: Optional[str] = None,
                 enabled: Optional[bool] = None,
                 entity_mappings: Optional[Sequence[AlertRuleNrtEntityMappingArgs]] = None,
                 event_grouping: Optional[AlertRuleNrtEventGroupingArgs] = None,
                 incident: Optional[AlertRuleNrtIncidentArgs] = None,
                 log_analytics_workspace_id: Optional[str] = None,
                 name: Optional[str] = None,
                 query: Optional[str] = None,
                 sentinel_entity_mappings: Optional[Sequence[AlertRuleNrtSentinelEntityMappingArgs]] = None,
                 severity: Optional[str] = None,
                 suppression_duration: Optional[str] = None,
                 suppression_enabled: Optional[bool] = None,
                 tactics: Optional[Sequence[str]] = None,
                 techniques: Optional[Sequence[str]] = None)
@overload
def AlertRuleNrt(resource_name: str,
                 args: AlertRuleNrtArgs,
                 opts: Optional[ResourceOptions] = None)
func NewAlertRuleNrt(ctx *Context, name string, args AlertRuleNrtArgs, opts ...ResourceOption) (*AlertRuleNrt, error)
public AlertRuleNrt(string name, AlertRuleNrtArgs args, CustomResourceOptions? opts = null)
public AlertRuleNrt(String name, AlertRuleNrtArgs args)
public AlertRuleNrt(String name, AlertRuleNrtArgs args, CustomResourceOptions options)
type: azure:sentinel:AlertRuleNrt
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args AlertRuleNrtArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AlertRuleNrtArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AlertRuleNrtArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AlertRuleNrtArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AlertRuleNrtArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

AlertRuleNrt Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AlertRuleNrt resource accepts the following input properties:

DisplayName string

The friendly name of this Sentinel NRT Alert Rule.

LogAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

Query string

The query of this Sentinel NRT Alert Rule.

Severity string

The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

AlertDetailsOverrides List<AlertRuleNrtAlertDetailsOverrideArgs>

An alert_details_override block as defined below.

AlertRuleTemplateGuid string

The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

AlertRuleTemplateVersion string

The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

CustomDetails Dictionary<string, string>

A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

Description string

The description of this Sentinel NRT Alert Rule.

Enabled bool

Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

EntityMappings List<AlertRuleNrtEntityMappingArgs>

A list of entity_mapping blocks as defined below.

EventGrouping AlertRuleNrtEventGroupingArgs

A event_grouping block as defined below.

Incident AlertRuleNrtIncidentArgs

A incident block as defined below.

Name string

The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

SentinelEntityMappings List<AlertRuleNrtSentinelEntityMappingArgs>

A list of sentinel_entity_mapping blocks as defined below.

SuppressionDuration string

If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

SuppressionEnabled bool

Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

Tactics List<string>

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

Techniques List<string>

A list of techniques of attacks by which to classify the rule.

DisplayName string

The friendly name of this Sentinel NRT Alert Rule.

LogAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

Query string

The query of this Sentinel NRT Alert Rule.

Severity string

The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

AlertDetailsOverrides []AlertRuleNrtAlertDetailsOverrideArgs

An alert_details_override block as defined below.

AlertRuleTemplateGuid string

The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

AlertRuleTemplateVersion string

The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

CustomDetails map[string]string

A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

Description string

The description of this Sentinel NRT Alert Rule.

Enabled bool

Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

EntityMappings []AlertRuleNrtEntityMappingArgs

A list of entity_mapping blocks as defined below.

EventGrouping AlertRuleNrtEventGroupingArgs

A event_grouping block as defined below.

Incident AlertRuleNrtIncidentArgs

A incident block as defined below.

Name string

The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

SentinelEntityMappings []AlertRuleNrtSentinelEntityMappingArgs

A list of sentinel_entity_mapping blocks as defined below.

