1. Packages
  2. Sumo Logic
  3. API Docs
  4. CseThresholdRule
Sumo Logic v0.19.0 published on Thursday, Sep 28, 2023 by Pulumi

sumologic.CseThresholdRule

Explore with Pulumi AI

sumologic logo
Sumo Logic v0.19.0 published on Thursday, Sep 28, 2023 by Pulumi

    Provides a Sumo Logic CSE Threshold Rule.

    Example Usage

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using SumoLogic = Pulumi.SumoLogic;
    
    return await Deployment.RunAsync(() => 
    {
        var thresholdRule = new SumoLogic.CseThresholdRule("thresholdRule", new()
        {
            CountDistinct = true,
            CountField = "dstDevice_hostname",
            Description = "Signal description",
            Enabled = true,
            EntitySelectors = new[]
            {
                new SumoLogic.Inputs.CseThresholdRuleEntitySelectorArgs
                {
                    EntityType = "_ip",
                    Expression = "srcDevice_ip",
                },
            },
            Expression = "objectType = \"Network\"",
            GroupByFields = new[]
            {
                "dstDevice_hostname",
            },
            IsPrototype = false,
            Limit = 1000,
            Severity = 5,
            SummaryExpression = "Signal summary",
            Tags = new[]
            {
                "_mitreAttackTactic:TA0009",
            },
            WindowSize = "T30M",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-sumologic/sdk/go/sumologic"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := sumologic.NewCseThresholdRule(ctx, "thresholdRule", &sumologic.CseThresholdRuleArgs{
    			CountDistinct: pulumi.Bool(true),
    			CountField:    pulumi.String("dstDevice_hostname"),
    			Description:   pulumi.String("Signal description"),
    			Enabled:       pulumi.Bool(true),
    			EntitySelectors: sumologic.CseThresholdRuleEntitySelectorArray{
    				&sumologic.CseThresholdRuleEntitySelectorArgs{
    					EntityType: pulumi.String("_ip"),
    					Expression: pulumi.String("srcDevice_ip"),
    				},
    			},
    			Expression: pulumi.String("objectType = \"Network\""),
    			GroupByFields: pulumi.StringArray{
    				pulumi.String("dstDevice_hostname"),
    			},
    			IsPrototype:       pulumi.Bool(false),
    			Limit:             pulumi.Int(1000),
    			Severity:          pulumi.Int(5),
    			SummaryExpression: pulumi.String("Signal summary"),
    			Tags: pulumi.StringArray{
    				pulumi.String("_mitreAttackTactic:TA0009"),
    			},
    			WindowSize: pulumi.String("T30M"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.sumologic.CseThresholdRule;
    import com.pulumi.sumologic.CseThresholdRuleArgs;
    import com.pulumi.sumologic.inputs.CseThresholdRuleEntitySelectorArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var thresholdRule = new CseThresholdRule("thresholdRule", CseThresholdRuleArgs.builder()        
                .countDistinct(true)
                .countField("dstDevice_hostname")
                .description("Signal description")
                .enabled(true)
                .entitySelectors(CseThresholdRuleEntitySelectorArgs.builder()
                    .entityType("_ip")
                    .expression("srcDevice_ip")
                    .build())
                .expression("objectType = \"Network\"")
                .groupByFields("dstDevice_hostname")
                .isPrototype(false)
                .limit(1000)
                .severity(5)
                .summaryExpression("Signal summary")
                .tags("_mitreAttackTactic:TA0009")
                .windowSize("T30M")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_sumologic as sumologic
    
    threshold_rule = sumologic.CseThresholdRule("thresholdRule",
        count_distinct=True,
        count_field="dstDevice_hostname",
        description="Signal description",
        enabled=True,
        entity_selectors=[sumologic.CseThresholdRuleEntitySelectorArgs(
            entity_type="_ip",
            expression="srcDevice_ip",
        )],
        expression="objectType = \"Network\"",
        group_by_fields=["dstDevice_hostname"],
        is_prototype=False,
        limit=1000,
        severity=5,
        summary_expression="Signal summary",
        tags=["_mitreAttackTactic:TA0009"],
        window_size="T30M")
    
    import * as pulumi from "@pulumi/pulumi";
    import * as sumologic from "@pulumi/sumologic";
    
