1. Packages
  2. Azure Classic
  3. API Docs
  4. sentinel
  5. AlertRuleNrt

We recommend using Azure Native.

Azure Classic v5.49.0 published on Tuesday, Aug 29, 2023 by Pulumi

azure.sentinel.AlertRuleNrt

Explore with Pulumi AI

azure logo

We recommend using Azure Native.

Azure Classic v5.49.0 published on Tuesday, Aug 29, 2023 by Pulumi

    Manages a Sentinel NRT Alert Rule.

    Example Usage

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        var exampleResourceGroup = new Azure.Core.ResourceGroup("exampleResourceGroup", new()
        {
            Location = "West Europe",
        });
    
        var exampleAnalyticsWorkspace = new Azure.OperationalInsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", new()
        {
            Location = exampleResourceGroup.Location,
            ResourceGroupName = exampleResourceGroup.Name,
            Sku = "pergb2018",
        });
    
        var exampleLogAnalyticsWorkspaceOnboarding = new Azure.Sentinel.LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", new()
        {
            WorkspaceId = exampleAnalyticsWorkspace.Id,
        });
    
        var exampleAlertRuleNrt = new Azure.Sentinel.AlertRuleNrt("exampleAlertRuleNrt", new()
        {
            LogAnalyticsWorkspaceId = exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
            DisplayName = "example",
            Severity = "High",
            Query = @"AzureActivity |
      where OperationName == ""Create or Update Virtual Machine"" or OperationName ==""Create Deployment"" |
      where ActivityStatus == ""Succeeded"" |
      make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
    ",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/operationalinsights"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/sentinel"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		exampleResourceGroup, err := core.NewResourceGroup(ctx, "exampleResourceGroup", &core.ResourceGroupArgs{
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleAnalyticsWorkspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "exampleAnalyticsWorkspace", &operationalinsights.AnalyticsWorkspaceArgs{
    			Location:          exampleResourceGroup.Location,
    			ResourceGroupName: exampleResourceGroup.Name,
    			Sku:               pulumi.String("pergb2018"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleLogAnalyticsWorkspaceOnboarding, err := sentinel.NewLogAnalyticsWorkspaceOnboarding(ctx, "exampleLogAnalyticsWorkspaceOnboarding", &sentinel.LogAnalyticsWorkspaceOnboardingArgs{
    			WorkspaceId: exampleAnalyticsWorkspace.ID(),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = sentinel.NewAlertRuleNrt(ctx, "exampleAlertRuleNrt", &sentinel.AlertRuleNrtArgs{
    			LogAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
    			DisplayName:             pulumi.String("example"),
    			Severity:                pulumi.String("High"),
    			Query:                   pulumi.String("AzureActivity |\n  where OperationName == \"Create or Update Virtual Machine\" or OperationName ==\"Create Deployment\" |\n  where ActivityStatus == \"Succeeded\" |\n  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller\n"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
    import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
    import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboarding;
    import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboardingArgs;
    import com.pulumi.azure.sentinel.AlertRuleNrt;
    import com.pulumi.azure.sentinel.AlertRuleNrtArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var exampleResourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()        
                .location("West Europe")
                .build());
    
            var exampleAnalyticsWorkspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()        
                .location(exampleResourceGroup.location())
                .resourceGroupName(exampleResourceGroup.name())
                .sku("pergb2018")
                .build());
    
            var exampleLogAnalyticsWorkspaceOnboarding = new LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", LogAnalyticsWorkspaceOnboardingArgs.builder()        
                .workspaceId(exampleAnalyticsWorkspace.id())
                .build());
    
            var exampleAlertRuleNrt = new AlertRuleNrt("exampleAlertRuleNrt", AlertRuleNrtArgs.builder()        
                .logAnalyticsWorkspaceId(exampleLogAnalyticsWorkspaceOnboarding.workspaceId())
                .displayName("example")
                .severity("High")
                .query("""
    AzureActivity |
      where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
      where ActivityStatus == "Succeeded" |
      make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
                """)
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_azure as azure
    
    example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
    example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace",
        location=example_resource_group.location,
        resource_group_name=example_resource_group.name,
        sku="pergb2018")
    example_log_analytics_workspace_onboarding = azure.sentinel.LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", workspace_id=example_analytics_workspace.id)
    example_alert_rule_nrt = azure.sentinel.AlertRuleNrt("exampleAlertRuleNrt",
        log_analytics_workspace_id=example_log_analytics_workspace_onboarding.workspace_id,
        display_name="example",
        severity="High",
        query="""AzureActivity |
      where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
      where ActivityStatus == "Succeeded" |
      make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
    """)
    