SuppressionDuration string

If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

SuppressionEnabled bool

Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

Tactics []string

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

Techniques []string

A list of techniques of attacks by which to classify the rule.

displayName String

The friendly name of this Sentinel NRT Alert Rule.

logAnalyticsWorkspaceId String

The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

query String

The query of this Sentinel NRT Alert Rule.

severity String

The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

alertDetailsOverrides List<AlertRuleNrtAlertDetailsOverrideArgs>

An alert_details_override block as defined below.

alertRuleTemplateGuid String

The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

alertRuleTemplateVersion String

The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

customDetails Map<String,String>

A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

description String

The description of this Sentinel NRT Alert Rule.

enabled Boolean

Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

entityMappings List<AlertRuleNrtEntityMappingArgs>

A list of entity_mapping blocks as defined below.

eventGrouping AlertRuleNrtEventGroupingArgs

A event_grouping block as defined below.

incident AlertRuleNrtIncidentArgs

A incident block as defined below.

name String

The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

sentinelEntityMappings List<AlertRuleNrtSentinelEntityMappingArgs>

A list of sentinel_entity_mapping blocks as defined below.

suppressionDuration String

If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

suppressionEnabled Boolean

Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

tactics List<String>

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

techniques List<String>

A list of techniques of attacks by which to classify the rule.

displayName string

The friendly name of this Sentinel NRT Alert Rule.

logAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

query string

The query of this Sentinel NRT Alert Rule.

severity string

The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

alertDetailsOverrides AlertRuleNrtAlertDetailsOverrideArgs[]

An alert_details_override block as defined below.

alertRuleTemplateGuid string

The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

alertRuleTemplateVersion string

The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

customDetails {[key: string]: string}

A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

description string

The description of this Sentinel NRT Alert Rule.

enabled boolean

Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

entityMappings AlertRuleNrtEntityMappingArgs[]

A list of entity_mapping blocks as defined below.

eventGrouping AlertRuleNrtEventGroupingArgs

A event_grouping block as defined below.

incident AlertRuleNrtIncidentArgs

A incident block as defined below.

name string

The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

sentinelEntityMappings AlertRuleNrtSentinelEntityMappingArgs[]

A list of sentinel_entity_mapping blocks as defined below.

suppressionDuration string

If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

suppressionEnabled boolean

Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

tactics string[]

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

techniques string[]

A list of techniques of attacks by which to classify the rule.

display_name str

The friendly name of this Sentinel NRT Alert Rule.

log_analytics_workspace_id str

The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

query str

The query of this Sentinel NRT Alert Rule.

severity str

The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

alert_details_overrides Sequence[AlertRuleNrtAlertDetailsOverrideArgs]

An alert_details_override block as defined below.

alert_rule_template_guid str

The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

alert_rule_template_version str

The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

custom_details Mapping[str, str]

A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

description str

The description of this Sentinel NRT Alert Rule.

enabled bool

Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

entity_mappings Sequence[AlertRuleNrtEntityMappingArgs]

A list of entity_mapping blocks as defined below.

event_grouping AlertRuleNrtEventGroupingArgs

A event_grouping block as defined below.

incident AlertRuleNrtIncidentArgs

A incident block as defined below.

name str

The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

sentinel_entity_mappings Sequence[AlertRuleNrtSentinelEntityMappingArgs]

A list of sentinel_entity_mapping blocks as defined below.

suppression_duration str

If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

suppression_enabled bool

Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

tactics Sequence[str]

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

techniques Sequence[str]

A list of techniques of attacks by which to classify the rule.

displayName String

The friendly name of this Sentinel NRT Alert Rule.

logAnalyticsWorkspaceId String

The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

query String

The query of this Sentinel NRT Alert Rule.

severity String

The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

alertDetailsOverrides List<Property Map>

An alert_details_override block as defined below.

alertRuleTemplateGuid String

The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

alertRuleTemplateVersion String

The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

customDetails Map<String>

A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

description String

The description of this Sentinel NRT Alert Rule.

enabled Boolean

Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

entityMappings List<Property Map>

A list of entity_mapping blocks as defined below.

eventGrouping Property Map

A event_grouping block as defined below.

incident Property Map

A incident block as defined below.

name String

The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

sentinelEntityMappings List<Property Map>

A list of sentinel_entity_mapping blocks as defined below.

suppressionDuration String

If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

suppressionEnabled Boolean

Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

tactics List<String>

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

techniques List<String>

A list of techniques of attacks by which to classify the rule.

