datadog.SecurityMonitoringRule
Provides a Datadog Security Monitoring Rule API resource. This can be used to create and manage custom Datadog security monitoring rules. To change settings for a default (Datadog-provided) rule, use datadog_security_default_rule instead. Note that a rule created with `enabled: true` starts generating signals — and notifying the handles listed in its cases — as soon as the stack is applied, so treat changes to `cases`, `notifications` and `queries` as security-relevant and review them like any other detection change.
Example Usage
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Datadog = Pulumi.Datadog;
return await Deployment.RunAsync(() =>
{
    // Custom detection rule: raises a "high" signal when, inside the same sliding
    // evaluation window, the "errors" count exceeds 3 AND the "warnings" count
    // exceeds 10. `Type` is not set here and this page does not state the default;
    // set it explicitly (log_detection, workload_security, signal_correlation)
    // if you need to pin it.
    var myrule = new Datadog.SecurityMonitoringRule("myrule", new()
    {
        Cases = new[]
        {
            new Datadog.Inputs.SecurityMonitoringRuleCaseArgs
            {
                // Refers to the query `Name`s declared below; >, >=, &&, || are allowed.
                Condition = "errors > 3 && warnings > 10",
                // Placeholder handle. Every handle listed here receives the signals
                // this case raises — replace it and keep the list under review.
                Notifications = new[]
                {
                    "@user",
                },
                // Signal severity: info, low, medium, high or critical.
                Status = "high",
            },
        },
        // The rule is live as soon as the stack is applied.
        Enabled = true,
        // Message attached to every generated signal.
        Message = "The rule has triggered.",
        Name = "My rule",
        Options = new Datadog.Inputs.SecurityMonitoringRuleOptionsArgs
        {
            // Sliding window (seconds) in which the case condition must hold.
            EvaluationWindow = 300,
            // A signal stays open while the case re-matches within this many seconds.
            KeepAlive = 600,
            // Hard close this many seconds after first seen, matched or not.
            MaxSignalDuration = 900,
        },
        // Each query yields a count grouped by `host`; the case condition refers
        // to the count by the query's `Name`.
        Queries = new[]
        {
            new Datadog.Inputs.SecurityMonitoringRuleQueryArgs
            {
                Aggregation = "count",
                GroupByFields = new[]
                {
                    "host",
                },
                Name = "errors",
                Query = "status:error",
            },
            new Datadog.Inputs.SecurityMonitoringRuleQueryArgs
            {
                Aggregation = "count",
                GroupByFields = new[]
                {
                    "host",
                },
                Name = "warnings",
                Query = "status:warning",
            },
        },
        // Tags are attached to the generated signals.
        Tags = new[]
        {
            "type:dos",
        },
    });
});
package main
import (
"github.com/pulumi/pulumi-datadog/sdk/v4/go/datadog"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Custom detection rule: raises a "high" signal when, inside the same
		// sliding evaluation window, the "errors" count exceeds 3 AND the
		// "warnings" count exceeds 10. Type is not set here and this page does
		// not state the default; set it explicitly if you need to pin it.
		_, err := datadog.NewSecurityMonitoringRule(ctx, "myrule", &datadog.SecurityMonitoringRuleArgs{
			Cases: datadog.SecurityMonitoringRuleCaseArray{
				&datadog.SecurityMonitoringRuleCaseArgs{
					// Refers to the query Names declared below; >, >=, &&, || are allowed.
					Condition: pulumi.String("errors > 3 && warnings > 10"),
					// Placeholder handle. Every handle listed here receives the
					// signals this case raises — replace it and keep it under review.
					Notifications: pulumi.StringArray{
						pulumi.String("@user"),
					},
					// Signal severity: info, low, medium, high or critical.
					Status: pulumi.String("high"),
				},
			},
			// The rule is live as soon as the stack is applied.
			Enabled: pulumi.Bool(true),
			// Message attached to every generated signal.
			Message: pulumi.String("The rule has triggered."),
			Name:    pulumi.String("My rule"),
			Options: &datadog.SecurityMonitoringRuleOptionsArgs{
				// Sliding window (seconds) in which the case condition must hold.
				EvaluationWindow: pulumi.Int(300),
				// A signal stays open while the case re-matches within this many seconds.
				KeepAlive: pulumi.Int(600),
				// Hard close this many seconds after first seen, matched or not.
				MaxSignalDuration: pulumi.Int(900),
			},
			// Each query yields a count grouped by host; the case condition
			// refers to the count by the query's Name.
			Queries: datadog.SecurityMonitoringRuleQueryArray{
				&datadog.SecurityMonitoringRuleQueryArgs{
					Aggregation: pulumi.String("count"),
					GroupByFields: pulumi.StringArray{
						pulumi.String("host"),
					},
					Name:  pulumi.String("errors"),
					Query: pulumi.String("status:error"),
				},
				&datadog.SecurityMonitoringRuleQueryArgs{
					Aggregation: pulumi.String("count"),
					GroupByFields: pulumi.StringArray{
						pulumi.String("host"),
					},
					Name:  pulumi.String("warnings"),
					Query: pulumi.String("status:warning"),
				},
			},
			// Tags are attached to the generated signals.
