1. Packages
  2. Azure Classic
  3. API Docs
  4. sentinel
  5. AlertRuleNrt

We recommend using Azure Native.

Azure v6.13.0 published on Monday, Dec 9, 2024 by Pulumi

azure.sentinel.AlertRuleNrt

Explore with Pulumi AI

azure logo

We recommend using Azure Native.

Azure v6.13.0 published on Monday, Dec 9, 2024 by Pulumi

    Manages a Sentinel NRT Alert Rule.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
    const example = new azure.core.ResourceGroup("example", {
        name: "example-resources",
        location: "West Europe",
    });
    const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("example", {
        name: "example-workspace",
        location: example.location,
        resourceGroupName: example.name,
        sku: "pergb2018",
    });
    const exampleLogAnalyticsWorkspaceOnboarding = new azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", {workspaceId: exampleAnalyticsWorkspace.id});
    const exampleAlertRuleNrt = new azure.sentinel.AlertRuleNrt("example", {
        name: "example",
        logAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.workspaceId,
        displayName: "example",
        severity: "High",
        query: `AzureActivity |
      where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
      where ActivityStatus == "Succeeded" |
      make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
    `,
    });
    
    import pulumi
    import pulumi_azure as azure
    
    example = azure.core.ResourceGroup("example",
        name="example-resources",
        location="West Europe")
    example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("example",
        name="example-workspace",
        location=example.location,
        resource_group_name=example.name,
        sku="pergb2018")
    example_log_analytics_workspace_onboarding = azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", workspace_id=example_analytics_workspace.id)
    example_alert_rule_nrt = azure.sentinel.AlertRuleNrt("example",
        name="example",
        log_analytics_workspace_id=example_log_analytics_workspace_onboarding.workspace_id,
        display_name="example",
        severity="High",
        query="""AzureActivity |
      where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
      where ActivityStatus == "Succeeded" |
      make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
    """)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/operationalinsights"
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/sentinel"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example-resources"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleAnalyticsWorkspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "example", &operationalinsights.AnalyticsWorkspaceArgs{
    			Name:              pulumi.String("example-workspace"),
    			Location:          example.Location,
    			ResourceGroupName: example.Name,
    			Sku:               pulumi.String("pergb2018"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleLogAnalyticsWorkspaceOnboarding, err := sentinel.NewLogAnalyticsWorkspaceOnboarding(ctx, "example", &sentinel.LogAnalyticsWorkspaceOnboardingArgs{
    			WorkspaceId: exampleAnalyticsWorkspace.ID(),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = sentinel.NewAlertRuleNrt(ctx, "example", &sentinel.AlertRuleNrtArgs{
    			Name:                    pulumi.String("example"),
    			LogAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
    			DisplayName:             pulumi.String("example"),
    			Severity:                pulumi.String("High"),
    			Query:                   pulumi.String("AzureActivity |\n  where OperationName == \"Create or Update Virtual Machine\" or OperationName ==\"Create Deployment\" |\n  where ActivityStatus == \"Succeeded\" |\n  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller\n"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example-resources",
            Location = "West Europe",
        });
    
        var exampleAnalyticsWorkspace = new Azure.OperationalInsights.AnalyticsWorkspace("example", new()
        {
            Name = "example-workspace",
            Location = example.Location,
            ResourceGroupName = example.Name,
            Sku = "pergb2018",
        });
    
        var exampleLogAnalyticsWorkspaceOnboarding = new Azure.Sentinel.LogAnalyticsWorkspaceOnboarding("example", new()
        {
            WorkspaceId = exampleAnalyticsWorkspace.Id,
        });
    
        var exampleAlertRuleNrt = new Azure.Sentinel.AlertRuleNrt("example", new()
        {
            Name = "example",
            LogAnalyticsWorkspaceId = exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
            DisplayName = "example",
            Severity = "High",
            Query = @"AzureActivity |
      where OperationName == ""Create or Update Virtual Machine"" or OperationName ==""Create Deployment"" |
      where ActivityStatus == ""Succeeded"" |
      make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
    ",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
    import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
    import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboarding;
    import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboardingArgs;
    import com.pulumi.azure.sentinel.AlertRuleNrt;
    import com.pulumi.azure.sentinel.AlertRuleNrtArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example-resources")
                .location("West Europe")
                .build());
    
            var exampleAnalyticsWorkspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()
                .name("example-workspace")
                .location(example.location())
                .resourceGroupName(example.name())
                .sku("pergb2018")
                .build());
    
            var exampleLogAnalyticsWorkspaceOnboarding = new LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", LogAnalyticsWorkspaceOnboardingArgs.builder()
                .workspaceId(exampleAnalyticsWorkspace.id())
                .build());
    
            var exampleAlertRuleNrt = new AlertRuleNrt("exampleAlertRuleNrt", AlertRuleNrtArgs.builder()
                .name("example")
                .logAnalyticsWorkspaceId(exampleLogAnalyticsWorkspaceOnboarding.workspaceId())
                .displayName("example")
                .severity("High")
                .query("""
    AzureActivity |
      where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
      where ActivityStatus == "Succeeded" |
      make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
                """)
                .build());
    
