Azure Classic v5.58.0, Dec 2 23

We recommend using Azure Native.

Azure Classic v5.58.0 published on Saturday, Dec 2, 2023 by Pulumi

pulumi/pulumi-azure

azure.sentinel.AuthomationRule

Explore with Pulumi AI

We recommend using Azure Native.

Azure Classic v5.58.0 published on Saturday, Dec 2, 2023 by Pulumi

pulumi/pulumi-azure

Example Usage

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() => 
{
    var exampleResourceGroup = new Azure.Core.ResourceGroup("exampleResourceGroup", new()
    {
        Location = "west europe",
    });

    var exampleAnalyticsWorkspace = new Azure.OperationalInsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", new()
    {
        Location = exampleResourceGroup.Location,
        ResourceGroupName = exampleResourceGroup.Name,
        Sku = "PerGB2018",
    });

    var exampleLogAnalyticsWorkspaceOnboarding = new Azure.Sentinel.LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", new()
    {
        WorkspaceId = exampleAnalyticsWorkspace.Id,
    });

    var exampleAutomationRule = new Azure.Sentinel.AutomationRule("exampleAutomationRule", new()
    {
        LogAnalyticsWorkspaceId = exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
        DisplayName = "automation_rule1",
        Order = 1,
        ActionIncidents = new[]
        {
            new Azure.Sentinel.Inputs.AutomationRuleActionIncidentArgs
            {
                Order = 1,
                Status = "Active",
            },
        },
    });

});

package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/operationalinsights"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/sentinel"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleResourceGroup, err := core.NewResourceGroup(ctx, "exampleResourceGroup", &core.ResourceGroupArgs{
			Location: pulumi.String("west europe"),
		})
		if err != nil {
			return err
		}
		exampleAnalyticsWorkspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "exampleAnalyticsWorkspace", &operationalinsights.AnalyticsWorkspaceArgs{
			Location:          exampleResourceGroup.Location,
			ResourceGroupName: exampleResourceGroup.Name,
			Sku:               pulumi.String("PerGB2018"),
		})
		if err != nil {
			return err
		}
		exampleLogAnalyticsWorkspaceOnboarding, err := sentinel.NewLogAnalyticsWorkspaceOnboarding(ctx, "exampleLogAnalyticsWorkspaceOnboarding", &sentinel.LogAnalyticsWorkspaceOnboardingArgs{
			WorkspaceId: exampleAnalyticsWorkspace.ID(),
		})
		if err != nil {
			return err
		}
		_, err = sentinel.NewAutomationRule(ctx, "exampleAutomationRule", &sentinel.AutomationRuleArgs{
			LogAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
			DisplayName:             pulumi.String("automation_rule1"),
			Order:                   pulumi.Int(1),
			ActionIncidents: sentinel.AutomationRuleActionIncidentArray{
				&sentinel.AutomationRuleActionIncidentArgs{
					Order:  pulumi.Int(1),
					Status: pulumi.String("Active"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboarding;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboardingArgs;
import com.pulumi.azure.sentinel.AutomationRule;
import com.pulumi.azure.sentinel.AutomationRuleArgs;
import com.pulumi.azure.sentinel.inputs.AutomationRuleActionIncidentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var exampleResourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()        
            .location("west europe")
            .build());

        var exampleAnalyticsWorkspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()        
            .location(exampleResourceGroup.location())
            .resourceGroupName(exampleResourceGroup.name())
            .sku("PerGB2018")
            .build());

        var exampleLogAnalyticsWorkspaceOnboarding = new LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", LogAnalyticsWorkspaceOnboardingArgs.builder()        
            .workspaceId(exampleAnalyticsWorkspace.id())
            .build());

        var exampleAutomationRule = new AutomationRule("exampleAutomationRule", AutomationRuleArgs.builder()        
            .logAnalyticsWorkspaceId(exampleLogAnalyticsWorkspaceOnboarding.workspaceId())
            .displayName("automation_rule1")
            .order(1)
            .actionIncidents(AutomationRuleActionIncidentArgs.builder()
                .order(1)
                .status("Active")
                .build())
            .build());

