Azure Classic v5.38.0, Mar 21 23

azure.sentinel.AlertRuleNrt

Manages a Sentinel NRT Alert Rule.

Example Usage

using System.Collections.Generic;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() => 
{
    var exampleResourceGroup = new Azure.Core.ResourceGroup("exampleResourceGroup", new()
    {
        Location = "West Europe",
    });

    var exampleAnalyticsWorkspace = new Azure.OperationalInsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", new()
    {
        Location = exampleResourceGroup.Location,
        ResourceGroupName = exampleResourceGroup.Name,
        Sku = "pergb2018",
    });

    var exampleAnalyticsSolution = new Azure.OperationalInsights.AnalyticsSolution("exampleAnalyticsSolution", new()
    {
        SolutionName = "SecurityInsights",
        Location = exampleResourceGroup.Location,
        ResourceGroupName = exampleResourceGroup.Name,
        WorkspaceResourceId = exampleAnalyticsWorkspace.Id,
        WorkspaceName = exampleAnalyticsWorkspace.Name,
        Plan = new Azure.OperationalInsights.Inputs.AnalyticsSolutionPlanArgs
        {
            Publisher = "Microsoft",
            Product = "OMSGallery/SecurityInsights",
        },
    });

    var exampleAlertRuleNrt = new Azure.Sentinel.AlertRuleNrt("exampleAlertRuleNrt", new()
    {
        LogAnalyticsWorkspaceId = exampleAnalyticsSolution.WorkspaceResourceId,
        DisplayName = "example",
        Severity = "High",
        Query = @"AzureActivity |
  where OperationName == ""Create or Update Virtual Machine"" or OperationName ==""Create Deployment"" |
  where ActivityStatus == ""Succeeded"" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
",
    });

});

package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/operationalinsights"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/sentinel"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleResourceGroup, err := core.NewResourceGroup(ctx, "exampleResourceGroup", &core.ResourceGroupArgs{
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}
		exampleAnalyticsWorkspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "exampleAnalyticsWorkspace", &operationalinsights.AnalyticsWorkspaceArgs{
			Location:          exampleResourceGroup.Location,
			ResourceGroupName: exampleResourceGroup.Name,
			Sku:               pulumi.String("pergb2018"),
		})
		if err != nil {
			return err
		}
		exampleAnalyticsSolution, err := operationalinsights.NewAnalyticsSolution(ctx, "exampleAnalyticsSolution", &operationalinsights.AnalyticsSolutionArgs{
			SolutionName:        pulumi.String("SecurityInsights"),
			Location:            exampleResourceGroup.Location,
			ResourceGroupName:   exampleResourceGroup.Name,
			WorkspaceResourceId: exampleAnalyticsWorkspace.ID(),
			WorkspaceName:       exampleAnalyticsWorkspace.Name,
			Plan: &operationalinsights.AnalyticsSolutionPlanArgs{
				Publisher: pulumi.String("Microsoft"),
				Product:   pulumi.String("OMSGallery/SecurityInsights"),
			},
		})
		if err != nil {
			return err
		}
		_, err = sentinel.NewAlertRuleNrt(ctx, "exampleAlertRuleNrt", &sentinel.AlertRuleNrtArgs{
			LogAnalyticsWorkspaceId: exampleAnalyticsSolution.WorkspaceResourceId,
			DisplayName:             pulumi.String("example"),
			Severity:                pulumi.String("High"),
			Query:                   pulumi.String("AzureActivity |\n  where OperationName == \"Create or Update Virtual Machine\" or OperationName ==\"Create Deployment\" |\n  where ActivityStatus == \"Succeeded\" |\n  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller\n"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
import com.pulumi.azure.operationalinsights.AnalyticsSolution;
import com.pulumi.azure.operationalinsights.AnalyticsSolutionArgs;
import com.pulumi.azure.operationalinsights.inputs.AnalyticsSolutionPlanArgs;
import com.pulumi.azure.sentinel.AlertRuleNrt;
import com.pulumi.azure.sentinel.AlertRuleNrtArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var exampleResourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()        
            .location("West Europe")
            .build());

        var exampleAnalyticsWorkspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()        
            .location(exampleResourceGroup.location())
            .resourceGroupName(exampleResourceGroup.name())
            .sku("pergb2018")
            .build());

        var exampleAnalyticsSolution = new AnalyticsSolution("exampleAnalyticsSolution", AnalyticsSolutionArgs.builder()        
            .solutionName("SecurityInsights")
            .location(exampleResourceGroup.location())
            .resourceGroupName(exampleResourceGroup.name())
            .workspaceResourceId(exampleAnalyticsWorkspace.id())
            .workspaceName(exampleAnalyticsWorkspace.name())
            .plan(AnalyticsSolutionPlanArgs.builder()
                .publisher("Microsoft")
                .product("OMSGallery/SecurityInsights")
                .build())
            .build());

        var exampleAlertRuleNrt = new AlertRuleNrt("exampleAlertRuleNrt", AlertRuleNrtArgs.builder()        
            .logAnalyticsWorkspaceId(exampleAnalyticsSolution.workspaceResourceId())
            .displayName("example")
            .severity("High")
            .query("""
AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
            """)
            .build());

    }
}

import pulumi
import pulumi_azure as azure

example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    sku="pergb2018")
example_analytics_solution = azure.operationalinsights.AnalyticsSolution("exampleAnalyticsSolution",
    solution_name="SecurityInsights",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    workspace_resource_id=example_analytics_workspace.id,
    workspace_name=example_analytics_workspace.name,
    plan=azure.operationalinsights.AnalyticsSolutionPlanArgs(
        publisher="Microsoft",
        product="OMSGallery/SecurityInsights",
    ))
example_alert_rule_nrt = azure.sentinel.AlertRuleNrt("exampleAlertRuleNrt",
    log_analytics_workspace_id=example_analytics_solution.workspace_resource_id,
    display_name="example",
    severity="High",
    query="""AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
""")

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    sku: "pergb2018",
});
const exampleAnalyticsSolution = new azure.operationalinsights.AnalyticsSolution("exampleAnalyticsSolution", {
    solutionName: "SecurityInsights",
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    workspaceResourceId: exampleAnalyticsWorkspace.id,
    workspaceName: exampleAnalyticsWorkspace.name,
    plan: {
        publisher: "Microsoft",
        product: "OMSGallery/SecurityInsights",
    },
});
const exampleAlertRuleNrt = new azure.sentinel.AlertRuleNrt("exampleAlertRuleNrt", {
    logAnalyticsWorkspaceId: exampleAnalyticsSolution.workspaceResourceId,
    displayName: "example",
    severity: "High",
    query: `AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
`,
});

resources:
  exampleResourceGroup:
    type: azure:core:ResourceGroup
    properties:
      location: West Europe
  exampleAnalyticsWorkspace:
    type: azure:operationalinsights:AnalyticsWorkspace
    properties:
      location: ${exampleResourceGroup.location}
      resourceGroupName: ${exampleResourceGroup.name}
      sku: pergb2018
  exampleAnalyticsSolution:
    type: azure:operationalinsights:AnalyticsSolution
    properties:
      solutionName: SecurityInsights
      location: ${exampleResourceGroup.location}
      resourceGroupName: ${exampleResourceGroup.name}
      workspaceResourceId: ${exampleAnalyticsWorkspace.id}
      workspaceName: ${exampleAnalyticsWorkspace.name}
      plan:
        publisher: Microsoft
        product: OMSGallery/SecurityInsights
  exampleAlertRuleNrt:
    type: azure:sentinel:AlertRuleNrt
    properties:
      logAnalyticsWorkspaceId: ${exampleAnalyticsSolution.workspaceResourceId}
      displayName: example
      severity: High
      query: |
        AzureActivity |
          where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
          where ActivityStatus == "Succeeded" |
          make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller

Create AlertRuleNrt Resource

new AlertRuleNrt(name: string, args: AlertRuleNrtArgs, opts?: CustomResourceOptions);