        }
    }
    
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example-resources
          location: West Europe
      exampleAnalyticsWorkspace:
        type: azure:operationalinsights:AnalyticsWorkspace
        name: example
        properties:
          name: example-workspace
          location: ${example.location}
          resourceGroupName: ${example.name}
          sku: pergb2018
      exampleLogAnalyticsWorkspaceOnboarding:
        type: azure:sentinel:LogAnalyticsWorkspaceOnboarding
        name: example
        properties:
          workspaceId: ${exampleAnalyticsWorkspace.id}
      exampleAlertRuleNrt:
        type: azure:sentinel:AlertRuleNrt
        name: example
        properties:
          name: example
          logAnalyticsWorkspaceId: ${exampleLogAnalyticsWorkspaceOnboarding.workspaceId}
          displayName: example
          severity: High
          query: |
            AzureActivity |
              where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
              where ActivityStatus == "Succeeded" |
              make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller        
    

    Create AlertRuleNrt Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new AlertRuleNrt(name: string, args: AlertRuleNrtArgs, opts?: CustomResourceOptions);
    @overload
    def AlertRuleNrt(resource_name: str,
                     args: AlertRuleNrtArgs,
                     opts: Optional[ResourceOptions] = None)
    
    @overload
    def AlertRuleNrt(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     query: Optional[str] = None,
                     display_name: Optional[str] = None,
                     event_grouping: Optional[AlertRuleNrtEventGroupingArgs] = None,
                     severity: Optional[str] = None,
                     log_analytics_workspace_id: Optional[str] = None,
                     techniques: Optional[Sequence[str]] = None,
                     alert_details_overrides: Optional[Sequence[AlertRuleNrtAlertDetailsOverrideArgs]] = None,
                     entity_mappings: Optional[Sequence[AlertRuleNrtEntityMappingArgs]] = None,
                     alert_rule_template_version: Optional[str] = None,
                     alert_rule_template_guid: Optional[str] = None,
                     name: Optional[str] = None,
                     description: Optional[str] = None,
                     enabled: Optional[bool] = None,
                     sentinel_entity_mappings: Optional[Sequence[AlertRuleNrtSentinelEntityMappingArgs]] = None,
                     custom_details: Optional[Mapping[str, str]] = None,
                     suppression_duration: Optional[str] = None,
                     suppression_enabled: Optional[bool] = None,
                     tactics: Optional[Sequence[str]] = None,
                     incident: Optional[AlertRuleNrtIncidentArgs] = None)
    func NewAlertRuleNrt(ctx *Context, name string, args AlertRuleNrtArgs, opts ...ResourceOption) (*AlertRuleNrt, error)
    public AlertRuleNrt(string name, AlertRuleNrtArgs args, CustomResourceOptions? opts = null)
    public AlertRuleNrt(String name, AlertRuleNrtArgs args)
    public AlertRuleNrt(String name, AlertRuleNrtArgs args, CustomResourceOptions options)
    
    type: azure:sentinel:AlertRuleNrt
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args AlertRuleNrtArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args AlertRuleNrtArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AlertRuleNrtArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args AlertRuleNrtArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args AlertRuleNrtArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var alertRuleNrtResource = new Azure.Sentinel.AlertRuleNrt("alertRuleNrtResource", new()
    {
        Query = "string",
        DisplayName = "string",
        EventGrouping = new Azure.Sentinel.Inputs.AlertRuleNrtEventGroupingArgs
        {
            AggregationMethod = "string",
        },
        Severity = "string",
        LogAnalyticsWorkspaceId = "string",
        Techniques = new[]
        {
            "string",
        },
        AlertDetailsOverrides = new[]
        {
            new Azure.Sentinel.Inputs.AlertRuleNrtAlertDetailsOverrideArgs
            {
                DescriptionFormat = "string",
                DisplayNameFormat = "string",
                DynamicProperties = new[]
                {
                    new Azure.Sentinel.Inputs.AlertRuleNrtAlertDetailsOverrideDynamicPropertyArgs
                    {
                        Name = "string",
                        Value = "string",
                    },
                },
                SeverityColumnName = "string",
                TacticsColumnName = "string",
            },
        },
        EntityMappings = new[]
        {
            new Azure.Sentinel.Inputs.AlertRuleNrtEntityMappingArgs
            {
                EntityType = "string",
                FieldMappings = new[]
                {
                    new Azure.Sentinel.Inputs.AlertRuleNrtEntityMappingFieldMappingArgs
                    {
                        ColumnName = "string",
                        Identifier = "string",
                    },
                },
            },
        },
        AlertRuleTemplateVersion = "string",
        AlertRuleTemplateGuid = "string",
        Name = "string",
        Description = "string",
        Enabled = false,
        SentinelEntityMappings = new[]
        {
            new Azure.Sentinel.Inputs.AlertRuleNrtSentinelEntityMappingArgs
            {
                ColumnName = "string",
            },
        },
        CustomDetails = 
        {
            { "string", "string" },
        },
        SuppressionDuration = "string",
        SuppressionEnabled = false,
        Tactics = new[]
        {
            "string",
        },
        Incident = new Azure.Sentinel.Inputs.AlertRuleNrtIncidentArgs
        {
            CreateIncidentEnabled = false,
            Grouping = new Azure.Sentinel.Inputs.AlertRuleNrtIncidentGroupingArgs
            {
                ByAlertDetails = new[]
                {
                    "string",
                },
                ByCustomDetails = new[]
                {
                    "string",
                },
                ByEntities = new[]
                {
                    "string",
                },
                Enabled = false,
                EntityMatchingMethod = "string",
                LookbackDuration = "string",
                ReopenClosedIncidents = false,
            },
        },
    });
    