    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
    const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
    const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", {
        location: exampleResourceGroup.location,
        resourceGroupName: exampleResourceGroup.name,
        sku: "pergb2018",
    });
    const exampleLogAnalyticsWorkspaceOnboarding = new azure.sentinel.LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", {workspaceId: exampleAnalyticsWorkspace.id});
    const exampleAlertRuleNrt = new azure.sentinel.AlertRuleNrt("exampleAlertRuleNrt", {
        logAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.workspaceId,
        displayName: "example",
        severity: "High",
        query: `AzureActivity |
      where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
      where ActivityStatus == "Succeeded" |
      make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
    `,
    });
    
    resources:
      exampleResourceGroup:
        type: azure:core:ResourceGroup
        properties:
          location: West Europe
      exampleAnalyticsWorkspace:
        type: azure:operationalinsights:AnalyticsWorkspace
        properties:
          location: ${exampleResourceGroup.location}
          resourceGroupName: ${exampleResourceGroup.name}
          sku: pergb2018
      exampleLogAnalyticsWorkspaceOnboarding:
        type: azure:sentinel:LogAnalyticsWorkspaceOnboarding
        properties:
          workspaceId: ${exampleAnalyticsWorkspace.id}
      exampleAlertRuleNrt:
        type: azure:sentinel:AlertRuleNrt
        properties:
          logAnalyticsWorkspaceId: ${exampleLogAnalyticsWorkspaceOnboarding.workspaceId}
          displayName: example
          severity: High
          query: |
            AzureActivity |
              where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
              where ActivityStatus == "Succeeded" |
              make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller        
    

    Create AlertRuleNrt Resource

    new AlertRuleNrt(name: string, args: AlertRuleNrtArgs, opts?: CustomResourceOptions);
    @overload
    def AlertRuleNrt(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     alert_details_overrides: Optional[Sequence[AlertRuleNrtAlertDetailsOverrideArgs]] = None,
                     alert_rule_template_guid: Optional[str] = None,
                     alert_rule_template_version: Optional[str] = None,
                     custom_details: Optional[Mapping[str, str]] = None,
                     description: Optional[str] = None,
                     display_name: Optional[str] = None,
                     enabled: Optional[bool] = None,
                     entity_mappings: Optional[Sequence[AlertRuleNrtEntityMappingArgs]] = None,
                     event_grouping: Optional[AlertRuleNrtEventGroupingArgs] = None,
                     incident: Optional[AlertRuleNrtIncidentArgs] = None,
                     log_analytics_workspace_id: Optional[str] = None,
                     name: Optional[str] = None,
                     query: Optional[str] = None,
                     sentinel_entity_mappings: Optional[Sequence[AlertRuleNrtSentinelEntityMappingArgs]] = None,
                     severity: Optional[str] = None,
                     suppression_duration: Optional[str] = None,
                     suppression_enabled: Optional[bool] = None,
                     tactics: Optional[Sequence[str]] = None,
                     techniques: Optional[Sequence[str]] = None)
    @overload
    def AlertRuleNrt(resource_name: str,
                     args: AlertRuleNrtArgs,
                     opts: Optional[ResourceOptions] = None)
    func NewAlertRuleNrt(ctx *Context, name string, args AlertRuleNrtArgs, opts ...ResourceOption) (*AlertRuleNrt, error)
    public AlertRuleNrt(string name, AlertRuleNrtArgs args, CustomResourceOptions? opts = null)
    public AlertRuleNrt(String name, AlertRuleNrtArgs args)
    public AlertRuleNrt(String name, AlertRuleNrtArgs args, CustomResourceOptions options)
    
    type: azure:sentinel:AlertRuleNrt
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args AlertRuleNrtArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args AlertRuleNrtArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AlertRuleNrtArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args AlertRuleNrtArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args AlertRuleNrtArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    AlertRuleNrt Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The AlertRuleNrt resource accepts the following input properties:

    DisplayName string

    The friendly name of this Sentinel NRT Alert Rule.

