Datadog v4.52.0, Jul 14 25

Datadog v4.52.0 published on Monday, Jul 14, 2025 by Pulumi

datadog.SecurityMonitoringDefaultRule

Explore with Pulumi AI

Datadog v4.52.0 published on Monday, Jul 14, 2025 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as datadog from "@pulumi/datadog";

const adefaultrule = new datadog.SecurityMonitoringDefaultRule("adefaultrule", {
    enabled: true,
    cases: [{
        status: "high",
        notifications: ["@me"],
    }],
});

import pulumi
import pulumi_datadog as datadog

adefaultrule = datadog.SecurityMonitoringDefaultRule("adefaultrule",
    enabled=True,
    cases=[{
        "status": "high",
        "notifications": ["@me"],
    }])

package main

import (
	"github.com/pulumi/pulumi-datadog/sdk/v4/go/datadog"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := datadog.NewSecurityMonitoringDefaultRule(ctx, "adefaultrule", &datadog.SecurityMonitoringDefaultRuleArgs{
			Enabled: pulumi.Bool(true),
			Cases: datadog.SecurityMonitoringDefaultRuleCaseArray{
				&datadog.SecurityMonitoringDefaultRuleCaseArgs{
					Status: pulumi.String("high"),
					Notifications: pulumi.StringArray{
						pulumi.String("@me"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Datadog = Pulumi.Datadog;

return await Deployment.RunAsync(() => 
{
    var adefaultrule = new Datadog.SecurityMonitoringDefaultRule("adefaultrule", new()
    {
        Enabled = true,
        Cases = new[]
        {
            new Datadog.Inputs.SecurityMonitoringDefaultRuleCaseArgs
            {
                Status = "high",
                Notifications = new[]
                {
                    "@me",
                },
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.datadog.SecurityMonitoringDefaultRule;
import com.pulumi.datadog.SecurityMonitoringDefaultRuleArgs;
import com.pulumi.datadog.inputs.SecurityMonitoringDefaultRuleCaseArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var adefaultrule = new SecurityMonitoringDefaultRule("adefaultrule", SecurityMonitoringDefaultRuleArgs.builder()
            .enabled(true)
            .cases(SecurityMonitoringDefaultRuleCaseArgs.builder()
                .status("high")
                .notifications("@me")
                .build())
            .build());

    }
}

resources:
  adefaultrule:
    type: datadog:SecurityMonitoringDefaultRule
    properties:
      enabled: true # Change the notifications for the high case
      cases:
        - status: high
          notifications:
            - '@me'

Create SecurityMonitoringDefaultRule Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SecurityMonitoringDefaultRule(name: string, args?: SecurityMonitoringDefaultRuleArgs, opts?: CustomResourceOptions);

@overload
def SecurityMonitoringDefaultRule(resource_name: str,
                                  args: Optional[SecurityMonitoringDefaultRuleArgs] = None,
                                  opts: Optional[ResourceOptions] = None)

@overload
def SecurityMonitoringDefaultRule(resource_name: str,
                                  opts: Optional[ResourceOptions] = None,
                                  cases: Optional[Sequence[SecurityMonitoringDefaultRuleCaseArgs]] = None,
                                  custom_message: Optional[str] = None,
                                  custom_name: Optional[str] = None,
                                  custom_tags: Optional[Sequence[str]] = None,
                                  enabled: Optional[bool] = None,
                                  filters: Optional[Sequence[SecurityMonitoringDefaultRuleFilterArgs]] = None,
                                  options: Optional[SecurityMonitoringDefaultRuleOptionsArgs] = None,
                                  queries: Optional[Sequence[SecurityMonitoringDefaultRuleQueryArgs]] = None)

func NewSecurityMonitoringDefaultRule(ctx *Context, name string, args *SecurityMonitoringDefaultRuleArgs, opts ...ResourceOption) (*SecurityMonitoringDefaultRule, error)