    example, err := sentinel.NewAlertRuleNrt(ctx, "alertRuleNrtResource", &sentinel.AlertRuleNrtArgs{
    	Query:       pulumi.String("string"),
    	DisplayName: pulumi.String("string"),
    	EventGrouping: &sentinel.AlertRuleNrtEventGroupingArgs{
    		AggregationMethod: pulumi.String("string"),
    	},
    	Severity:                pulumi.String("string"),
    	LogAnalyticsWorkspaceId: pulumi.String("string"),
    	Techniques: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	AlertDetailsOverrides: sentinel.AlertRuleNrtAlertDetailsOverrideArray{
    		&sentinel.AlertRuleNrtAlertDetailsOverrideArgs{
    			DescriptionFormat: pulumi.String("string"),
    			DisplayNameFormat: pulumi.String("string"),
    			DynamicProperties: sentinel.AlertRuleNrtAlertDetailsOverrideDynamicPropertyArray{
    				&sentinel.AlertRuleNrtAlertDetailsOverrideDynamicPropertyArgs{
    					Name:  pulumi.String("string"),
    					Value: pulumi.String("string"),
    				},
    			},
    			SeverityColumnName: pulumi.String("string"),
    			TacticsColumnName:  pulumi.String("string"),
    		},
    	},
    	EntityMappings: sentinel.AlertRuleNrtEntityMappingArray{
    		&sentinel.AlertRuleNrtEntityMappingArgs{
    			EntityType: pulumi.String("string"),
    			FieldMappings: sentinel.AlertRuleNrtEntityMappingFieldMappingArray{
    				&sentinel.AlertRuleNrtEntityMappingFieldMappingArgs{
    					ColumnName: pulumi.String("string"),
    					Identifier: pulumi.String("string"),
    				},
    			},
    		},
    	},
    	AlertRuleTemplateVersion: pulumi.String("string"),
    	AlertRuleTemplateGuid:    pulumi.String("string"),
    	Name:                     pulumi.String("string"),
    	Description:              pulumi.String("string"),
    	Enabled:                  pulumi.Bool(false),
    	SentinelEntityMappings: sentinel.AlertRuleNrtSentinelEntityMappingArray{
    		&sentinel.AlertRuleNrtSentinelEntityMappingArgs{
    			ColumnName: pulumi.String("string"),
    		},
    	},
    	CustomDetails: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	SuppressionDuration: pulumi.String("string"),
    	SuppressionEnabled:  pulumi.Bool(false),
    	Tactics: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Incident: &sentinel.AlertRuleNrtIncidentArgs{
    		CreateIncidentEnabled: pulumi.Bool(false),
    		Grouping: &sentinel.AlertRuleNrtIncidentGroupingArgs{
    			ByAlertDetails: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			ByCustomDetails: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			ByEntities: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			Enabled:               pulumi.Bool(false),
    			EntityMatchingMethod:  pulumi.String("string"),
    			LookbackDuration:      pulumi.String("string"),
    			ReopenClosedIncidents: pulumi.Bool(false),
    		},
    	},
    })
    
    var alertRuleNrtResource = new AlertRuleNrt("alertRuleNrtResource", AlertRuleNrtArgs.builder()
        .query("string")
        .displayName("string")
        .eventGrouping(AlertRuleNrtEventGroupingArgs.builder()
            .aggregationMethod("string")
            .build())
        .severity("string")
        .logAnalyticsWorkspaceId("string")
        .techniques("string")
        .alertDetailsOverrides(AlertRuleNrtAlertDetailsOverrideArgs.builder()
            .descriptionFormat("string")
            .displayNameFormat("string")
            .dynamicProperties(AlertRuleNrtAlertDetailsOverrideDynamicPropertyArgs.builder()
                .name("string")
                .value("string")
                .build())
            .severityColumnName("string")
            .tacticsColumnName("string")
            .build())
        .entityMappings(AlertRuleNrtEntityMappingArgs.builder()
            .entityType("string")
            .fieldMappings(AlertRuleNrtEntityMappingFieldMappingArgs.builder()
                .columnName("string")
                .identifier("string")
                .build())
            .build())
        .alertRuleTemplateVersion("string")
        .alertRuleTemplateGuid("string")
        .name("string")
        .description("string")
        .enabled(false)
        .sentinelEntityMappings(AlertRuleNrtSentinelEntityMappingArgs.builder()
            .columnName("string")
            .build())
        .customDetails(Map.of("string", "string"))
        .suppressionDuration("string")
        .suppressionEnabled(false)
        .tactics("string")
        .incident(AlertRuleNrtIncidentArgs.builder()
            .createIncidentEnabled(false)
            .grouping(AlertRuleNrtIncidentGroupingArgs.builder()
                .byAlertDetails("string")
                .byCustomDetails("string")
                .byEntities("string")
                .enabled(false)
                .entityMatchingMethod("string")
                .lookbackDuration("string")
                .reopenClosedIncidents(false)
                .build())
            .build())
        .build());
    