    }
}

import pulumi
import pulumi_azure as azure

example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="west europe")
example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    sku="PerGB2018")
example_log_analytics_workspace_onboarding = azure.sentinel.LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", workspace_id=example_analytics_workspace.id)
example_automation_rule = azure.sentinel.AutomationRule("exampleAutomationRule",
    log_analytics_workspace_id=example_log_analytics_workspace_onboarding.workspace_id,
    display_name="automation_rule1",
    order=1,
    action_incidents=[azure.sentinel.AutomationRuleActionIncidentArgs(
        order=1,
        status="Active",
    )])

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "west europe"});
const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    sku: "PerGB2018",
});
const exampleLogAnalyticsWorkspaceOnboarding = new azure.sentinel.LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", {workspaceId: exampleAnalyticsWorkspace.id});
const exampleAutomationRule = new azure.sentinel.AutomationRule("exampleAutomationRule", {
    logAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.workspaceId,
    displayName: "automation_rule1",
    order: 1,
    actionIncidents: [{
        order: 1,
        status: "Active",
    }],
});

resources:
  exampleResourceGroup:
    type: azure:core:ResourceGroup
    properties:
      location: west europe
  exampleAnalyticsWorkspace:
    type: azure:operationalinsights:AnalyticsWorkspace
    properties:
      location: ${exampleResourceGroup.location}
      resourceGroupName: ${exampleResourceGroup.name}
      sku: PerGB2018
  exampleLogAnalyticsWorkspaceOnboarding:
    type: azure:sentinel:LogAnalyticsWorkspaceOnboarding
    properties:
      workspaceId: ${exampleAnalyticsWorkspace.id}
  exampleAutomationRule:
    type: azure:sentinel:AutomationRule
    properties:
      logAnalyticsWorkspaceId: ${exampleLogAnalyticsWorkspaceOnboarding.workspaceId}
      displayName: automation_rule1
      order: 1
      actionIncidents:
        - order: 1
          status: Active

Create AuthomationRule Resource

new AuthomationRule(name: string, args: AuthomationRuleArgs, opts?: CustomResourceOptions);

@overload
def AuthomationRule(resource_name: str,
                    opts: Optional[ResourceOptions] = None,
                    action_incidents: Optional[Sequence[AuthomationRuleActionIncidentArgs]] = None,
                    action_playbooks: Optional[Sequence[AuthomationRuleActionPlaybookArgs]] = None,
                    condition_json: Optional[str] = None,
                    conditions: Optional[Sequence[AuthomationRuleConditionArgs]] = None,
                    display_name: Optional[str] = None,
                    enabled: Optional[bool] = None,
                    expiration: Optional[str] = None,
                    log_analytics_workspace_id: Optional[str] = None,
                    name: Optional[str] = None,
                    order: Optional[int] = None,
                    triggers_on: Optional[str] = None,
                    triggers_when: Optional[str] = None)
@overload
def AuthomationRule(resource_name: str,
                    args: AuthomationRuleArgs,
                    opts: Optional[ResourceOptions] = None)

func NewAuthomationRule(ctx *Context, name string, args AuthomationRuleArgs, opts ...ResourceOption) (*AuthomationRule, error)

public AuthomationRule(string name, AuthomationRuleArgs args, CustomResourceOptions? opts = null)

public AuthomationRule(String name, AuthomationRuleArgs args)
public AuthomationRule(String name, AuthomationRuleArgs args, CustomResourceOptions options)

type: azure:sentinel:AuthomationRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AuthomationRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args AuthomationRuleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AuthomationRuleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AuthomationRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args AuthomationRuleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

AuthomationRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AuthomationRule resource accepts the following input properties:

DisplayName string

The display name which should be used for this Sentinel Automation Rule.

LogAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

Order int

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

ActionIncidents List<AuthomationRuleActionIncident>

One or more action_incident blocks as defined below.

ActionPlaybooks List<AuthomationRuleActionPlaybook>

One or more action_playbook blocks as defined below.

Note: Either one action_incident block or action_playbook block has to be specified.

ConditionJson string

A JSON array of one or more condition JSON objects as is defined here.

Conditions List<AuthomationRuleCondition>

One or more condition blocks as defined below.

Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

Deprecated:

This is deprecated in favor of condition_json

Enabled bool

Whether this Sentinel Automation Rule is enabled? Defaults to true.

Expiration string

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

Name string

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

TriggersOn string

Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.

TriggersWhen string

Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.