			Tags: pulumi.StringArray{
				pulumi.String("type:dos"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.datadog.SecurityMonitoringRule;
import com.pulumi.datadog.SecurityMonitoringRuleArgs;
import com.pulumi.datadog.inputs.SecurityMonitoringRuleCaseArgs;
import com.pulumi.datadog.inputs.SecurityMonitoringRuleOptionsArgs;
import com.pulumi.datadog.inputs.SecurityMonitoringRuleQueryArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares one custom detection rule. It raises a "high" signal when, inside
     * the same sliding evaluation window, the "errors" count exceeds 3 AND the
     * "warnings" count exceeds 10. {@code type} is not set here and this page does
     * not state the default; set it explicitly if you need to pin it.
     */
    public static void stack(Context ctx) {
        var myrule = new SecurityMonitoringRule("myrule", SecurityMonitoringRuleArgs.builder()
            .cases(SecurityMonitoringRuleCaseArgs.builder()
                // Refers to the query names declared below; >, >=, &&, || are allowed.
                .condition("errors > 3 && warnings > 10")
                // Placeholder handle: every handle listed here receives the signals
                // this case raises. Replace it and keep the list under review.
                .notifications("@user")
                // Signal severity: info, low, medium, high or critical.
                .status("high")
                .build())
            // The rule is live as soon as the stack is applied.
            .enabled(true)
            // Message attached to every generated signal.
            .message("The rule has triggered.")
            .name("My rule")
            .options(SecurityMonitoringRuleOptionsArgs.builder()
                // Sliding window (seconds) in which the case condition must hold.
                .evaluationWindow(300)
                // A signal stays open while the case re-matches within this many seconds.
                .keepAlive(600)
                // Hard close this many seconds after first seen, matched or not.
                .maxSignalDuration(900)
                .build())
            // Each query yields a count grouped by host; the case condition
            // refers to the count by the query's name.
            .queries(
                SecurityMonitoringRuleQueryArgs.builder()
                    .aggregation("count")
                    .groupByFields("host")
                    .name("errors")
                    .query("status:error")
                    .build(),
                SecurityMonitoringRuleQueryArgs.builder()
                    .aggregation("count")
                    .groupByFields("host")
                    .name("warnings")
                    .query("status:warning")
                    .build())
            // Tags are attached to the generated signals.
            .tags("type:dos")
            .build());
    }
}
import pulumi
import pulumi_datadog as datadog
def _count_query(query_name: str, log_filter: str) -> datadog.SecurityMonitoringRuleQueryArgs:
    """Count query grouped by host; the case condition refers to it by ``query_name``."""
    return datadog.SecurityMonitoringRuleQueryArgs(
        aggregation="count",
        group_by_fields=["host"],
        name=query_name,
        query=log_filter,
    )


# Custom detection rule: raises a "high" signal when, inside the same sliding
# evaluation window, the "errors" count exceeds 3 AND the "warnings" count
# exceeds 10. "@user" is a placeholder notification handle — every handle listed
# receives the signals this case raises, so replace it and keep it under review.
# The rule is live as soon as the stack is applied (enabled=True). ``type`` is
# not set and this page does not state the default; set it explicitly to pin it.
myrule = datadog.SecurityMonitoringRule(
    "myrule",
    cases=[
        datadog.SecurityMonitoringRuleCaseArgs(
            condition="errors > 3 && warnings > 10",
            notifications=["@user"],
            status="high",  # info | low | medium | high | critical
        )
    ],
    enabled=True,
    message="The rule has triggered.",  # attached to every generated signal
    name="My rule",
    options=datadog.SecurityMonitoringRuleOptionsArgs(
        evaluation_window=300,  # sliding window (seconds) the condition must hold in
        keep_alive=600,  # signal stays open while the case re-matches within this
        max_signal_duration=900,  # hard close this long after first seen
    ),
    queries=[
        _count_query("errors", "status:error"),
        _count_query("warnings", "status:warning"),
    ],
    tags=["type:dos"],  # attached to the generated signals
)
import * as pulumi from "@pulumi/pulumi";
import * as datadog from "@pulumi/datadog";
// Count query grouped by host; the case condition refers to it by `name`.
const countQuery = (name: string, query: string) => ({
    aggregation: "count",
    groupByFields: ["host"],
    name,
    query,
});

// Custom detection rule: raises a "high" signal when, inside the same sliding
// evaluation window, the "errors" count exceeds 3 AND the "warnings" count
// exceeds 10. "@user" is a placeholder notification handle — every handle listed
// receives the signals this case raises, so replace it and keep it under review.
// The rule is live as soon as the stack is applied (enabled: true). `type` is
// not set and this page does not state the default; set it explicitly to pin it.
const myrule = new datadog.SecurityMonitoringRule("myrule", {
    cases: [
        {
            condition: "errors > 3 && warnings > 10",
            notifications: ["@user"],
            status: "high", // info | low | medium | high | critical
        },
    ],
    enabled: true,
    message: "The rule has triggered.", // attached to every generated signal
    name: "My rule",
    options: {
        evaluationWindow: 300, // sliding window (seconds) the condition must hold in
        keepAlive: 600, // signal stays open while the case re-matches within this
        maxSignalDuration: 900, // hard close this long after first seen
    },
    queries: [
        countQuery("errors", "status:error"),
        countQuery("warnings", "status:warning"),
    ],
    tags: ["type:dos"], // attached to the generated signals
});
resources:
  # Custom detection rule: raises a "high" signal when, inside the same sliding
  # evaluation window, the "errors" count exceeds 3 AND the "warnings" count
  # exceeds 10. `type` is not set and this page does not state the default; set
  # it explicitly (log_detection, workload_security, signal_correlation) to pin it.
  myrule:
    type: datadog:SecurityMonitoringRule
    properties:
      cases:
        # Refers to the query names declared below; >, >=, &&, || are allowed.
        - condition: errors > 3 && warnings > 10
          # Placeholder handle: every handle listed here receives the signals
          # this case raises. Replace it and keep the list under review.
          notifications:
            - '@user'
          # Signal severity: info, low, medium, high or critical.
          status: high
      # The rule is live as soon as the stack is applied.
      enabled: true
      # Message attached to every generated signal.
      message: The rule has triggered.