    alert_rule_nrt_resource = azure.sentinel.AlertRuleNrt("alertRuleNrtResource",
        query="string",
        display_name="string",
        event_grouping={
            "aggregation_method": "string",
        },
        severity="string",
        log_analytics_workspace_id="string",
        techniques=["string"],
        alert_details_overrides=[{
            "description_format": "string",
            "display_name_format": "string",
            "dynamic_properties": [{
                "name": "string",
                "value": "string",
            }],
            "severity_column_name": "string",
            "tactics_column_name": "string",
        }],
        entity_mappings=[{
            "entity_type": "string",
            "field_mappings": [{
                "column_name": "string",
                "identifier": "string",
            }],
        }],
        alert_rule_template_version="string",
        alert_rule_template_guid="string",
        name="string",
        description="string",
        enabled=False,
        sentinel_entity_mappings=[{
            "column_name": "string",
        }],
        custom_details={
            "string": "string",
        },
        suppression_duration="string",
        suppression_enabled=False,
        tactics=["string"],
        incident={
            "create_incident_enabled": False,
            "grouping": {
                "by_alert_details": ["string"],
                "by_custom_details": ["string"],
                "by_entities": ["string"],
                "enabled": False,
                "entity_matching_method": "string",
                "lookback_duration": "string",
                "reopen_closed_incidents": False,
            },
        })
    
    const alertRuleNrtResource = new azure.sentinel.AlertRuleNrt("alertRuleNrtResource", {
        query: "string",
        displayName: "string",
        eventGrouping: {
            aggregationMethod: "string",
        },
        severity: "string",
        logAnalyticsWorkspaceId: "string",
        techniques: ["string"],
        alertDetailsOverrides: [{
            descriptionFormat: "string",
            displayNameFormat: "string",
            dynamicProperties: [{
                name: "string",
                value: "string",
            }],
            severityColumnName: "string",
            tacticsColumnName: "string",
        }],
        entityMappings: [{
            entityType: "string",
            fieldMappings: [{
                columnName: "string",
                identifier: "string",
            }],
        }],
        alertRuleTemplateVersion: "string",
        alertRuleTemplateGuid: "string",
        name: "string",
        description: "string",
        enabled: false,
        sentinelEntityMappings: [{
            columnName: "string",
        }],
        customDetails: {
            string: "string",
        },
        suppressionDuration: "string",
        suppressionEnabled: false,
        tactics: ["string"],
        incident: {
            createIncidentEnabled: false,
            grouping: {
                byAlertDetails: ["string"],
                byCustomDetails: ["string"],
                byEntities: ["string"],
                enabled: false,
                entityMatchingMethod: "string",
                lookbackDuration: "string",
                reopenClosedIncidents: false,
            },
        },
    });
    
    type: azure:sentinel:AlertRuleNrt
    properties:
        alertDetailsOverrides:
            - descriptionFormat: string
              displayNameFormat: string
              dynamicProperties:
                - name: string
                  value: string
              severityColumnName: string
              tacticsColumnName: string
        alertRuleTemplateGuid: string
        alertRuleTemplateVersion: string
        customDetails:
            string: string
        description: string
        displayName: string
        enabled: false
        entityMappings:
            - entityType: string
              fieldMappings:
                - columnName: string
                  identifier: string
        eventGrouping:
            aggregationMethod: string
        incident:
            createIncidentEnabled: false
            grouping:
                byAlertDetails:
                    - string
                byCustomDetails:
                    - string
                byEntities:
                    - string
                enabled: false
                entityMatchingMethod: string
                lookbackDuration: string
                reopenClosedIncidents: false
        logAnalyticsWorkspaceId: string
        name: string
        query: string
        sentinelEntityMappings:
            - columnName: string
        severity: string
        suppressionDuration: string
        suppressionEnabled: false
        tactics:
            - string
        techniques:
            - string
    

    AlertRuleNrt Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The AlertRuleNrt resource accepts the following input properties:

    DisplayName string
    The friendly name of this Sentinel NRT Alert Rule.
    EventGrouping AlertRuleNrtEventGrouping
    A event_grouping block as defined below.
    LogAnalyticsWorkspaceId string
    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
    Query string
    The query of this Sentinel NRT Alert Rule.
    Severity string
    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
    AlertDetailsOverrides List<AlertRuleNrtAlertDetailsOverride>
    An alert_details_override block as defined below.
    AlertRuleTemplateGuid string
    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    AlertRuleTemplateVersion string
    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    CustomDetails Dictionary<string, string>
    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
    Description string
    The description of this Sentinel NRT Alert Rule.
    Enabled bool
    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
    EntityMappings List<AlertRuleNrtEntityMapping>
    A list of entity_mapping blocks as defined below.
    Incident AlertRuleNrtIncident
    A incident block as defined below.
    Name string
    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    SentinelEntityMappings List<AlertRuleNrtSentinelEntityMapping>

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    SuppressionDuration string
    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
    SuppressionEnabled bool
    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
    Tactics List<string>
    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
    Techniques List<string>
    A list of techniques of attacks by which to classify the rule.
    DisplayName string
    The friendly name of this Sentinel NRT Alert Rule.
    EventGrouping AlertRuleNrtEventGroupingArgs
    A event_grouping block as defined below.
    LogAnalyticsWorkspaceId string
    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
    Query string
    The query of this Sentinel NRT Alert Rule.
    Severity string
    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
    AlertDetailsOverrides []AlertRuleNrtAlertDetailsOverrideArgs
    An alert_details_override block as defined below.
    AlertRuleTemplateGuid string
    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    AlertRuleTemplateVersion string
    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    CustomDetails map[string]string
    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
    Description string
    The description of this Sentinel NRT Alert Rule.
    Enabled bool
    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
    EntityMappings []AlertRuleNrtEntityMappingArgs
    A list of entity_mapping blocks as defined below.
    Incident AlertRuleNrtIncidentArgs
    A incident block as defined below.
    Name string
    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    SentinelEntityMappings []AlertRuleNrtSentinelEntityMappingArgs