DisplayName string

The display name which should be used for this Sentinel Automation Rule.

LogAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

Order int

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

ActionIncidents []AuthomationRuleActionIncidentArgs

One or more action_incident blocks as defined below.

ActionPlaybooks []AuthomationRuleActionPlaybookArgs

One or more action_playbook blocks as defined below.

Note: Either one action_incident block or action_playbook block has to be specified.

ConditionJson string

A JSON array of one or more condition JSON objects as is defined here.

Conditions []AuthomationRuleConditionArgs

One or more condition blocks as defined below.

Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

Deprecated:

This is deprecated in favor of condition_json

Enabled bool

Whether this Sentinel Automation Rule is enabled? Defaults to true.

Expiration string

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

Name string

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

TriggersOn string

Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.

TriggersWhen string

Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.

displayName String

The display name which should be used for this Sentinel Automation Rule.

logAnalyticsWorkspaceId String

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

order Integer

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

actionIncidents List<AuthomationRuleActionIncident>

One or more action_incident blocks as defined below.

actionPlaybooks List<AuthomationRuleActionPlaybook>

One or more action_playbook blocks as defined below.

Note: Either one action_incident block or action_playbook block has to be specified.

conditionJson String

A JSON array of one or more condition JSON objects as is defined here.

conditions List<AuthomationRuleCondition>

One or more condition blocks as defined below.

Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

Deprecated:

This is deprecated in favor of condition_json

enabled Boolean

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration String

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

name String

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

triggersOn String

Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.

triggersWhen String

Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.

displayName string

The display name which should be used for this Sentinel Automation Rule.

logAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

order number

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

actionIncidents AuthomationRuleActionIncident[]

One or more action_incident blocks as defined below.

actionPlaybooks AuthomationRuleActionPlaybook[]

One or more action_playbook blocks as defined below.

Note: Either one action_incident block or action_playbook block has to be specified.

conditionJson string

A JSON array of one or more condition JSON objects as is defined here.

conditions AuthomationRuleCondition[]

One or more condition blocks as defined below.

Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

Deprecated:

This is deprecated in favor of condition_json

enabled boolean

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration string

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

name string

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

triggersOn string

Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.

triggersWhen string

Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.

display_name str

The display name which should be used for this Sentinel Automation Rule.

log_analytics_workspace_id str

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

order int

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

action_incidents Sequence[AuthomationRuleActionIncidentArgs]

One or more action_incident blocks as defined below.

action_playbooks Sequence[AuthomationRuleActionPlaybookArgs]

One or more action_playbook blocks as defined below.

Note: Either one action_incident block or action_playbook block has to be specified.

condition_json str

A JSON array of one or more condition JSON objects as is defined here.

conditions Sequence[AuthomationRuleConditionArgs]

One or more condition blocks as defined below.

Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

Deprecated:

This is deprecated in favor of condition_json

enabled bool

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration str

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

name str

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

triggers_on str

Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.

triggers_when str

Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.

displayName String

The display name which should be used for this Sentinel Automation Rule.

logAnalyticsWorkspaceId String

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

order Number

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

actionIncidents List<Property Map>

One or more action_incident blocks as defined below.

actionPlaybooks List<Property Map>

One or more action_playbook blocks as defined below.

Note: Either one action_incident block or action_playbook block has to be specified.

conditionJson String

A JSON array of one or more condition JSON objects as is defined here.

conditions List<Property Map>

One or more condition blocks as defined below.

Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

Deprecated:

This is deprecated in favor of condition_json

enabled Boolean

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration String

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

name String

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

triggersOn String

Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.

triggersWhen String

Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.

Outputs

All input properties are implicitly available as output properties. Additionally, the AuthomationRule resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing AuthomationRule Resource

Get an existing AuthomationRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AuthomationRuleState, opts?: CustomResourceOptions): AuthomationRule

