azure.sentinel.AlertRuleScheduled (v4)

Azure v4.42.0 (4.x), Mar 9 26

We recommend using Azure Native.

Viewing docs for Azure v4.42.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi

Go to latest version

Schema (JSON)

pulumi/pulumi-azure

We recommend using Azure Native.

Viewing docs for Azure v4.42.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi

Go to latest version

Schema (JSON)

pulumi/pulumi-azure

Example Usage

using Pulumi;
using Azure = Pulumi.Azure;

class MyStack : Stack
{
    public MyStack()
    {
        var exampleResourceGroup = new Azure.Core.ResourceGroup("exampleResourceGroup", new Azure.Core.ResourceGroupArgs
        {
            Location = "West Europe",
        });
        var exampleAnalyticsWorkspace = new Azure.OperationalInsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", new Azure.OperationalInsights.AnalyticsWorkspaceArgs
        {
            Location = exampleResourceGroup.Location,
            ResourceGroupName = exampleResourceGroup.Name,
            Sku = "pergb2018",
        });
        var exampleAnalyticsSolution = new Azure.OperationalInsights.AnalyticsSolution("exampleAnalyticsSolution", new Azure.OperationalInsights.AnalyticsSolutionArgs
        {
            SolutionName = "SecurityInsights",
            Location = exampleResourceGroup.Location,
            ResourceGroupName = exampleResourceGroup.Name,
            WorkspaceResourceId = exampleAnalyticsWorkspace.Id,
            WorkspaceName = exampleAnalyticsWorkspace.Name,
            Plan = new Azure.OperationalInsights.Inputs.AnalyticsSolutionPlanArgs
            {
                Publisher = "Microsoft",
                Product = "OMSGallery/SecurityInsights",
            },
        });
        var exampleAlertRuleScheduled = new Azure.Sentinel.AlertRuleScheduled("exampleAlertRuleScheduled", new Azure.Sentinel.AlertRuleScheduledArgs
        {
            LogAnalyticsWorkspaceId = exampleAnalyticsSolution.WorkspaceResourceId,
            DisplayName = "example",
            Severity = "High",
            Query = @"AzureActivity |
  where OperationName == ""Create or Update Virtual Machine"" or OperationName ==""Create Deployment"" |
  where ActivityStatus == ""Succeeded"" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
",
        });
    }

}

package main

import (
	"fmt"

	"github.com/pulumi/pulumi-azure/sdk/v4/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v4/go/azure/operationalinsights"
	"github.com/pulumi/pulumi-azure/sdk/v4/go/azure/sentinel"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleResourceGroup, err := core.NewResourceGroup(ctx, "exampleResourceGroup", &core.ResourceGroupArgs{
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}
		exampleAnalyticsWorkspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "exampleAnalyticsWorkspace", &operationalinsights.AnalyticsWorkspaceArgs{
			Location:          exampleResourceGroup.Location,
			ResourceGroupName: exampleResourceGroup.Name,
			Sku:               pulumi.String("pergb2018"),
		})
		if err != nil {
			return err
		}
		exampleAnalyticsSolution, err := operationalinsights.NewAnalyticsSolution(ctx, "exampleAnalyticsSolution", &operationalinsights.AnalyticsSolutionArgs{
			SolutionName:        pulumi.String("SecurityInsights"),
			Location:            exampleResourceGroup.Location,
			ResourceGroupName:   exampleResourceGroup.Name,
			WorkspaceResourceId: exampleAnalyticsWorkspace.ID(),
			WorkspaceName:       exampleAnalyticsWorkspace.Name,
			Plan: &operationalinsights.AnalyticsSolutionPlanArgs{
				Publisher: pulumi.String("Microsoft"),
				Product:   pulumi.String("OMSGallery/SecurityInsights"),
			},
		})
		if err != nil {
			return err
		}
		_, err = sentinel.NewAlertRuleScheduled(ctx, "exampleAlertRuleScheduled", &sentinel.AlertRuleScheduledArgs{
			LogAnalyticsWorkspaceId: exampleAnalyticsSolution.WorkspaceResourceId,
			DisplayName:             pulumi.String("example"),
			Severity:                pulumi.String("High"),
			Query:                   pulumi.String(fmt.Sprintf("%v%v%v%v", "AzureActivity |\n", "  where OperationName == \"Create or Update Virtual Machine\" or OperationName ==\"Create Deployment\" |\n", "  where ActivityStatus == \"Succeeded\" |\n", "  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller\n")),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

Example coming soon!