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    SuppressionDuration string
    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
    SuppressionEnabled bool
    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
    Tactics []string
    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
    Techniques []string
    A list of techniques of attacks by which to classify the rule.
    displayName String
    The friendly name of this Sentinel NRT Alert Rule.
    eventGrouping AlertRuleNrtEventGrouping
    A event_grouping block as defined below.
    logAnalyticsWorkspaceId String
    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
    query String
    The query of this Sentinel NRT Alert Rule.
    severity String
    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
    alertDetailsOverrides List<AlertRuleNrtAlertDetailsOverride>
    An alert_details_override block as defined below.
    alertRuleTemplateGuid String
    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    alertRuleTemplateVersion String
    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    customDetails Map<String,String>
    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
    description String
    The description of this Sentinel NRT Alert Rule.
    enabled Boolean
    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
    entityMappings List<AlertRuleNrtEntityMapping>
    A list of entity_mapping blocks as defined below.
    incident AlertRuleNrtIncident
    A incident block as defined below.
    name String
    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    sentinelEntityMappings List<AlertRuleNrtSentinelEntityMapping>

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    suppressionDuration String
    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
    suppressionEnabled Boolean
    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
    tactics List<String>
    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
    techniques List<String>
    A list of techniques of attacks by which to classify the rule.
    displayName string
    The friendly name of this Sentinel NRT Alert Rule.
    eventGrouping AlertRuleNrtEventGrouping
    A event_grouping block as defined below.
    logAnalyticsWorkspaceId string
    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
    query string
    The query of this Sentinel NRT Alert Rule.
    severity string
    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
    alertDetailsOverrides AlertRuleNrtAlertDetailsOverride[]
    An alert_details_override block as defined below.
    alertRuleTemplateGuid string
    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    alertRuleTemplateVersion string
    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    customDetails {[key: string]: string}
    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
    description string
    The description of this Sentinel NRT Alert Rule.
    enabled boolean
    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
    entityMappings AlertRuleNrtEntityMapping[]
    A list of entity_mapping blocks as defined below.
    incident AlertRuleNrtIncident
    A incident block as defined below.
    name string
    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    sentinelEntityMappings AlertRuleNrtSentinelEntityMapping[]

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    suppressionDuration string
    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
    suppressionEnabled boolean
    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
    tactics string[]
    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
    techniques string[]
    A list of techniques of attacks by which to classify the rule.
    display_name str
    The friendly name of this Sentinel NRT Alert Rule.
    event_grouping AlertRuleNrtEventGroupingArgs
    A event_grouping block as defined below.
    log_analytics_workspace_id str
    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
    query str
    The query of this Sentinel NRT Alert Rule.
    severity str
    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
    alert_details_overrides Sequence[AlertRuleNrtAlertDetailsOverrideArgs]
    An alert_details_override block as defined below.
    alert_rule_template_guid str
    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    alert_rule_template_version str
    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    custom_details Mapping[str, str]
    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
    description str
    The description of this Sentinel NRT Alert Rule.
    enabled bool
    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
    entity_mappings Sequence[AlertRuleNrtEntityMappingArgs]
    A list of entity_mapping blocks as defined below.
    incident AlertRuleNrtIncidentArgs
    A incident block as defined below.
    name str
    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    sentinel_entity_mappings Sequence[AlertRuleNrtSentinelEntityMappingArgs]

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    suppression_duration str
    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
    suppression_enabled bool
    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
    tactics Sequence[str]
    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
    techniques Sequence[str]
    A list of techniques of attacks by which to classify the rule.
    displayName String
    The friendly name of this Sentinel NRT Alert Rule.
    eventGrouping Property Map
    A event_grouping block as defined below.
    logAnalyticsWorkspaceId String
    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
    query String
    The query of this Sentinel NRT Alert Rule.
    severity String
    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
    alertDetailsOverrides List<Property Map>
    An alert_details_override block as defined below.
    alertRuleTemplateGuid String
    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    alertRuleTemplateVersion String
    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    customDetails Map<String>
    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
    description String
    The description of this Sentinel NRT Alert Rule.
    enabled Boolean
    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
    entityMappings List<Property Map>
    A list of entity_mapping blocks as defined below.
    incident Property Map
    A incident block as defined below.
    name String
    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    sentinelEntityMappings List<Property Map>

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    suppressionDuration String
    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
    suppressionEnabled Boolean
    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
    tactics List<String>
    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
    techniques List<String>
    A list of techniques of attacks by which to classify the rule.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the AlertRuleNrt resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing AlertRuleNrt Resource

