CseThresholdRule

Provides a Sumo Logic CSE Threshold Rule.

Example Usage

using System.Collections.Generic;
using Pulumi;
using SumoLogic = Pulumi.SumoLogic;

return await Deployment.RunAsync(() => 
{
    var thresholdRule = new SumoLogic.CseThresholdRule("thresholdRule", new()
    {
        CountDistinct = true,
        CountField = "dstDevice_hostname",
        Description = "Signal description",
        Enabled = true,
        EntitySelectors = new[]
        {
            new SumoLogic.Inputs.CseThresholdRuleEntitySelectorArgs
            {
                EntityType = "_ip",
                Expression = "srcDevice_ip",
            },
        },
        Expression = "objectType = \"Network\"",
        GroupByFields = new[]
        {
            "dstDevice_hostname",
        },
        IsPrototype = false,
        Limit = 1000,
        Severity = 5,
        SummaryExpression = "Signal summary",
        Tags = new[]
        {
            "_mitreAttackTactic:TA0009",
        },
        WindowSize = "T30M",
    });

});
package main

import (
	"github.com/pulumi/pulumi-sumologic/sdk/go/sumologic"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := sumologic.NewCseThresholdRule(ctx, "thresholdRule", &sumologic.CseThresholdRuleArgs{
			CountDistinct: pulumi.Bool(true),
			CountField:    pulumi.String("dstDevice_hostname"),
			Description:   pulumi.String("Signal description"),
			Enabled:       pulumi.Bool(true),
			EntitySelectors: CseThresholdRuleEntitySelectorArray{
				&CseThresholdRuleEntitySelectorArgs{
					EntityType: pulumi.String("_ip"),
					Expression: pulumi.String("srcDevice_ip"),
				},
			},
			Expression: pulumi.String("objectType = \"Network\""),
			GroupByFields: pulumi.StringArray{
				pulumi.String("dstDevice_hostname"),
			},
			IsPrototype:       pulumi.Bool(false),
			Limit:             pulumi.Int(1000),
			Severity:          pulumi.Int(5),
			SummaryExpression: pulumi.String("Signal summary"),
			Tags: pulumi.StringArray{
				pulumi.String("_mitreAttackTactic:TA0009"),
			},
			WindowSize: pulumi.String("T30M"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.sumologic.CseThresholdRule;
import com.pulumi.sumologic.CseThresholdRuleArgs;
import com.pulumi.sumologic.inputs.CseThresholdRuleEntitySelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var thresholdRule = new CseThresholdRule("thresholdRule", CseThresholdRuleArgs.builder()        
            .countDistinct(true)
            .countField("dstDevice_hostname")
            .description("Signal description")
            .enabled(true)
            .entitySelectors(CseThresholdRuleEntitySelectorArgs.builder()
                .entityType("_ip")
                .expression("srcDevice_ip")
                .build())
            .expression("objectType = \"Network\"")
            .groupByFields("dstDevice_hostname")
            .isPrototype(false)
            .limit(1000)
            .severity(5)
            .summaryExpression("Signal summary")
            .tags("_mitreAttackTactic:TA0009")
            .windowSize("T30M")
            .build());

    }
}
import pulumi
import pulumi_sumologic as sumologic

threshold_rule = sumologic.CseThresholdRule("thresholdRule",
    count_distinct=True,
    count_field="dstDevice_hostname",
    description="Signal description",
    enabled=True,
    entity_selectors=[sumologic.CseThresholdRuleEntitySelectorArgs(
        entity_type="_ip",
        expression="srcDevice_ip",
    )],
    expression="objectType = \"Network\"",
    group_by_fields=["dstDevice_hostname"],
    is_prototype=False,
    limit=1000,
    severity=5,
    summary_expression="Signal summary",
    tags=["_mitreAttackTactic:TA0009"],
    window_size="T30M")
import * as pulumi from "@pulumi/pulumi";
import * as sumologic from "@pulumi/sumologic";

const thresholdRule = new sumologic.CseThresholdRule("threshold_rule", {
    countDistinct: true,
    countField: "dstDevice_hostname",
    description: "Signal description",
    enabled: true,
    entitySelectors: [{
        entityType: "_ip",
        expression: "srcDevice_ip",
    }],
    expression: "objectType = \"Network\"",
    groupByFields: ["dstDevice_hostname"],
    isPrototype: false,
    limit: 1000,
    severity: 5,
    summaryExpression: "Signal summary",
    tags: ["_mitreAttackTactic:TA0009"],
    windowSize: "T30M",
});
resources:
  thresholdRule:
    type: sumologic:CseThresholdRule
    properties:
      countDistinct: true
      countField: dstDevice_hostname
      description: Signal description
      enabled: true
      entitySelectors:
        - entityType: _ip
          expression: srcDevice_ip
      expression: objectType = "Network"
      groupByFields:
        - dstDevice_hostname
      isPrototype: false
      limit: 1000
      severity: 5
      summaryExpression: Signal summary
      tags:
        - _mitreAttackTactic:TA0009
      windowSize: T30M