    LogAnalyticsWorkspaceId string

    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

    Query string

    The query of this Sentinel NRT Alert Rule.

    Severity string

    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

    AlertDetailsOverrides List<AlertRuleNrtAlertDetailsOverride>

    An alert_details_override block as defined below.

    AlertRuleTemplateGuid string

    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    AlertRuleTemplateVersion string

    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    CustomDetails Dictionary<string, string>

    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

    Description string

    The description of this Sentinel NRT Alert Rule.

    Enabled bool

    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

    EntityMappings List<AlertRuleNrtEntityMapping>

    A list of entity_mapping blocks as defined below.

    EventGrouping AlertRuleNrtEventGrouping

    A event_grouping block as defined below.

    NOTE: event_grouping will be required in the next major version of the AzureRM Provider.

    Incident AlertRuleNrtIncident

    A incident block as defined below.

    Name string

    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    SentinelEntityMappings List<AlertRuleNrtSentinelEntityMapping>

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    SuppressionDuration string

    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

    SuppressionEnabled bool

    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

    Tactics List<string>

    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

    Techniques List<string>

    A list of techniques of attacks by which to classify the rule.

    DisplayName string

    The friendly name of this Sentinel NRT Alert Rule.

    LogAnalyticsWorkspaceId string

    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

    Query string

    The query of this Sentinel NRT Alert Rule.

    Severity string

    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

    AlertDetailsOverrides []AlertRuleNrtAlertDetailsOverrideArgs

    An alert_details_override block as defined below.

    AlertRuleTemplateGuid string

    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    AlertRuleTemplateVersion string

    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    CustomDetails map[string]string

    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

    Description string

    The description of this Sentinel NRT Alert Rule.

    Enabled bool

    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

    EntityMappings []AlertRuleNrtEntityMappingArgs

    A list of entity_mapping blocks as defined below.

    EventGrouping AlertRuleNrtEventGroupingArgs

    A event_grouping block as defined below.

    NOTE: event_grouping will be required in the next major version of the AzureRM Provider.

    Incident AlertRuleNrtIncidentArgs

    A incident block as defined below.

    Name string

    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    SentinelEntityMappings []AlertRuleNrtSentinelEntityMappingArgs

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    SuppressionDuration string

    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

    SuppressionEnabled bool

    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

    Tactics []string

    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

    Techniques []string

    A list of techniques of attacks by which to classify the rule.

    displayName String

    The friendly name of this Sentinel NRT Alert Rule.

    logAnalyticsWorkspaceId String

    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

    query String

    The query of this Sentinel NRT Alert Rule.

    severity String

    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

    alertDetailsOverrides List<AlertRuleNrtAlertDetailsOverride>

    An alert_details_override block as defined below.

    alertRuleTemplateGuid String

    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    alertRuleTemplateVersion String

    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    customDetails Map<String,String>

    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

    description String

    The description of this Sentinel NRT Alert Rule.

    enabled Boolean

    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

    entityMappings List<AlertRuleNrtEntityMapping>

    A list of entity_mapping blocks as defined below.

    eventGrouping AlertRuleNrtEventGrouping

    A event_grouping block as defined below.

    NOTE: event_grouping will be required in the next major version of the AzureRM Provider.

    incident AlertRuleNrtIncident

    A incident block as defined below.

    name String

    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    sentinelEntityMappings List<AlertRuleNrtSentinelEntityMapping>

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    suppressionDuration String

    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

    suppressionEnabled Boolean

    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

    tactics List<String>

    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

    techniques List<String>

    A list of techniques of attacks by which to classify the rule.

    displayName string

    The friendly name of this Sentinel NRT Alert Rule.

    logAnalyticsWorkspaceId string

    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

    query string

    The query of this Sentinel NRT Alert Rule.

    severity string

    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

    alertDetailsOverrides AlertRuleNrtAlertDetailsOverride[]

    An alert_details_override block as defined below.

    alertRuleTemplateGuid string

    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    alertRuleTemplateVersion string

    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    customDetails {[key: string]: string}

    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

    description string

    The description of this Sentinel NRT Alert Rule.

    enabled boolean

    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

    entityMappings AlertRuleNrtEntityMapping[]

    A list of entity_mapping blocks as defined below.

    eventGrouping AlertRuleNrtEventGrouping

    A event_grouping block as defined below.