      name: My rule
      options:
        # Sliding window (seconds) in which the case condition must hold.
        evaluationWindow: 300
        # A signal stays open while the case re-matches within this many seconds.
        keepAlive: 600
        # Hard close this many seconds after first seen, matched or not.
        maxSignalDuration: 900
      # Each query yields a count grouped by host; the case condition refers
      # to the count by the query's name.
      queries:
        - aggregation: count
          groupByFields:
            - host
          name: errors
          query: status:error
        - aggregation: count
          groupByFields:
            - host
          name: warnings
          query: status:warning
      # Tags are attached to the generated signals.
      tags:
        - type:dos
Create SecurityMonitoringRule Resource
new SecurityMonitoringRule(name: string, args: SecurityMonitoringRuleArgs, opts?: CustomResourceOptions);
@overload
def SecurityMonitoringRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
cases: Optional[Sequence[SecurityMonitoringRuleCaseArgs]] = None,
enabled: Optional[bool] = None,
filters: Optional[Sequence[SecurityMonitoringRuleFilterArgs]] = None,
has_extended_title: Optional[bool] = None,
message: Optional[str] = None,
name: Optional[str] = None,
options: Optional[SecurityMonitoringRuleOptionsArgs] = None,
queries: Optional[Sequence[SecurityMonitoringRuleQueryArgs]] = None,
signal_queries: Optional[Sequence[SecurityMonitoringRuleSignalQueryArgs]] = None,
tags: Optional[Sequence[str]] = None,
type: Optional[str] = None)
@overload
def SecurityMonitoringRule(resource_name: str,
args: SecurityMonitoringRuleArgs,
opts: Optional[ResourceOptions] = None)
func NewSecurityMonitoringRule(ctx *Context, name string, args SecurityMonitoringRuleArgs, opts ...ResourceOption) (*SecurityMonitoringRule, error)
public SecurityMonitoringRule(string name, SecurityMonitoringRuleArgs args, CustomResourceOptions? opts = null)
public SecurityMonitoringRule(String name, SecurityMonitoringRuleArgs args)
public SecurityMonitoringRule(String name, SecurityMonitoringRuleArgs args, CustomResourceOptions options)
type: datadog:SecurityMonitoringRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecurityMonitoringRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecurityMonitoringRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecurityMonitoringRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecurityMonitoringRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecurityMonitoringRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
SecurityMonitoringRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The SecurityMonitoringRule resource accepts the following input properties:
- Cases List<SecurityMonitoringRuleCase>
Cases for generating signals.
- Message string
Message for generated signals.
- Name string
The name of the rule.
- Enabled bool
Whether the rule is enabled.
- Filters List<SecurityMonitoringRuleFilter>
Additional queries to filter matched events before they are processed.
- HasExtendedTitle bool
Whether the notifications include the triggering group-by values in their title.
- Options SecurityMonitoringRuleOptions
Options on rules.
- Queries List<SecurityMonitoringRuleQuery>
Queries for selecting logs which are part of the rule.
- SignalQueries List<SecurityMonitoringRuleSignalQuery>
Queries for selecting logs which are part of the rule.
- Tags List<string>
Tags for generated signals.
- Type string
The rule type. Valid values are log_detection, workload_security, signal_correlation.
- Cases
[]Security
Monitoring Rule Case Args Cases for generating signals.
- Message string
Message for generated signals.
- Name string
The name of the rule.
- Enabled bool
Whether the rule is enabled.
- Filters
[]Security
Monitoring Rule Filter Args Additional queries to filter matched events before they are processed.
- HasExtendedTitle bool
Whether the notifications include the triggering group-by values in their title.
- Options
Security
Monitoring Rule Options Args Options on rules.
- Queries
[]Security
Monitoring Rule Query Args Queries for selecting logs which are part of the rule.
- Signal
Queries []SecurityMonitoring Rule Signal Query Args Queries for selecting logs which are part of the rule.
- Tags []string
Tags for generated signals.
- Type string
The rule type. Valid values are
log_detection
,workload_security
,signal_correlation
.
- cases
List<Security
Monitoring Rule Case> Cases for generating signals.
- message String
Message for generated signals.
- name String
The name of the rule.
- enabled Boolean
Whether the rule is enabled.
- filters
List<Security
Monitoring Rule Filter> Additional queries to filter matched events before they are processed.
- has
Extended BooleanTitle Whether the notifications include the triggering group-by values in their title.
- options
Security
Monitoring Rule Options Options on rules.
- queries
List<Security
Monitoring Rule Query> Queries for selecting logs which are part of the rule.
- signal
Queries List<SecurityMonitoring Rule Signal Query> Queries for selecting logs which are part of the rule.
- List<String>
Tags for generated signals.
- type String
The rule type. Valid values are
log_detection
,workload_security
,signal_correlation
.
- cases
Security
Monitoring Rule Case[] Cases for generating signals.
- message string
Message for generated signals.
- name string
The name of the rule.
