Azure Classic

Pulumi Official
Package maintained by Pulumi
v5.5.0 published on Wednesday, May 4, 2022 by Pulumi

AuthomationRule

Deprecated:

azure.sentinel.AuthomationRule has been deprecated in favor of azure.sentinel.AutomationRule

Manages a Sentinel Automation Rule.

Example Usage

using Pulumi;
using Azure = Pulumi.Azure;

class MyStack : Stack
{
    public MyStack()
    {
        var exampleResourceGroup = new Azure.Core.ResourceGroup("exampleResourceGroup", new Azure.Core.ResourceGroupArgs
        {
            Location = "west europe",
        });
        var exampleAnalyticsWorkspace = new Azure.OperationalInsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", new Azure.OperationalInsights.AnalyticsWorkspaceArgs
        {
            Location = exampleResourceGroup.Location,
            ResourceGroupName = exampleResourceGroup.Name,
            Sku = "pergb2018",
        });
        var sentinel = new Azure.OperationalInsights.AnalyticsSolution("sentinel", new Azure.OperationalInsights.AnalyticsSolutionArgs
        {
            SolutionName = "SecurityInsights",
            Location = exampleResourceGroup.Location,
            ResourceGroupName = exampleResourceGroup.Name,
            WorkspaceResourceId = exampleAnalyticsWorkspace.Id,
            WorkspaceName = exampleAnalyticsWorkspace.Name,
            Plan = new Azure.OperationalInsights.Inputs.AnalyticsSolutionPlanArgs
            {
                Publisher = "Microsoft",
                Product = "OMSGallery/SecurityInsights",
            },
        });
        var exampleAutomationRule = new Azure.Sentinel.AutomationRule("exampleAutomationRule", new Azure.Sentinel.AutomationRuleArgs
        {
            LogAnalyticsWorkspaceId = sentinel.WorkspaceResourceId,
            DisplayName = "automation_rule1",
            Order = 1,
            ActionIncidents = 
            {
                new Azure.Sentinel.Inputs.AutomationRuleActionIncidentArgs
                {
                    Order = 1,
                    Status = "Active",
                },
            },
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/operationalinsights"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/sentinel"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleResourceGroup, err := core.NewResourceGroup(ctx, "exampleResourceGroup", &core.ResourceGroupArgs{
			Location: pulumi.String("west europe"),
		})
		if err != nil {
			return err
		}
		exampleAnalyticsWorkspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "exampleAnalyticsWorkspace", &operationalinsights.AnalyticsWorkspaceArgs{
			Location:          exampleResourceGroup.Location,
			ResourceGroupName: exampleResourceGroup.Name,
			Sku:               pulumi.String("pergb2018"),
		})
		if err != nil {
			return err
		}
		sentinel, err := operationalinsights.NewAnalyticsSolution(ctx, "sentinel", &operationalinsights.AnalyticsSolutionArgs{
			SolutionName:        pulumi.String("SecurityInsights"),
			Location:            exampleResourceGroup.Location,
			ResourceGroupName:   exampleResourceGroup.Name,
			WorkspaceResourceId: exampleAnalyticsWorkspace.ID(),
			WorkspaceName:       exampleAnalyticsWorkspace.Name,
			Plan: &operationalinsights.AnalyticsSolutionPlanArgs{
				Publisher: pulumi.String("Microsoft"),
				Product:   pulumi.String("OMSGallery/SecurityInsights"),
			},
		})
		if err != nil {
			return err
		}
		_, err = sentinel.NewAutomationRule(ctx, "exampleAutomationRule", &sentinel.AutomationRuleArgs{
			LogAnalyticsWorkspaceId: sentinel.WorkspaceResourceId,
			DisplayName:             pulumi.String("automation_rule1"),
			Order:                   pulumi.Int(1),
			ActionIncidents: sentinel.AutomationRuleActionIncidentArray{
				&sentinel.AutomationRuleActionIncidentArgs{
					Order:  pulumi.Int(1),
					Status: pulumi.String("Active"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var exampleResourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()        
            .location("west europe")
            .build());

        var exampleAnalyticsWorkspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()        
            .location(exampleResourceGroup.getLocation())
            .resourceGroupName(exampleResourceGroup.getName())
            .sku("pergb2018")
            .build());

