We recommend using Azure Native.
azure.sentinel.AlertRuleNrt
Manages a Sentinel NRT Alert Rule.
Example Usage
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
    // Resource group that hosts the Log Analytics workspace.
    var resourceGroup = new Azure.Core.ResourceGroup("exampleResourceGroup", new Azure.Core.ResourceGroupArgs
    {
        Location = "West Europe",
    });

    // Log Analytics workspace placed in that resource group.
    var workspace = new Azure.OperationalInsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", new Azure.OperationalInsights.AnalyticsWorkspaceArgs
    {
        Location = resourceGroup.Location,
        ResourceGroupName = resourceGroup.Name,
        Sku = "pergb2018",
    });

    // Enables Sentinel on the workspace; the rule below takes its workspace ID from
    // this resource rather than from the workspace itself.
    var onboarding = new Azure.Sentinel.LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", new Azure.Sentinel.LogAnalyticsWorkspaceOnboardingArgs
    {
        WorkspaceId = workspace.Id,
    });

    // KQL evaluated by the near-real-time rule. A verbatim literal is used so the
    // embedded quotes are doubled instead of backslash-escaped; the trailing
    // newline is part of the value.
    const string nrtQuery = @"AzureActivity |
 where OperationName == ""Create or Update Virtual Machine"" or OperationName ==""Create Deployment"" |
 where ActivityStatus == ""Succeeded"" |
 make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
";

    // The NRT alert rule itself. Only the required inputs are set here; optional
    // inputs such as tactics/techniques (see Inputs below) classify the rule.
    var alertRule = new Azure.Sentinel.AlertRuleNrt("exampleAlertRuleNrt", new Azure.Sentinel.AlertRuleNrtArgs
    {
        LogAnalyticsWorkspaceId = onboarding.WorkspaceId,
        DisplayName = "example",
        Severity = "High",
        Query = nrtQuery,
    });
});
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/operationalinsights"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/sentinel"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource group that hosts the Log Analytics workspace.
		rg, err := core.NewResourceGroup(ctx, "exampleResourceGroup", &core.ResourceGroupArgs{
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}

		// Log Analytics workspace placed in that resource group.
		workspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "exampleAnalyticsWorkspace", &operationalinsights.AnalyticsWorkspaceArgs{
			Location:          rg.Location,
			ResourceGroupName: rg.Name,
			Sku:               pulumi.String("pergb2018"),
		})
		if err != nil {
			return err
		}

		// Enables Sentinel on the workspace; the rule below takes its workspace ID
		// from this resource rather than from the workspace itself.
		onboarding, err := sentinel.NewLogAnalyticsWorkspaceOnboarding(ctx, "exampleLogAnalyticsWorkspaceOnboarding", &sentinel.LogAnalyticsWorkspaceOnboardingArgs{
			WorkspaceId: workspace.ID(),
		})
		if err != nil {
			return err
		}

		// KQL evaluated by the near-real-time rule. A raw string literal keeps the
		// embedded double quotes and line breaks readable; the trailing newline is
		// part of the value.
		const nrtQuery = `AzureActivity |
 where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
 where ActivityStatus == "Succeeded" |
 make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
`

		// The NRT alert rule itself. Only the required inputs are set here; optional
		// inputs such as tactics/techniques (see Inputs below) classify the rule.
		_, err = sentinel.NewAlertRuleNrt(ctx, "exampleAlertRuleNrt", &sentinel.AlertRuleNrtArgs{
			LogAnalyticsWorkspaceId: onboarding.WorkspaceId,
			DisplayName:             pulumi.String("example"),
			Severity:                pulumi.String("High"),
			Query:                   pulumi.String(nrtQuery),
		})
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboarding;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboardingArgs;
import com.pulumi.azure.sentinel.AlertRuleNrt;
import com.pulumi.azure.sentinel.AlertRuleNrtArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
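/**
 * Example Pulumi program that provisions a Sentinel near-real-time (NRT) alert rule.
 *
 * <p>Resources are declared in dependency order: a resource group, a Log Analytics
 * workspace inside it, the Sentinel onboarding of that workspace, and finally the NRT
 * rule, whose workspace ID is taken from the onboarding resource.
 */
public class App {
    /**
     * Program entry point; hands the stack definition to the Pulumi runtime.
     *
     * @param args command-line arguments, unused
     */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources of the stack.
     *
     * @param ctx the deployment context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        // Resource group that hosts the Log Analytics workspace.
        var exampleResourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()
            .location("West Europe")
            .build());

        // Log Analytics workspace placed in that resource group.
        var exampleAnalyticsWorkspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()
            .location(exampleResourceGroup.location())
            .resourceGroupName(exampleResourceGroup.name())
            .sku("pergb2018")
            .build());

        // Enables Sentinel on the workspace; the rule below reads its workspace ID
        // from this resource rather than from the workspace itself.
        var exampleLogAnalyticsWorkspaceOnboarding = new LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", LogAnalyticsWorkspaceOnboardingArgs.builder()
            .workspaceId(exampleAnalyticsWorkspace.id())
            .build());

        // The rule object is not referenced again, so it is not bound to a local;
        // registering the resource is the only effect needed here. Only the required
        // inputs are set; optional inputs such as tactics/techniques (see Inputs
        // below) classify the rule.
        new AlertRuleNrt("exampleAlertRuleNrt", AlertRuleNrtArgs.builder()
            .logAnalyticsWorkspaceId(exampleLogAnalyticsWorkspaceOnboarding.workspaceId())
            .displayName("example")
            .severity("High")
            // KQL the rule evaluates; a text block keeps the embedded quotes unescaped.
            .query("""
                AzureActivity |
                 where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
                 where ActivityStatus == "Succeeded" |
                 make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
                """)
            .build());
    }
}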
import pulumi
import pulumi_azure as azure
# Resource group that hosts the Log Analytics workspace.
example_resource_group = azure.core.ResourceGroup(
    "exampleResourceGroup",
    location="West Europe",
)

# Log Analytics workspace placed in that resource group.
example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace(
    "exampleAnalyticsWorkspace",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    sku="pergb2018",
)

# Enables Sentinel on the workspace; the rule below takes its workspace ID from
# this resource rather than from the workspace itself.
example_log_analytics_workspace_onboarding = azure.sentinel.LogAnalyticsWorkspaceOnboarding(
    "exampleLogAnalyticsWorkspaceOnboarding",
    workspace_id=example_analytics_workspace.id,
)

# KQL evaluated by the near-real-time rule, one pipeline stage per line; the
# trailing newline is part of the value.
_NRT_QUERY = (
    "AzureActivity |\n"
    ' where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |\n'
    ' where ActivityStatus == "Succeeded" |\n'
    " make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller\n"
)

# The NRT alert rule itself. Only the required inputs are set here; optional
# inputs such as tactics/techniques (see Inputs below) classify the rule.
example_alert_rule_nrt = azure.sentinel.AlertRuleNrt(
    "exampleAlertRuleNrt",
    log_analytics_workspace_id=example_log_analytics_workspace_onboarding.workspace_id,
    display_name="example",
    severity="High",
    query=_NRT_QUERY,
)
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
// Resource group that hosts the Log Analytics workspace.
const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {
    location: "West Europe",
});

// Log Analytics workspace placed in that resource group.
const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    sku: "pergb2018",
});

// Enables Sentinel on the workspace; the rule below takes its workspace ID from
// this resource rather than from the workspace itself.
const exampleLogAnalyticsWorkspaceOnboarding = new azure.sentinel.LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", {
    workspaceId: exampleAnalyticsWorkspace.id,
});

// KQL evaluated by the near-real-time rule, one pipeline stage per line. The
// empty last element yields the trailing newline that is part of the value.
const nrtQuery = [
    "AzureActivity |",
    ' where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |',
    ' where ActivityStatus == "Succeeded" |',
    " make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller",
    "",
].join("\n");

// The NRT alert rule itself. Only the required inputs are set here; optional
// inputs such as tactics/techniques (see Inputs below) classify the rule.
const exampleAlertRuleNrt = new azure.sentinel.AlertRuleNrt("exampleAlertRuleNrt", {
    logAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.workspaceId,
    displayName: "example",
    severity: "High",
    query: nrtQuery,
});
resources:
  # Resource group that hosts the Log Analytics workspace.
  exampleResourceGroup:
    type: azure:core:ResourceGroup
    properties:
      location: West Europe
  # Log Analytics workspace placed in that resource group.
  exampleAnalyticsWorkspace:
    type: azure:operationalinsights:AnalyticsWorkspace
    properties:
      location: ${exampleResourceGroup.location}
      resourceGroupName: ${exampleResourceGroup.name}
      sku: pergb2018
  # Enables Sentinel on the workspace; the rule below takes its workspace ID
  # from this resource rather than from the workspace itself.
  exampleLogAnalyticsWorkspaceOnboarding:
    type: azure:sentinel:LogAnalyticsWorkspaceOnboarding
    properties:
      workspaceId: ${exampleAnalyticsWorkspace.id}
  # The NRT alert rule itself. Only the required inputs are set here; optional
  # inputs such as tactics/techniques (see Inputs below) classify the rule.
  exampleAlertRuleNrt:
    type: azure:sentinel:AlertRuleNrt
    properties:
      logAnalyticsWorkspaceId: ${exampleLogAnalyticsWorkspaceOnboarding.workspaceId}
      displayName: example
      severity: High
      # KQL evaluated by the rule; a literal block scalar keeps it multi-line.
      query: |
        AzureActivity |
         where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
         where ActivityStatus == "Succeeded" |
         make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
Create AlertRuleNrt Resource
new AlertRuleNrt(name: string, args: AlertRuleNrtArgs, opts?: CustomResourceOptions);
@overload
def AlertRuleNrt(resource_name: str,
opts: Optional[ResourceOptions] = None,
alert_details_overrides: Optional[Sequence[AlertRuleNrtAlertDetailsOverrideArgs]] = None,
alert_rule_template_guid: Optional[str] = None,
alert_rule_template_version: Optional[str] = None,
custom_details: Optional[Mapping[str, str]] = None,
description: Optional[str] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
entity_mappings: Optional[Sequence[AlertRuleNrtEntityMappingArgs]] = None,
event_grouping: Optional[AlertRuleNrtEventGroupingArgs] = None,
incident: Optional[AlertRuleNrtIncidentArgs] = None,
log_analytics_workspace_id: Optional[str] = None,
name: Optional[str] = None,
query: Optional[str] = None,
sentinel_entity_mappings: Optional[Sequence[AlertRuleNrtSentinelEntityMappingArgs]] = None,
severity: Optional[str] = None,
suppression_duration: Optional[str] = None,
suppression_enabled: Optional[bool] = None,
tactics: Optional[Sequence[str]] = None,
techniques: Optional[Sequence[str]] = None)
@overload
def AlertRuleNrt(resource_name: str,
args: AlertRuleNrtArgs,
opts: Optional[ResourceOptions] = None)
func NewAlertRuleNrt(ctx *Context, name string, args AlertRuleNrtArgs, opts ...ResourceOption) (*AlertRuleNrt, error)
public AlertRuleNrt(string name, AlertRuleNrtArgs args, CustomResourceOptions? opts = null)
public AlertRuleNrt(String name, AlertRuleNrtArgs args)
public AlertRuleNrt(String name, AlertRuleNrtArgs args, CustomResourceOptions options)
type: azure:sentinel:AlertRuleNrt
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AlertRuleNrtArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AlertRuleNrtArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AlertRuleNrtArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AlertRuleNrtArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AlertRuleNrtArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
AlertRuleNrt Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The AlertRuleNrt resource accepts the following input properties:
- DisplayName string — The friendly name of this Sentinel NRT Alert Rule.
- LogAnalyticsWorkspaceId string — The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Query string — The query of this Sentinel NRT Alert Rule.
- Severity string — The alert severity of this Sentinel NRT Alert Rule. Possible values are `High`, `Medium`, `Low` and `Informational`.
- AlertDetailsOverrides List<AlertRuleNrtAlertDetailsOverride> — An `alert_details_override` block as defined below.
- AlertRuleTemplateGuid string — The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- AlertRuleTemplateVersion string — The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- CustomDetails Dictionary<string, string> — A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- Description string — The description of this Sentinel NRT Alert Rule.
- Enabled bool — Should the Sentinel NRT Alert Rule be enabled? Defaults to `true`.
- EntityMappings List<AlertRuleNrtEntityMapping> — A list of `entity_mapping` blocks as defined below.
- EventGrouping AlertRuleNrtEventGrouping — An `event_grouping` block as defined below. NOTE: `event_grouping` will be required in the next major version of the AzureRM Provider.
- Incident AlertRuleNrtIncident — An `incident` block as defined below.
- Name string — The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- SentinelEntityMappings List<AlertRuleNrtSentinelEntityMapping> — A list of `sentinel_entity_mapping` blocks as defined below. NOTE: `entity_mapping` and `sentinel_entity_mapping` together can't exceed 5.
- SuppressionDuration string — If `suppression_enabled` is `true`, this is the ISO 8601 timespan duration, which specifies the amount of time the query should stop running after an alert is generated. Defaults to `PT5H`.
- SuppressionEnabled bool — Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to `false`.
- Tactics List<string> — A list of categories of attacks by which to classify the rule. Possible values are `Collection`, `CommandAndControl`, `CredentialAccess`, `DefenseEvasion`, `Discovery`, `Execution`, `Exfiltration`, `Impact`, `InitialAccess`, `LateralMovement`, `Persistence`, `PrivilegeEscalation` and `PreAttack`.
- Techniques List<string> — A list of techniques of attacks by which to classify the rule.
- Display
Name string The friendly name of this Sentinel NRT Alert Rule.
- Log
Analytics stringWorkspace Id The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Query string
The query of this Sentinel NRT Alert Rule.
- Severity string
The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
.- Alert
Details []AlertOverrides Rule Nrt Alert Details Override Args An
alert_details_override
block as defined below.- Alert
Rule stringTemplate Guid The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Alert
Rule stringTemplate Version The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Custom
Details map[string]string A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- Description string
The description of this Sentinel NRT Alert Rule.
- Enabled bool
Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
.- Entity
Mappings []AlertRule Nrt Entity Mapping Args A list of
entity_mapping
blocks as defined below.- Event
Grouping AlertRule Nrt Event Grouping Args A
event_grouping
block as defined below.NOTE:
event_grouping
will be required in the next major version of the AzureRM Provider.- Incident
Alert
Rule Nrt Incident Args A
incident
block as defined below.- Name string
The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Sentinel
Entity []AlertMappings Rule Nrt Sentinel Entity Mapping Args A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
andsentinel_entity_mapping
together can't exceed 5.- Suppression
Duration string If
suppression_enabled
istrue
, this is the ISO 8601 timespan duration, which specifies the amount of time the query should stop running after an alert is generated. Defaults to `PT5H`
.- Suppression
Enabled bool Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to
false
.- Tactics []string
A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
andPreAttack
.- Techniques []string
A list of techniques of attacks by which to classify the rule.
- display
Name String The friendly name of this Sentinel NRT Alert Rule.
- log
Analytics StringWorkspace Id The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query String
The query of this Sentinel NRT Alert Rule.
- severity String
The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
.- alert
Details List<AlertOverrides Rule Nrt Alert Details Override> An
alert_details_override
block as defined below.- alert
Rule StringTemplate Guid The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alert
Rule StringTemplate Version The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- custom
Details Map<String,String> A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description String
The description of this Sentinel NRT Alert Rule.
- enabled Boolean
Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
.- entity
Mappings List<AlertRule Nrt Entity Mapping> A list of
entity_mapping
blocks as defined below.- event
Grouping AlertRule Nrt Event Grouping A
event_grouping
block as defined below.NOTE:
event_grouping
will be required in the next major version of the AzureRM Provider.- incident
Alert
Rule Nrt Incident A
incident
block as defined below.- name String
The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- sentinel
Entity List<AlertMappings Rule Nrt Sentinel Entity Mapping> A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
andsentinel_entity_mapping
together can't exceed 5.- suppression
Duration String If
suppression_enabled
istrue
, this is the ISO 8601 timespan duration, which specifies the amount of time the query should stop running after an alert is generated. Defaults to `PT5H`
.- suppression
Enabled Boolean Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to
false
.- tactics List<String>
A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
andPreAttack
.- techniques List<String>
A list of techniques of attacks by which to classify the rule.
- display
Name string The friendly name of this Sentinel NRT Alert Rule.
- log
Analytics stringWorkspace Id The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query string
The query of this Sentinel NRT Alert Rule.
- severity string
The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
.- alert
Details AlertOverrides Rule Nrt Alert Details Override[] An
alert_details_override
block as defined below.- alert
Rule stringTemplate Guid The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alert
Rule stringTemplate Version The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- custom
Details {[key: string]: string} A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description string
The description of this Sentinel NRT Alert Rule.
- enabled boolean
Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
.- entity
Mappings AlertRule Nrt Entity Mapping[] A list of
entity_mapping
blocks as defined below.- event
Grouping AlertRule Nrt Event Grouping A
event_grouping
block as defined below.NOTE:
event_grouping
will be required in the next major version of the AzureRM Provider.- incident
Alert
Rule Nrt Incident A
incident
block as defined below.- name string
The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- sentinel
Entity AlertMappings Rule Nrt Sentinel Entity Mapping[] A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
andsentinel_entity_mapping
together can't exceed 5.- suppression
Duration string If
suppression_enabled
istrue
, this is the ISO 8601 timespan duration, which specifies the amount of time the query should stop running after an alert is generated. Defaults to `PT5H`
.- suppression
Enabled boolean Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to
false
.- tactics string[]
A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
andPreAttack
.- techniques string[]
A list of techniques of attacks by which to classify the rule.
- display_
name str The friendly name of this Sentinel NRT Alert Rule.
- log_
analytics_ strworkspace_ id The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query str
The query of this Sentinel NRT Alert Rule.
- severity str
The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
.- alert_
details_ Sequence[Alertoverrides Rule Nrt Alert Details Override Args] An
alert_details_override
block as defined below.- alert_
rule_ strtemplate_ guid The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alert_
rule_ strtemplate_ version The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- custom_
details Mapping[str, str] A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description str
The description of this Sentinel NRT Alert Rule.
- enabled bool
Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
.- entity_
mappings Sequence[AlertRule Nrt Entity Mapping Args] A list of
entity_mapping
blocks as defined below.- event_
grouping AlertRule Nrt Event Grouping Args A
event_grouping
block as defined below.NOTE:
event_grouping
will be required in the next major version of the AzureRM Provider.- incident
Alert
Rule Nrt Incident Args A
incident
block as defined below.- name str
The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- sentinel_
entity_ Sequence[Alertmappings Rule Nrt Sentinel Entity Mapping Args] A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
andsentinel_entity_mapping
together can't exceed 5.- suppression_
duration str If
suppression_enabled
istrue
, this is the ISO 8601 timespan duration, which specifies the amount of time the query should stop running after an alert is generated. Defaults to `PT5H`
.- suppression_
enabled bool Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to
false
.- tactics Sequence[str]
A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
andPreAttack
.- techniques Sequence[str]
A list of techniques of attacks by which to classify the rule.
- display
Name String The friendly name of this Sentinel NRT Alert Rule.
- log
Analytics StringWorkspace Id The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query String
The query of this Sentinel NRT Alert Rule.
- severity String
The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
.- alert
Details List<Property Map>Overrides An
alert_details_override
block as defined below.- alert
Rule StringTemplate Guid The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alert
Rule StringTemplate Version The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- custom
Details Map<String> A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description String
The description of this Sentinel NRT Alert Rule.
- enabled Boolean
Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
.- entity
Mappings List<Property Map> A list of
entity_mapping
blocks as defined below.- event
Grouping Property Map A
event_grouping
block as defined below.NOTE:
event_grouping
will be required in the next major version of the AzureRM Provider.- incident Property Map
A
incident
block as defined below.- name String
The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- sentinel
Entity List<Property Map>Mappings A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
andsentinel_entity_mapping
together can't exceed 5.- suppression
Duration String If
suppression_enabled
istrue
, this is the ISO 8601 timespan duration, which specifies the amount of time the query should stop running after an alert is generated. Defaults to `PT5H`
.- suppression
Enabled Boolean Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to
false
.- tactics List<String>
A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
andPreAttack
.- techniques List<String>
A list of techniques of attacks by which to classify the rule.
Outputs
All input properties are implicitly available as output properties. Additionally, the AlertRuleNrt resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Id string
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
- id string
The provider-assigned unique ID for this managed resource.
- id str
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
Look up Existing AlertRuleNrt Resource
Get an existing AlertRuleNrt resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AlertRuleNrtState, opts?: CustomResourceOptions): AlertRuleNrt
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
alert_details_overrides: Optional[Sequence[AlertRuleNrtAlertDetailsOverrideArgs]] = None,
alert_rule_template_guid: Optional[str] = None,
alert_rule_template_version: Optional[str] = None,
custom_details: Optional[Mapping[str, str]] = None,
description: Optional[str] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
entity_mappings: Optional[Sequence[AlertRuleNrtEntityMappingArgs]] = None,
event_grouping: Optional[AlertRuleNrtEventGroupingArgs] = None,
incident: Optional[AlertRuleNrtIncidentArgs] = None,
log_analytics_workspace_id: Optional[str] = None,
name: Optional[str] = None,
query: Optional[str] = None,
sentinel_entity_mappings: Optional[Sequence[AlertRuleNrtSentinelEntityMappingArgs]] = None,
severity: Optional[str] = None,
suppression_duration: Optional[str] = None,
suppression_enabled: Optional[bool] = None,
tactics: Optional[Sequence[str]] = None,
techniques: Optional[Sequence[str]] = None) -> AlertRuleNrt
func GetAlertRuleNrt(ctx *Context, name string, id IDInput, state *AlertRuleNrtState, opts ...ResourceOption) (*AlertRuleNrt, error)
public static AlertRuleNrt Get(string name, Input<string> id, AlertRuleNrtState? state, CustomResourceOptions? opts = null)
public static AlertRuleNrt get(String name, Output<String> id, AlertRuleNrtState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Alert
Details List<AlertOverrides Rule Nrt Alert Details Override> An
alert_details_override
block as defined below.- Alert
Rule stringTemplate Guid The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Alert
Rule stringTemplate Version The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Custom
Details Dictionary<string, string> A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- Description string
The description of this Sentinel NRT Alert Rule.
- Display
Name string The friendly name of this Sentinel NRT Alert Rule.
- Enabled bool
Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
.- Entity
Mappings List<AlertRule Nrt Entity Mapping> A list of
entity_mapping
blocks as defined below.- Event
Grouping AlertRule Nrt Event Grouping An
event_grouping
block as defined below.NOTE:
event_grouping
will be required in the next major version of the AzureRM Provider.- Incident
Alert
Rule Nrt Incident An
incident
block as defined below.- Log
Analytics stringWorkspace Id The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Name string
The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Query string
The query of this Sentinel NRT Alert Rule.
- Sentinel
Entity List<AlertMappings Rule Nrt Sentinel Entity Mapping> A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
andsentinel_entity_mapping
together can't exceed 5.- Severity string
The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
.- Suppression
Duration string If
suppression_enabled
istrue
, this is the ISO 8601 timespan duration specifying how long the query should stop running after an alert is generated. Defaults to PT5H
.- Suppression
Enabled bool Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to
false
.- Tactics List<string>
A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
andPreAttack
.- Techniques List<string>
A list of techniques of attacks by which to classify the rule.
- Alert
Details []AlertOverrides Rule Nrt Alert Details Override Args An
alert_details_override
block as defined below.- Alert
Rule stringTemplate Guid The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Alert
Rule stringTemplate Version The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Custom
Details map[string]string A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- Description string
The description of this Sentinel NRT Alert Rule.
- Display
Name string The friendly name of this Sentinel NRT Alert Rule.
- Enabled bool
Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
.- Entity
Mappings []AlertRule Nrt Entity Mapping Args A list of
entity_mapping
blocks as defined below.- Event
Grouping AlertRule Nrt Event Grouping Args An
event_grouping
block as defined below.NOTE:
event_grouping
will be required in the next major version of the AzureRM Provider.- Incident
Alert
Rule Nrt Incident Args An
incident
block as defined below.- Log
Analytics stringWorkspace Id The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Name string
The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Query string
The query of this Sentinel NRT Alert Rule.
- Sentinel
Entity []AlertMappings Rule Nrt Sentinel Entity Mapping Args A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
andsentinel_entity_mapping
together can't exceed 5.- Severity string
The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
.- Suppression
Duration string If
suppression_enabled
istrue
, this is the ISO 8601 timespan duration specifying how long the query should stop running after an alert is generated. Defaults to PT5H
.- Suppression
Enabled bool Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to
false
.- Tactics []string
A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
andPreAttack
.- Techniques []string
A list of techniques of attacks by which to classify the rule.
- alert
Details List<AlertOverrides Rule Nrt Alert Details Override> An
alert_details_override
block as defined below.- alert
Rule StringTemplate Guid The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alert
Rule StringTemplate Version The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- custom
Details Map<String,String> A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description String
The description of this Sentinel NRT Alert Rule.
- display
Name String The friendly name of this Sentinel NRT Alert Rule.
- enabled Boolean
Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
.- entity
Mappings List<AlertRule Nrt Entity Mapping> A list of
entity_mapping
blocks as defined below.- event
Grouping AlertRule Nrt Event Grouping An
event_grouping
block as defined below.NOTE:
event_grouping
will be required in the next major version of the AzureRM Provider.- incident
Alert
Rule Nrt Incident An
incident
block as defined below.- log
Analytics StringWorkspace Id The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- name String
The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query String
The query of this Sentinel NRT Alert Rule.
- sentinel
Entity List<AlertMappings Rule Nrt Sentinel Entity Mapping> A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
andsentinel_entity_mapping
together can't exceed 5.- severity String
The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
.- suppression
Duration String If
suppression_enabled
istrue
, this is the ISO 8601 timespan duration specifying how long the query should stop running after an alert is generated. Defaults to PT5H
.- suppression
Enabled Boolean Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to
false
.- tactics List<String>
A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
andPreAttack
.- techniques List<String>
A list of techniques of attacks by which to classify the rule.
- alert
Details AlertOverrides Rule Nrt Alert Details Override[] An
alert_details_override
block as defined below.- alert
Rule stringTemplate Guid The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alert
Rule stringTemplate Version The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- custom
Details {[key: string]: string} A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description string
The description of this Sentinel NRT Alert Rule.
- display
Name string The friendly name of this Sentinel NRT Alert Rule.
- enabled boolean
Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
.- entity
Mappings AlertRule Nrt Entity Mapping[] A list of
entity_mapping
blocks as defined below.- event
Grouping AlertRule Nrt Event Grouping An
event_grouping
block as defined below.NOTE:
event_grouping
will be required in the next major version of the AzureRM Provider.- incident
Alert
Rule Nrt Incident An
incident
block as defined below.- log
Analytics stringWorkspace Id The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- name string
The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query string
The query of this Sentinel NRT Alert Rule.
- sentinel
Entity AlertMappings Rule Nrt Sentinel Entity Mapping[] A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
andsentinel_entity_mapping
together can't exceed 5.- severity string
The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
.- suppression
Duration string If
suppression_enabled
istrue
, this is the ISO 8601 timespan duration specifying how long the query should stop running after an alert is generated. Defaults to PT5H
.- suppression
Enabled boolean Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to
false
.- tactics string[]
A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
andPreAttack
.- techniques string[]
A list of techniques of attacks by which to classify the rule.
- alert_
details_ Sequence[Alertoverrides Rule Nrt Alert Details Override Args] An
alert_details_override
block as defined below.- alert_
rule_ strtemplate_ guid The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alert_
rule_ strtemplate_ version The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- custom_
details Mapping[str, str] A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description str
The description of this Sentinel NRT Alert Rule.
- display_
name str The friendly name of this Sentinel NRT Alert Rule.
- enabled bool
Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
.- entity_
mappings Sequence[AlertRule Nrt Entity Mapping Args] A list of
entity_mapping
blocks as defined below.- event_
grouping AlertRule Nrt Event Grouping Args An
event_grouping
block as defined below.NOTE:
event_grouping
will be required in the next major version of the AzureRM Provider.- incident
Alert
Rule Nrt Incident Args An
incident
block as defined below.- log_
analytics_ strworkspace_ id The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- name str
The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query str
The query of this Sentinel NRT Alert Rule.
- sentinel_
entity_ Sequence[Alertmappings Rule Nrt Sentinel Entity Mapping Args] A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
andsentinel_entity_mapping
together can't exceed 5.- severity str
The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
.- suppression_
duration str If
suppression_enabled
istrue
, this is the ISO 8601 timespan duration specifying how long the query should stop running after an alert is generated. Defaults to PT5H
.- suppression_
enabled bool Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to
false
.- tactics Sequence[str]
A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
andPreAttack
.- techniques Sequence[str]
A list of techniques of attacks by which to classify the rule.
- alert
Details List<Property Map>Overrides An
alert_details_override
block as defined below.- alert
Rule StringTemplate Guid The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alert
Rule StringTemplate Version The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- custom
Details Map<String> A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description String
The description of this Sentinel NRT Alert Rule.
- display
Name String The friendly name of this Sentinel NRT Alert Rule.
- enabled Boolean
Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
.- entity
Mappings List<Property Map> A list of
entity_mapping
blocks as defined below.- event
Grouping Property Map An
event_grouping
block as defined below.NOTE:
event_grouping
will be required in the next major version of the AzureRM Provider.- incident Property Map
An
incident
block as defined below.- log
Analytics StringWorkspace Id The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- name String
The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query String
The query of this Sentinel NRT Alert Rule.
- sentinel
Entity List<Property Map>Mappings A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
andsentinel_entity_mapping
together can't exceed 5.- severity String
The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
.- suppression
Duration String If
suppression_enabled
istrue
, this is the ISO 8601 timespan duration specifying how long the query should stop running after an alert is generated. Defaults to PT5H
.- suppression
Enabled Boolean Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to
false
.- tactics List<String>
A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
andPreAttack
.- techniques List<String>
A list of techniques of attacks by which to classify the rule.
Supporting Types
AlertRuleNrtAlertDetailsOverride, AlertRuleNrtAlertDetailsOverrideArgs
- Description
Format string The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- Display
Name stringFormat The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- Dynamic
Properties List<AlertRule Nrt Alert Details Override Dynamic Property> A list of
dynamic_property
blocks as defined below.- Severity
Column stringName The column name to take the alert severity from.
- Tactics
Column stringName The column name to take the alert tactics from.
- Description
Format string The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- Display
Name stringFormat The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- Dynamic
Properties []AlertRule Nrt Alert Details Override Dynamic Property A list of
dynamic_property
blocks as defined below.- Severity
Column stringName The column name to take the alert severity from.
- Tactics
Column stringName The column name to take the alert tactics from.
- description
Format String The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- display
Name StringFormat The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- dynamic
Properties List<AlertRule Nrt Alert Details Override Dynamic Property> A list of
dynamic_property
blocks as defined below.- severity
Column StringName The column name to take the alert severity from.
- tactics
Column StringName The column name to take the alert tactics from.
- description
Format string The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- display
Name stringFormat The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- dynamic
Properties AlertRule Nrt Alert Details Override Dynamic Property[] A list of
dynamic_property
blocks as defined below.- severity
Column stringName The column name to take the alert severity from.
- tactics
Column stringName The column name to take the alert tactics from.
- description_
format str The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- display_
name_ strformat The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- dynamic_
properties Sequence[AlertRule Nrt Alert Details Override Dynamic Property] A list of
dynamic_property
blocks as defined below.- severity_
column_ strname The column name to take the alert severity from.
- tactics_
column_ strname The column name to take the alert tactics from.
- description
Format String The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- display
Name StringFormat The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- dynamic
Properties List<Property Map> A list of
dynamic_property
blocks as defined below.- severity
Column StringName The column name to take the alert severity from.
- tactics
Column StringName The column name to take the alert tactics from.
AlertRuleNrtAlertDetailsOverrideDynamicProperty, AlertRuleNrtAlertDetailsOverrideDynamicPropertyArgs
- Name string
The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
.- Value string
The value of the dynamic property. Possible values are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
- Name string
The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
.- Value string
The value of the dynamic property. Possible values are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
- name String
The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
.- value String
The value of the dynamic property. Possible values are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
- name string
The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
.- value string
The value of the dynamic property. Possible values are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
- name str
The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
.- value str
The value of the dynamic property. Possible values are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
- name String
The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
.- value String
The value of the dynamic property. Possible values are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
AlertRuleNrtEntityMapping, AlertRuleNrtEntityMappingArgs
- Entity
Type string The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
.- Field
Mappings List<AlertRule Nrt Entity Mapping Field Mapping> A list of
field_mapping
blocks as defined below.
- Entity
Type string The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
.- Field
Mappings []AlertRule Nrt Entity Mapping Field Mapping A list of
field_mapping
blocks as defined below.
- entity
Type String The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
.- field
Mappings List<AlertRule Nrt Entity Mapping Field Mapping> A list of
field_mapping
blocks as defined below.
- entity
Type string The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
.- field
Mappings AlertRule Nrt Entity Mapping Field Mapping[] A list of
field_mapping
blocks as defined below.
- entity_
type str The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
.- field_
mappings Sequence[AlertRule Nrt Entity Mapping Field Mapping] A list of
field_mapping
blocks as defined below.
- entity
Type String The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
.- field
Mappings List<Property Map> A list of
field_mapping
blocks as defined below.
AlertRuleNrtEntityMappingFieldMapping, AlertRuleNrtEntityMappingFieldMappingArgs
- Column
Name string The column name to be mapped to the identifier.
- Identifier string
The identifier of the entity.
- Column
Name string The column name to be mapped to the identifier.
- Identifier string
The identifier of the entity.
- column
Name String The column name to be mapped to the identifier.
- identifier String
The identifier of the entity.
- column
Name string The column name to be mapped to the identifier.
- identifier string
The identifier of the entity.
- column_
name str The column name to be mapped to the identifier.
- identifier str
The identifier of the entity.
- column
Name String The column name to be mapped to the identifier.
- identifier String
The identifier of the entity.
AlertRuleNrtEventGrouping, AlertRuleNrtEventGroupingArgs
- Aggregation
Method string The aggregation type of grouping the events. Possible values are
AlertPerResult
andSingleAlert
.
- Aggregation
Method string The aggregation type of grouping the events. Possible values are
AlertPerResult
andSingleAlert
.
- aggregation
Method String The aggregation type of grouping the events. Possible values are
AlertPerResult
andSingleAlert
.
- aggregation
Method string The aggregation type of grouping the events. Possible values are
AlertPerResult
andSingleAlert
.
- aggregation_
method str The aggregation type of grouping the events. Possible values are
AlertPerResult
andSingleAlert
.
- aggregation
Method String The aggregation type of grouping the events. Possible values are
AlertPerResult
andSingleAlert
.
AlertRuleNrtIncident, AlertRuleNrtIncidentArgs
- Create
Incident boolEnabled Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
- Grouping
Alert
Rule Nrt Incident Grouping A
grouping
block as defined below.
- Create
Incident boolEnabled Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
- Grouping
Alert
Rule Nrt Incident Grouping A
grouping
block as defined below.
- create
Incident BooleanEnabled Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
- grouping
Alert
Rule Nrt Incident Grouping A
grouping
block as defined below.
- create
Incident booleanEnabled Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
- grouping
Alert
Rule Nrt Incident Grouping A
grouping
block as defined below.
- create_
incident_ boolenabled Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
- grouping
Alert
Rule Nrt Incident Grouping A
grouping
block as defined below.
- create
Incident BooleanEnabled Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
- grouping Property Map
A
grouping
block as defined below.
AlertRuleNrtIncidentGrouping, AlertRuleNrtIncidentGroupingArgs
- By
Alert List<string>Details A list of alert details to group by, only when the
entity_matching_method
isSelected
. Possible values areDisplayName
andSeverity
.- By
Custom List<string>Details A list of custom details keys to group by, only when the
entity_matching_method
isSelected
. Only keys defined in thecustom_details
may be used.- By
Entities List<string> A list of entity types to group by, only when the
entity_matching_method
isSelected
. Possible values areAccount
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
.- Enabled bool
Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to
true
.- Entity
Matching stringMethod The method used to group incidents. Possible values are
AnyAlert
,Selected
andAllEntities
. Defaults toAnyAlert
.- Lookback
Duration string Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to
PT5M
.- Reopen
Closed boolIncidents Whether to re-open closed matching incidents? Defaults to
false
.
- By
Alert []stringDetails A list of alert details to group by, only when the
entity_matching_method
isSelected
. Possible values areDisplayName
andSeverity
.- By
Custom []stringDetails A list of custom details keys to group by, only when the
entity_matching_method
isSelected
. Only keys defined in thecustom_details
may be used.- By
Entities []string A list of entity types to group by, only when the
entity_matching_method
isSelected
. Possible values areAccount
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
.- Enabled bool
Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to
true
.- Entity
Matching stringMethod The method used to group incidents. Possible values are
AnyAlert
,Selected
andAllEntities
. Defaults toAnyAlert
.- Lookback
Duration string Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to
PT5M
.- Reopen
Closed boolIncidents Whether to re-open closed matching incidents? Defaults to
false
.
- by
Alert List<String>Details A list of alert details to group by, only when the
entity_matching_method
isSelected
. Possible values areDisplayName
andSeverity
.- by
Custom List<String>Details A list of custom details keys to group by, only when the
entity_matching_method
isSelected
. Only keys defined in thecustom_details
may be used.- by
Entities List<String> A list of entity types to group by, only when the
entity_matching_method
isSelected
. Possible values areAccount
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
.- enabled Boolean
Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to
true
.- entity
Matching StringMethod The method used to group incidents. Possible values are
AnyAlert
,Selected
andAllEntities
. Defaults toAnyAlert
.- lookback
Duration String Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to
PT5M
.- reopen
Closed BooleanIncidents Whether to re-open closed matching incidents? Defaults to
false
.
- byAlertDetails string[] A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
- byCustomDetails string[] A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
- byEntities string[] A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
- enabled boolean Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
- entityMatchingMethod string The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
- lookbackDuration string Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
- reopenClosedIncidents boolean Whether to re-open closed matching incidents. Defaults to false.
- by_alert_details Sequence[str] A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
- by_custom_details Sequence[str] A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
- by_entities Sequence[str] A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
- enabled bool Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
- entity_matching_method str The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
- lookback_duration str Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
- reopen_closed_incidents bool Whether to re-open closed matching incidents. Defaults to false.
- byAlertDetails List<String> A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
- byCustomDetails List<String> A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
- byEntities List<String> A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
- enabled Boolean Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
- entityMatchingMethod String The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
- lookbackDuration String Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
- reopenClosedIncidents Boolean Whether to re-open closed matching incidents. Defaults to false.
AlertRuleNrtSentinelEntityMapping, AlertRuleNrtSentinelEntityMappingArgs
- ColumnName string The column name to be mapped to the identifier.
- ColumnName string The column name to be mapped to the identifier.
- columnName String The column name to be mapped to the identifier.
- columnName string The column name to be mapped to the identifier.
- column_name str The column name to be mapped to the identifier.
- columnName String The column name to be mapped to the identifier.
Import
Sentinel NRT Alert Rules can be imported using the resource id, e.g.
$ pulumi import azure:sentinel/alertRuleNrt:AlertRuleNrt example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1
Package Details
- Repository
- Azure Classic pulumi/pulumi-azure
- License
- Apache-2.0
- Notes
This Pulumi package is based on the azurerm Terraform Provider.