- enabled boolean
Whether the rule is enabled.
- filters
Security
Monitoring Rule Filter[] Additional queries to filter matched events before they are processed.
- has
Extended booleanTitle Whether the notifications include the triggering group-by values in their title.
- options
Security
Monitoring Rule Options Options on rules.
- queries
Security
Monitoring Rule Query[] Queries for selecting logs which are part of the rule.
- signal
Queries SecurityMonitoring Rule Signal Query[] Queries for selecting logs which are part of the rule.
- string[]
Tags for generated signals.
- type string
The rule type. Valid values are
log_detection
,workload_security
,signal_correlation
.
- cases
Sequence[Security
Monitoring Rule Case Args] Cases for generating signals.
- message str
Message for generated signals.
- name str
The name of the rule.
- enabled bool
Whether the rule is enabled.
- filters
Sequence[Security
Monitoring Rule Filter Args] Additional queries to filter matched events before they are processed.
- has_extended_title bool
Whether the notifications include the triggering group-by values in their title.
- options
Security
Monitoring Rule Options Args Options on rules.
- queries
Sequence[Security
Monitoring Rule Query Args] Queries for selecting logs which are part of the rule.
- signal_
queries Sequence[SecurityMonitoring Rule Signal Query Args] Queries for selecting logs which are part of the rule.
- tags Sequence[str]
Tags for generated signals.
- type str
The rule type. Valid values are
log_detection
,workload_security
,signal_correlation
.
- cases List<Property Map>
Cases for generating signals.
- message String
Message for generated signals.
- name String
The name of the rule.
- enabled Boolean
Whether the rule is enabled.
- filters List<Property Map>
Additional queries to filter matched events before they are processed.
- has
Extended BooleanTitle Whether the notifications include the triggering group-by values in their title.
- options Property Map
Options on rules.
- queries List<Property Map>
Queries for selecting logs which are part of the rule.
- signal
Queries List<Property Map> Queries for selecting logs which are part of the rule.
- List<String>
Tags for generated signals.
- type String
The rule type. Valid values are
log_detection
,workload_security
,signal_correlation
.
Outputs
All input properties are implicitly available as output properties. Additionally, the SecurityMonitoringRule resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Id string
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
- id string
The provider-assigned unique ID for this managed resource.
- id str
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
Look up Existing SecurityMonitoringRule Resource
Get an existing SecurityMonitoringRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecurityMonitoringRuleState, opts?: CustomResourceOptions): SecurityMonitoringRule
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
cases: Optional[Sequence[SecurityMonitoringRuleCaseArgs]] = None,
enabled: Optional[bool] = None,
filters: Optional[Sequence[SecurityMonitoringRuleFilterArgs]] = None,
has_extended_title: Optional[bool] = None,
message: Optional[str] = None,
name: Optional[str] = None,
options: Optional[SecurityMonitoringRuleOptionsArgs] = None,
queries: Optional[Sequence[SecurityMonitoringRuleQueryArgs]] = None,
signal_queries: Optional[Sequence[SecurityMonitoringRuleSignalQueryArgs]] = None,
tags: Optional[Sequence[str]] = None,
type: Optional[str] = None) -> SecurityMonitoringRule
func GetSecurityMonitoringRule(ctx *Context, name string, id IDInput, state *SecurityMonitoringRuleState, opts ...ResourceOption) (*SecurityMonitoringRule, error)
public static SecurityMonitoringRule Get(string name, Input<string> id, SecurityMonitoringRuleState? state, CustomResourceOptions? opts = null)
public static SecurityMonitoringRule get(String name, Output<String> id, SecurityMonitoringRuleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Cases
List<Security
Monitoring Rule Case> Cases for generating signals.
- Enabled bool
Whether the rule is enabled.
- Filters
List<Security
Monitoring Rule Filter> Additional queries to filter matched events before they are processed.
- Has
Extended boolTitle Whether the notifications include the triggering group-by values in their title.
- Message string
Message for generated signals.
- Name string
The name of the rule.
- Options
Security
Monitoring Rule Options Options on rules.
- Queries
List<Security
Monitoring Rule Query> Queries for selecting logs which are part of the rule.
- Signal
Queries List<SecurityMonitoring Rule Signal Query> Queries for selecting logs which are part of the rule.
- List<string>
Tags for generated signals.
- Type string
The rule type. Valid values are
log_detection
,workload_security
,signal_correlation
.
- Cases
[]Security
Monitoring Rule Case Args Cases for generating signals.
- Enabled bool
Whether the rule is enabled.
- Filters
[]Security
Monitoring Rule Filter Args Additional queries to filter matched events before they are processed.
- Has
Extended boolTitle Whether the notifications include the triggering group-by values in their title.
- Message string
Message for generated signals.
- Name string
The name of the rule.
- Options
Security
Monitoring Rule Options Args Options on rules.
- Queries
[]Security
Monitoring Rule Query Args Queries for selecting logs which are part of the rule.
- Signal
Queries []SecurityMonitoring Rule Signal Query Args Queries for selecting logs which are part of the rule.
- []string
Tags for generated signals.
- Type string
The rule type. Valid values are
log_detection
,workload_security
,signal_correlation
.
- cases
List<Security
Monitoring Rule Case> Cases for generating signals.
- enabled Boolean
Whether the rule is enabled.
- filters
List<Security
Monitoring Rule Filter> Additional queries to filter matched events before they are processed.
- has
Extended BooleanTitle Whether the notifications include the triggering group-by values in their title.