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    sku: "pergb2018",
});
const exampleAnalyticsSolution = new azure.operationalinsights.AnalyticsSolution("exampleAnalyticsSolution", {
    solutionName: "SecurityInsights",
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    workspaceResourceId: exampleAnalyticsWorkspace.id,
    workspaceName: exampleAnalyticsWorkspace.name,
    plan: {
        publisher: "Microsoft",
        product: "OMSGallery/SecurityInsights",
    },
});
const exampleAlertRuleScheduled = new azure.sentinel.AlertRuleScheduled("exampleAlertRuleScheduled", {
    logAnalyticsWorkspaceId: exampleAnalyticsSolution.workspaceResourceId,
    displayName: "example",
    severity: "High",
    query: `AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
`,
});

import pulumi
import pulumi_azure as azure

example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    sku="pergb2018")
example_analytics_solution = azure.operationalinsights.AnalyticsSolution("exampleAnalyticsSolution",
    solution_name="SecurityInsights",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    workspace_resource_id=example_analytics_workspace.id,
    workspace_name=example_analytics_workspace.name,
    plan=azure.operationalinsights.AnalyticsSolutionPlanArgs(
        publisher="Microsoft",
        product="OMSGallery/SecurityInsights",
    ))
example_alert_rule_scheduled = azure.sentinel.AlertRuleScheduled("exampleAlertRuleScheduled",
    log_analytics_workspace_id=example_analytics_solution.workspace_resource_id,
    display_name="example",
    severity="High",
    query="""AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
""")

Example coming soon!

Create AlertRuleScheduled Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new AlertRuleScheduled(name: string, args: AlertRuleScheduledArgs, opts?: CustomResourceOptions);

@overload
def AlertRuleScheduled(resource_name: str,
                       args: AlertRuleScheduledArgs,
                       opts: Optional[ResourceOptions] = None)

@overload
def AlertRuleScheduled(resource_name: str,
                       opts: Optional[ResourceOptions] = None,
                       log_analytics_workspace_id: Optional[str] = None,
                       severity: Optional[str] = None,
                       display_name: Optional[str] = None,
                       query: Optional[str] = None,
                       event_grouping: Optional[AlertRuleScheduledEventGroupingArgs] = None,
                       incident_configuration: Optional[AlertRuleScheduledIncidentConfigurationArgs] = None,
                       alert_rule_template_guid: Optional[str] = None,
                       name: Optional[str] = None,
                       enabled: Optional[bool] = None,
                       query_frequency: Optional[str] = None,
                       query_period: Optional[str] = None,
                       description: Optional[str] = None,
                       suppression_duration: Optional[str] = None,
                       suppression_enabled: Optional[bool] = None,
                       tactics: Optional[Sequence[str]] = None,
                       trigger_operator: Optional[str] = None,
                       trigger_threshold: Optional[int] = None)

func NewAlertRuleScheduled(ctx *Context, name string, args AlertRuleScheduledArgs, opts ...ResourceOption) (*AlertRuleScheduled, error)

public AlertRuleScheduled(string name, AlertRuleScheduledArgs args, CustomResourceOptions? opts = null)

public AlertRuleScheduled(String name, AlertRuleScheduledArgs args)
public AlertRuleScheduled(String name, AlertRuleScheduledArgs args, CustomResourceOptions options)