    NOTE: event_grouping will be required in the next major version of the AzureRM Provider.

    incident AlertRuleNrtIncident

    A incident block as defined below.

    name string

    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    sentinelEntityMappings AlertRuleNrtSentinelEntityMapping[]

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    suppressionDuration string

    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

    suppressionEnabled boolean

    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

    tactics string[]

    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

    techniques string[]

    A list of techniques of attacks by which to classify the rule.

    display_name str

    The friendly name of this Sentinel NRT Alert Rule.

    log_analytics_workspace_id str

    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

    query str

    The query of this Sentinel NRT Alert Rule.

    severity str

    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

    alert_details_overrides Sequence[AlertRuleNrtAlertDetailsOverrideArgs]

    An alert_details_override block as defined below.

    alert_rule_template_guid str

    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    alert_rule_template_version str

    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    custom_details Mapping[str, str]

    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

    description str

    The description of this Sentinel NRT Alert Rule.

    enabled bool

    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

    entity_mappings Sequence[AlertRuleNrtEntityMappingArgs]

    A list of entity_mapping blocks as defined below.

    event_grouping AlertRuleNrtEventGroupingArgs

    A event_grouping block as defined below.

    NOTE: event_grouping will be required in the next major version of the AzureRM Provider.

    incident AlertRuleNrtIncidentArgs

    A incident block as defined below.

    name str

    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    sentinel_entity_mappings Sequence[AlertRuleNrtSentinelEntityMappingArgs]

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    suppression_duration str

    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

    suppression_enabled bool

    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

    tactics Sequence[str]

    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

    techniques Sequence[str]

    A list of techniques of attacks by which to classify the rule.

    displayName String

    The friendly name of this Sentinel NRT Alert Rule.

    logAnalyticsWorkspaceId String

    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

    query String

    The query of this Sentinel NRT Alert Rule.

    severity String

    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

    alertDetailsOverrides List<Property Map>

    An alert_details_override block as defined below.

    alertRuleTemplateGuid String

    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    alertRuleTemplateVersion String

    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    customDetails Map<String>

    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

    description String

    The description of this Sentinel NRT Alert Rule.

    enabled Boolean

    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

    entityMappings List<Property Map>

    A list of entity_mapping blocks as defined below.

    eventGrouping Property Map

    A event_grouping block as defined below.

    NOTE: event_grouping will be required in the next major version of the AzureRM Provider.

    incident Property Map

    A incident block as defined below.

    name String

    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    sentinelEntityMappings List<Property Map>

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    suppressionDuration String

    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

    suppressionEnabled Boolean

    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

    tactics List<String>

    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

    techniques List<String>

    A list of techniques of attacks by which to classify the rule.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the AlertRuleNrt resource produces the following output properties:

    Id string

    The provider-assigned unique ID for this managed resource.

    Id string

    The provider-assigned unique ID for this managed resource.

    id String

    The provider-assigned unique ID for this managed resource.

    id string

    The provider-assigned unique ID for this managed resource.

    id str

    The provider-assigned unique ID for this managed resource.

    id String

    The provider-assigned unique ID for this managed resource.

    Look up Existing AlertRuleNrt Resource

    Get an existing AlertRuleNrt resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: AlertRuleNrtState, opts?: CustomResourceOptions): AlertRuleNrt
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            alert_details_overrides: Optional[Sequence[AlertRuleNrtAlertDetailsOverrideArgs]] = None,
            alert_rule_template_guid: Optional[str] = None,
            alert_rule_template_version: Optional[str] = None,
            custom_details: Optional[Mapping[str, str]] = None,
            description: Optional[str] = None,
            display_name: Optional[str] = None,
            enabled: Optional[bool] = None,
            entity_mappings: Optional[Sequence[AlertRuleNrtEntityMappingArgs]] = None,
            event_grouping: Optional[AlertRuleNrtEventGroupingArgs] = None,
            incident: Optional[AlertRuleNrtIncidentArgs] = None,
            log_analytics_workspace_id: Optional[str] = None,
            name: Optional[str] = None,
            query: Optional[str] = None,
            sentinel_entity_mappings: Optional[Sequence[AlertRuleNrtSentinelEntityMappingArgs]] = None,
            severity: Optional[str] = None,
            suppression_duration: Optional[str] = None,
            suppression_enabled: Optional[bool] = None,
            tactics: Optional[Sequence[str]] = None,
            techniques: Optional[Sequence[str]] = None) -> AlertRuleNrt
    func GetAlertRuleNrt(ctx *Context, name string, id IDInput, state *AlertRuleNrtState, opts ...ResourceOption) (*AlertRuleNrt, error)
    public static AlertRuleNrt Get(string name, Input<string> id, AlertRuleNrtState? state, CustomResourceOptions? opts = null)
    public static AlertRuleNrt get(String name, Output<String> id, AlertRuleNrtState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AlertDetailsOverrides List<AlertRuleNrtAlertDetailsOverride>