@overload
def AlertRuleNrt(resource_name: str,
                 opts: Optional[ResourceOptions] = None,
                 alert_details_overrides: Optional[Sequence[AlertRuleNrtAlertDetailsOverrideArgs]] = None,
                 alert_rule_template_guid: Optional[str] = None,
                 alert_rule_template_version: Optional[str] = None,
                 custom_details: Optional[Mapping[str, str]] = None,
                 description: Optional[str] = None,
                 display_name: Optional[str] = None,
                 enabled: Optional[bool] = None,
                 entity_mappings: Optional[Sequence[AlertRuleNrtEntityMappingArgs]] = None,
                 event_grouping: Optional[AlertRuleNrtEventGroupingArgs] = None,
                 incident: Optional[AlertRuleNrtIncidentArgs] = None,
                 log_analytics_workspace_id: Optional[str] = None,
                 name: Optional[str] = None,
                 query: Optional[str] = None,
                 sentinel_entity_mappings: Optional[Sequence[AlertRuleNrtSentinelEntityMappingArgs]] = None,
                 severity: Optional[str] = None,
                 suppression_duration: Optional[str] = None,
                 suppression_enabled: Optional[bool] = None,
                 tactics: Optional[Sequence[str]] = None,
                 techniques: Optional[Sequence[str]] = None)
@overload
def AlertRuleNrt(resource_name: str,
                 args: AlertRuleNrtArgs,
                 opts: Optional[ResourceOptions] = None)

func NewAlertRuleNrt(ctx *Context, name string, args AlertRuleNrtArgs, opts ...ResourceOption) (*AlertRuleNrt, error)

public AlertRuleNrt(string name, AlertRuleNrtArgs args, CustomResourceOptions? opts = null)

public AlertRuleNrt(String name, AlertRuleNrtArgs args)
public AlertRuleNrt(String name, AlertRuleNrtArgs args, CustomResourceOptions options)

type: azure:sentinel:AlertRuleNrt
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AlertRuleNrtArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args AlertRuleNrtArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AlertRuleNrtArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AlertRuleNrtArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args AlertRuleNrtArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

AlertRuleNrt Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AlertRuleNrt resource accepts the following input properties:

DisplayName string: The friendly name of this Sentinel NRT Alert Rule.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
Query string: The query of this Sentinel NRT Alert Rule.
Severity string: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
AlertDetailsOverrides List<AlertRuleNrtAlertDetailsOverrideArgs>: An alert_details_override block as defined below.
AlertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
AlertRuleTemplateVersion string: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
CustomDetails Dictionary<string, string>: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
Description string: The description of this Sentinel NRT Alert Rule.
Enabled bool: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
EntityMappings List<AlertRuleNrtEntityMappingArgs>: A list of entity_mapping blocks as defined below.
EventGrouping AlertRuleNrtEventGroupingArgs: A event_grouping block as defined below.
Incident AlertRuleNrtIncidentArgs: A incident block as defined below.
Name string: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
SentinelEntityMappings List<AlertRuleNrtSentinelEntityMappingArgs>: A list of sentinel_entity_mapping blocks as defined below.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics List<string>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.
Techniques List<string>: A list of techniques of attacks by which to classify the rule.

DisplayName string: The friendly name of this Sentinel NRT Alert Rule.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
Query string: The query of this Sentinel NRT Alert Rule.
Severity string: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
AlertDetailsOverrides []AlertRuleNrtAlertDetailsOverrideArgs: An alert_details_override block as defined below.
AlertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
AlertRuleTemplateVersion string: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
CustomDetails map[string]string: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
Description string: The description of this Sentinel NRT Alert Rule.
Enabled bool: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
EntityMappings []AlertRuleNrtEntityMappingArgs: A list of entity_mapping blocks as defined below.
EventGrouping AlertRuleNrtEventGroupingArgs: A event_grouping block as defined below.
Incident AlertRuleNrtIncidentArgs: A incident block as defined below.
Name string: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
SentinelEntityMappings []AlertRuleNrtSentinelEntityMappingArgs: A list of sentinel_entity_mapping blocks as defined below.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics []string: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.
Techniques []string: A list of techniques of attacks by which to classify the rule.