Outputs

All input properties are implicitly available as output properties. Additionally, the AlertRuleNrt resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up Existing AlertRuleNrt Resource

Get an existing AlertRuleNrt resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AlertRuleNrtState, opts?: CustomResourceOptions): AlertRuleNrt
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        alert_details_overrides: Optional[Sequence[AlertRuleNrtAlertDetailsOverrideArgs]] = None,
        alert_rule_template_guid: Optional[str] = None,
        alert_rule_template_version: Optional[str] = None,
        custom_details: Optional[Mapping[str, str]] = None,
        description: Optional[str] = None,
        display_name: Optional[str] = None,
        enabled: Optional[bool] = None,
        entity_mappings: Optional[Sequence[AlertRuleNrtEntityMappingArgs]] = None,
        event_grouping: Optional[AlertRuleNrtEventGroupingArgs] = None,
        incident: Optional[AlertRuleNrtIncidentArgs] = None,
        log_analytics_workspace_id: Optional[str] = None,
        name: Optional[str] = None,
        query: Optional[str] = None,
        sentinel_entity_mappings: Optional[Sequence[AlertRuleNrtSentinelEntityMappingArgs]] = None,
        severity: Optional[str] = None,
        suppression_duration: Optional[str] = None,
        suppression_enabled: Optional[bool] = None,
        tactics: Optional[Sequence[str]] = None,
        techniques: Optional[Sequence[str]] = None) -> AlertRuleNrt
func GetAlertRuleNrt(ctx *Context, name string, id IDInput, state *AlertRuleNrtState, opts ...ResourceOption) (*AlertRuleNrt, error)
public static AlertRuleNrt Get(string name, Input<string> id, AlertRuleNrtState? state, CustomResourceOptions? opts = null)
public static AlertRuleNrt get(String name, Output<String> id, AlertRuleNrtState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AlertDetailsOverrides List<AlertRuleNrtAlertDetailsOverrideArgs>

An alert_details_override block as defined below.

AlertRuleTemplateGuid string

The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

AlertRuleTemplateVersion string

The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

CustomDetails Dictionary<string, string>

A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

Description string

The description of this Sentinel NRT Alert Rule.

DisplayName string

The friendly name of this Sentinel NRT Alert Rule.

Enabled bool

Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

EntityMappings List<AlertRuleNrtEntityMappingArgs>

A list of entity_mapping blocks as defined below.

EventGrouping AlertRuleNrtEventGroupingArgs

A event_grouping block as defined below.

Incident AlertRuleNrtIncidentArgs

A incident block as defined below.

LogAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

Name string

The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

Query string

The query of this Sentinel NRT Alert Rule.

SentinelEntityMappings List<AlertRuleNrtSentinelEntityMappingArgs>

A list of sentinel_entity_mapping blocks as defined below.

Severity string

The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

SuppressionDuration string

If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

SuppressionEnabled bool

Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

Tactics List<string>

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

Techniques List<string>

A list of techniques of attacks by which to classify the rule.

AlertDetailsOverrides []AlertRuleNrtAlertDetailsOverrideArgs

An alert_details_override block as defined below.

AlertRuleTemplateGuid string

The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

AlertRuleTemplateVersion string

The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

CustomDetails map[string]string

A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

Description string

The description of this Sentinel NRT Alert Rule.

DisplayName string

The friendly name of this Sentinel NRT Alert Rule.

Enabled bool

Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

EntityMappings []AlertRuleNrtEntityMappingArgs

A list of entity_mapping blocks as defined below.

EventGrouping AlertRuleNrtEventGroupingArgs

A event_grouping block as defined below.

Incident AlertRuleNrtIncidentArgs

A incident block as defined below.

LogAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

Name string

The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

Query string

The query of this Sentinel NRT Alert Rule.

SentinelEntityMappings []AlertRuleNrtSentinelEntityMappingArgs

A list of sentinel_entity_mapping blocks as defined below.