        var sentinel = new AnalyticsSolution("sentinel", AnalyticsSolutionArgs.builder()        
            .solutionName("SecurityInsights")
            .location(exampleResourceGroup.getLocation())
            .resourceGroupName(exampleResourceGroup.getName())
            .workspaceResourceId(exampleAnalyticsWorkspace.getId())
            .workspaceName(exampleAnalyticsWorkspace.getName())
            .plan(AnalyticsSolutionPlan.builder()
                .publisher("Microsoft")
                .product("OMSGallery/SecurityInsights")
                .build())
            .build());

        var exampleAutomationRule = new AutomationRule("exampleAutomationRule", AutomationRuleArgs.builder()        
            .logAnalyticsWorkspaceId(sentinel.getWorkspaceResourceId())
            .displayName("automation_rule1")
            .order(1)
            .actionIncidents(AutomationRuleActionIncident.builder()
                .order(1)
                .status("Active")
                .build())
            .build());

        }
}
import pulumi
import pulumi_azure as azure

example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="west europe")
example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    sku="pergb2018")
sentinel = azure.operationalinsights.AnalyticsSolution("sentinel",
    solution_name="SecurityInsights",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    workspace_resource_id=example_analytics_workspace.id,
    workspace_name=example_analytics_workspace.name,
    plan=azure.operationalinsights.AnalyticsSolutionPlanArgs(
        publisher="Microsoft",
        product="OMSGallery/SecurityInsights",
    ))
example_automation_rule = azure.sentinel.AutomationRule("exampleAutomationRule",
    log_analytics_workspace_id=sentinel.workspace_resource_id,
    display_name="automation_rule1",
    order=1,
    action_incidents=[azure.sentinel.AutomationRuleActionIncidentArgs(
        order=1,
        status="Active",
    )])
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "west europe"});
const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    sku: "pergb2018",
});
const sentinel = new azure.operationalinsights.AnalyticsSolution("sentinel", {
    solutionName: "SecurityInsights",
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    workspaceResourceId: exampleAnalyticsWorkspace.id,
    workspaceName: exampleAnalyticsWorkspace.name,
    plan: {
        publisher: "Microsoft",
        product: "OMSGallery/SecurityInsights",
    },
});
const exampleAutomationRule = new azure.sentinel.AutomationRule("exampleAutomationRule", {
    logAnalyticsWorkspaceId: sentinel.workspaceResourceId,
    displayName: "automation_rule1",
    order: 1,
    actionIncidents: [{
        order: 1,
        status: "Active",
    }],
});
resources:
  exampleResourceGroup:
    type: azure:core:ResourceGroup
    properties:
      location: west europe
  exampleAnalyticsWorkspace:
    type: azure:operationalinsights:AnalyticsWorkspace
    properties:
      location: ${exampleResourceGroup.location}
      resourceGroupName: ${exampleResourceGroup.name}
      sku: pergb2018
  sentinel:
    type: azure:operationalinsights:AnalyticsSolution
    properties:
      solutionName: SecurityInsights
      location: ${exampleResourceGroup.location}
      resourceGroupName: ${exampleResourceGroup.name}
      workspaceResourceId: ${exampleAnalyticsWorkspace.id}
      workspaceName: ${exampleAnalyticsWorkspace.name}
      plan:
        publisher: Microsoft
        product: OMSGallery/SecurityInsights
  exampleAutomationRule:
    type: azure:sentinel:AutomationRule
    properties:
      logAnalyticsWorkspaceId: ${sentinel.workspaceResourceId}
      displayName: automation_rule1
      order: 1
      actionIncidents:
        - order: 1
          status: Active