displayName String: The friendly name of this Sentinel NRT Alert Rule.
logAnalyticsWorkspaceId String: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
query String: The query of this Sentinel NRT Alert Rule.
severity String: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
alertDetailsOverrides List<AlertRuleNrtAlertDetailsOverrideArgs>: An alert_details_override block as defined below.
alertRuleTemplateGuid String: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alertRuleTemplateVersion String: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
customDetails Map<String,String>: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description String: The description of this Sentinel NRT Alert Rule.
enabled Boolean: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entityMappings List<AlertRuleNrtEntityMappingArgs>: A list of entity_mapping blocks as defined below.
eventGrouping AlertRuleNrtEventGroupingArgs: A event_grouping block as defined below.
incident AlertRuleNrtIncidentArgs: A incident block as defined below.
name String: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
sentinelEntityMappings List<AlertRuleNrtSentinelEntityMappingArgs>: A list of sentinel_entity_mapping blocks as defined below.
suppressionDuration String: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled Boolean: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics List<String>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.
techniques List<String>: A list of techniques of attacks by which to classify the rule.

displayName string: The friendly name of this Sentinel NRT Alert Rule.
logAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
query string: The query of this Sentinel NRT Alert Rule.
severity string: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
alertDetailsOverrides AlertRuleNrtAlertDetailsOverrideArgs[]: An alert_details_override block as defined below.
alertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alertRuleTemplateVersion string: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
customDetails {[key: string]: string}: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description string: The description of this Sentinel NRT Alert Rule.
enabled boolean: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entityMappings AlertRuleNrtEntityMappingArgs[]: A list of entity_mapping blocks as defined below.
eventGrouping AlertRuleNrtEventGroupingArgs: A event_grouping block as defined below.
incident AlertRuleNrtIncidentArgs: A incident block as defined below.
name string: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
sentinelEntityMappings AlertRuleNrtSentinelEntityMappingArgs[]: A list of sentinel_entity_mapping blocks as defined below.
suppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled boolean: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics string[]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.
techniques string[]: A list of techniques of attacks by which to classify the rule.

display_name str: The friendly name of this Sentinel NRT Alert Rule.
log_analytics_workspace_id str: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
query str: The query of this Sentinel NRT Alert Rule.
severity str: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
alert_details_overrides Sequence[AlertRuleNrtAlertDetailsOverrideArgs]: An alert_details_override block as defined below.
alert_rule_template_guid str: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alert_rule_template_version str: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
custom_details Mapping[str, str]: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description str: The description of this Sentinel NRT Alert Rule.
enabled bool: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entity_mappings Sequence[AlertRuleNrtEntityMappingArgs]: A list of entity_mapping blocks as defined below.
event_grouping AlertRuleNrtEventGroupingArgs: A event_grouping block as defined below.
incident AlertRuleNrtIncidentArgs: A incident block as defined below.
name str: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
sentinel_entity_mappings Sequence[AlertRuleNrtSentinelEntityMappingArgs]: A list of sentinel_entity_mapping blocks as defined below.
suppression_duration str: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppression_enabled bool: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics Sequence[str]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.
techniques Sequence[str]: A list of techniques of attacks by which to classify the rule.

displayName String: The friendly name of this Sentinel NRT Alert Rule.
logAnalyticsWorkspaceId String: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
query String: The query of this Sentinel NRT Alert Rule.
severity String: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
alertDetailsOverrides List<Property Map>: An alert_details_override block as defined below.
alertRuleTemplateGuid String: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alertRuleTemplateVersion String: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
customDetails Map<String>: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description String: The description of this Sentinel NRT Alert Rule.
enabled Boolean: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entityMappings List<Property Map>: A list of entity_mapping blocks as defined below.
eventGrouping Property Map: A event_grouping block as defined below.
incident Property Map: A incident block as defined below.
name String: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
sentinelEntityMappings List<Property Map>: A list of sentinel_entity_mapping blocks as defined below.
suppressionDuration String: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled Boolean: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics List<String>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.
techniques List<String>: A list of techniques of attacks by which to classify the rule.