- message String
Message for generated signals.
- name String
The name of the rule.
- options
Security
Monitoring Rule Options Options on rules.
- queries
List<Security
Monitoring Rule Query> Queries for selecting logs which are part of the rule.
- signal
Queries List<SecurityMonitoring Rule Signal Query> Queries for selecting logs which are part of the rule.
- List<String>
Tags for generated signals.
- type String
The rule type. Valid values are
log_detection
,workload_security
,signal_correlation
.
- cases
Security
Monitoring Rule Case[] Cases for generating signals.
- enabled boolean
Whether the rule is enabled.
- filters
Security
Monitoring Rule Filter[] Additional queries to filter matched events before they are processed.
- has
Extended booleanTitle Whether the notifications include the triggering group-by values in their title.
- message string
Message for generated signals.
- name string
The name of the rule.
- options
Security
Monitoring Rule Options Options on rules.
- queries
Security
Monitoring Rule Query[] Queries for selecting logs which are part of the rule.
- signal
Queries SecurityMonitoring Rule Signal Query[] Queries for selecting logs which are part of the rule.
- string[]
Tags for generated signals.
- type string
The rule type. Valid values are
log_detection
,workload_security
,signal_correlation
.
- cases
Sequence[Security
Monitoring Rule Case Args] Cases for generating signals.
- enabled bool
Whether the rule is enabled.
- filters
Sequence[Security
Monitoring Rule Filter Args] Additional queries to filter matched events before they are processed.
- has_
extended_ booltitle Whether the notifications include the triggering group-by values in their title.
- message str
Message for generated signals.
- name str
The name of the rule.
- options
Security
Monitoring Rule Options Args Options on rules.
- queries
Sequence[Security
Monitoring Rule Query Args] Queries for selecting logs which are part of the rule.
- signal_
queries Sequence[SecurityMonitoring Rule Signal Query Args] Queries for selecting logs which are part of the rule.
- Sequence[str]
Tags for generated signals.
- type str
The rule type. Valid values are
log_detection
,workload_security
,signal_correlation
.
- cases List<Property Map>
Cases for generating signals.
- enabled Boolean
Whether the rule is enabled.
- filters List<Property Map>
Additional queries to filter matched events before they are processed.
- has
Extended BooleanTitle Whether the notifications include the triggering group-by values in their title.
- message String
Message for generated signals.
- name String
The name of the rule.
- options Property Map
Options on rules.
- queries List<Property Map>
Queries for selecting logs which are part of the rule.
- signal
Queries List<Property Map> Queries for selecting logs which are part of the rule.
- List<String>
Tags for generated signals.
- type String
The rule type. Valid values are
log_detection
,workload_security
,signal_correlation
.
Supporting Types
SecurityMonitoringRuleCase, SecurityMonitoringRuleCaseArgs
- Status string
Severity of the Security Signal. Valid values are info, low, medium, high, critical.
- Condition string
A rule case contains logical operations (>, >=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries. Each query's count is referenced by the query's name (for example errors > 3 && warnings > 10).
- Name string
Name of the case.
- Notifications List<string>
Notification targets for each rule case. Every handle listed here receives the signals this case generates, so review changes to this list as carefully as changes to the condition itself.
- Status string
Severity of the Security Signal. Valid values are
info
,low
,medium
,high
,critical
.- Condition string
A rule case contains logical operations (
>
,>=
,&&
,||
) to determine if a signal should be generated based on the event counts in the previously defined queries.- Name string
Name of the case.
- Notifications []string
Notification targets for each rule case.
- status String
Severity of the Security Signal. Valid values are
info
,low
,medium
,high
,critical
.- condition String
A rule case contains logical operations (
>
,>=
,&&
,||
) to determine if a signal should be generated based on the event counts in the previously defined queries.- name String
Name of the case.
- notifications List<String>
Notification targets for each rule case.
- status string
Severity of the Security Signal. Valid values are
info
,low
,medium
,high
,critical
.- condition string
A rule case contains logical operations (
>
,>=
,&&
,||
) to determine if a signal should be generated based on the event counts in the previously defined queries.- name string
Name of the case.
- notifications string[]
Notification targets for each rule case.
- status str
Severity of the Security Signal. Valid values are
info
,low
,medium
,high
,critical
.- condition str
A rule case contains logical operations (
>
,>=
,&&
,||
) to determine if a signal should be generated based on the event counts in the previously defined queries.- name str
Name of the case.
- notifications Sequence[str]
Notification targets for each rule case.
- status String
Severity of the Security Signal. Valid values are
info
,low
,medium
,high
,critical
.- condition String
A rule case contains logical operations (
>
,>=
,&&
,||
) to determine if a signal should be generated based on the event counts in the previously defined queries.- name String
Name of the case.
- notifications List<String>
Notification targets for each rule case.
SecurityMonitoringRuleFilter, SecurityMonitoringRuleFilterArgs
SecurityMonitoringRuleOptions, SecurityMonitoringRuleOptionsArgs
- KeepAlive int
Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window (in seconds). Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600.
- MaxSignalDuration int
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600, 43200, 86400.
- DecreaseCriticalityBasedOnEnv bool
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection. Because the downgrade is decided by the env tag prefix alone, a production workload carrying a mis-set env tag is downgraded too; enable this only where env tagging is trustworthy.
- DetectionMethod string
The detection method. Valid values are threshold, new_value, anomaly_detection, impossible_travel, hardcoded, third_party.