public SecurityMonitoringDefaultRule(string name, SecurityMonitoringDefaultRuleArgs? args = null, CustomResourceOptions? opts = null)

public SecurityMonitoringDefaultRule(String name, SecurityMonitoringDefaultRuleArgs args)
public SecurityMonitoringDefaultRule(String name, SecurityMonitoringDefaultRuleArgs args, CustomResourceOptions options)

type: datadog:SecurityMonitoringDefaultRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SecurityMonitoringDefaultRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SecurityMonitoringDefaultRuleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecurityMonitoringDefaultRuleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecurityMonitoringDefaultRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SecurityMonitoringDefaultRuleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var securityMonitoringDefaultRuleResource = new Datadog.SecurityMonitoringDefaultRule("securityMonitoringDefaultRuleResource", new()
{
    Cases = new[]
    {
        new Datadog.Inputs.SecurityMonitoringDefaultRuleCaseArgs
        {
            Status = "string",
            CustomStatus = "string",
            Notifications = new[]
            {
                "string",
            },
        },
    },
    CustomMessage = "string",
    CustomName = "string",
    CustomTags = new[]
    {
        "string",
    },
    Enabled = false,
    Filters = new[]
    {
        new Datadog.Inputs.SecurityMonitoringDefaultRuleFilterArgs
        {
            Action = "string",
            Query = "string",
        },
    },
    Options = new Datadog.Inputs.SecurityMonitoringDefaultRuleOptionsArgs
    {
        DecreaseCriticalityBasedOnEnv = false,
    },
    Queries = new[]
    {
        new Datadog.Inputs.SecurityMonitoringDefaultRuleQueryArgs
        {
            Query = "string",
            Aggregation = "string",
            CustomQueryExtension = "string",
            DataSource = "string",
            DistinctFields = new[]
            {
                "string",
            },
            GroupByFields = new[]
            {
                "string",
            },
            Metrics = new[]
            {
                "string",
            },
            Name = "string",
        },
    },
});

example, err := datadog.NewSecurityMonitoringDefaultRule(ctx, "securityMonitoringDefaultRuleResource", &datadog.SecurityMonitoringDefaultRuleArgs{
	Cases: datadog.SecurityMonitoringDefaultRuleCaseArray{
		&datadog.SecurityMonitoringDefaultRuleCaseArgs{
			Status:       pulumi.String("string"),
			CustomStatus: pulumi.String("string"),
			Notifications: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	CustomMessage: pulumi.String("string"),
	CustomName:    pulumi.String("string"),
	CustomTags: pulumi.StringArray{
		pulumi.String("string"),
	},
	Enabled: pulumi.Bool(false),
	Filters: datadog.SecurityMonitoringDefaultRuleFilterArray{
		&datadog.SecurityMonitoringDefaultRuleFilterArgs{
			Action: pulumi.String("string"),
			Query:  pulumi.String("string"),
		},
	},
	Options: &datadog.SecurityMonitoringDefaultRuleOptionsArgs{
		DecreaseCriticalityBasedOnEnv: pulumi.Bool(false),
	},
	Queries: datadog.SecurityMonitoringDefaultRuleQueryArray{
		&datadog.SecurityMonitoringDefaultRuleQueryArgs{
			Query:                pulumi.String("string"),
			Aggregation:          pulumi.String("string"),
			CustomQueryExtension: pulumi.String("string"),
			DataSource:           pulumi.String("string"),
			DistinctFields: pulumi.StringArray{
				pulumi.String("string"),
			},
			GroupByFields: pulumi.StringArray{
				pulumi.String("string"),
			},
			Metrics: pulumi.StringArray{
				pulumi.String("string"),
			},
			Name: pulumi.String("string"),
		},
	},
})