Create CseThresholdRule Resource

new CseThresholdRule(name: string, args: CseThresholdRuleArgs, opts?: CustomResourceOptions);
@overload
def CseThresholdRule(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     count_distinct: Optional[bool] = None,
                     count_field: Optional[str] = None,
                     description: Optional[str] = None,
                     enabled: Optional[bool] = None,
                     entity_selectors: Optional[Sequence[CseThresholdRuleEntitySelectorArgs]] = None,
                     expression: Optional[str] = None,
                     group_by_fields: Optional[Sequence[str]] = None,
                     is_prototype: Optional[bool] = None,
                     limit: Optional[int] = None,
                     name: Optional[str] = None,
                     severity: Optional[int] = None,
                     summary_expression: Optional[str] = None,
                     tags: Optional[Sequence[str]] = None,
                     window_size: Optional[str] = None)
@overload
def CseThresholdRule(resource_name: str,
                     args: CseThresholdRuleArgs,
                     opts: Optional[ResourceOptions] = None)
func NewCseThresholdRule(ctx *Context, name string, args CseThresholdRuleArgs, opts ...ResourceOption) (*CseThresholdRule, error)
public CseThresholdRule(string name, CseThresholdRuleArgs args, CustomResourceOptions? opts = null)
public CseThresholdRule(String name, CseThresholdRuleArgs args)
public CseThresholdRule(String name, CseThresholdRuleArgs args, CustomResourceOptions options)
type: sumologic:CseThresholdRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args CseThresholdRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args CseThresholdRuleArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args CseThresholdRuleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args CseThresholdRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args CseThresholdRuleArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

CseThresholdRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The CseThresholdRule resource accepts the following input properties:

Description string

The description of the generated Signals

Enabled bool

Whether the rule should generate Signals

EntitySelectors List<Pulumi.SumoLogic.Inputs.CseThresholdRuleEntitySelectorArgs>

The entities to generate Signals on

Expression string

The expression for which records to match on

Limit int

A Signal will be fired when this many records/distinct field values are matched

Severity int

The severity of the generated Signals

WindowSize string

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

CountDistinct bool

Whether to count distinct values of a field, as opposed to just counting the number of records

CountField string

The field to count if count_distinct is set to true

GroupByFields List<string>

A list of fields to group records by

IsPrototype bool

Whether the generated Signals should be prototype Signals

Name string

The name of the Rule and the generated Signals

SummaryExpression string

The summary of the generated Signals

Tags List<string>

The tags of the generated Signals

Description string

The description of the generated Signals

Enabled bool

Whether the rule should generate Signals

EntitySelectors []CseThresholdRuleEntitySelectorArgs

The entities to generate Signals on

Expression string

The expression for which records to match on

Limit int

A Signal will be fired when this many records/distinct field values are matched

Severity int

The severity of the generated Signals

WindowSize string

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

CountDistinct bool

Whether to count distinct values of a field, as opposed to just counting the number of records

CountField string

The field to count if count_distinct is set to true

GroupByFields []string

A list of fields to group records by

IsPrototype bool

Whether the generated Signals should be prototype Signals

Name string

The name of the Rule and the generated Signals

SummaryExpression string

The summary of the generated Signals

Tags []string

The tags of the generated Signals

description String

The description of the generated Signals

enabled Boolean

Whether the rule should generate Signals

entitySelectors List<CseThresholdRuleEntitySelectorArgs>

The entities to generate Signals on

expression String

The expression for which records to match on

limit Integer

A Signal will be fired when this many records/distinct field values are matched

severity Integer

The severity of the generated Signals

windowSize String

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

countDistinct Boolean

Whether to count distinct values of a field, as opposed to just counting the number of records

countField String

The field to count if count_distinct is set to true

groupByFields List<String>

A list of fields to group records by

isPrototype Boolean

Whether the generated Signals should be prototype Signals

name String

The name of the Rule and the generated Signals

summaryExpression String

The summary of the generated Signals

tags List<String>

The tags of the generated Signals

description string

The description of the generated Signals

enabled boolean

Whether the rule should generate Signals

entitySelectors CseThresholdRuleEntitySelectorArgs[]