    Get an existing AlertRuleNrt resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: AlertRuleNrtState, opts?: CustomResourceOptions): AlertRuleNrt
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            alert_details_overrides: Optional[Sequence[AlertRuleNrtAlertDetailsOverrideArgs]] = None,
            alert_rule_template_guid: Optional[str] = None,
            alert_rule_template_version: Optional[str] = None,
            custom_details: Optional[Mapping[str, str]] = None,
            description: Optional[str] = None,
            display_name: Optional[str] = None,
            enabled: Optional[bool] = None,
            entity_mappings: Optional[Sequence[AlertRuleNrtEntityMappingArgs]] = None,
            event_grouping: Optional[AlertRuleNrtEventGroupingArgs] = None,
            incident: Optional[AlertRuleNrtIncidentArgs] = None,
            log_analytics_workspace_id: Optional[str] = None,
            name: Optional[str] = None,
            query: Optional[str] = None,
            sentinel_entity_mappings: Optional[Sequence[AlertRuleNrtSentinelEntityMappingArgs]] = None,
            severity: Optional[str] = None,
            suppression_duration: Optional[str] = None,
            suppression_enabled: Optional[bool] = None,
            tactics: Optional[Sequence[str]] = None,
            techniques: Optional[Sequence[str]] = None) -> AlertRuleNrt
    func GetAlertRuleNrt(ctx *Context, name string, id IDInput, state *AlertRuleNrtState, opts ...ResourceOption) (*AlertRuleNrt, error)
    public static AlertRuleNrt Get(string name, Input<string> id, AlertRuleNrtState? state, CustomResourceOptions? opts = null)
    public static AlertRuleNrt get(String name, Output<String> id, AlertRuleNrtState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AlertDetailsOverrides List<AlertRuleNrtAlertDetailsOverride>
    An alert_details_override block as defined below.
    AlertRuleTemplateGuid string
    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    AlertRuleTemplateVersion string
    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    CustomDetails Dictionary<string, string>
    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
    Description string
    The description of this Sentinel NRT Alert Rule.
    DisplayName string
    The friendly name of this Sentinel NRT Alert Rule.
    Enabled bool
    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
    EntityMappings List<AlertRuleNrtEntityMapping>
    A list of entity_mapping blocks as defined below.
    EventGrouping AlertRuleNrtEventGrouping
    A event_grouping block as defined below.
    Incident AlertRuleNrtIncident
    A incident block as defined below.
    LogAnalyticsWorkspaceId string
    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
    Name string
    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    Query string
    The query of this Sentinel NRT Alert Rule.
    SentinelEntityMappings List<AlertRuleNrtSentinelEntityMapping>

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    Severity string
    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
    SuppressionDuration string
    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
    SuppressionEnabled bool
    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
    Tactics List<string>
    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
    Techniques List<string>
    A list of techniques of attacks by which to classify the rule.
    AlertDetailsOverrides []AlertRuleNrtAlertDetailsOverrideArgs
    An alert_details_override block as defined below.
    AlertRuleTemplateGuid string
    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    AlertRuleTemplateVersion string
    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    CustomDetails map[string]string
    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
    Description string
    The description of this Sentinel NRT Alert Rule.
    DisplayName string
    The friendly name of this Sentinel NRT Alert Rule.
    Enabled bool
    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
    EntityMappings []AlertRuleNrtEntityMappingArgs
    A list of entity_mapping blocks as defined below.
    EventGrouping AlertRuleNrtEventGroupingArgs
    A event_grouping block as defined below.
    Incident AlertRuleNrtIncidentArgs
    A incident block as defined below.
    LogAnalyticsWorkspaceId string
    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
    Name string
    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    Query string
    The query of this Sentinel NRT Alert Rule.
    SentinelEntityMappings []AlertRuleNrtSentinelEntityMappingArgs

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    Severity string
    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
    SuppressionDuration string
    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
    SuppressionEnabled bool
    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
    Tactics []string
    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
    Techniques []string
    A list of techniques of attacks by which to classify the rule.
    alertDetailsOverrides List<AlertRuleNrtAlertDetailsOverride>
    An alert_details_override block as defined below.
    alertRuleTemplateGuid String
    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    alertRuleTemplateVersion String
    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    customDetails Map<String,String>
    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
    description String
    The description of this Sentinel NRT Alert Rule.
    displayName String
    The friendly name of this Sentinel NRT Alert Rule.
    enabled Boolean
    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
    entityMappings List<AlertRuleNrtEntityMapping>
    A list of entity_mapping blocks as defined below.
    eventGrouping AlertRuleNrtEventGrouping
    A event_grouping block as defined below.
    incident AlertRuleNrtIncident
    A incident block as defined below.
    logAnalyticsWorkspaceId String
    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
    name String
    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    query String
    The query of this Sentinel NRT Alert Rule.
    sentinelEntityMappings List<AlertRuleNrtSentinelEntityMapping>

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    severity String
    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
    suppressionDuration String
    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
    suppressionEnabled Boolean
    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
    tactics List<String>
    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
    techniques List<String>
    A list of techniques of attacks by which to classify the rule.
    alertDetailsOverrides AlertRuleNrtAlertDetailsOverride[]
    An alert_details_override block as defined below.
    alertRuleTemplateGuid string
    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    alertRuleTemplateVersion string
    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    customDetails {[key: string]: string}
    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
    description string
    The description of this Sentinel NRT Alert Rule.
    displayName string
    The friendly name of this Sentinel NRT Alert Rule.
    enabled boolean
    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
    entityMappings AlertRuleNrtEntityMapping[]
    A list of entity_mapping blocks as defined below.
    eventGrouping AlertRuleNrtEventGrouping
    A event_grouping block as defined below.
    incident AlertRuleNrtIncident
    A incident block as defined below.
    logAnalyticsWorkspaceId string
    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
    name string
    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    query string
    The query of this Sentinel NRT Alert Rule.
    sentinelEntityMappings AlertRuleNrtSentinelEntityMapping[]