Create a AuthomationRule Resource

new AuthomationRule(name: string, args: AuthomationRuleArgs, opts?: CustomResourceOptions);
@overload
def AuthomationRule(resource_name: str,
                    opts: Optional[ResourceOptions] = None,
                    action_incidents: Optional[Sequence[AuthomationRuleActionIncidentArgs]] = None,
                    action_playbooks: Optional[Sequence[AuthomationRuleActionPlaybookArgs]] = None,
                    conditions: Optional[Sequence[AuthomationRuleConditionArgs]] = None,
                    display_name: Optional[str] = None,
                    enabled: Optional[bool] = None,
                    expiration: Optional[str] = None,
                    log_analytics_workspace_id: Optional[str] = None,
                    name: Optional[str] = None,
                    order: Optional[int] = None)
@overload
def AuthomationRule(resource_name: str,
                    args: AuthomationRuleArgs,
                    opts: Optional[ResourceOptions] = None)
func NewAuthomationRule(ctx *Context, name string, args AuthomationRuleArgs, opts ...ResourceOption) (*AuthomationRule, error)
public AuthomationRule(string name, AuthomationRuleArgs args, CustomResourceOptions? opts = null)
public AuthomationRule(String name, AuthomationRuleArgs args)
public AuthomationRule(String name, AuthomationRuleArgs args, CustomResourceOptions options)
type: azure:sentinel:AuthomationRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args AuthomationRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AuthomationRuleArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AuthomationRuleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AuthomationRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AuthomationRuleArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

AuthomationRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AuthomationRule resource accepts the following input properties:

DisplayName string

The display name which should be used for this Sentinel Automation Rule.

LogAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

Order int

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

ActionIncidents List<AuthomationRuleActionIncidentArgs>

One or more action_incident blocks as defined below.

ActionPlaybooks List<AuthomationRuleActionPlaybookArgs>

One or more action_playbook blocks as defined below.

Conditions List<AuthomationRuleConditionArgs>

One or more condition blocks as defined below.

Enabled bool

Whether this Sentinel Automation Rule is enabled? Defaults to true.

Expiration string

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

Name string

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

DisplayName string

The display name which should be used for this Sentinel Automation Rule.

LogAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

Order int

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

ActionIncidents []AuthomationRuleActionIncidentArgs

One or more action_incident blocks as defined below.

ActionPlaybooks []AuthomationRuleActionPlaybookArgs

One or more action_playbook blocks as defined below.

Conditions []AuthomationRuleConditionArgs

One or more condition blocks as defined below.

Enabled bool

Whether this Sentinel Automation Rule is enabled? Defaults to true.

Expiration string

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

Name string

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

displayName String

The display name which should be used for this Sentinel Automation Rule.

logAnalyticsWorkspaceId String

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

order Integer

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

actionIncidents ListRuleActionIncidentArgs>

One or more action_incident blocks as defined below.

actionPlaybooks ListRuleActionPlaybookArgs>

One or more action_playbook blocks as defined below.

conditions ListRuleConditionArgs>

One or more condition blocks as defined below.

enabled Boolean

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration String

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

name String

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

displayName string

The display name which should be used for this Sentinel Automation Rule.

logAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

order number

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

actionIncidents AuthomationRuleActionIncidentArgs[]

One or more action_incident blocks as defined below.

actionPlaybooks AuthomationRuleActionPlaybookArgs[]

One or more action_playbook blocks as defined below.

conditions AuthomationRuleConditionArgs[]

One or more condition blocks as defined below.

enabled boolean

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration string

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

name string

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

display_name str

The display name which should be used for this Sentinel Automation Rule.

log_analytics_workspace_id str

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

order int

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

action_incidents Sequence[AuthomationRuleActionIncidentArgs]

One or more action_incident blocks as defined below.

action_playbooks Sequence[AuthomationRuleActionPlaybookArgs]

One or more action_playbook blocks as defined below.

conditions Sequence[AuthomationRuleConditionArgs]

One or more condition blocks as defined below.

enabled bool

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration str

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

name str

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

displayName String

The display name which should be used for this Sentinel Automation Rule.

logAnalyticsWorkspaceId String

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

order Number

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

actionIncidents List

One or more action_incident blocks as defined below.

actionPlaybooks List

One or more action_playbook blocks as defined below.

conditions List

One or more condition blocks as defined below.

enabled Boolean

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration String

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

name String

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

Outputs

All input properties are implicitly available as output properties. Additionally, the AuthomationRule resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up an Existing AuthomationRule Resource