var securityMonitoringDefaultRuleResource = new SecurityMonitoringDefaultRule("securityMonitoringDefaultRuleResource", SecurityMonitoringDefaultRuleArgs.builder()
    .cases(SecurityMonitoringDefaultRuleCaseArgs.builder()
        .status("string")
        .customStatus("string")
        .notifications("string")
        .build())
    .customMessage("string")
    .customName("string")
    .customTags("string")
    .enabled(false)
    .filters(SecurityMonitoringDefaultRuleFilterArgs.builder()
        .action("string")
        .query("string")
        .build())
    .options(SecurityMonitoringDefaultRuleOptionsArgs.builder()
        .decreaseCriticalityBasedOnEnv(false)
        .build())
    .queries(SecurityMonitoringDefaultRuleQueryArgs.builder()
        .query("string")
        .aggregation("string")
        .customQueryExtension("string")
        .dataSource("string")
        .distinctFields("string")
        .groupByFields("string")
        .metrics("string")
        .name("string")
        .build())
    .build());

security_monitoring_default_rule_resource = datadog.SecurityMonitoringDefaultRule("securityMonitoringDefaultRuleResource",
    cases=[{
        "status": "string",
        "custom_status": "string",
        "notifications": ["string"],
    }],
    custom_message="string",
    custom_name="string",
    custom_tags=["string"],
    enabled=False,
    filters=[{
        "action": "string",
        "query": "string",
    }],
    options={
        "decrease_criticality_based_on_env": False,
    },
    queries=[{
        "query": "string",
        "aggregation": "string",
        "custom_query_extension": "string",
        "data_source": "string",
        "distinct_fields": ["string"],
        "group_by_fields": ["string"],
        "metrics": ["string"],
        "name": "string",
    }])

const securityMonitoringDefaultRuleResource = new datadog.SecurityMonitoringDefaultRule("securityMonitoringDefaultRuleResource", {
    cases: [{
        status: "string",
        customStatus: "string",
        notifications: ["string"],
    }],
    customMessage: "string",
    customName: "string",
    customTags: ["string"],
    enabled: false,
    filters: [{
        action: "string",
        query: "string",
    }],
    options: {
        decreaseCriticalityBasedOnEnv: false,
    },
    queries: [{
        query: "string",
        aggregation: "string",
        customQueryExtension: "string",
        dataSource: "string",
        distinctFields: ["string"],
        groupByFields: ["string"],
        metrics: ["string"],
        name: "string",
    }],
});

type: datadog:SecurityMonitoringDefaultRule
properties:
    cases:
        - customStatus: string
          notifications:
            - string
          status: string
    customMessage: string
    customName: string
    customTags:
        - string
    enabled: false
    filters:
        - action: string
          query: string
    options:
        decreaseCriticalityBasedOnEnv: false
    queries:
        - aggregation: string
          customQueryExtension: string
          dataSource: string
          distinctFields:
            - string
          groupByFields:
            - string
          metrics:
            - string
          name: string
          query: string

SecurityMonitoringDefaultRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SecurityMonitoringDefaultRule resource accepts the following input properties:

Cases List<SecurityMonitoringDefaultRuleCase>: Cases of the rule, this is used to update notifications.
CustomMessage string: Custom Message (will override default message) for generated signals.
CustomName string: The name (will override default name) of the rule.
CustomTags List<string>: Custom tags for generated signals.
Enabled bool: Enable the rule. Defaults to true.
Filters List<SecurityMonitoringDefaultRuleFilter>: Additional queries to filter matched events before they are processed.
Options SecurityMonitoringDefaultRuleOptions: Options on default rules. Note that only a subset of fields can be updated on default rule options.
Queries List<SecurityMonitoringDefaultRuleQuery>: Queries for selecting logs which are part of the rule.