type: azure:sentinel:AlertRuleScheduled
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args AlertRuleScheduledArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args AlertRuleScheduledArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AlertRuleScheduledArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AlertRuleScheduledArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args AlertRuleScheduledArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var alertRuleScheduledResource = new Azure.Sentinel.AlertRuleScheduled("alertRuleScheduledResource", new()
{
    LogAnalyticsWorkspaceId = "string",
    Severity = "string",
    DisplayName = "string",
    Query = "string",
    EventGrouping = new Azure.Sentinel.Inputs.AlertRuleScheduledEventGroupingArgs
    {
        AggregationMethod = "string",
    },
    IncidentConfiguration = new Azure.Sentinel.Inputs.AlertRuleScheduledIncidentConfigurationArgs
    {
        CreateIncident = false,
        Grouping = new Azure.Sentinel.Inputs.AlertRuleScheduledIncidentConfigurationGroupingArgs
        {
            Enabled = false,
            EntityMatchingMethod = "string",
            GroupBies = new[]
            {
                "string",
            },
            LookbackDuration = "string",
            ReopenClosedIncidents = false,
        },
    },
    AlertRuleTemplateGuid = "string",
    Name = "string",
    Enabled = false,
    QueryFrequency = "string",
    QueryPeriod = "string",
    Description = "string",
    SuppressionDuration = "string",
    SuppressionEnabled = false,
    Tactics = new[]
    {
        "string",
    },
    TriggerOperator = "string",
    TriggerThreshold = 0,
});

example, err := sentinel.NewAlertRuleScheduled(ctx, "alertRuleScheduledResource", &sentinel.AlertRuleScheduledArgs{
	LogAnalyticsWorkspaceId: pulumi.String("string"),
	Severity:                pulumi.String("string"),
	DisplayName:             pulumi.String("string"),
	Query:                   pulumi.String("string"),
	EventGrouping: &sentinel.AlertRuleScheduledEventGroupingArgs{
		AggregationMethod: pulumi.String("string"),
	},
	IncidentConfiguration: &sentinel.AlertRuleScheduledIncidentConfigurationArgs{
		CreateIncident: pulumi.Bool(false),
		Grouping: &sentinel.AlertRuleScheduledIncidentConfigurationGroupingArgs{
			Enabled:              pulumi.Bool(false),
			EntityMatchingMethod: pulumi.String("string"),
			GroupBies: pulumi.StringArray{
				pulumi.String("string"),
			},
			LookbackDuration:      pulumi.String("string"),
			ReopenClosedIncidents: pulumi.Bool(false),
		},
	},
	AlertRuleTemplateGuid: pulumi.String("string"),
	Name:                  pulumi.String("string"),
	Enabled:               pulumi.Bool(false),
	QueryFrequency:        pulumi.String("string"),
	QueryPeriod:           pulumi.String("string"),
	Description:           pulumi.String("string"),
	SuppressionDuration:   pulumi.String("string"),
	SuppressionEnabled:    pulumi.Bool(false),
	Tactics: pulumi.StringArray{
		pulumi.String("string"),
	},
	TriggerOperator:  pulumi.String("string"),
	TriggerThreshold: pulumi.Int(0),
})

var alertRuleScheduledResource = new AlertRuleScheduled("alertRuleScheduledResource", AlertRuleScheduledArgs.builder()
    .logAnalyticsWorkspaceId("string")
    .severity("string")
    .displayName("string")
    .query("string")
    .eventGrouping(AlertRuleScheduledEventGroupingArgs.builder()
        .aggregationMethod("string")
        .build())
    .incidentConfiguration(AlertRuleScheduledIncidentConfigurationArgs.builder()
        .createIncident(false)
        .grouping(AlertRuleScheduledIncidentConfigurationGroupingArgs.builder()
            .enabled(false)
            .entityMatchingMethod("string")
            .groupBies("string")
            .lookbackDuration("string")
            .reopenClosedIncidents(false)
            .build())
        .build())
    .alertRuleTemplateGuid("string")
    .name("string")
    .enabled(false)
    .queryFrequency("string")
    .queryPeriod("string")
    .description("string")
    .suppressionDuration("string")
    .suppressionEnabled(false)
    .tactics("string")
    .triggerOperator("string")
    .triggerThreshold(0)
    .build());