The entities to generate Signals on

expression string

The expression for which records to match on

limit number

A Signal will be fired when this many records/distinct field values are matched

severity number

The severity of the generated Signals

windowSize string

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

countDistinct boolean

Whether to count distinct values of a field, as opposed to just counting the number of records

countField string

The field to count if count_distinct is set to true

groupByFields string[]

A list of fields to group records by

isPrototype boolean

Whether the generated Signals should be prototype Signals

name string

The name of the Rule and the generated Signals

summaryExpression string

The summary of the generated Signals

tags string[]

The tags of the generated Signals

description str

The description of the generated Signals

enabled bool

Whether the rule should generate Signals

entity_selectors Sequence[CseThresholdRuleEntitySelectorArgs]

The entities to generate Signals on

expression str

The expression for which records to match on

limit int

A Signal will be fired when this many records/distinct field values are matched

severity int

The severity of the generated Signals

window_size str

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

count_distinct bool

Whether to count distinct values of a field, as opposed to just counting the number of records

count_field str

The field to count if count_distinct is set to true

group_by_fields Sequence[str]

A list of fields to group records by

is_prototype bool

Whether the generated Signals should be prototype Signals

name str

The name of the Rule and the generated Signals

summary_expression str

The summary of the generated Signals

tags Sequence[str]

The tags of the generated Signals

description String

The description of the generated Signals

enabled Boolean

Whether the rule should generate Signals

entitySelectors List<Property Map>

The entities to generate Signals on

expression String

The expression for which records to match on

limit Number

A Signal will be fired when this many records/distinct field values are matched

severity Number

The severity of the generated Signals

windowSize String

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

countDistinct Boolean

Whether to count distinct values of a field, as opposed to just counting the number of records

countField String

The field to count if count_distinct is set to true

groupByFields List<String>

A list of fields to group records by

isPrototype Boolean

Whether the generated Signals should be prototype Signals

name String

The name of the Rule and the generated Signals

summaryExpression String

The summary of the generated Signals

tags List<String>

The tags of the generated Signals

Outputs

All input properties are implicitly available as output properties. Additionally, the CseThresholdRule resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up Existing CseThresholdRule Resource

Get an existing CseThresholdRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CseThresholdRuleState, opts?: CustomResourceOptions): CseThresholdRule
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        count_distinct: Optional[bool] = None,
        count_field: Optional[str] = None,
        description: Optional[str] = None,
        enabled: Optional[bool] = None,
        entity_selectors: Optional[Sequence[CseThresholdRuleEntitySelectorArgs]] = None,
        expression: Optional[str] = None,
        group_by_fields: Optional[Sequence[str]] = None,
        is_prototype: Optional[bool] = None,
        limit: Optional[int] = None,
        name: Optional[str] = None,
        severity: Optional[int] = None,
        summary_expression: Optional[str] = None,
        tags: Optional[Sequence[str]] = None,
        window_size: Optional[str] = None) -> CseThresholdRule
func GetCseThresholdRule(ctx *Context, name string, id IDInput, state *CseThresholdRuleState, opts ...ResourceOption) (*CseThresholdRule, error)
public static CseThresholdRule Get(string name, Input<string> id, CseThresholdRuleState? state, CustomResourceOptions? opts = null)
public static CseThresholdRule get(String name, Output<String> id, CseThresholdRuleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
CountDistinct bool

Whether to count distinct values of a field, as opposed to just counting the number of records

CountField string

The field to count if count_distinct is set to true

Description string

The description of the generated Signals

Enabled bool

Whether the rule should generate Signals

EntitySelectors List<Pulumi.SumoLogic.Inputs.CseThresholdRuleEntitySelectorArgs>

The entities to generate Signals on

Expression string

The expression for which records to match on

GroupByFields List<string>

A list of fields to group records by

IsPrototype bool

Whether the generated Signals should be prototype Signals

Limit int

A Signal will be fired when this many records/distinct field values are matched

Name string

The name of the Rule and the generated Signals

Severity int

The severity of the generated Signals

SummaryExpression string

The summary of the generated Signals

Tags List<string>

The tags of the generated Signals

WindowSize string

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

CountDistinct bool

Whether to count distinct values of a field, as opposed to just counting the number of records