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        action_incidents: Optional[Sequence[AuthomationRuleActionIncidentArgs]] = None,
        action_playbooks: Optional[Sequence[AuthomationRuleActionPlaybookArgs]] = None,
        condition_json: Optional[str] = None,
        conditions: Optional[Sequence[AuthomationRuleConditionArgs]] = None,
        display_name: Optional[str] = None,
        enabled: Optional[bool] = None,
        expiration: Optional[str] = None,
        log_analytics_workspace_id: Optional[str] = None,
        name: Optional[str] = None,
        order: Optional[int] = None,
        triggers_on: Optional[str] = None,
        triggers_when: Optional[str] = None) -> AuthomationRule

func GetAuthomationRule(ctx *Context, name string, id IDInput, state *AuthomationRuleState, opts ...ResourceOption) (*AuthomationRule, error)

public static AuthomationRule Get(string name, Input<string> id, AuthomationRuleState? state, CustomResourceOptions? opts = null)

public static AuthomationRule get(String name, Output<String> id, AuthomationRuleState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

ActionIncidents List<AuthomationRuleActionIncident>

One or more action_incident blocks as defined below.

ActionPlaybooks List<AuthomationRuleActionPlaybook>

One or more action_playbook blocks as defined below.

Note: Either one action_incident block or action_playbook block has to be specified.

ConditionJson string

A JSON array of one or more condition JSON objects as is defined here.

Conditions List<AuthomationRuleCondition>

One or more condition blocks as defined below.

Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

Deprecated:

This is deprecated in favor of condition_json

DisplayName string

The display name which should be used for this Sentinel Automation Rule.

Enabled bool

Whether this Sentinel Automation Rule is enabled? Defaults to true.

Expiration string

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

LogAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

Name string

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

Order int

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

TriggersOn string

Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.

TriggersWhen string

Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.

ActionIncidents []AuthomationRuleActionIncidentArgs

One or more action_incident blocks as defined below.

ActionPlaybooks []AuthomationRuleActionPlaybookArgs

One or more action_playbook blocks as defined below.

Note: Either one action_incident block or action_playbook block has to be specified.

ConditionJson string

A JSON array of one or more condition JSON objects as is defined here.

Conditions []AuthomationRuleConditionArgs

One or more condition blocks as defined below.

Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

Deprecated:

This is deprecated in favor of condition_json

DisplayName string

The display name which should be used for this Sentinel Automation Rule.

Enabled bool

Whether this Sentinel Automation Rule is enabled? Defaults to true.

Expiration string

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

LogAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

Name string

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

Order int

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

TriggersOn string

Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.

TriggersWhen string

Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.

actionIncidents List<AuthomationRuleActionIncident>

One or more action_incident blocks as defined below.

actionPlaybooks List<AuthomationRuleActionPlaybook>

One or more action_playbook blocks as defined below.

Note: Either one action_incident block or action_playbook block has to be specified.

conditionJson String

A JSON array of one or more condition JSON objects as is defined here.

conditions List<AuthomationRuleCondition>

One or more condition blocks as defined below.

Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

Deprecated:

This is deprecated in favor of condition_json

displayName String

The display name which should be used for this Sentinel Automation Rule.

enabled Boolean

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration String

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

logAnalyticsWorkspaceId String

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

name String

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

order Integer

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

triggersOn String

Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.

triggersWhen String

Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.

actionIncidents AuthomationRuleActionIncident[]

One or more action_incident blocks as defined below.

actionPlaybooks AuthomationRuleActionPlaybook[]

One or more action_playbook blocks as defined below.

Note: Either one action_incident block or action_playbook block has to be specified.

conditionJson string

A JSON array of one or more condition JSON objects as is defined here.

conditions AuthomationRuleCondition[]

One or more condition blocks as defined below.

Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

Deprecated:

This is deprecated in favor of condition_json

displayName string

The display name which should be used for this Sentinel Automation Rule.

enabled boolean

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration string

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

logAnalyticsWorkspaceId string

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

name string

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

order number

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

triggersOn string

Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.

triggersWhen string

Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.

action_incidents Sequence[AuthomationRuleActionIncidentArgs]

One or more action_incident blocks as defined below.

action_playbooks Sequence[AuthomationRuleActionPlaybookArgs]

One or more action_playbook blocks as defined below.

Note: Either one action_incident block or action_playbook block has to be specified.

condition_json str

A JSON array of one or more condition JSON objects as is defined here.

conditions Sequence[AuthomationRuleConditionArgs]

One or more condition blocks as defined below.

Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

Deprecated:

This is deprecated in favor of condition_json

display_name str

The display name which should be used for this Sentinel Automation Rule.

enabled bool

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration str

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

log_analytics_workspace_id str

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

name str

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

order int

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

triggers_on str

Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.

triggers_when str

Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.

actionIncidents List<Property Map>

One or more action_incident blocks as defined below.

actionPlaybooks List<Property Map>

One or more action_playbook blocks as defined below.

Note: Either one action_incident block or action_playbook block has to be specified.

conditionJson String

A JSON array of one or more condition JSON objects as is defined here.

conditions List<Property Map>

One or more condition blocks as defined below.

Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

Deprecated:

This is deprecated in favor of condition_json

displayName String

The display name which should be used for this Sentinel Automation Rule.

enabled Boolean

Whether this Sentinel Automation Rule is enabled? Defaults to true.

expiration String

The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.

logAnalyticsWorkspaceId String

The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.

name String

The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.

order Number

The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.

triggersOn String

Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.

triggersWhen String

Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.

Supporting Types

AuthomationRuleActionIncident, AuthomationRuleActionIncidentArgs

Order int: The execution order of this action.
Classification string: The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.
Note: The classification is required when status is Closed.
ClassificationComment string: The comment why the incident is to be closed.
Note: The classification_comment is allowed to set only when status is Closed.
Labels List<string>: Specifies a list of labels to add to the incident.
OwnerId string: The object ID of the entity this incident is assigned to.
Severity string: The severity to add to the incident. Possible values are High, Informational, Low and Medium.
Note:: At least one of status, labels, owner_id and severity has to be set.
Status string: The status to set to the incident. Possible values are: Active, Closed, New.

Order int: The execution order of this action.
Classification string: The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.
Note: The classification is required when status is Closed.
ClassificationComment string: The comment why the incident is to be closed.
Note: The classification_comment is allowed to set only when status is Closed.
Labels []string: Specifies a list of labels to add to the incident.
OwnerId string: The object ID of the entity this incident is assigned to.
Severity string: The severity to add to the incident. Possible values are High, Informational, Low and Medium.
Note:: At least one of status, labels, owner_id and severity has to be set.
Status string: The status to set to the incident. Possible values are: Active, Closed, New.

order Integer: The execution order of this action.
classification String: The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.
Note: The classification is required when status is Closed.
classificationComment String: The comment why the incident is to be closed.
Note: The classification_comment is allowed to set only when status is Closed.
labels List<String>: Specifies a list of labels to add to the incident.
ownerId String: The object ID of the entity this incident is assigned to.
severity String: The severity to add to the incident. Possible values are High, Informational, Low and Medium.
Note:: At least one of status, labels, owner_id and severity has to be set.
status String: The status to set to the incident. Possible values are: Active, Closed, New.

order number: The execution order of this action.
classification string: The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.
Note: The classification is required when status is Closed.
classificationComment string: The comment why the incident is to be closed.
Note: The classification_comment is allowed to set only when status is Closed.
labels string[]: Specifies a list of labels to add to the incident.
ownerId string: The object ID of the entity this incident is assigned to.
severity string: The severity to add to the incident. Possible values are High, Informational, Low and Medium.
Note:: At least one of status, labels, owner_id and severity has to be set.
status string: The status to set to the incident. Possible values are: Active, Closed, New.

order int: The execution order of this action.
classification str: The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.
Note: The classification is required when status is Closed.
classification_comment str: The comment why the incident is to be closed.
Note: The classification_comment is allowed to set only when status is Closed.
labels Sequence[str]: Specifies a list of labels to add to the incident.
owner_id str: The object ID of the entity this incident is assigned to.
severity str: The severity to add to the incident. Possible values are High, Informational, Low and Medium.
Note:: At least one of status, labels, owner_id and severity has to be set.
status str: The status to set to the incident. Possible values are: Active, Closed, New.

order Number: The execution order of this action.
classification String: The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.
Note: The classification is required when status is Closed.
classificationComment String: The comment why the incident is to be closed.
Note: The classification_comment is allowed to set only when status is Closed.
labels List<String>: Specifies a list of labels to add to the incident.
ownerId String: The object ID of the entity this incident is assigned to.
severity String: The severity to add to the incident. Possible values are High, Informational, Low and Medium.
Note:: At least one of status, labels, owner_id and severity has to be set.
status String: The status to set to the incident. Possible values are: Active, Closed, New.