- EvaluationWindow int
A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200.
- ImpossibleTravelOptions SecurityMonitoringRuleOptionsImpossibleTravelOptions
Options for rules using the impossible travel detection method.
- NewValueOptions SecurityMonitoringRuleOptionsNewValueOptions
New value rules specific options.
- Keep
Alive int Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are
0
,60
,300
,600
,900
,1800
,3600
,7200
,10800
,21600
.- Max
Signal intDuration A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are
0
,60
,300
,600
,900
,1800
,3600
,7200
,10800
,21600
,43200
,86400
.- Decrease
Criticality boolBased On Env If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with
staging
,test
, ordev
. Only available when the rule type islog_detection
.- Detection
Method string The detection method. Valid values are
threshold
,new_value
,anomaly_detection
,impossible_travel
,hardcoded
,third_party
.- Evaluation
Window int A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are
0
,60
,300
,600
,900
,1800
,3600
,7200
.- Impossible
Travel SecurityOptions Monitoring Rule Options Impossible Travel Options Options for rules using the impossible travel detection method.
- New
Value SecurityOptions Monitoring Rule Options New Value Options New value rules specific options.
- keep
Alive Integer Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are
0
,60
,300
,600
,900
,1800
,3600
,7200
,10800
,21600
.- max
Signal IntegerDuration A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are
0
,60
,300
,600
,900
,1800
,3600
,7200
,10800
,21600
,43200
,86400
.- decrease
Criticality BooleanBased On Env If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with
staging
,test
, ordev
. Only available when the rule type islog_detection
.- detection
Method String The detection method. Valid values are
threshold
,new_value
,anomaly_detection
,impossible_travel
,hardcoded
,third_party
.- evaluation
Window Integer A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are
0
,60
,300
,600
,900
,1800
,3600
,7200
.- impossible
Travel SecurityOptions Monitoring Rule Options Impossible Travel Options Options for rules using the impossible travel detection method.
- new
Value SecurityOptions Monitoring Rule Options New Value Options New value rules specific options.
- keep
Alive number Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are
0
,60
,300
,600
,900
,1800
,3600
,7200
,10800
,21600
.- max
Signal numberDuration A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are
0
,60
,300
,600
,900
,1800
,3600
,7200
,10800
,21600
,43200
,86400
.- decrease
Criticality booleanBased On Env If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with
staging
,test
, ordev
. Only available when the rule type islog_detection
.- detection
Method string The detection method. Valid values are
threshold
,new_value
,anomaly_detection
,impossible_travel
,hardcoded
,third_party
.- evaluation
Window number A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are
0
,60
,300
,600
,900
,1800
,3600
,7200
.- impossible
Travel SecurityOptions Monitoring Rule Options Impossible Travel Options Options for rules using the impossible travel detection method.
- new
Value SecurityOptions Monitoring Rule Options New Value Options New value rules specific options.
- keep_
alive int Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are
0
,60
,300
,600
,900
,1800
,3600
,7200
,10800
,21600
.- max_
signal_ intduration A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are
0
,60
,300
,600
,900
,1800
,3600
,7200
,10800
,21600
,43200
,86400
.
- decrease_criticality_based_on_env bool
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection. Because the downgrade is decided by the env tag prefix alone, a production workload carrying a mis-set env tag is downgraded too; enable this only where env tagging is trustworthy.
.- detection_
method str The detection method. Valid values are
threshold
,new_value
,anomaly_detection
,impossible_travel
,hardcoded
,third_party
.- evaluation_
window int A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are
0
,60
,300
,600
,900
,1800
,3600
,7200
.- impossible_
travel_ Securityoptions Monitoring Rule Options Impossible Travel Options Options for rules using the impossible travel detection method.
- new_
value_ Securityoptions Monitoring Rule Options New Value Options New value rules specific options.
- keepAlive Number — Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are `0`, `60`, `300`, `600`, `900`, `1800`, `3600`, `7200`, `10800`, `21600`.
- maxSignalDuration Number — A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are `0`, `60`, `300`, `600`, `900`, `1800`, `3600`, `7200`, `10800`, `21600`, `43200`, `86400`.
- decreaseCriticalityBasedOnEnv Boolean — If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with `staging`, `test`, or `dev`. Because this is a prefix match on the tag value, make sure production resources are not tagged with an environment name that begins with one of these prefixes, or their signals will be downgraded as well. Only available when the rule type is `log_detection`.
- detectionMethod String — The detection method. Valid values are `threshold`, `new_value`, `anomaly_detection`, `impossible_travel`, `hardcoded`, `third_party`.
- evaluationWindow Number — A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are `0`, `60`, `300`, `600`, `900`, `1800`, `3600`, `7200`.
- impossibleTravelOptions Property Map — Options for rules using the impossible travel detection method.
- newValueOptions Property Map — New value rules specific options.
SecurityMonitoringRuleOptionsImpossibleTravelOptions, SecurityMonitoringRuleOptionsImpossibleTravelOptionsArgs
- baselineUserLocations Boolean
- baselineUserLocations boolean
- baselineUserLocations Boolean
SecurityMonitoringRuleOptionsNewValueOptions, SecurityMonitoringRuleOptionsNewValueOptionsArgs
- ForgetAfter int
- LearningDuration int
- LearningMethod string
- LearningThreshold int
- ForgetAfter int
- LearningDuration int
- LearningMethod string
- LearningThreshold int
- forgetAfter Integer
- learningDuration Integer
- learningMethod String
- learningThreshold Integer
- forgetAfter number
- learningDuration number
- learningMethod string
- learningThreshold number
- forget_after int
- learning_duration int
- learning_method str
- learning_threshold int
- forgetAfter Number
- learningDuration Number
- learningMethod String
- learningThreshold Number
SecurityMonitoringRuleQuery, SecurityMonitoringRuleQueryArgs
- Query string — Query to run on logs.