Get an existing AuthomationRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AuthomationRuleState, opts?: CustomResourceOptions): AuthomationRule
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        action_incidents: Optional[Sequence[AuthomationRuleActionIncidentArgs]] = None,
        action_playbooks: Optional[Sequence[AuthomationRuleActionPlaybookArgs]] = None,
        conditions: Optional[Sequence[AuthomationRuleConditionArgs]] = None,
        display_name: Optional[str] = None,
        enabled: Optional[bool] = None,
        expiration: Optional[str] = None,
        log_analytics_workspace_id: Optional[str] = None,
        name: Optional[str] = None,
        order: Optional[int] = None) -> AuthomationRule
func GetAuthomationRule(ctx *Context, name string, id IDInput, state *AuthomationRuleState, opts ...ResourceOption) (*AuthomationRule, error)
public static AuthomationRule Get(string name, Input<string> id, AuthomationRuleState? state, CustomResourceOptions? opts = null)
public static AuthomationRule get(String name, Output<String> id, AuthomationRuleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
ActionIncidents List<AuthomationRuleActionIncidentArgs>

One or more action_incident blocks as defined below.

ActionPlaybooks List<AuthomationRuleActionPlaybookArgs>

One or more action_playbook blocks as defined below.

Conditions List<AuthomationRuleConditionArgs>

One or more condition blocks as defined below.

DisplayName string

The display name which should be used for this Sentinel Automation Rule.

Enabled bool

Whether this Sentinel Automation Rule is enabled? Defaults to true.

Expiration string

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

LogAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

Name string

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

Order int

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

ActionIncidents []AuthomationRuleActionIncidentArgs

One or more action_incident blocks as defined below.

ActionPlaybooks []AuthomationRuleActionPlaybookArgs

One or more action_playbook blocks as defined below.

Conditions []AuthomationRuleConditionArgs

One or more condition blocks as defined below.

DisplayName string

The display name which should be used for this Sentinel Automation Rule.

Enabled bool

Whether this Sentinel Automation Rule is enabled? Defaults to true.

Expiration string

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

LogAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

Name string

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

Order int

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

actionIncidents ListRuleActionIncidentArgs>

One or more action_incident blocks as defined below.

actionPlaybooks ListRuleActionPlaybookArgs>

One or more action_playbook blocks as defined below.

conditions ListRuleConditionArgs>

One or more condition blocks as defined below.

displayName String

The display name which should be used for this Sentinel Automation Rule.

enabled Boolean

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration String

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

logAnalyticsWorkspaceId String

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

name String

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

order Integer

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

actionIncidents AuthomationRuleActionIncidentArgs[]

One or more action_incident blocks as defined below.

actionPlaybooks AuthomationRuleActionPlaybookArgs[]

One or more action_playbook blocks as defined below.

conditions AuthomationRuleConditionArgs[]

One or more condition blocks as defined below.

displayName string

The display name which should be used for this Sentinel Automation Rule.

enabled boolean

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration string

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

logAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

name string

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

order number

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

action_incidents Sequence[AuthomationRuleActionIncidentArgs]

One or more action_incident blocks as defined below.

action_playbooks Sequence[AuthomationRuleActionPlaybookArgs]

One or more action_playbook blocks as defined below.

conditions Sequence[AuthomationRuleConditionArgs]

One or more condition blocks as defined below.

display_name str

The display name which should be used for this Sentinel Automation Rule.

enabled bool

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration str

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

log_analytics_workspace_id str

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

name str

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

order int

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

actionIncidents List

One or more action_incident blocks as defined below.

actionPlaybooks List

One or more action_playbook blocks as defined below.

conditions List

One or more condition blocks as defined below.

displayName String

The display name which should be used for this Sentinel Automation Rule.

enabled Boolean

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration String

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

logAnalyticsWorkspaceId String

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

name String

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

order Number

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

Supporting Types

AuthomationRuleActionIncident

Order int

The execution order of this action.

Classification string

The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.

ClassificationComment string

The comment why the incident is to be closed.

Labels List<string>

Specifies a list of labels to add to the incident.

OwnerId string

The object ID of the entity this incident is assigned to.

Severity string

The severity to add to the incident.

Status string

The status to set to the incident. Possible values are: Active, Closed, New.