AuthomationRuleActionPlaybook, AuthomationRuleActionPlaybookArgs

LogicAppId string: The ID of the Logic App that defines the playbook's logic.
Order int: The execution order of this action.
TenantId string: The ID of the Tenant that owns the playbook.

LogicAppId string: The ID of the Logic App that defines the playbook's logic.
Order int: The execution order of this action.
TenantId string: The ID of the Tenant that owns the playbook.

logicAppId String: The ID of the Logic App that defines the playbook's logic.
order Integer: The execution order of this action.
tenantId String: The ID of the Tenant that owns the playbook.

logicAppId string: The ID of the Logic App that defines the playbook's logic.
order number: The execution order of this action.
tenantId string: The ID of the Tenant that owns the playbook.

logic_app_id str: The ID of the Logic App that defines the playbook's logic.
order int: The execution order of this action.
tenant_id str: The ID of the Tenant that owns the playbook.

logicAppId String: The ID of the Logic App that defines the playbook's logic.
order Number: The execution order of this action.
tenantId String: The ID of the Tenant that owns the playbook.

AuthomationRuleCondition, AuthomationRuleConditionArgs

Operator string: The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.
Property string: The property to use for evaluate the condition. Possible values are AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AlertAnalyticRuleIds, AlertProductNames, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentCustomDetailsKey, IncidentCustomDetailsValue, IncidentDescription, IncidentLabel, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IncidentUpdatedBySource, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData and Url.
Values List<string>: Specifies a list of values to use for evaluate the condition.

Operator string: The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.
Property string: The property to use for evaluate the condition. Possible values are AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AlertAnalyticRuleIds, AlertProductNames, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentCustomDetailsKey, IncidentCustomDetailsValue, IncidentDescription, IncidentLabel, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IncidentUpdatedBySource, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData and Url.
Values []string: Specifies a list of values to use for evaluate the condition.

operator String: The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.
property String: The property to use for evaluate the condition. Possible values are AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AlertAnalyticRuleIds, AlertProductNames, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentCustomDetailsKey, IncidentCustomDetailsValue, IncidentDescription, IncidentLabel, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IncidentUpdatedBySource, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData and Url.
values List<String>: Specifies a list of values to use for evaluate the condition.

operator string: The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.
property string: The property to use for evaluate the condition. Possible values are AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AlertAnalyticRuleIds, AlertProductNames, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentCustomDetailsKey, IncidentCustomDetailsValue, IncidentDescription, IncidentLabel, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IncidentUpdatedBySource, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData and Url.
values string[]: Specifies a list of values to use for evaluate the condition.

operator str: The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.
property str: The property to use for evaluate the condition. Possible values are AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AlertAnalyticRuleIds, AlertProductNames, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentCustomDetailsKey, IncidentCustomDetailsValue, IncidentDescription, IncidentLabel, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IncidentUpdatedBySource, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData and Url.
values Sequence[str]: Specifies a list of values to use for evaluate the condition.

operator String: The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.
property String: The property to use for evaluate the condition. Possible values are AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AlertAnalyticRuleIds, AlertProductNames, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentCustomDetailsKey, IncidentCustomDetailsValue, IncidentDescription, IncidentLabel, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IncidentUpdatedBySource, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData and Url.
values List<String>: Specifies a list of values to use for evaluate the condition.

Import

Sentinel Automation Rules can be imported using the resource id, e.g.

 $ pulumi import azure:sentinel/authomationRule:AuthomationRule example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/automationRules/rule1

Package Details

Repository: Azure Classic pulumi/pulumi-azure
License: Apache-2.0
Notes: This Pulumi package is based on the azurerm Terraform Provider.

We recommend using Azure Native.

Azure Classic v5.58.0 published on Saturday, Dec 2, 2023 by Pulumi

pulumi/pulumi-azure

azure.sentinel.AuthomationRule

On this page

On this page

Example Usage

Create AuthomationRule Resource

AuthomationRule Resource Properties

Inputs

Outputs

Look up Existing AuthomationRule Resource

Supporting Types

AuthomationRuleActionIncident, AuthomationRuleActionIncidentArgs

AuthomationRuleActionPlaybook, AuthomationRuleActionPlaybookArgs

AuthomationRuleCondition, AuthomationRuleConditionArgs

Import

Package Details

On this page

On this page