    An alert_details_override block as defined below.

    AlertRuleTemplateGuid string

    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    AlertRuleTemplateVersion string

    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    CustomDetails Dictionary<string, string>

    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

    Description string

    The description of this Sentinel NRT Alert Rule.

    DisplayName string

    The friendly name of this Sentinel NRT Alert Rule.

    Enabled bool

    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

    EntityMappings List<AlertRuleNrtEntityMapping>

    A list of entity_mapping blocks as defined below.

    EventGrouping AlertRuleNrtEventGrouping

    A event_grouping block as defined below.

    NOTE: event_grouping will be required in the next major version of the AzureRM Provider.

    Incident AlertRuleNrtIncident

    A incident block as defined below.

    LogAnalyticsWorkspaceId string

    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

    Name string

    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    Query string

    The query of this Sentinel NRT Alert Rule.

    SentinelEntityMappings List<AlertRuleNrtSentinelEntityMapping>

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    Severity string

    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

    SuppressionDuration string

    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

    SuppressionEnabled bool

    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

    Tactics List<string>

    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

    Techniques List<string>

    A list of techniques of attacks by which to classify the rule.

    AlertDetailsOverrides []AlertRuleNrtAlertDetailsOverrideArgs

    An alert_details_override block as defined below.

    AlertRuleTemplateGuid string

    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    AlertRuleTemplateVersion string

    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    CustomDetails map[string]string

    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

    Description string

    The description of this Sentinel NRT Alert Rule.

    DisplayName string

    The friendly name of this Sentinel NRT Alert Rule.

    Enabled bool

    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

    EntityMappings []AlertRuleNrtEntityMappingArgs

    A list of entity_mapping blocks as defined below.

    EventGrouping AlertRuleNrtEventGroupingArgs

    A event_grouping block as defined below.

    NOTE: event_grouping will be required in the next major version of the AzureRM Provider.

    Incident AlertRuleNrtIncidentArgs

    A incident block as defined below.

    LogAnalyticsWorkspaceId string

    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

    Name string

    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    Query string

    The query of this Sentinel NRT Alert Rule.

    SentinelEntityMappings []AlertRuleNrtSentinelEntityMappingArgs

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    Severity string

    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

    SuppressionDuration string

    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

    SuppressionEnabled bool

    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

    Tactics []string

    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

    Techniques []string

    A list of techniques of attacks by which to classify the rule.

    alertDetailsOverrides List<AlertRuleNrtAlertDetailsOverride>

    An alert_details_override block as defined below.

    alertRuleTemplateGuid String

    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    alertRuleTemplateVersion String

    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    customDetails Map<String,String>

    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

    description String

    The description of this Sentinel NRT Alert Rule.

    displayName String

    The friendly name of this Sentinel NRT Alert Rule.

    enabled Boolean

    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

    entityMappings List<AlertRuleNrtEntityMapping>

    A list of entity_mapping blocks as defined below.

    eventGrouping AlertRuleNrtEventGrouping

    A event_grouping block as defined below.