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    severity string
    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
    suppressionDuration string
    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
    suppressionEnabled boolean
    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
    tactics string[]
    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
    techniques string[]
    A list of techniques of attacks by which to classify the rule.
    alert_details_overrides Sequence[AlertRuleNrtAlertDetailsOverrideArgs]
    An alert_details_override block as defined below.
    alert_rule_template_guid str
    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    alert_rule_template_version str
    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    custom_details Mapping[str, str]
    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
    description str
    The description of this Sentinel NRT Alert Rule.
    display_name str
    The friendly name of this Sentinel NRT Alert Rule.
    enabled bool
    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
    entity_mappings Sequence[AlertRuleNrtEntityMappingArgs]
    A list of entity_mapping blocks as defined below.
    event_grouping AlertRuleNrtEventGroupingArgs
    A event_grouping block as defined below.
    incident AlertRuleNrtIncidentArgs
    A incident block as defined below.
    log_analytics_workspace_id str
    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
    name str
    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    query str
    The query of this Sentinel NRT Alert Rule.
    sentinel_entity_mappings Sequence[AlertRuleNrtSentinelEntityMappingArgs]

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    severity str
    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
    suppression_duration str
    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
    suppression_enabled bool
    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
    tactics Sequence[str]
    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
    techniques Sequence[str]
    A list of techniques of attacks by which to classify the rule.
    alertDetailsOverrides List<Property Map>
    An alert_details_override block as defined below.
    alertRuleTemplateGuid String
    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    alertRuleTemplateVersion String
    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    customDetails Map<String>
    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
    description String
    The description of this Sentinel NRT Alert Rule.
    displayName String
    The friendly name of this Sentinel NRT Alert Rule.
    enabled Boolean
    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
    entityMappings List<Property Map>
    A list of entity_mapping blocks as defined below.
    eventGrouping Property Map
    A event_grouping block as defined below.
    incident Property Map
    A incident block as defined below.
    logAnalyticsWorkspaceId String
    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
    name String
    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
    query String
    The query of this Sentinel NRT Alert Rule.
    sentinelEntityMappings List<Property Map>

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    severity String
    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
    suppressionDuration String
    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
    suppressionEnabled Boolean
    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
    tactics List<String>
    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
    techniques List<String>
    A list of techniques of attacks by which to classify the rule.

    Supporting Types

    AlertRuleNrtAlertDetailsOverride, AlertRuleNrtAlertDetailsOverrideArgs

    DescriptionFormat string
    The format containing columns name(s) to override the description of this Sentinel Alert Rule.
    DisplayNameFormat string
    The format containing columns name(s) to override the name of this Sentinel Alert Rule.
    DynamicProperties List<AlertRuleNrtAlertDetailsOverrideDynamicProperty>
    A list of dynamic_property blocks as defined below.
    SeverityColumnName string
    The column name to take the alert severity from.
    TacticsColumnName string
    The column name to take the alert tactics from.
    DescriptionFormat string
    The format containing columns name(s) to override the description of this Sentinel Alert Rule.
    DisplayNameFormat string
    The format containing columns name(s) to override the name of this Sentinel Alert Rule.
    DynamicProperties []AlertRuleNrtAlertDetailsOverrideDynamicProperty
    A list of dynamic_property blocks as defined below.
    SeverityColumnName string
    The column name to take the alert severity from.
    TacticsColumnName string
    The column name to take the alert tactics from.
    descriptionFormat String
    The format containing columns name(s) to override the description of this Sentinel Alert Rule.
    displayNameFormat String
    The format containing columns name(s) to override the name of this Sentinel Alert Rule.
    dynamicProperties List<AlertRuleNrtAlertDetailsOverrideDynamicProperty>
    A list of dynamic_property blocks as defined below.
    severityColumnName String
    The column name to take the alert severity from.
    tacticsColumnName String
    The column name to take the alert tactics from.
    descriptionFormat string
    The format containing columns name(s) to override the description of this Sentinel Alert Rule.
    displayNameFormat string
    The format containing columns name(s) to override the name of this Sentinel Alert Rule.
    dynamicProperties AlertRuleNrtAlertDetailsOverrideDynamicProperty[]
    A list of dynamic_property blocks as defined below.
    severityColumnName string
    The column name to take the alert severity from.
    tacticsColumnName string
    The column name to take the alert tactics from.
    description_format str
    The format containing columns name(s) to override the description of this Sentinel Alert Rule.
    display_name_format str
    The format containing columns name(s) to override the name of this Sentinel Alert Rule.
    dynamic_properties Sequence[AlertRuleNrtAlertDetailsOverrideDynamicProperty]
    A list of dynamic_property blocks as defined below.
    severity_column_name str
    The column name to take the alert severity from.
    tactics_column_name str
    The column name to take the alert tactics from.
    descriptionFormat String
    The format containing columns name(s) to override the description of this Sentinel Alert Rule.
    displayNameFormat String
    The format containing columns name(s) to override the name of this Sentinel Alert Rule.
    dynamicProperties List<Property Map>
    A list of dynamic_property blocks as defined below.
    severityColumnName String
    The column name to take the alert severity from.
    tacticsColumnName String
    The column name to take the alert tactics from.