Outputs

All input properties are implicitly available as output properties. Additionally, the AlertRuleNrt resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing AlertRuleNrt Resource

Get an existing AlertRuleNrt resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AlertRuleNrtState, opts?: CustomResourceOptions): AlertRuleNrt

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        alert_details_overrides: Optional[Sequence[AlertRuleNrtAlertDetailsOverrideArgs]] = None,
        alert_rule_template_guid: Optional[str] = None,
        alert_rule_template_version: Optional[str] = None,
        custom_details: Optional[Mapping[str, str]] = None,
        description: Optional[str] = None,
        display_name: Optional[str] = None,
        enabled: Optional[bool] = None,
        entity_mappings: Optional[Sequence[AlertRuleNrtEntityMappingArgs]] = None,
        event_grouping: Optional[AlertRuleNrtEventGroupingArgs] = None,
        incident: Optional[AlertRuleNrtIncidentArgs] = None,
        log_analytics_workspace_id: Optional[str] = None,
        name: Optional[str] = None,
        query: Optional[str] = None,
        sentinel_entity_mappings: Optional[Sequence[AlertRuleNrtSentinelEntityMappingArgs]] = None,
        severity: Optional[str] = None,
        suppression_duration: Optional[str] = None,
        suppression_enabled: Optional[bool] = None,
        tactics: Optional[Sequence[str]] = None,
        techniques: Optional[Sequence[str]] = None) -> AlertRuleNrt

func GetAlertRuleNrt(ctx *Context, name string, id IDInput, state *AlertRuleNrtState, opts ...ResourceOption) (*AlertRuleNrt, error)

public static AlertRuleNrt Get(string name, Input<string> id, AlertRuleNrtState? state, CustomResourceOptions? opts = null)

public static AlertRuleNrt get(String name, Output<String> id, AlertRuleNrtState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AlertDetailsOverrides List<AlertRuleNrtAlertDetailsOverrideArgs>: An alert_details_override block as defined below.
AlertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
AlertRuleTemplateVersion string: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
CustomDetails Dictionary<string, string>: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
Description string: The description of this Sentinel NRT Alert Rule.
DisplayName string: The friendly name of this Sentinel NRT Alert Rule.
Enabled bool: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
EntityMappings List<AlertRuleNrtEntityMappingArgs>: A list of entity_mapping blocks as defined below.
EventGrouping AlertRuleNrtEventGroupingArgs: A event_grouping block as defined below.
Incident AlertRuleNrtIncidentArgs: A incident block as defined below.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
Name string: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
Query string: The query of this Sentinel NRT Alert Rule.
SentinelEntityMappings List<AlertRuleNrtSentinelEntityMappingArgs>: A list of sentinel_entity_mapping blocks as defined below.
Severity string: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics List<string>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.
Techniques List<string>: A list of techniques of attacks by which to classify the rule.

AlertDetailsOverrides []AlertRuleNrtAlertDetailsOverrideArgs: An alert_details_override block as defined below.
AlertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
AlertRuleTemplateVersion string: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
CustomDetails map[string]string: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
Description string: The description of this Sentinel NRT Alert Rule.
DisplayName string: The friendly name of this Sentinel NRT Alert Rule.
Enabled bool: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
EntityMappings []AlertRuleNrtEntityMappingArgs: A list of entity_mapping blocks as defined below.
EventGrouping AlertRuleNrtEventGroupingArgs: A event_grouping block as defined below.
Incident AlertRuleNrtIncidentArgs: A incident block as defined below.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
Name string: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
Query string: The query of this Sentinel NRT Alert Rule.
SentinelEntityMappings []AlertRuleNrtSentinelEntityMappingArgs: A list of sentinel_entity_mapping blocks as defined below.
Severity string: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics []string: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.
Techniques []string: A list of techniques of attacks by which to classify the rule.