    NOTE: event_grouping will be required in the next major version of the AzureRM Provider.

    incident AlertRuleNrtIncident

    A incident block as defined below.

    logAnalyticsWorkspaceId String

    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

    name String

    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    query String

    The query of this Sentinel NRT Alert Rule.

    sentinelEntityMappings List<AlertRuleNrtSentinelEntityMapping>

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    severity String

    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

    suppressionDuration String

    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

    suppressionEnabled Boolean

    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

    tactics List<String>

    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

    techniques List<String>

    A list of techniques of attacks by which to classify the rule.

    alertDetailsOverrides AlertRuleNrtAlertDetailsOverride[]

    An alert_details_override block as defined below.

    alertRuleTemplateGuid string

    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    alertRuleTemplateVersion string

    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    customDetails {[key: string]: string}

    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

    description string

    The description of this Sentinel NRT Alert Rule.

    displayName string

    The friendly name of this Sentinel NRT Alert Rule.

    enabled boolean

    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

    entityMappings AlertRuleNrtEntityMapping[]

    A list of entity_mapping blocks as defined below.

    eventGrouping AlertRuleNrtEventGrouping

    A event_grouping block as defined below.

    NOTE: event_grouping will be required in the next major version of the AzureRM Provider.

    incident AlertRuleNrtIncident

    A incident block as defined below.

    logAnalyticsWorkspaceId string

    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

    name string

    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    query string

    The query of this Sentinel NRT Alert Rule.

    sentinelEntityMappings AlertRuleNrtSentinelEntityMapping[]

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    severity string

    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

    suppressionDuration string

    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

    suppressionEnabled boolean

    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

    tactics string[]

    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

    techniques string[]

    A list of techniques of attacks by which to classify the rule.

    alert_details_overrides Sequence[AlertRuleNrtAlertDetailsOverrideArgs]

    An alert_details_override block as defined below.

    alert_rule_template_guid str

    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    alert_rule_template_version str

    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    custom_details Mapping[str, str]

    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

    description str

    The description of this Sentinel NRT Alert Rule.

    display_name str

    The friendly name of this Sentinel NRT Alert Rule.

    enabled bool

    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

    entity_mappings Sequence[AlertRuleNrtEntityMappingArgs]

    A list of entity_mapping blocks as defined below.

    event_grouping AlertRuleNrtEventGroupingArgs

    A event_grouping block as defined below.

    NOTE: event_grouping will be required in the next major version of the AzureRM Provider.

    incident AlertRuleNrtIncidentArgs

    A incident block as defined below.

    log_analytics_workspace_id str

    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

    name str

    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    query str

    The query of this Sentinel NRT Alert Rule.

    sentinel_entity_mappings Sequence[AlertRuleNrtSentinelEntityMappingArgs]

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    severity str

    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

    suppression_duration str

    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

    suppression_enabled bool

    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

    tactics Sequence[str]

    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

    techniques Sequence[str]

    A list of techniques of attacks by which to classify the rule.

    alertDetailsOverrides List<Property Map>

    An alert_details_override block as defined below.

    alertRuleTemplateGuid String

    The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    alertRuleTemplateVersion String

    The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    customDetails Map<String>

    A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

    description String

    The description of this Sentinel NRT Alert Rule.

    displayName String

    The friendly name of this Sentinel NRT Alert Rule.

    enabled Boolean

    Should the Sentinel NRT Alert Rule be enabled? Defaults to true.

    entityMappings List<Property Map>

    A list of entity_mapping blocks as defined below.

    eventGrouping Property Map

    A event_grouping block as defined below.

    NOTE: event_grouping will be required in the next major version of the AzureRM Provider.

    incident Property Map

    A incident block as defined below.

    logAnalyticsWorkspaceId String

    The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.

    name String

    The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.

    query String

    The query of this Sentinel NRT Alert Rule.

    sentinelEntityMappings List<Property Map>

    A list of sentinel_entity_mapping blocks as defined below.

    NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.

    severity String

    The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.

    suppressionDuration String

    If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

    suppressionEnabled Boolean

    Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.

    tactics List<String>

    A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.

    techniques List<String>

    A list of techniques of attacks by which to classify the rule.

    Supporting Types

    AlertRuleNrtAlertDetailsOverride, AlertRuleNrtAlertDetailsOverrideArgs

    DescriptionFormat string

    The format containing columns name(s) to override the description of this Sentinel Alert Rule.

    DisplayNameFormat string

    The format containing columns name(s) to override the name of this Sentinel Alert Rule.

    DynamicProperties List<AlertRuleNrtAlertDetailsOverrideDynamicProperty>

    A list of dynamic_property blocks as defined below.

    SeverityColumnName string

    The column name to take the alert severity from.

    TacticsColumnName string

    The column name to take the alert tactics from.