- AgentRules List&lt;SecurityMonitoringRuleQueryAgentRule&gt; — Deprecated. It won't be applied anymore. `agent_rule` has been deprecated in favor of the new Agent Rule resource.
- Aggregation string — The aggregation type. For Signal Correlation rules, it must be `event_count`. Valid values are `count`, `cardinality`, `sum`, `max`, `new_value`, `geo_data`, `event_count`, `none`.
- DistinctFields List&lt;string&gt; — Field for which the cardinality is measured. Sent as an array.
- GroupByFields List&lt;string&gt; — Fields to group by.
- Metric string — The target field to aggregate over when using the `sum`, `max`, or `geo_data` aggregations. Deprecated. Configure `metrics` instead. This attribute will be removed in the next major version of the provider.
- Metrics List&lt;string&gt; — Group of target fields to aggregate over when using the `sum`, `max`, `geo_data`, or `new_value` aggregations. The `sum`, `max`, and `geo_data` aggregations only accept one value in this list, whereas the `new_value` aggregation accepts up to five values.
- Name string — Name of the query. Not compatible with `new_value` aggregations.
- Query string — Query to run on logs.
- AgentRules []SecurityMonitoringRuleQueryAgentRule — Deprecated. It won't be applied anymore. `agent_rule` has been deprecated in favor of the new Agent Rule resource.
- Aggregation string — The aggregation type. For Signal Correlation rules, it must be `event_count`. Valid values are `count`, `cardinality`, `sum`, `max`, `new_value`, `geo_data`, `event_count`, `none`.
- DistinctFields []string — Field for which the cardinality is measured. Sent as an array.
- GroupByFields []string — Fields to group by.
- Metric string — The target field to aggregate over when using the `sum`, `max`, or `geo_data` aggregations. Deprecated. Configure `metrics` instead. This attribute will be removed in the next major version of the provider.
- Metrics []string — Group of target fields to aggregate over when using the `sum`, `max`, `geo_data`, or `new_value` aggregations. The `sum`, `max`, and `geo_data` aggregations only accept one value in this list, whereas the `new_value` aggregation accepts up to five values.
- Name string — Name of the query. Not compatible with `new_value` aggregations.
- query String — Query to run on logs.
- agentRules List&lt;SecurityMonitoringRuleQueryAgentRule&gt; — Deprecated. It won't be applied anymore. `agent_rule` has been deprecated in favor of the new Agent Rule resource.
- aggregation String — The aggregation type. For Signal Correlation rules, it must be `event_count`. Valid values are `count`, `cardinality`, `sum`, `max`, `new_value`, `geo_data`, `event_count`, `none`.
- distinctFields List&lt;String&gt; — Field for which the cardinality is measured. Sent as an array.
- groupByFields List&lt;String&gt; — Fields to group by.
- metric String — The target field to aggregate over when using the `sum`, `max`, or `geo_data` aggregations. Deprecated. Configure `metrics` instead. This attribute will be removed in the next major version of the provider.
- metrics List&lt;String&gt; — Group of target fields to aggregate over when using the `sum`, `max`, `geo_data`, or `new_value` aggregations. The `sum`, `max`, and `geo_data` aggregations only accept one value in this list, whereas the `new_value` aggregation accepts up to five values.
- name String — Name of the query. Not compatible with `new_value` aggregations.
- query string — Query to run on logs.
- agentRules SecurityMonitoringRuleQueryAgentRule[] — Deprecated. It won't be applied anymore. `agent_rule` has been deprecated in favor of the new Agent Rule resource.
- aggregation string — The aggregation type. For Signal Correlation rules, it must be `event_count`. Valid values are `count`, `cardinality`, `sum`, `max`, `new_value`, `geo_data`, `event_count`, `none`.
- distinctFields string[] — Field for which the cardinality is measured. Sent as an array.
- groupByFields string[] — Fields to group by.
- metric string — The target field to aggregate over when using the `sum`, `max`, or `geo_data` aggregations. Deprecated. Configure `metrics` instead. This attribute will be removed in the next major version of the provider.
- metrics string[] — Group of target fields to aggregate over when using the `sum`, `max`, `geo_data`, or `new_value` aggregations. The `sum`, `max`, and `geo_data` aggregations only accept one value in this list, whereas the `new_value` aggregation accepts up to five values.
- name string — Name of the query. Not compatible with `new_value` aggregations.
- query str — Query to run on logs.
- agent_rules Sequence[SecurityMonitoringRuleQueryAgentRule] — Deprecated. It won't be applied anymore. `agent_rule` has been deprecated in favor of the new Agent Rule resource.
- aggregation str — The aggregation type. For Signal Correlation rules, it must be `event_count`. Valid values are `count`, `cardinality`, `sum`, `max`, `new_value`, `geo_data`, `event_count`, `none`.
- distinct_fields Sequence[str] — Field for which the cardinality is measured. Sent as an array.
- group_by_fields Sequence[str] — Fields to group by.
- metric str — The target field to aggregate over when using the `sum`, `max`, or `geo_data` aggregations. Deprecated. Configure `metrics` instead. This attribute will be removed in the next major version of the provider.