alertDetailsOverrides List<AlertRuleNrtAlertDetailsOverrideArgs>: An alert_details_override block as defined below.
alertRuleTemplateGuid String: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alertRuleTemplateVersion String: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
customDetails Map<String,String>: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description String: The description of this Sentinel NRT Alert Rule.
displayName String: The friendly name of this Sentinel NRT Alert Rule.
enabled Boolean: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entityMappings List<AlertRuleNrtEntityMappingArgs>: A list of entity_mapping blocks as defined below.
eventGrouping AlertRuleNrtEventGroupingArgs: A event_grouping block as defined below.
incident AlertRuleNrtIncidentArgs: A incident block as defined below.
logAnalyticsWorkspaceId String: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
name String: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
query String: The query of this Sentinel NRT Alert Rule.
sentinelEntityMappings List<AlertRuleNrtSentinelEntityMappingArgs>: A list of sentinel_entity_mapping blocks as defined below.
severity String: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
suppressionDuration String: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled Boolean: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics List<String>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.
techniques List<String>: A list of techniques of attacks by which to classify the rule.

alertDetailsOverrides AlertRuleNrtAlertDetailsOverrideArgs[]: An alert_details_override block as defined below.
alertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alertRuleTemplateVersion string: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
customDetails {[key: string]: string}: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description string: The description of this Sentinel NRT Alert Rule.
displayName string: The friendly name of this Sentinel NRT Alert Rule.
enabled boolean: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entityMappings AlertRuleNrtEntityMappingArgs[]: A list of entity_mapping blocks as defined below.
eventGrouping AlertRuleNrtEventGroupingArgs: A event_grouping block as defined below.
incident AlertRuleNrtIncidentArgs: A incident block as defined below.
logAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
name string: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
query string: The query of this Sentinel NRT Alert Rule.
sentinelEntityMappings AlertRuleNrtSentinelEntityMappingArgs[]: A list of sentinel_entity_mapping blocks as defined below.
severity string: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
suppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled boolean: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics string[]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.
techniques string[]: A list of techniques of attacks by which to classify the rule.

alert_details_overrides Sequence[AlertRuleNrtAlertDetailsOverrideArgs]: An alert_details_override block as defined below.
alert_rule_template_guid str: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alert_rule_template_version str: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
custom_details Mapping[str, str]: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description str: The description of this Sentinel NRT Alert Rule.
display_name str: The friendly name of this Sentinel NRT Alert Rule.
enabled bool: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entity_mappings Sequence[AlertRuleNrtEntityMappingArgs]: A list of entity_mapping blocks as defined below.
event_grouping AlertRuleNrtEventGroupingArgs: A event_grouping block as defined below.
incident AlertRuleNrtIncidentArgs: A incident block as defined below.
log_analytics_workspace_id str: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
name str: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
query str: The query of this Sentinel NRT Alert Rule.
sentinel_entity_mappings Sequence[AlertRuleNrtSentinelEntityMappingArgs]: A list of sentinel_entity_mapping blocks as defined below.
severity str: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
suppression_duration str: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppression_enabled bool: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics Sequence[str]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.
techniques Sequence[str]: A list of techniques of attacks by which to classify the rule.

alertDetailsOverrides List<Property Map>: An alert_details_override block as defined below.
alertRuleTemplateGuid String: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alertRuleTemplateVersion String: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
customDetails Map<String>: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description String: The description of this Sentinel NRT Alert Rule.
displayName String: The friendly name of this Sentinel NRT Alert Rule.
enabled Boolean: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entityMappings List<Property Map>: A list of entity_mapping blocks as defined below.
eventGrouping Property Map: A event_grouping block as defined below.
incident Property Map: A incident block as defined below.
logAnalyticsWorkspaceId String: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
name String: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
query String: The query of this Sentinel NRT Alert Rule.
sentinelEntityMappings List<Property Map>: A list of sentinel_entity_mapping blocks as defined below.
severity String: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
suppressionDuration String: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled Boolean: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics List<String>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation and PreAttack.
techniques List<String>: A list of techniques of attacks by which to classify the rule.