alert_rule_scheduled_resource = azure.sentinel.AlertRuleScheduled("alertRuleScheduledResource",
    log_analytics_workspace_id="string",
    severity="string",
    display_name="string",
    query="string",
    event_grouping={
        "aggregation_method": "string",
    },
    incident_configuration={
        "create_incident": False,
        "grouping": {
            "enabled": False,
            "entity_matching_method": "string",
            "group_bies": ["string"],
            "lookback_duration": "string",
            "reopen_closed_incidents": False,
        },
    },
    alert_rule_template_guid="string",
    name="string",
    enabled=False,
    query_frequency="string",
    query_period="string",
    description="string",
    suppression_duration="string",
    suppression_enabled=False,
    tactics=["string"],
    trigger_operator="string",
    trigger_threshold=0)

const alertRuleScheduledResource = new azure.sentinel.AlertRuleScheduled("alertRuleScheduledResource", {
    logAnalyticsWorkspaceId: "string",
    severity: "string",
    displayName: "string",
    query: "string",
    eventGrouping: {
        aggregationMethod: "string",
    },
    incidentConfiguration: {
        createIncident: false,
        grouping: {
            enabled: false,
            entityMatchingMethod: "string",
            groupBies: ["string"],
            lookbackDuration: "string",
            reopenClosedIncidents: false,
        },
    },
    alertRuleTemplateGuid: "string",
    name: "string",
    enabled: false,
    queryFrequency: "string",
    queryPeriod: "string",
    description: "string",
    suppressionDuration: "string",
    suppressionEnabled: false,
    tactics: ["string"],
    triggerOperator: "string",
    triggerThreshold: 0,
});

type: azure:sentinel:AlertRuleScheduled
properties:
    alertRuleTemplateGuid: string
    description: string
    displayName: string
    enabled: false
    eventGrouping:
        aggregationMethod: string
    incidentConfiguration:
        createIncident: false
        grouping:
            enabled: false
            entityMatchingMethod: string
            groupBies:
                - string
            lookbackDuration: string
            reopenClosedIncidents: false
    logAnalyticsWorkspaceId: string
    name: string
    query: string
    queryFrequency: string
    queryPeriod: string
    severity: string
    suppressionDuration: string
    suppressionEnabled: false
    tactics:
        - string
    triggerOperator: string
    triggerThreshold: 0

AlertRuleScheduled Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The AlertRuleScheduled resource accepts the following input properties:

DisplayName string: The friendly name of this Sentinel Scheduled Alert Rule.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Query string: The query of this Sentinel Scheduled Alert Rule.
Severity string: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
AlertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Description string: The description of this Sentinel Scheduled Alert Rule.
Enabled bool: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
EventGrouping AlertRuleScheduledEventGrouping: A event_grouping block as defined below.
IncidentConfiguration AlertRuleScheduledIncidentConfiguration: A incident_configuration block as defined below.
Name string: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
QueryFrequency string: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
QueryPeriod string: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics List<string>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
TriggerOperator string: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
TriggerThreshold int: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

DisplayName string: The friendly name of this Sentinel Scheduled Alert Rule.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Query string: The query of this Sentinel Scheduled Alert Rule.
Severity string: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
AlertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Description string: The description of this Sentinel Scheduled Alert Rule.
Enabled bool: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
EventGrouping AlertRuleScheduledEventGroupingArgs: A event_grouping block as defined below.
IncidentConfiguration AlertRuleScheduledIncidentConfigurationArgs: A incident_configuration block as defined below.
Name string: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
QueryFrequency string: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
QueryPeriod string: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics []string: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
TriggerOperator string: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
TriggerThreshold int: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

displayName String: The friendly name of this Sentinel Scheduled Alert Rule.
logAnalyticsWorkspaceId String: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
query String: The query of this Sentinel Scheduled Alert Rule.
severity String: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
alertRuleTemplateGuid String: The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
description String: The description of this Sentinel Scheduled Alert Rule.
enabled Boolean: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
eventGrouping AlertRuleScheduledEventGrouping: A event_grouping block as defined below.
incidentConfiguration AlertRuleScheduledIncidentConfiguration: A incident_configuration block as defined below.
name String: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
queryFrequency String: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
queryPeriod String: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
suppressionDuration String: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled Boolean: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
tactics List<String>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
triggerOperator String: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
triggerThreshold Integer: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