- metrics Sequence[str] — Group of target fields to aggregate over when using the `sum`, `max`, `geo_data`, or `new_value` aggregations. The `sum`, `max`, and `geo_data` aggregations only accept one value in this list, whereas the `new_value` aggregation accepts up to five values.
- name str — Name of the query. Not compatible with `new_value` aggregations.
- query String — Query to run on logs.
- agentRules List&lt;Property Map&gt; — Deprecated. It won't be applied anymore. `agent_rule` has been deprecated in favor of the new Agent Rule resource.
- aggregation String — The aggregation type. For Signal Correlation rules, it must be `event_count`. Valid values are `count`, `cardinality`, `sum`, `max`, `new_value`, `geo_data`, `event_count`, `none`.
- distinctFields List&lt;String&gt; — Field for which the cardinality is measured. Sent as an array.
- groupByFields List&lt;String&gt; — Fields to group by.
- metric String — The target field to aggregate over when using the `sum`, `max`, or `geo_data` aggregations. Deprecated. Configure `metrics` instead. This attribute will be removed in the next major version of the provider.
- metrics List&lt;String&gt; — Group of target fields to aggregate over when using the `sum`, `max`, `geo_data`, or `new_value` aggregations. The `sum`, `max`, and `geo_data` aggregations only accept one value in this list, whereas the `new_value` aggregation accepts up to five values.
- name String — Name of the query. Not compatible with `new_value` aggregations.
SecurityMonitoringRuleQueryAgentRule, SecurityMonitoringRuleQueryAgentRuleArgs
- AgentRuleId string
- Expression string
- AgentRuleId string
- Expression string
- agentRuleId String
- expression String
- agentRuleId string
- expression string
- agent_rule_id str
- expression str
- agentRuleId String
- expression String
SecurityMonitoringRuleSignalQuery, SecurityMonitoringRuleSignalQueryArgs
- RuleId string — Rule ID of the signal to correlate.
- Aggregation string — The aggregation type. For Signal Correlation rules, it must be `event_count`. Valid values are `count`, `cardinality`, `sum`, `max`, `new_value`, `geo_data`, `event_count`, `none`.
- CorrelatedByFields List&lt;string&gt; — Fields to correlate by.
- CorrelatedQueryIndex string — Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
- DefaultRuleId string — Default Rule ID of the signal to correlate. This value is READ-ONLY.
- Name string — Name of the query. Not compatible with `new_value` aggregations.
- RuleId string — Rule ID of the signal to correlate.
- Aggregation string — The aggregation type. For Signal Correlation rules, it must be `event_count`. Valid values are `count`, `cardinality`, `sum`, `max`, `new_value`, `geo_data`, `event_count`, `none`.
- CorrelatedByFields []string — Fields to correlate by.
- CorrelatedQueryIndex string — Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
- DefaultRuleId string — Default Rule ID of the signal to correlate. This value is READ-ONLY.
- Name string — Name of the query. Not compatible with `new_value` aggregations.
- ruleId String — Rule ID of the signal to correlate.
- aggregation String — The aggregation type. For Signal Correlation rules, it must be `event_count`. Valid values are `count`, `cardinality`, `sum`, `max`, `new_value`, `geo_data`, `event_count`, `none`.
- correlatedByFields List&lt;String&gt; — Fields to correlate by.
- correlatedQueryIndex String — Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
- defaultRuleId String — Default Rule ID of the signal to correlate. This value is READ-ONLY.
- name String — Name of the query. Not compatible with `new_value` aggregations.
- ruleId string — Rule ID of the signal to correlate.
- aggregation string — The aggregation type. For Signal Correlation rules, it must be `event_count`. Valid values are `count`, `cardinality`, `sum`, `max`, `new_value`, `geo_data`, `event_count`, `none`.
- correlatedByFields string[] — Fields to correlate by.
- correlatedQueryIndex string — Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
- defaultRuleId string — Default Rule ID of the signal to correlate. This value is READ-ONLY.
- name string — Name of the query. Not compatible with `new_value` aggregations.
- rule_id str — Rule ID of the signal to correlate.
- aggregation str — The aggregation type. For Signal Correlation rules, it must be `event_count`. Valid values are `count`, `cardinality`, `sum`, `max`, `new_value`, `geo_data`, `event_count`, `none`.
- correlated_by_fields Sequence[str] — Fields to correlate by.
- correlated_query_index str — Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
- default_rule_id str — Default Rule ID of the signal to correlate. This value is READ-ONLY.
- name str — Name of the query. Not compatible with `new_value` aggregations.
- ruleId String — Rule ID of the signal to correlate.
- aggregation String — The aggregation type. For Signal Correlation rules, it must be `event_count`. Valid values are `count`, `cardinality`, `sum`, `max`, `new_value`, `geo_data`, `event_count`, `none`.
- correlatedByFields List&lt;String&gt; — Fields to correlate by.
- correlatedQueryIndex String — Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
- defaultRuleId String — Default Rule ID of the signal to correlate. This value is READ-ONLY.
- name String — Name of the query. Not compatible with `new_value` aggregations.
Import
Security monitoring rules can be imported using their rule ID, e.g.
$ pulumi import datadog:index/securityMonitoringRule:SecurityMonitoringRule my_rule m0o-hto-lkb
Package Details
- Repository
- Datadog pulumi/pulumi-datadog
- License
- Apache-2.0
- Notes
This Pulumi package is based on the `datadog` Terraform Provider.