    AlertRuleNrtAlertDetailsOverrideDynamicProperty, AlertRuleNrtAlertDetailsOverrideDynamicPropertyArgs

    Name string
    The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
    Value string
    The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.
    Name string
    The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
    Value string
    The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.
    name String
    The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
    value String
    The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.
    name string
    The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
    value string
    The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.
    name str
    The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
    value str
    The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.
    name String
    The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
    value String
    The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

    AlertRuleNrtEntityMapping, AlertRuleNrtEntityMappingArgs

    EntityType string
    The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
    FieldMappings List<AlertRuleNrtEntityMappingFieldMapping>
    A list of field_mapping blocks as defined below.
    EntityType string
    The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
    FieldMappings []AlertRuleNrtEntityMappingFieldMapping
    A list of field_mapping blocks as defined below.
    entityType String
    The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
    fieldMappings List<AlertRuleNrtEntityMappingFieldMapping>
    A list of field_mapping blocks as defined below.
    entityType string
    The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
    fieldMappings AlertRuleNrtEntityMappingFieldMapping[]
    A list of field_mapping blocks as defined below.
    entity_type str
    The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
    field_mappings Sequence[AlertRuleNrtEntityMappingFieldMapping]
    A list of field_mapping blocks as defined below.
    entityType String
    The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
    fieldMappings List<Property Map>
    A list of field_mapping blocks as defined below.

    AlertRuleNrtEntityMappingFieldMapping, AlertRuleNrtEntityMappingFieldMappingArgs

    ColumnName string
    The column name to be mapped to the identifier.
    Identifier string
    The identifier of the entity.
    ColumnName string
    The column name to be mapped to the identifier.
    Identifier string
    The identifier of the entity.
    columnName String
    The column name to be mapped to the identifier.
    identifier String
    The identifier of the entity.
    columnName string
    The column name to be mapped to the identifier.
    identifier string
    The identifier of the entity.
    column_name str
    The column name to be mapped to the identifier.
    identifier str
    The identifier of the entity.
    columnName String
    The column name to be mapped to the identifier.
    identifier String
    The identifier of the entity.

    AlertRuleNrtEventGrouping, AlertRuleNrtEventGroupingArgs

    AggregationMethod string
    The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.
    AggregationMethod string
    The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.
    aggregationMethod String
    The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.
    aggregationMethod string
    The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.
    aggregation_method str
    The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.
    aggregationMethod String
    The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

    AlertRuleNrtIncident, AlertRuleNrtIncidentArgs

    CreateIncidentEnabled bool
    Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
    Grouping AlertRuleNrtIncidentGrouping
    A grouping block as defined below.
    CreateIncidentEnabled bool
    Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
    Grouping AlertRuleNrtIncidentGrouping
    A grouping block as defined below.
    createIncidentEnabled Boolean
    Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
    grouping AlertRuleNrtIncidentGrouping
    A grouping block as defined below.
    createIncidentEnabled boolean
    Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
    grouping AlertRuleNrtIncidentGrouping
    A grouping block as defined below.
    create_incident_enabled bool
    Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
    grouping AlertRuleNrtIncidentGrouping
    A grouping block as defined below.
    createIncidentEnabled Boolean
    Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
    grouping Property Map
    A grouping block as defined below.

    AlertRuleNrtIncidentGrouping, AlertRuleNrtIncidentGroupingArgs

    ByAlertDetails List<string>
    A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
    ByCustomDetails List<string>
    A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
    ByEntities List<string>
    A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
    Enabled bool
    Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
    EntityMatchingMethod string
    The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
    LookbackDuration string
    Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
    ReopenClosedIncidents bool
    Whether to re-open closed matching incidents? Defaults to false.
    ByAlertDetails []string
    A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
    ByCustomDetails []string
    A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
    ByEntities []string
    A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
    Enabled bool
    Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
    EntityMatchingMethod string
    The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
    LookbackDuration string
    Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
    ReopenClosedIncidents bool
    Whether to re-open closed matching incidents? Defaults to false.
    byAlertDetails List<String>
    A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
    byCustomDetails List<String>
    A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
    byEntities List<String>
    A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
    enabled Boolean
    Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
    entityMatchingMethod String
    The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
    lookbackDuration String
    Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
    reopenClosedIncidents Boolean
    Whether to re-open closed matching incidents? Defaults to false.
    byAlertDetails string[]
    A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
    byCustomDetails string[]
    A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
    byEntities string[]
    A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
    enabled boolean
    Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
    entityMatchingMethod string
    The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
    lookbackDuration string
    Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
    reopenClosedIncidents boolean
    Whether to re-open closed matching incidents? Defaults to false.
    by_alert_details Sequence[str]
    A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
    by_custom_details Sequence[str]
    A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
    by_entities Sequence[str]
    A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
    enabled bool
    Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
    entity_matching_method str
    The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
    lookback_duration str
    Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
    reopen_closed_incidents bool
    Whether to re-open closed matching incidents? Defaults to false.
    byAlertDetails List<String>
    A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
    byCustomDetails List<String>
    A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
    byEntities List<String>
    A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
    enabled Boolean
    Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
    entityMatchingMethod String
    The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
    lookbackDuration String
    Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
    reopenClosedIncidents Boolean
    Whether to re-open closed matching incidents? Defaults to false.

    AlertRuleNrtSentinelEntityMapping, AlertRuleNrtSentinelEntityMappingArgs

    ColumnName string
    The column name to be mapped to the identifier.
    ColumnName string
    The column name to be mapped to the identifier.
    columnName String
    The column name to be mapped to the identifier.
    columnName string
    The column name to be mapped to the identifier.
    column_name str
    The column name to be mapped to the identifier.
    columnName String
    The column name to be mapped to the identifier.

    Import

    Sentinel NRT Alert Rules can be imported using the resource id, e.g.

    $ pulumi import azure:sentinel/alertRuleNrt:AlertRuleNrt example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Azure Classic pulumi/pulumi-azure
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the azurerm Terraform Provider.
    azure logo

    We recommend using Azure Native.

    Azure v6.13.0 published on Monday, Dec 9, 2024 by Pulumi