    DescriptionFormat string

    The format containing columns name(s) to override the description of this Sentinel Alert Rule.

    DisplayNameFormat string

    The format containing columns name(s) to override the name of this Sentinel Alert Rule.

    DynamicProperties []AlertRuleNrtAlertDetailsOverrideDynamicProperty

    A list of dynamic_property blocks as defined below.

    SeverityColumnName string

    The column name to take the alert severity from.

    TacticsColumnName string

    The column name to take the alert tactics from.

    descriptionFormat String

    The format containing columns name(s) to override the description of this Sentinel Alert Rule.

    displayNameFormat String

    The format containing columns name(s) to override the name of this Sentinel Alert Rule.

    dynamicProperties List<AlertRuleNrtAlertDetailsOverrideDynamicProperty>

    A list of dynamic_property blocks as defined below.

    severityColumnName String

    The column name to take the alert severity from.

    tacticsColumnName String

    The column name to take the alert tactics from.

    descriptionFormat string

    The format containing columns name(s) to override the description of this Sentinel Alert Rule.

    displayNameFormat string

    The format containing columns name(s) to override the name of this Sentinel Alert Rule.

    dynamicProperties AlertRuleNrtAlertDetailsOverrideDynamicProperty[]

    A list of dynamic_property blocks as defined below.

    severityColumnName string

    The column name to take the alert severity from.

    tacticsColumnName string

    The column name to take the alert tactics from.

    description_format str

    The format containing columns name(s) to override the description of this Sentinel Alert Rule.

    display_name_format str

    The format containing columns name(s) to override the name of this Sentinel Alert Rule.

    dynamic_properties Sequence[AlertRuleNrtAlertDetailsOverrideDynamicProperty]

    A list of dynamic_property blocks as defined below.

    severity_column_name str

    The column name to take the alert severity from.

    tactics_column_name str

    The column name to take the alert tactics from.

    descriptionFormat String

    The format containing columns name(s) to override the description of this Sentinel Alert Rule.

    displayNameFormat String

    The format containing columns name(s) to override the name of this Sentinel Alert Rule.

    dynamicProperties List<Property Map>

    A list of dynamic_property blocks as defined below.

    severityColumnName String

    The column name to take the alert severity from.

    tacticsColumnName String

    The column name to take the alert tactics from.

    AlertRuleNrtAlertDetailsOverrideDynamicProperty, AlertRuleNrtAlertDetailsOverrideDynamicPropertyArgs

    Name string

    The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.

    Value string

    The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

    Name string

    The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.

    Value string

    The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

    name String

    The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.

    value String

    The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

    name string

    The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.

    value string

    The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

    name str

    The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.

    value str

    The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

    name String

    The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.

    value String

    The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

    AlertRuleNrtEntityMapping, AlertRuleNrtEntityMappingArgs

    EntityType string

    The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

    FieldMappings List<AlertRuleNrtEntityMappingFieldMapping>

    A list of field_mapping blocks as defined below.

    EntityType string

    The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

    FieldMappings []AlertRuleNrtEntityMappingFieldMapping

    A list of field_mapping blocks as defined below.

    entityType String

    The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

    fieldMappings List<AlertRuleNrtEntityMappingFieldMapping>

    A list of field_mapping blocks as defined below.

    entityType string

    The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

    fieldMappings AlertRuleNrtEntityMappingFieldMapping[]

    A list of field_mapping blocks as defined below.

    entity_type str

    The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

    field_mappings Sequence[AlertRuleNrtEntityMappingFieldMapping]

    A list of field_mapping blocks as defined below.

    entityType String

    The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

    fieldMappings List<Property Map>

    A list of field_mapping blocks as defined below.

    AlertRuleNrtEntityMappingFieldMapping, AlertRuleNrtEntityMappingFieldMappingArgs

    ColumnName string

    The column name to be mapped to the identifier.

    Identifier string

    The identifier of the entity.

    ColumnName string

    The column name to be mapped to the identifier.

    Identifier string

    The identifier of the entity.

    columnName String

    The column name to be mapped to the identifier.

    identifier String

    The identifier of the entity.

    columnName string

    The column name to be mapped to the identifier.

    identifier string

    The identifier of the entity.

    column_name str

    The column name to be mapped to the identifier.

    identifier str

    The identifier of the entity.

    columnName String

    The column name to be mapped to the identifier.

    identifier String

    The identifier of the entity.