Supporting Types

AlertRuleNrtAlertDetailsOverride

DescriptionFormat string: The format containing columns name(s) to override the description of this Sentinel Alert Rule.
DisplayNameFormat string: The format containing columns name(s) to override the name of this Sentinel Alert Rule.
DynamicProperties List<AlertRuleNrtAlertDetailsOverrideDynamicProperty>: A list of dynamic_property blocks as defined below.
SeverityColumnName string: The column name to take the alert severity from.
TacticsColumnName string: The column name to take the alert tactics from.

DescriptionFormat string: The format containing columns name(s) to override the description of this Sentinel Alert Rule.
DisplayNameFormat string: The format containing columns name(s) to override the name of this Sentinel Alert Rule.
DynamicProperties []AlertRuleNrtAlertDetailsOverrideDynamicProperty: A list of dynamic_property blocks as defined below.
SeverityColumnName string: The column name to take the alert severity from.
TacticsColumnName string: The column name to take the alert tactics from.

descriptionFormat String: The format containing columns name(s) to override the description of this Sentinel Alert Rule.
displayNameFormat String: The format containing columns name(s) to override the name of this Sentinel Alert Rule.
dynamicProperties List<AlertRuleNrtAlertDetailsOverrideDynamicProperty>: A list of dynamic_property blocks as defined below.
severityColumnName String: The column name to take the alert severity from.
tacticsColumnName String: The column name to take the alert tactics from.

descriptionFormat string: The format containing columns name(s) to override the description of this Sentinel Alert Rule.
displayNameFormat string: The format containing columns name(s) to override the name of this Sentinel Alert Rule.
dynamicProperties AlertRuleNrtAlertDetailsOverrideDynamicProperty[]: A list of dynamic_property blocks as defined below.
severityColumnName string: The column name to take the alert severity from.
tacticsColumnName string: The column name to take the alert tactics from.

description_format str: The format containing columns name(s) to override the description of this Sentinel Alert Rule.
display_name_format str: The format containing columns name(s) to override the name of this Sentinel Alert Rule.
dynamic_properties Sequence[AlertRuleNrtAlertDetailsOverrideDynamicProperty]: A list of dynamic_property blocks as defined below.
severity_column_name str: The column name to take the alert severity from.
tactics_column_name str: The column name to take the alert tactics from.

descriptionFormat String: The format containing columns name(s) to override the description of this Sentinel Alert Rule.
displayNameFormat String: The format containing columns name(s) to override the name of this Sentinel Alert Rule.
dynamicProperties List<Property Map>: A list of dynamic_property blocks as defined below.
severityColumnName String: The column name to take the alert severity from.
tacticsColumnName String: The column name to take the alert tactics from.

AlertRuleNrtAlertDetailsOverrideDynamicProperty

Name string: The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
Value string: The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

Name string: The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
Value string: The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

name String: The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
value String: The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

name string: The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
value string: The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

name str: The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
value str: The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

name String: The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
value String: The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

AlertRuleNrtEntityMapping

EntityType string: The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
FieldMappings List<AlertRuleNrtEntityMappingFieldMapping>: A list of field_mapping blocks as defined below.

EntityType string: The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
FieldMappings []AlertRuleNrtEntityMappingFieldMapping: A list of field_mapping blocks as defined below.

entityType String: The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
fieldMappings List<AlertRuleNrtEntityMappingFieldMapping>: A list of field_mapping blocks as defined below.

entityType string: The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
fieldMappings AlertRuleNrtEntityMappingFieldMapping[]: A list of field_mapping blocks as defined below.

entity_type str: The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
field_mappings Sequence[AlertRuleNrtEntityMappingFieldMapping]: A list of field_mapping blocks as defined below.

entityType String: The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
fieldMappings List<Property Map>: A list of field_mapping blocks as defined below.