Cases []SecurityMonitoringDefaultRuleCaseArgs: Cases of the rule, this is used to update notifications.
CustomMessage string: Custom Message (will override default message) for generated signals.
CustomName string: The name (will override default name) of the rule.
CustomTags []string: Custom tags for generated signals.
Enabled bool: Enable the rule. Defaults to true.
Filters []SecurityMonitoringDefaultRuleFilterArgs: Additional queries to filter matched events before they are processed.
Options SecurityMonitoringDefaultRuleOptionsArgs: Options on default rules. Note that only a subset of fields can be updated on default rule options.
Queries []SecurityMonitoringDefaultRuleQueryArgs: Queries for selecting logs which are part of the rule.

cases List<SecurityMonitoringDefaultRuleCase>: Cases of the rule, this is used to update notifications.
customMessage String: Custom Message (will override default message) for generated signals.
customName String: The name (will override default name) of the rule.
customTags List<String>: Custom tags for generated signals.
enabled Boolean: Enable the rule. Defaults to true.
filters List<SecurityMonitoringDefaultRuleFilter>: Additional queries to filter matched events before they are processed.
options SecurityMonitoringDefaultRuleOptions: Options on default rules. Note that only a subset of fields can be updated on default rule options.
queries List<SecurityMonitoringDefaultRuleQuery>: Queries for selecting logs which are part of the rule.

cases SecurityMonitoringDefaultRuleCase[]: Cases of the rule, this is used to update notifications.
customMessage string: Custom Message (will override default message) for generated signals.
customName string: The name (will override default name) of the rule.
customTags string[]: Custom tags for generated signals.
enabled boolean: Enable the rule. Defaults to true.
filters SecurityMonitoringDefaultRuleFilter[]: Additional queries to filter matched events before they are processed.
options SecurityMonitoringDefaultRuleOptions: Options on default rules. Note that only a subset of fields can be updated on default rule options.
queries SecurityMonitoringDefaultRuleQuery[]: Queries for selecting logs which are part of the rule.

cases Sequence[SecurityMonitoringDefaultRuleCaseArgs]: Cases of the rule, this is used to update notifications.
custom_message str: Custom Message (will override default message) for generated signals.
custom_name str: The name (will override default name) of the rule.
custom_tags Sequence[str]: Custom tags for generated signals.
enabled bool: Enable the rule. Defaults to true.
filters Sequence[SecurityMonitoringDefaultRuleFilterArgs]: Additional queries to filter matched events before they are processed.
options SecurityMonitoringDefaultRuleOptionsArgs: Options on default rules. Note that only a subset of fields can be updated on default rule options.
queries Sequence[SecurityMonitoringDefaultRuleQueryArgs]: Queries for selecting logs which are part of the rule.

cases List<Property Map>: Cases of the rule, this is used to update notifications.
customMessage String: Custom Message (will override default message) for generated signals.
customName String: The name (will override default name) of the rule.
customTags List<String>: Custom tags for generated signals.
enabled Boolean: Enable the rule. Defaults to true.
filters List<Property Map>: Additional queries to filter matched events before they are processed.
options Property Map: Options on default rules. Note that only a subset of fields can be updated on default rule options.
queries List<Property Map>: Queries for selecting logs which are part of the rule.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecurityMonitoringDefaultRule resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
Type string: The rule type.

Id string: The provider-assigned unique ID for this managed resource.
Type string: The rule type.

id String: The provider-assigned unique ID for this managed resource.
type String: The rule type.

id string: The provider-assigned unique ID for this managed resource.
type string: The rule type.

id str: The provider-assigned unique ID for this managed resource.
type str: The rule type.

id String: The provider-assigned unique ID for this managed resource.
type String: The rule type.