displayName string: The friendly name of this Sentinel Scheduled Alert Rule.
logAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
query string: The query of this Sentinel Scheduled Alert Rule.
severity string: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
alertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
description string: The description of this Sentinel Scheduled Alert Rule.
enabled boolean: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
eventGrouping AlertRuleScheduledEventGrouping: A event_grouping block as defined below.
incidentConfiguration AlertRuleScheduledIncidentConfiguration: A incident_configuration block as defined below.
name string: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
queryFrequency string: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
queryPeriod string: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
suppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled boolean: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
tactics string[]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
triggerOperator string: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
triggerThreshold number: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

display_name str: The friendly name of this Sentinel Scheduled Alert Rule.
log_analytics_workspace_id str: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
query str: The query of this Sentinel Scheduled Alert Rule.
severity str: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
alert_rule_template_guid str: The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
description str: The description of this Sentinel Scheduled Alert Rule.
enabled bool: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
event_grouping AlertRuleScheduledEventGroupingArgs: A event_grouping block as defined below.
incident_configuration AlertRuleScheduledIncidentConfigurationArgs: A incident_configuration block as defined below.
name str: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
query_frequency str: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
query_period str: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
suppression_duration str: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppression_enabled bool: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
tactics Sequence[str]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
trigger_operator str: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
trigger_threshold int: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

displayName String: The friendly name of this Sentinel Scheduled Alert Rule.
logAnalyticsWorkspaceId String: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
query String: The query of this Sentinel Scheduled Alert Rule.
severity String: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
alertRuleTemplateGuid String: The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
description String: The description of this Sentinel Scheduled Alert Rule.
enabled Boolean: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
eventGrouping Property Map: A event_grouping block as defined below.
incidentConfiguration Property Map: A incident_configuration block as defined below.
name String: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
queryFrequency String: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
queryPeriod String: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
suppressionDuration String: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled Boolean: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
tactics List<String>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
triggerOperator String: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
triggerThreshold Number: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

Outputs

All input properties are implicitly available as output properties. Additionally, the AlertRuleScheduled resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing AlertRuleScheduled Resource

Get an existing AlertRuleScheduled resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AlertRuleScheduledState, opts?: CustomResourceOptions): AlertRuleScheduled

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        alert_rule_template_guid: Optional[str] = None,
        description: Optional[str] = None,
        display_name: Optional[str] = None,
        enabled: Optional[bool] = None,
        event_grouping: Optional[AlertRuleScheduledEventGroupingArgs] = None,
        incident_configuration: Optional[AlertRuleScheduledIncidentConfigurationArgs] = None,
        log_analytics_workspace_id: Optional[str] = None,
        name: Optional[str] = None,
        query: Optional[str] = None,
        query_frequency: Optional[str] = None,
        query_period: Optional[str] = None,
        severity: Optional[str] = None,
        suppression_duration: Optional[str] = None,
        suppression_enabled: Optional[bool] = None,
        tactics: Optional[Sequence[str]] = None,
        trigger_operator: Optional[str] = None,
        trigger_threshold: Optional[int] = None) -> AlertRuleScheduled

func GetAlertRuleScheduled(ctx *Context, name string, id IDInput, state *AlertRuleScheduledState, opts ...ResourceOption) (*AlertRuleScheduled, error)

public static AlertRuleScheduled Get(string name, Input<string> id, AlertRuleScheduledState? state, CustomResourceOptions? opts = null)

public static AlertRuleScheduled get(String name, Output<String> id, AlertRuleScheduledState state, CustomResourceOptions options)

resources:  _:    type: azure:sentinel:AlertRuleScheduled    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AlertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Description string: The description of this Sentinel Scheduled Alert Rule.
DisplayName string: The friendly name of this Sentinel Scheduled Alert Rule.
Enabled bool: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
EventGrouping AlertRuleScheduledEventGrouping: A event_grouping block as defined below.
IncidentConfiguration AlertRuleScheduledIncidentConfiguration: A incident_configuration block as defined below.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Name string: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Query string: The query of this Sentinel Scheduled Alert Rule.
QueryFrequency string: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
QueryPeriod string: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
Severity string: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics List<string>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
TriggerOperator string: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
TriggerThreshold int: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

AlertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Description string: The description of this Sentinel Scheduled Alert Rule.
DisplayName string: The friendly name of this Sentinel Scheduled Alert Rule.
Enabled bool: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
EventGrouping AlertRuleScheduledEventGroupingArgs: A event_grouping block as defined below.
IncidentConfiguration AlertRuleScheduledIncidentConfigurationArgs: A incident_configuration block as defined below.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Name string: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Query string: The query of this Sentinel Scheduled Alert Rule.
QueryFrequency string: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
QueryPeriod string: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
Severity string: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics []string: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
TriggerOperator string: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
TriggerThreshold int: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

alertRuleTemplateGuid String: The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
description String: The description of this Sentinel Scheduled Alert Rule.
displayName String: The friendly name of this Sentinel Scheduled Alert Rule.
enabled Boolean: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
eventGrouping AlertRuleScheduledEventGrouping: A event_grouping block as defined below.
incidentConfiguration AlertRuleScheduledIncidentConfiguration: A incident_configuration block as defined below.
logAnalyticsWorkspaceId String: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
name String: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
query String: The query of this Sentinel Scheduled Alert Rule.
queryFrequency String: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
queryPeriod String: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
severity String: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
suppressionDuration String: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled Boolean: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
tactics List<String>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
triggerOperator String: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
triggerThreshold Integer: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

alertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
description string: The description of this Sentinel Scheduled Alert Rule.
displayName string: The friendly name of this Sentinel Scheduled Alert Rule.
enabled boolean: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
eventGrouping AlertRuleScheduledEventGrouping: A event_grouping block as defined below.
incidentConfiguration AlertRuleScheduledIncidentConfiguration: A incident_configuration block as defined below.
logAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
name string: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
query string: The query of this Sentinel Scheduled Alert Rule.
queryFrequency string: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
queryPeriod string: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
severity string: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
suppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled boolean: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
tactics string[]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
triggerOperator string: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
triggerThreshold number: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

alert_rule_template_guid str: The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
description str: The description of this Sentinel Scheduled Alert Rule.
display_name str: The friendly name of this Sentinel Scheduled Alert Rule.
enabled bool: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
event_grouping AlertRuleScheduledEventGroupingArgs: A event_grouping block as defined below.
incident_configuration AlertRuleScheduledIncidentConfigurationArgs: A incident_configuration block as defined below.
log_analytics_workspace_id str: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
name str: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
query str: The query of this Sentinel Scheduled Alert Rule.
query_frequency str: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
query_period str: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
severity str: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
suppression_duration str: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppression_enabled bool: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
tactics Sequence[str]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
trigger_operator str: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
trigger_threshold int: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

alertRuleTemplateGuid String: The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
description String: The description of this Sentinel Scheduled Alert Rule.
displayName String: The friendly name of this Sentinel Scheduled Alert Rule.
enabled Boolean: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
eventGrouping Property Map: A event_grouping block as defined below.
incidentConfiguration Property Map: A incident_configuration block as defined below.
logAnalyticsWorkspaceId String: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
name String: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
query String: The query of this Sentinel Scheduled Alert Rule.
queryFrequency String: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
queryPeriod String: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
severity String: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
suppressionDuration String: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled Boolean: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
tactics List<String>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
triggerOperator String: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
triggerThreshold Number: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

Supporting Types

AlertRuleScheduledEventGrouping, AlertRuleScheduledEventGroupingArgs

AggregationMethod string: The aggregation type of grouping the events.

AggregationMethod string: The aggregation type of grouping the events.

aggregationMethod String: The aggregation type of grouping the events.

aggregationMethod string: The aggregation type of grouping the events.

aggregation_method str: The aggregation type of grouping the events.

aggregationMethod String: The aggregation type of grouping the events.

AlertRuleScheduledIncidentConfiguration, AlertRuleScheduledIncidentConfigurationArgs

CreateIncident bool: Whether to create an incident from alerts triggered by this Sentinel Scheduled Alert Rule?
Grouping AlertRuleScheduledIncidentConfigurationGrouping: A grouping block as defined below.