    const thresholdRule = new sumologic.CseThresholdRule("thresholdRule", {
        countDistinct: true,
        countField: "dstDevice_hostname",
        description: "Signal description",
        enabled: true,
        entitySelectors: [{
            entityType: "_ip",
            expression: "srcDevice_ip",
        }],
        expression: "objectType = \"Network\"",
        groupByFields: ["dstDevice_hostname"],
        isPrototype: false,
        limit: 1000,
        severity: 5,
        summaryExpression: "Signal summary",
        tags: ["_mitreAttackTactic:TA0009"],
        windowSize: "T30M",
    });
    
    resources:
      thresholdRule:
        type: sumologic:CseThresholdRule
        properties:
          countDistinct: true
          countField: dstDevice_hostname
          description: Signal description
          enabled: true
          entitySelectors:
            - entityType: _ip
              expression: srcDevice_ip
          expression: objectType = "Network"
          groupByFields:
            - dstDevice_hostname
          isPrototype: false
          limit: 1000
          severity: 5
          summaryExpression: Signal summary
          tags:
            - _mitreAttackTactic:TA0009
          windowSize: T30M
    

    Create CseThresholdRule Resource

    new CseThresholdRule(name: string, args: CseThresholdRuleArgs, opts?: CustomResourceOptions);
    @overload
    def CseThresholdRule(resource_name: str,
                         opts: Optional[ResourceOptions] = None,
                         count_distinct: Optional[bool] = None,
                         count_field: Optional[str] = None,
                         description: Optional[str] = None,
                         enabled: Optional[bool] = None,
                         entity_selectors: Optional[Sequence[CseThresholdRuleEntitySelectorArgs]] = None,
                         expression: Optional[str] = None,
                         group_by_fields: Optional[Sequence[str]] = None,
                         is_prototype: Optional[bool] = None,
                         limit: Optional[int] = None,
                         name: Optional[str] = None,
                         severity: Optional[int] = None,
                         summary_expression: Optional[str] = None,
                         tags: Optional[Sequence[str]] = None,
                         window_size: Optional[str] = None)
    @overload
    def CseThresholdRule(resource_name: str,
                         args: CseThresholdRuleArgs,
                         opts: Optional[ResourceOptions] = None)
    func NewCseThresholdRule(ctx *Context, name string, args CseThresholdRuleArgs, opts ...ResourceOption) (*CseThresholdRule, error)
    public CseThresholdRule(string name, CseThresholdRuleArgs args, CustomResourceOptions? opts = null)
    public CseThresholdRule(String name, CseThresholdRuleArgs args)
    public CseThresholdRule(String name, CseThresholdRuleArgs args, CustomResourceOptions options)
    
    type: sumologic:CseThresholdRule
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args CseThresholdRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args CseThresholdRuleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args CseThresholdRuleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args CseThresholdRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args CseThresholdRuleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    CseThresholdRule Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The CseThresholdRule resource accepts the following input properties:

    Description string

    The description of the generated Signals

    Enabled bool

    Whether the rule should generate Signals

    EntitySelectors List<Pulumi.SumoLogic.Inputs.CseThresholdRuleEntitySelector>

    The entities to generate Signals on

    Expression string

    The expression for which records to match on

    Limit int

    A Signal will be fired when this many records/distinct field values are matched

    Severity int

    The severity of the generated Signals

    WindowSize string

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    CountDistinct bool

    Whether to count distinct values of a field, as opposed to just counting the number of records

    CountField string

    The field to count if count_distinct is set to true

    GroupByFields List<string>

    A list of fields to group records by

    IsPrototype bool

    Whether the generated Signals should be prototype Signals

    Name string

    The name of the Rule and the generated Signals

    SummaryExpression string

    The summary of the generated Signals

    Tags List<string>

    The tags of the generated Signals

    Description string

    The description of the generated Signals

    Enabled bool

    Whether the rule should generate Signals

    EntitySelectors []CseThresholdRuleEntitySelectorArgs

    The entities to generate Signals on

    Expression string

    The expression for which records to match on

    Limit int

    A Signal will be fired when this many records/distinct field values are matched

    Severity int

    The severity of the generated Signals

    WindowSize string

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    CountDistinct bool

    Whether to count distinct values of a field, as opposed to just counting the number of records