AlertRuleNrtEntityMappingFieldMapping

ColumnName string: The column name to be mapped to the identifier.
Identifier string: The identifier of the entity.

ColumnName string: The column name to be mapped to the identifier.
Identifier string: The identifier of the entity.

columnName String: The column name to be mapped to the identifier.
identifier String: The identifier of the entity.

columnName string: The column name to be mapped to the identifier.
identifier string: The identifier of the entity.

column_name str: The column name to be mapped to the identifier.
identifier str: The identifier of the entity.

columnName String: The column name to be mapped to the identifier.
identifier String: The identifier of the entity.

AlertRuleNrtEventGrouping

AggregationMethod string: The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

AggregationMethod string: The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

aggregationMethod String: The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

aggregationMethod string: The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

aggregation_method str: The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

aggregationMethod String: The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

AlertRuleNrtIncident

CreateIncidentEnabled bool: Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
Grouping AlertRuleNrtIncidentGrouping: A grouping block as defined below.

CreateIncidentEnabled bool: Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
Grouping AlertRuleNrtIncidentGrouping: A grouping block as defined below.

createIncidentEnabled Boolean: Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
grouping AlertRuleNrtIncidentGrouping: A grouping block as defined below.

createIncidentEnabled boolean: Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
grouping AlertRuleNrtIncidentGrouping: A grouping block as defined below.

create_incident_enabled bool: Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
grouping AlertRuleNrtIncidentGrouping: A grouping block as defined below.

createIncidentEnabled Boolean: Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
grouping Property Map: A grouping block as defined below.

AlertRuleNrtIncidentGrouping

ByAlertDetails List<string>: A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
ByCustomDetails List<string>: A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
ByEntities List<string>: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
Enabled bool: Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
EntityMatchingMethod string: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
LookbackDuration string: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
ReopenClosedIncidents bool: Whether to re-open closed matching incidents? Defaults to false.

ByAlertDetails []string: A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
ByCustomDetails []string: A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
ByEntities []string: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
Enabled bool: Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
EntityMatchingMethod string: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
LookbackDuration string: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
ReopenClosedIncidents bool: Whether to re-open closed matching incidents? Defaults to false.

byAlertDetails List<String>: A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
byCustomDetails List<String>: A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
byEntities List<String>: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
enabled Boolean: Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
entityMatchingMethod String: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
lookbackDuration String: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
reopenClosedIncidents Boolean: Whether to re-open closed matching incidents? Defaults to false.

byAlertDetails string[]: A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
byCustomDetails string[]: A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
byEntities string[]: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
enabled boolean: Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
entityMatchingMethod string: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
lookbackDuration string: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
reopenClosedIncidents boolean: Whether to re-open closed matching incidents? Defaults to false.

by_alert_details Sequence[str]: A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
by_custom_details Sequence[str]: A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
by_entities Sequence[str]: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
enabled bool: Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
entity_matching_method str: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
lookback_duration str: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
reopen_closed_incidents bool: Whether to re-open closed matching incidents? Defaults to false.

byAlertDetails List<String>: A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
byCustomDetails List<String>: A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
byEntities List<String>: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
enabled Boolean: Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
entityMatchingMethod String: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
lookbackDuration String: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
reopenClosedIncidents Boolean: Whether to re-open closed matching incidents? Defaults to false.

AlertRuleNrtSentinelEntityMapping

ColumnName string: The column name to be mapped to the identifier.

ColumnName string: The column name to be mapped to the identifier.

columnName String: The column name to be mapped to the identifier.

columnName string: The column name to be mapped to the identifier.

column_name str: The column name to be mapped to the identifier.

columnName String: The column name to be mapped to the identifier.

Import

Sentinel NRT Alert Rules can be imported using the resource id, e.g.

 $ pulumi import azure:sentinel/alertRuleNrt:AlertRuleNrt example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1

Package Details

Repository: Azure Classic pulumi/pulumi-azure
License: Apache-2.0
Notes: This Pulumi package is based on the azurerm Terraform Provider.