Look up Existing SecurityMonitoringDefaultRule Resource

Get an existing SecurityMonitoringDefaultRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecurityMonitoringDefaultRuleState, opts?: CustomResourceOptions): SecurityMonitoringDefaultRule

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        cases: Optional[Sequence[SecurityMonitoringDefaultRuleCaseArgs]] = None,
        custom_message: Optional[str] = None,
        custom_name: Optional[str] = None,
        custom_tags: Optional[Sequence[str]] = None,
        enabled: Optional[bool] = None,
        filters: Optional[Sequence[SecurityMonitoringDefaultRuleFilterArgs]] = None,
        options: Optional[SecurityMonitoringDefaultRuleOptionsArgs] = None,
        queries: Optional[Sequence[SecurityMonitoringDefaultRuleQueryArgs]] = None,
        type: Optional[str] = None) -> SecurityMonitoringDefaultRule

func GetSecurityMonitoringDefaultRule(ctx *Context, name string, id IDInput, state *SecurityMonitoringDefaultRuleState, opts ...ResourceOption) (*SecurityMonitoringDefaultRule, error)

public static SecurityMonitoringDefaultRule Get(string name, Input<string> id, SecurityMonitoringDefaultRuleState? state, CustomResourceOptions? opts = null)

public static SecurityMonitoringDefaultRule get(String name, Output<String> id, SecurityMonitoringDefaultRuleState state, CustomResourceOptions options)

resources:  _:    type: datadog:SecurityMonitoringDefaultRule    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Cases List<SecurityMonitoringDefaultRuleCase>: Cases of the rule, this is used to update notifications.
CustomMessage string: Custom Message (will override default message) for generated signals.
CustomName string: The name (will override default name) of the rule.
CustomTags List<string>: Custom tags for generated signals.
Enabled bool: Enable the rule. Defaults to true.
Filters List<SecurityMonitoringDefaultRuleFilter>: Additional queries to filter matched events before they are processed.
Options SecurityMonitoringDefaultRuleOptions: Options on default rules. Note that only a subset of fields can be updated on default rule options.
Queries List<SecurityMonitoringDefaultRuleQuery>: Queries for selecting logs which are part of the rule.
Type string: The rule type.

Cases []SecurityMonitoringDefaultRuleCaseArgs: Cases of the rule, this is used to update notifications.
CustomMessage string: Custom Message (will override default message) for generated signals.
CustomName string: The name (will override default name) of the rule.
CustomTags []string: Custom tags for generated signals.
Enabled bool: Enable the rule. Defaults to true.
Filters []SecurityMonitoringDefaultRuleFilterArgs: Additional queries to filter matched events before they are processed.
Options SecurityMonitoringDefaultRuleOptionsArgs: Options on default rules. Note that only a subset of fields can be updated on default rule options.
Queries []SecurityMonitoringDefaultRuleQueryArgs: Queries for selecting logs which are part of the rule.
Type string: The rule type.

cases List<SecurityMonitoringDefaultRuleCase>: Cases of the rule, this is used to update notifications.
customMessage String: Custom Message (will override default message) for generated signals.
customName String: The name (will override default name) of the rule.
customTags List<String>: Custom tags for generated signals.
enabled Boolean: Enable the rule. Defaults to true.
filters List<SecurityMonitoringDefaultRuleFilter>: Additional queries to filter matched events before they are processed.
options SecurityMonitoringDefaultRuleOptions: Options on default rules. Note that only a subset of fields can be updated on default rule options.
queries List<SecurityMonitoringDefaultRuleQuery>: Queries for selecting logs which are part of the rule.
type String: The rule type.

cases SecurityMonitoringDefaultRuleCase[]: Cases of the rule, this is used to update notifications.
customMessage string: Custom Message (will override default message) for generated signals.
customName string: The name (will override default name) of the rule.
customTags string[]: Custom tags for generated signals.
enabled boolean: Enable the rule. Defaults to true.
filters SecurityMonitoringDefaultRuleFilter[]: Additional queries to filter matched events before they are processed.
options SecurityMonitoringDefaultRuleOptions: Options on default rules. Note that only a subset of fields can be updated on default rule options.
queries SecurityMonitoringDefaultRuleQuery[]: Queries for selecting logs which are part of the rule.
type string: The rule type.