Order int

The execution order of this action.

Classification string

The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.

ClassificationComment string

The comment why the incident is to be closed.

Labels []string

Specifies a list of labels to add to the incident.

OwnerId string

The object ID of the entity this incident is assigned to.

Severity string

The severity to add to the incident.

Status string

The status to set to the incident. Possible values are: Active, Closed, New.

order Integer

The execution order of this action.

classification String

The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.

classificationComment String

The comment why the incident is to be closed.

labels List

Specifies a list of labels to add to the incident.

ownerId String

The object ID of the entity this incident is assigned to.

severity String

The severity to add to the incident.

status String

The status to set to the incident. Possible values are: Active, Closed, New.

order number

The execution order of this action.

classification string

The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.

classificationComment string

The comment why the incident is to be closed.

labels string[]

Specifies a list of labels to add to the incident.

ownerId string

The object ID of the entity this incident is assigned to.

severity string

The severity to add to the incident.

status string

The status to set to the incident. Possible values are: Active, Closed, New.

order int

The execution order of this action.

classification str

The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.

classification_comment str

The comment why the incident is to be closed.

labels Sequence[str]

Specifies a list of labels to add to the incident.

owner_id str

The object ID of the entity this incident is assigned to.

severity str

The severity to add to the incident.

status str

The status to set to the incident. Possible values are: Active, Closed, New.

order Number

The execution order of this action.

classification String

The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.

classificationComment String

The comment why the incident is to be closed.

labels List

Specifies a list of labels to add to the incident.

ownerId String

The object ID of the entity this incident is assigned to.

severity String

The severity to add to the incident.

status String

The status to set to the incident. Possible values are: Active, Closed, New.

AuthomationRuleActionPlaybook

LogicAppId string

The ID of the Logic App that defines the playbook's logic.

Order int

The execution order of this action.

TenantId string

The ID of the Tenant that owns the playbook.

LogicAppId string

The ID of the Logic App that defines the playbook's logic.

Order int

The execution order of this action.

TenantId string

The ID of the Tenant that owns the playbook.

logicAppId String

The ID of the Logic App that defines the playbook's logic.

order Integer

The execution order of this action.

tenantId String

The ID of the Tenant that owns the playbook.

logicAppId string

The ID of the Logic App that defines the playbook's logic.

order number

The execution order of this action.

tenantId string

The ID of the Tenant that owns the playbook.

logic_app_id str

The ID of the Logic App that defines the playbook's logic.

order int

The execution order of this action.

tenant_id str

The ID of the Tenant that owns the playbook.

logicAppId String

The ID of the Logic App that defines the playbook's logic.

order Number

The execution order of this action.

tenantId String

The ID of the Tenant that owns the playbook.

AuthomationRuleCondition

Operator string

The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.

Property string

The property to use for evaluate the condition. Possible values include: AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentDescription, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData, Url.

Values List<string>

Specifies a list of values to use for evaluate the condition.

Operator string

The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.

Property string

The property to use for evaluate the condition. Possible values include: AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentDescription, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData, Url.

Values []string

Specifies a list of values to use for evaluate the condition.

operator String

The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.

property String

The property to use for evaluate the condition. Possible values include: AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentDescription, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData, Url.

values List

Specifies a list of values to use for evaluate the condition.

operator string

The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.

property string

The property to use for evaluate the condition. Possible values include: AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentDescription, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData, Url.

values string[]

Specifies a list of values to use for evaluate the condition.

operator str

The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.

property str

The property to use for evaluate the condition. Possible values include: AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentDescription, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData, Url.

values Sequence[str]

Specifies a list of values to use for evaluate the condition.

operator String

The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.

property String

The property to use for evaluate the condition. Possible values include: AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentDescription, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData, Url.

values List

Specifies a list of values to use for evaluate the condition.

Import

Sentinel Automation Rules can be imported using the resource id, e.g.

 $ pulumi import azure:sentinel/authomationRule:AuthomationRule example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/AutomationRules/rule1

Package Details

Repository
https://github.com/pulumi/pulumi-azure
License
Apache-2.0
Notes

This Pulumi package is based on the azurerm Terraform Provider.