    AlertRuleNrtEventGrouping, AlertRuleNrtEventGroupingArgs

    AggregationMethod string

    The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

    AggregationMethod string

    The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

    aggregationMethod String

    The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

    aggregationMethod string

    The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

    aggregation_method str

    The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

    aggregationMethod String

    The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

    AlertRuleNrtIncident, AlertRuleNrtIncidentArgs

    CreateIncidentEnabled bool

    Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?

    Grouping AlertRuleNrtIncidentGrouping

    A grouping block as defined below.

    CreateIncidentEnabled bool

    Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?

    Grouping AlertRuleNrtIncidentGrouping

    A grouping block as defined below.

    createIncidentEnabled Boolean

    Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?

    grouping AlertRuleNrtIncidentGrouping

    A grouping block as defined below.

    createIncidentEnabled boolean

    Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?

    grouping AlertRuleNrtIncidentGrouping

    A grouping block as defined below.

    create_incident_enabled bool

    Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?

    grouping AlertRuleNrtIncidentGrouping

    A grouping block as defined below.

    createIncidentEnabled Boolean

    Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?

    grouping Property Map

    A grouping block as defined below.

    AlertRuleNrtIncidentGrouping, AlertRuleNrtIncidentGroupingArgs

    ByAlertDetails List<string>

    A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.

    ByCustomDetails List<string>

    A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.

    ByEntities List<string>

    A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

    Enabled bool

    Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.

    EntityMatchingMethod string

    The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.

    LookbackDuration string

    Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.

    ReopenClosedIncidents bool

    Whether to re-open closed matching incidents? Defaults to false.

    ByAlertDetails []string

    A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.

    ByCustomDetails []string

    A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.

    ByEntities []string

    A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

    Enabled bool

    Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.

    EntityMatchingMethod string

    The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.

    LookbackDuration string

    Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.

    ReopenClosedIncidents bool

    Whether to re-open closed matching incidents? Defaults to false.

    byAlertDetails List<String>

    A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.

    byCustomDetails List<String>

    A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.

    byEntities List<String>

    A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

    enabled Boolean

    Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.

    entityMatchingMethod String

    The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.

    lookbackDuration String

    Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.

    reopenClosedIncidents Boolean

    Whether to re-open closed matching incidents? Defaults to false.

    byAlertDetails string[]

    A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.

    byCustomDetails string[]

    A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.

    byEntities string[]

    A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

    enabled boolean

    Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.

    entityMatchingMethod string

    The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.

    lookbackDuration string

    Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.

    reopenClosedIncidents boolean

    Whether to re-open closed matching incidents? Defaults to false.

    by_alert_details Sequence[str]

    A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.

    by_custom_details Sequence[str]

    A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.

    by_entities Sequence[str]

    A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

    enabled bool

    Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.

    entity_matching_method str

    The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.

    lookback_duration str

    Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.

    reopen_closed_incidents bool

    Whether to re-open closed matching incidents? Defaults to false.

    byAlertDetails List<String>

    A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.

    byCustomDetails List<String>

    A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.

    byEntities List<String>

    A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.

    enabled Boolean

    Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.

    entityMatchingMethod String

    The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.

    lookbackDuration String

    Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.

    reopenClosedIncidents Boolean

    Whether to re-open closed matching incidents? Defaults to false.

    AlertRuleNrtSentinelEntityMapping, AlertRuleNrtSentinelEntityMappingArgs

    ColumnName string

    The column name to be mapped to the identifier.

    ColumnName string

    The column name to be mapped to the identifier.

    columnName String

    The column name to be mapped to the identifier.

    columnName string

    The column name to be mapped to the identifier.

    column_name str

    The column name to be mapped to the identifier.

    columnName String

    The column name to be mapped to the identifier.

    Import

    Sentinel NRT Alert Rules can be imported using the resource id, e.g.

     $ pulumi import azure:sentinel/alertRuleNrt:AlertRuleNrt example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1
    

    Package Details

    Repository
    Azure Classic pulumi/pulumi-azure
    License
    Apache-2.0
    Notes

    This Pulumi package is based on the azurerm Terraform Provider.

    azure logo

    We recommend using Azure Native.

    Azure Classic v5.49.0 published on Tuesday, Aug 29, 2023 by Pulumi