cases Sequence[SecurityMonitoringDefaultRuleCaseArgs]: Cases of the rule, this is used to update notifications.
custom_message str: Custom Message (will override default message) for generated signals.
custom_name str: The name (will override default name) of the rule.
custom_tags Sequence[str]: Custom tags for generated signals.
enabled bool: Enable the rule. Defaults to true.
filters Sequence[SecurityMonitoringDefaultRuleFilterArgs]: Additional queries to filter matched events before they are processed.
options SecurityMonitoringDefaultRuleOptionsArgs: Options on default rules. Note that only a subset of fields can be updated on default rule options.
queries Sequence[SecurityMonitoringDefaultRuleQueryArgs]: Queries for selecting logs which are part of the rule.
type str: The rule type.

cases List<Property Map>: Cases of the rule, this is used to update notifications.
customMessage String: Custom Message (will override default message) for generated signals.
customName String: The name (will override default name) of the rule.
customTags List<String>: Custom tags for generated signals.
enabled Boolean: Enable the rule. Defaults to true.
filters List<Property Map>: Additional queries to filter matched events before they are processed.
options Property Map: Options on default rules. Note that only a subset of fields can be updated on default rule options.
queries List<Property Map>: Queries for selecting logs which are part of the rule.
type String: The rule type.

Supporting Types

SecurityMonitoringDefaultRuleCase, SecurityMonitoringDefaultRuleCaseArgs

Status string: Status of the rule case to match. Valid values are info, low, medium, high, critical.
CustomStatus string: Status of the rule case to override. Valid values are info, low, medium, high, critical.
Notifications List<string>: Notification targets for each rule case.

Status string: Status of the rule case to match. Valid values are info, low, medium, high, critical.
CustomStatus string: Status of the rule case to override. Valid values are info, low, medium, high, critical.
Notifications []string: Notification targets for each rule case.

status String: Status of the rule case to match. Valid values are info, low, medium, high, critical.
customStatus String: Status of the rule case to override. Valid values are info, low, medium, high, critical.
notifications List<String>: Notification targets for each rule case.

status string: Status of the rule case to match. Valid values are info, low, medium, high, critical.
customStatus string: Status of the rule case to override. Valid values are info, low, medium, high, critical.
notifications string[]: Notification targets for each rule case.

status str: Status of the rule case to match. Valid values are info, low, medium, high, critical.
custom_status str: Status of the rule case to override. Valid values are info, low, medium, high, critical.
notifications Sequence[str]: Notification targets for each rule case.

status String: Status of the rule case to match. Valid values are info, low, medium, high, critical.
customStatus String: Status of the rule case to override. Valid values are info, low, medium, high, critical.
notifications List<String>: Notification targets for each rule case.

SecurityMonitoringDefaultRuleFilter, SecurityMonitoringDefaultRuleFilterArgs

Action string: The type of filtering action. Allowed enum values: require, suppress Valid values are require, suppress.
Query string: Query for selecting logs to apply the filtering action.

Action string: The type of filtering action. Allowed enum values: require, suppress Valid values are require, suppress.
Query string: Query for selecting logs to apply the filtering action.

action String: The type of filtering action. Allowed enum values: require, suppress Valid values are require, suppress.
query String: Query for selecting logs to apply the filtering action.

action string: The type of filtering action. Allowed enum values: require, suppress Valid values are require, suppress.
query string: Query for selecting logs to apply the filtering action.

action str: The type of filtering action. Allowed enum values: require, suppress Valid values are require, suppress.
query str: Query for selecting logs to apply the filtering action.

action String: The type of filtering action. Allowed enum values: require, suppress Valid values are require, suppress.
query String: Query for selecting logs to apply the filtering action.

SecurityMonitoringDefaultRuleOptions, SecurityMonitoringDefaultRuleOptionsArgs

DecreaseCriticalityBasedOnEnv bool: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection. Defaults to false.