Severity string

The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

SuppressionDuration string

If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

SuppressionEnabled bool

Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

Tactics []string

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

Techniques []string

A list of techniques of attacks by which to classify the rule.

alertDetailsOverrides List<AlertRuleNrtAlertDetailsOverrideArgs>

An alert_details_override block as defined below.

alertRuleTemplateGuid String

The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

alertRuleTemplateVersion String

The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

customDetails Map<String,String>

A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

description String

The description of this Sentinel NRT Alert Rule.

displayName String

The friendly name of this Sentinel NRT Alert Rule.

enabled Boolean

Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

entityMappings List<AlertRuleNrtEntityMappingArgs>

A list of entity_mapping blocks as defined below.

eventGrouping AlertRuleNrtEventGroupingArgs

A event_grouping block as defined below.

incident AlertRuleNrtIncidentArgs

A incident block as defined below.

logAnalyticsWorkspaceId String

The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

name String

The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

query String

The query of this Sentinel NRT Alert Rule.

sentinelEntityMappings List<AlertRuleNrtSentinelEntityMappingArgs>

A list of sentinel_entity_mapping blocks as defined below.

severity String

The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

suppressionDuration String

If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

suppressionEnabled Boolean

Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

tactics List<String>

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

techniques List<String>

A list of techniques of attacks by which to classify the rule.

alertDetailsOverrides AlertRuleNrtAlertDetailsOverrideArgs[]

An alert_details_override block as defined below.

alertRuleTemplateGuid string

The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

alertRuleTemplateVersion string

The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

customDetails {[key: string]: string}

A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

description string

The description of this Sentinel NRT Alert Rule.

displayName string

The friendly name of this Sentinel NRT Alert Rule.

enabled boolean

Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

entityMappings AlertRuleNrtEntityMappingArgs[]

A list of entity_mapping blocks as defined below.

eventGrouping AlertRuleNrtEventGroupingArgs

A event_grouping block as defined below.

incident AlertRuleNrtIncidentArgs

A incident block as defined below.

logAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

name string

The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

query string

The query of this Sentinel NRT Alert Rule.

sentinelEntityMappings AlertRuleNrtSentinelEntityMappingArgs[]

A list of sentinel_entity_mapping blocks as defined below.

severity string

The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

suppressionDuration string

If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

suppressionEnabled boolean

Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

tactics string[]

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

techniques string[]

A list of techniques of attacks by which to classify the rule.

alert_details_overrides Sequence[AlertRuleNrtAlertDetailsOverrideArgs]

An alert_details_override block as defined below.

alert_rule_template_guid str

The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

alert_rule_template_version str

The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

custom_details Mapping[str, str]

A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

description str

The description of this Sentinel NRT Alert Rule.

display_name str

The friendly name of this Sentinel NRT Alert Rule.

enabled bool

Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

entity_mappings Sequence[AlertRuleNrtEntityMappingArgs]

A list of entity_mapping blocks as defined below.

event_grouping AlertRuleNrtEventGroupingArgs

A event_grouping block as defined below.

incident AlertRuleNrtIncidentArgs

A incident block as defined below.

log_analytics_workspace_id str

The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

name str

The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

query str

The query of this Sentinel NRT Alert Rule.

sentinel_entity_mappings Sequence[AlertRuleNrtSentinelEntityMappingArgs]

A list of sentinel_entity_mapping blocks as defined below.

severity str

The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

suppression_duration str

If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

suppression_enabled bool

Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

tactics Sequence[str]

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

techniques Sequence[str]

A list of techniques of attacks by which to classify the rule.

alertDetailsOverrides List<Property Map>

An alert_details_override block as defined below.

alertRuleTemplateGuid String

The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

alertRuleTemplateVersion String

The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

customDetails Map<String>

A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

description String

The description of this Sentinel NRT Alert Rule.

displayName String

The friendly name of this Sentinel NRT Alert Rule.

enabled Boolean

Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

entityMappings List<Property Map>

A list of entity_mapping blocks as defined below.

eventGrouping Property Map

A event_grouping block as defined below.

incident Property Map

A incident block as defined below.

logAnalyticsWorkspaceId String

The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

name String

The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

query String

The query of this Sentinel NRT Alert Rule.

sentinelEntityMappings List<Property Map>

A list of sentinel_entity_mapping blocks as defined below.

severity String

The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

suppressionDuration String

If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

suppressionEnabled Boolean

Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

tactics List<String>

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

techniques List<String>

A list of techniques of attacks by which to classify the rule.