CountField string

The field to count if count_distinct is set to true

Description string

The description of the generated Signals

Enabled bool

Whether the rule should generate Signals

EntitySelectors []CseThresholdRuleEntitySelectorArgs

The entities to generate Signals on

Expression string

The expression for which records to match on

GroupByFields []string

A list of fields to group records by

IsPrototype bool

Whether the generated Signals should be prototype Signals

Limit int

A Signal will be fired when this many records/distinct field values are matched

Name string

The name of the Rule and the generated Signals

Severity int

The severity of the generated Signals

SummaryExpression string

The summary of the generated Signals

Tags []string

The tags of the generated Signals

WindowSize string

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

countDistinct Boolean

Whether to count distinct values of a field, as opposed to just counting the number of records

countField String

The field to count if count_distinct is set to true

description String

The description of the generated Signals

enabled Boolean

Whether the rule should generate Signals

entitySelectors List<CseThresholdRuleEntitySelectorArgs>

The entities to generate Signals on

expression String

The expression for which records to match on

groupByFields List<String>

A list of fields to group records by

isPrototype Boolean

Whether the generated Signals should be prototype Signals

limit Integer

A Signal will be fired when this many records/distinct field values are matched

name String

The name of the Rule and the generated Signals

severity Integer

The severity of the generated Signals

summaryExpression String

The summary of the generated Signals

tags List<String>

The tags of the generated Signals

windowSize String

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

countDistinct boolean

Whether to count distinct values of a field, as opposed to just counting the number of records

countField string

The field to count if count_distinct is set to true

description string

The description of the generated Signals

enabled boolean

Whether the rule should generate Signals

entitySelectors CseThresholdRuleEntitySelectorArgs[]

The entities to generate Signals on

expression string

The expression for which records to match on

groupByFields string[]

A list of fields to group records by

isPrototype boolean

Whether the generated Signals should be prototype Signals

limit number

A Signal will be fired when this many records/distinct field values are matched

name string

The name of the Rule and the generated Signals

severity number

The severity of the generated Signals

summaryExpression string

The summary of the generated Signals

tags string[]

The tags of the generated Signals

windowSize string

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

count_distinct bool

Whether to count distinct values of a field, as opposed to just counting the number of records

count_field str

The field to count if count_distinct is set to true

description str

The description of the generated Signals

enabled bool

Whether the rule should generate Signals

entity_selectors Sequence[CseThresholdRuleEntitySelectorArgs]

The entities to generate Signals on

expression str

The expression for which records to match on

group_by_fields Sequence[str]

A list of fields to group records by

is_prototype bool

Whether the generated Signals should be prototype Signals

limit int

A Signal will be fired when this many records/distinct field values are matched

name str

The name of the Rule and the generated Signals

severity int

The severity of the generated Signals

summary_expression str

The summary of the generated Signals

tags Sequence[str]

The tags of the generated Signals

window_size str

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

countDistinct Boolean

Whether to count distinct values of a field, as opposed to just counting the number of records

countField String

The field to count if count_distinct is set to true

description String

The description of the generated Signals

enabled Boolean

Whether the rule should generate Signals

entitySelectors List<Property Map>

The entities to generate Signals on

expression String

The expression for which records to match on

groupByFields List<String>

A list of fields to group records by

isPrototype Boolean

Whether the generated Signals should be prototype Signals

limit Number

A Signal will be fired when this many records/distinct field values are matched

name String

The name of the Rule and the generated Signals

severity Number

The severity of the generated Signals

summaryExpression String

The summary of the generated Signals

tags List<String>

The tags of the generated Signals

windowSize String

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

Supporting Types

CseThresholdRuleEntitySelector

EntityType string
Expression string

The expression for which records to match on

EntityType string
Expression string

The expression for which records to match on

entityType String
expression String

The expression for which records to match on

entityType string
expression string

The expression for which records to match on

entity_type str
expression str

The expression for which records to match on

entityType String
expression String

The expression for which records to match on

Import

Threshold Rules can be imported using the field id, e.g.hcl

 $ pulumi import sumologic:index/cseThresholdRule:CseThresholdRule threshold_rule id

Package Details

Repository
https://github.com/pulumi/pulumi-sumologic
License
Apache-2.0
Notes

This Pulumi package is based on the sumologic Terraform Provider.