DecreaseCriticalityBasedOnEnv bool: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection. Defaults to false.

decreaseCriticalityBasedOnEnv Boolean: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection. Defaults to false.

decreaseCriticalityBasedOnEnv boolean: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection. Defaults to false.

decrease_criticality_based_on_env bool: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection. Defaults to false.

decreaseCriticalityBasedOnEnv Boolean: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection. Defaults to false.

SecurityMonitoringDefaultRuleQuery, SecurityMonitoringDefaultRuleQueryArgs

Query string: Query to run on logs.
AgentRules List<SecurityMonitoringDefaultRuleQueryAgentRule>: Deprecated. It won't be applied anymore. Deprecated. agent_rule has been deprecated in favor of new Agent Rule resource.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
Aggregation string: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "count".
CustomQueryExtension string: Query extension to append to the logs query.
DataSource string: Source of events. Valid values are logs, audit, app_sec_spans, spans, security_runtime, network, events. Defaults to "logs".
DistinctFields List<string>: Field for which the cardinality is measured. Sent as an array.
GroupByFields List<string>: Fields to group by.
Metric string: The target field to aggregate over when using the sum, max, or geo_data aggregations. Deprecated. Configure metrics instead. This attribute will be removed in the next major version of the provider.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
Metrics List<string>: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
Name string: Name of the query. Not compatible with new_value aggregations.

Query string: Query to run on logs.
AgentRules []SecurityMonitoringDefaultRuleQueryAgentRule: Deprecated. It won't be applied anymore. Deprecated. agent_rule has been deprecated in favor of new Agent Rule resource.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
Aggregation string: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "count".
CustomQueryExtension string: Query extension to append to the logs query.
DataSource string: Source of events. Valid values are logs, audit, app_sec_spans, spans, security_runtime, network, events. Defaults to "logs".
DistinctFields []string: Field for which the cardinality is measured. Sent as an array.
GroupByFields []string: Fields to group by.
Metric string: The target field to aggregate over when using the sum, max, or geo_data aggregations. Deprecated. Configure metrics instead. This attribute will be removed in the next major version of the provider.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
Metrics []string: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
Name string: Name of the query. Not compatible with new_value aggregations.

query String: Query to run on logs.
agentRules List<SecurityMonitoringDefaultRuleQueryAgentRule>: Deprecated. It won't be applied anymore. Deprecated. agent_rule has been deprecated in favor of new Agent Rule resource.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
aggregation String: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "count".
customQueryExtension String: Query extension to append to the logs query.
dataSource String: Source of events. Valid values are logs, audit, app_sec_spans, spans, security_runtime, network, events. Defaults to "logs".
distinctFields List<String>: Field for which the cardinality is measured. Sent as an array.
groupByFields List<String>: Fields to group by.
metric String: The target field to aggregate over when using the sum, max, or geo_data aggregations. Deprecated. Configure metrics instead. This attribute will be removed in the next major version of the provider.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
metrics List<String>: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
name String: Name of the query. Not compatible with new_value aggregations.

query string: Query to run on logs.
agentRules SecurityMonitoringDefaultRuleQueryAgentRule[]: Deprecated. It won't be applied anymore. Deprecated. agent_rule has been deprecated in favor of new Agent Rule resource.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
aggregation string: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "count".
customQueryExtension string: Query extension to append to the logs query.
dataSource string: Source of events. Valid values are logs, audit, app_sec_spans, spans, security_runtime, network, events. Defaults to "logs".
distinctFields string[]: Field for which the cardinality is measured. Sent as an array.
groupByFields string[]: Fields to group by.
metric string: The target field to aggregate over when using the sum, max, or geo_data aggregations. Deprecated. Configure metrics instead. This attribute will be removed in the next major version of the provider.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
metrics string[]: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
name string: Name of the query. Not compatible with new_value aggregations.