Supporting Types

AlertRuleNrtAlertDetailsOverride

DescriptionFormat string

The format containing columns name(s) to override the description of this Sentinel Alert Rule.

DisplayNameFormat string

The format containing columns name(s) to override the name of this Sentinel Alert Rule.

DynamicProperties List<AlertRuleNrtAlertDetailsOverrideDynamicProperty>

A list of dynamic_property blocks as defined below.

SeverityColumnName string

The column name to take the alert severity from.

TacticsColumnName string

The column name to take the alert tactics from.

DescriptionFormat string

The format containing columns name(s) to override the description of this Sentinel Alert Rule.

DisplayNameFormat string

The format containing columns name(s) to override the name of this Sentinel Alert Rule.

DynamicProperties []AlertRuleNrtAlertDetailsOverrideDynamicProperty

A list of dynamic_property blocks as defined below.

SeverityColumnName string

The column name to take the alert severity from.

TacticsColumnName string

The column name to take the alert tactics from.

descriptionFormat String

The format containing columns name(s) to override the description of this Sentinel Alert Rule.

displayNameFormat String

The format containing columns name(s) to override the name of this Sentinel Alert Rule.

dynamicProperties List<AlertRuleNrtAlertDetailsOverrideDynamicProperty>

A list of dynamic_property blocks as defined below.

severityColumnName String

The column name to take the alert severity from.

tacticsColumnName String

The column name to take the alert tactics from.

descriptionFormat string

The format containing columns name(s) to override the description of this Sentinel Alert Rule.

displayNameFormat string

The format containing columns name(s) to override the name of this Sentinel Alert Rule.

dynamicProperties AlertRuleNrtAlertDetailsOverrideDynamicProperty[]

A list of dynamic_property blocks as defined below.

severityColumnName string

The column name to take the alert severity from.

tacticsColumnName string

The column name to take the alert tactics from.

description_format str

The format containing columns name(s) to override the description of this Sentinel Alert Rule.

display_name_format str

The format containing columns name(s) to override the name of this Sentinel Alert Rule.

dynamic_properties Sequence[AlertRuleNrtAlertDetailsOverrideDynamicProperty]

A list of dynamic_property blocks as defined below.

severity_column_name str

The column name to take the alert severity from.

tactics_column_name str

The column name to take the alert tactics from.

descriptionFormat String

The format containing columns name(s) to override the description of this Sentinel Alert Rule.

displayNameFormat String

The format containing columns name(s) to override the name of this Sentinel Alert Rule.

dynamicProperties List<Property Map>

A list of dynamic_property blocks as defined below.

severityColumnName String

The column name to take the alert severity from.

tacticsColumnName String

The column name to take the alert tactics from.

AlertRuleNrtAlertDetailsOverrideDynamicProperty

Name string

The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.

Value string

The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

Name string

The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.

Value string

The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

name String

The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.

value String

The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

name string

The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.

value string

The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

name str

The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.

value str

The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

name String

The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.

value String

The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

AlertRuleNrtEntityMapping

EntityType string

The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

FieldMappings List<AlertRuleNrtEntityMappingFieldMapping>

A list of field_mapping blocks as defined below.

EntityType string

The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

FieldMappings []AlertRuleNrtEntityMappingFieldMapping

A list of field_mapping blocks as defined below.

entityType String

The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

fieldMappings List<AlertRuleNrtEntityMappingFieldMapping>

A list of field_mapping blocks as defined below.

entityType string

The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

fieldMappings AlertRuleNrtEntityMappingFieldMapping[]

A list of field_mapping blocks as defined below.

entity_type str

The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

field_mappings Sequence[AlertRuleNrtEntityMappingFieldMapping]

A list of field_mapping blocks as defined below.

entityType String

The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

fieldMappings List<Property Map>

A list of field_mapping blocks as defined below.