CreateIncident bool: Whether to create an incident from alerts triggered by this Sentinel Scheduled Alert Rule?
Grouping AlertRuleScheduledIncidentConfigurationGrouping: A grouping block as defined below.

createIncident Boolean: Whether to create an incident from alerts triggered by this Sentinel Scheduled Alert Rule?
grouping AlertRuleScheduledIncidentConfigurationGrouping: A grouping block as defined below.

createIncident boolean: Whether to create an incident from alerts triggered by this Sentinel Scheduled Alert Rule?
grouping AlertRuleScheduledIncidentConfigurationGrouping: A grouping block as defined below.

create_incident bool: Whether to create an incident from alerts triggered by this Sentinel Scheduled Alert Rule?
grouping AlertRuleScheduledIncidentConfigurationGrouping: A grouping block as defined below.

createIncident Boolean: Whether to create an incident from alerts triggered by this Sentinel Scheduled Alert Rule?
grouping Property Map: A grouping block as defined below.

AlertRuleScheduledIncidentConfigurationGrouping, AlertRuleScheduledIncidentConfigurationGroupingArgs

Enabled bool: Enable grouping incidents created from alerts triggered by this Sentinel Scheduled Alert Rule. Defaults to true.
EntityMatchingMethod string: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
GroupBies List<string>: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
LookbackDuration string: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
ReopenClosedIncidents bool: Whether to re-open closed matching incidents? Defaults to false.

Enabled bool: Enable grouping incidents created from alerts triggered by this Sentinel Scheduled Alert Rule. Defaults to true.
EntityMatchingMethod string: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
GroupBies []string: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
LookbackDuration string: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
ReopenClosedIncidents bool: Whether to re-open closed matching incidents? Defaults to false.

enabled Boolean: Enable grouping incidents created from alerts triggered by this Sentinel Scheduled Alert Rule. Defaults to true.
entityMatchingMethod String: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
groupBies List<String>: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
lookbackDuration String: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
reopenClosedIncidents Boolean: Whether to re-open closed matching incidents? Defaults to false.

enabled boolean: Enable grouping incidents created from alerts triggered by this Sentinel Scheduled Alert Rule. Defaults to true.
entityMatchingMethod string: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
groupBies string[]: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
lookbackDuration string: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
reopenClosedIncidents boolean: Whether to re-open closed matching incidents? Defaults to false.

enabled bool: Enable grouping incidents created from alerts triggered by this Sentinel Scheduled Alert Rule. Defaults to true.
entity_matching_method str: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
group_bies Sequence[str]: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
lookback_duration str: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
reopen_closed_incidents bool: Whether to re-open closed matching incidents? Defaults to false.

enabled Boolean: Enable grouping incidents created from alerts triggered by this Sentinel Scheduled Alert Rule. Defaults to true.
entityMatchingMethod String: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
groupBies List<String>: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
lookbackDuration String: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
reopenClosedIncidents Boolean: Whether to re-open closed matching incidents? Defaults to false.

Import

Sentinel Scheduled Alert Rules can be imported using the resource id, e.g.

 $ pulumi import azure:sentinel/alertRuleScheduled:AlertRuleScheduled example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Azure Classic pulumi/pulumi-azure
License: Apache-2.0
Notes: This Pulumi package is based on the azurerm Terraform Provider.

We recommend using Azure Native.

Viewing docs for Azure v4.42.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi

Go to latest version

Schema (JSON)

pulumi/pulumi-azure

azure.sentinel.AlertRuleScheduled

On this page

On this page

Example Usage

Create AlertRuleScheduled Resource

Constructor syntax

Parameters

Constructor example

AlertRuleScheduled Resource Properties

Inputs

Outputs

Look up Existing AlertRuleScheduled Resource

Supporting Types

AlertRuleScheduledEventGrouping, AlertRuleScheduledEventGroupingArgs

AlertRuleScheduledIncidentConfiguration, AlertRuleScheduledIncidentConfigurationArgs

AlertRuleScheduledIncidentConfigurationGrouping, AlertRuleScheduledIncidentConfigurationGroupingArgs

Import

Package Details

On this page

On this page