query str: Query to run on logs.
agent_rules Sequence[SecurityMonitoringDefaultRuleQueryAgentRule]: Deprecated. It won't be applied anymore. Deprecated. agent_rule has been deprecated in favor of new Agent Rule resource.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
aggregation str: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "count".
custom_query_extension str: Query extension to append to the logs query.
data_source str: Source of events. Valid values are logs, audit, app_sec_spans, spans, security_runtime, network, events. Defaults to "logs".
distinct_fields Sequence[str]: Field for which the cardinality is measured. Sent as an array.
group_by_fields Sequence[str]: Fields to group by.
metric str: The target field to aggregate over when using the sum, max, or geo_data aggregations. Deprecated. Configure metrics instead. This attribute will be removed in the next major version of the provider.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
metrics Sequence[str]: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
name str: Name of the query. Not compatible with new_value aggregations.

query String: Query to run on logs.
agentRules List<Property Map>: Deprecated. It won't be applied anymore. Deprecated. agent_rule has been deprecated in favor of new Agent Rule resource.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
aggregation String: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "count".
customQueryExtension String: Query extension to append to the logs query.
dataSource String: Source of events. Valid values are logs, audit, app_sec_spans, spans, security_runtime, network, events. Defaults to "logs".
distinctFields List<String>: Field for which the cardinality is measured. Sent as an array.
groupByFields List<String>: Fields to group by.
metric String: The target field to aggregate over when using the sum, max, or geo_data aggregations. Deprecated. Configure metrics instead. This attribute will be removed in the next major version of the provider.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
metrics List<String>: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
name String: Name of the query. Not compatible with new_value aggregations.

SecurityMonitoringDefaultRuleQueryAgentRule, SecurityMonitoringDefaultRuleQueryAgentRuleArgs

AgentRuleId string: Deprecated. It won't be applied anymore.
Expression string: Deprecated. It won't be applied anymore.

AgentRuleId string: Deprecated. It won't be applied anymore.
Expression string: Deprecated. It won't be applied anymore.

agentRuleId String: Deprecated. It won't be applied anymore.
expression String: Deprecated. It won't be applied anymore.

agentRuleId string: Deprecated. It won't be applied anymore.
expression string: Deprecated. It won't be applied anymore.

agent_rule_id str: Deprecated. It won't be applied anymore.
expression str: Deprecated. It won't be applied anymore.

agentRuleId String: Deprecated. It won't be applied anymore.
expression String: Deprecated. It won't be applied anymore.

Import

The pulumi import command can be used, for example:

Default rules need to be imported using their ID before applying.

resource “datadog_security_monitoring_default_rule” “adefaultrule” {

}

$ pulumi import datadog:index/securityMonitoringDefaultRule:SecurityMonitoringDefaultRule adefaultrule m0o-hto-lkb

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Datadog pulumi/pulumi-datadog
License: Apache-2.0
Notes: This Pulumi package is based on the datadog Terraform Provider.

Datadog v4.52.0 published on Monday, Jul 14, 2025 by Pulumi

pulumi/pulumi-datadog

datadog.SecurityMonitoringDefaultRule

On this page

On this page

Example Usage

Create SecurityMonitoringDefaultRule Resource

Constructor syntax

Parameters

Constructor example

SecurityMonitoringDefaultRule Resource Properties

Inputs

Outputs

Look up Existing SecurityMonitoringDefaultRule Resource

Supporting Types

SecurityMonitoringDefaultRuleCase, SecurityMonitoringDefaultRuleCaseArgs

SecurityMonitoringDefaultRuleFilter, SecurityMonitoringDefaultRuleFilterArgs

SecurityMonitoringDefaultRuleOptions, SecurityMonitoringDefaultRuleOptionsArgs

SecurityMonitoringDefaultRuleQuery, SecurityMonitoringDefaultRuleQueryArgs

SecurityMonitoringDefaultRuleQueryAgentRule, SecurityMonitoringDefaultRuleQueryAgentRuleArgs

Import

Package Details

On this page

On this page