AlertRuleNrtEntityMappingFieldMapping

ColumnName string

The column name to be mapped to the identifier.

Identifier string

The identifier of the entity.

ColumnName string

The column name to be mapped to the identifier.

Identifier string

The identifier of the entity.

columnName String

The column name to be mapped to the identifier.

identifier String

The identifier of the entity.

columnName string

The column name to be mapped to the identifier.

identifier string

The identifier of the entity.

column_name str

The column name to be mapped to the identifier.

identifier str

The identifier of the entity.

columnName String

The column name to be mapped to the identifier.

identifier String

The identifier of the entity.

AlertRuleNrtEventGrouping

AggregationMethod string

The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

AggregationMethod string

The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

aggregationMethod String

The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

aggregationMethod string

The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

aggregation_method str

The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

aggregationMethod String

The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

AlertRuleNrtIncident

CreateIncidentEnabled bool

Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?

Grouping AlertRuleNrtIncidentGrouping

A grouping block as defined below.

CreateIncidentEnabled bool

Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?

Grouping AlertRuleNrtIncidentGrouping

A grouping block as defined below.

createIncidentEnabled Boolean

Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?

grouping AlertRuleNrtIncidentGrouping

A grouping block as defined below.

createIncidentEnabled boolean

Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?

grouping AlertRuleNrtIncidentGrouping

A grouping block as defined below.

create_incident_enabled bool

Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?

grouping AlertRuleNrtIncidentGrouping

A grouping block as defined below.

createIncidentEnabled Boolean

Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?

grouping Property Map

A grouping block as defined below.

AlertRuleNrtIncidentGrouping

ByAlertDetails List<string>

A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.

ByCustomDetails List<string>

A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.

ByEntities List<string>

A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

Enabled bool

Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.

EntityMatchingMethod string

The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.

LookbackDuration string

Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.

ReopenClosedIncidents bool

Whether to re-open closed matching incidents? Defaults to false.

ByAlertDetails []string

A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.

ByCustomDetails []string

A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.

ByEntities []string

A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

Enabled bool

Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.

EntityMatchingMethod string

The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.

LookbackDuration string

Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.

ReopenClosedIncidents bool

Whether to re-open closed matching incidents? Defaults to false.

byAlertDetails List<String>

A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.

byCustomDetails List<String>

A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.

byEntities List<String>

A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

enabled Boolean

Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.

entityMatchingMethod String

The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.

lookbackDuration String

Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.

reopenClosedIncidents Boolean

Whether to re-open closed matching incidents? Defaults to false.

byAlertDetails string[]

A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.

byCustomDetails string[]

A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.

byEntities string[]

A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

enabled boolean

Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.

entityMatchingMethod string

The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.

lookbackDuration string

Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.

reopenClosedIncidents boolean

Whether to re-open closed matching incidents? Defaults to false.

by_alert_details Sequence[str]

A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.

by_custom_details Sequence[str]

A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.

by_entities Sequence[str]

A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

enabled bool

Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.

entity_matching_method str

The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.

lookback_duration str

Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.

reopen_closed_incidents bool

Whether to re-open closed matching incidents? Defaults to false.

byAlertDetails List<String>

A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.

byCustomDetails List<String>

A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.

byEntities List<String>

A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

enabled Boolean

Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.

entityMatchingMethod String

The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.

lookbackDuration String

Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.

reopenClosedIncidents Boolean

Whether to re-open closed matching incidents? Defaults to false.

AlertRuleNrtSentinelEntityMapping

ColumnName string

The column name to be mapped to the identifier.

ColumnName string

The column name to be mapped to the identifier.

columnName String

The column name to be mapped to the identifier.

columnName string

The column name to be mapped to the identifier.

column_name str

The column name to be mapped to the identifier.

columnName String

The column name to be mapped to the identifier.

Import

Sentinel NRT Alert Rules can be imported using the resource id, e.g.

 $ pulumi import azure:sentinel/alertRuleNrt:AlertRuleNrt example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1

Package Details

Repository
Azure Classic pulumi/pulumi-azure
License
Apache-2.0
Notes

This Pulumi package is based on the azurerm Terraform Provider.