    CountField string

    The field to count if count_distinct is set to true

    GroupByFields []string

    A list of fields to group records by

    IsPrototype bool

    Whether the generated Signals should be prototype Signals

    Name string

    The name of the Rule and the generated Signals

    SummaryExpression string

    The summary of the generated Signals

    Tags []string

    The tags of the generated Signals

    description String

    The description of the generated Signals

    enabled Boolean

    Whether the rule should generate Signals

    entitySelectors List<CseThresholdRuleEntitySelector>

    The entities to generate Signals on

    expression String

    The expression for which records to match on

    limit Integer

    A Signal will be fired when this many records/distinct field values are matched

    severity Integer

    The severity of the generated Signals

    windowSize String

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    countDistinct Boolean

    Whether to count distinct values of a field, as opposed to just counting the number of records

    countField String

    The field to count if count_distinct is set to true

    groupByFields List<String>

    A list of fields to group records by

    isPrototype Boolean

    Whether the generated Signals should be prototype Signals

    name String

    The name of the Rule and the generated Signals

    summaryExpression String

    The summary of the generated Signals

    tags List<String>

    The tags of the generated Signals

    description string

    The description of the generated Signals

    enabled boolean

    Whether the rule should generate Signals

    entitySelectors CseThresholdRuleEntitySelector[]

    The entities to generate Signals on

    expression string

    The expression for which records to match on

    limit number

    A Signal will be fired when this many records/distinct field values are matched

    severity number

    The severity of the generated Signals

    windowSize string

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    countDistinct boolean

    Whether to count distinct values of a field, as opposed to just counting the number of records

    countField string

    The field to count if count_distinct is set to true

    groupByFields string[]

    A list of fields to group records by

    isPrototype boolean

    Whether the generated Signals should be prototype Signals

    name string

    The name of the Rule and the generated Signals

    summaryExpression string

    The summary of the generated Signals

    tags string[]

    The tags of the generated Signals

    description str

    The description of the generated Signals

    enabled bool

    Whether the rule should generate Signals

    entity_selectors Sequence[CseThresholdRuleEntitySelectorArgs]

    The entities to generate Signals on

    expression str

    The expression for which records to match on

    limit int

    A Signal will be fired when this many records/distinct field values are matched

    severity int

    The severity of the generated Signals

    window_size str

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    count_distinct bool

    Whether to count distinct values of a field, as opposed to just counting the number of records

    count_field str

    The field to count if count_distinct is set to true

    group_by_fields Sequence[str]

    A list of fields to group records by

    is_prototype bool

    Whether the generated Signals should be prototype Signals

    name str

    The name of the Rule and the generated Signals

    summary_expression str

    The summary of the generated Signals

    tags Sequence[str]

    The tags of the generated Signals

    description String

    The description of the generated Signals

    enabled Boolean

    Whether the rule should generate Signals

    entitySelectors List<Property Map>

    The entities to generate Signals on

    expression String

    The expression for which records to match on

    limit Number

    A Signal will be fired when this many records/distinct field values are matched

    severity Number

    The severity of the generated Signals

    windowSize String

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    countDistinct Boolean

    Whether to count distinct values of a field, as opposed to just counting the number of records

    countField String

    The field to count if count_distinct is set to true

    groupByFields List<String>

    A list of fields to group records by

    isPrototype Boolean

    Whether the generated Signals should be prototype Signals

    name String

    The name of the Rule and the generated Signals

    summaryExpression String

    The summary of the generated Signals

    tags List<String>

    The tags of the generated Signals

    Outputs

    All input properties are implicitly available as output properties. Additionally, the CseThresholdRule resource produces the following output properties:

    Id string

    The provider-assigned unique ID for this managed resource.

    Id string

    The provider-assigned unique ID for this managed resource.

    id String

    The provider-assigned unique ID for this managed resource.

    id string

    The provider-assigned unique ID for this managed resource.

    id str

    The provider-assigned unique ID for this managed resource.

    id String

    The provider-assigned unique ID for this managed resource.

    Look up Existing CseThresholdRule Resource

    Get an existing CseThresholdRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: CseThresholdRuleState, opts?: CustomResourceOptions): CseThresholdRule
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            count_distinct: Optional[bool] = None,
            count_field: Optional[str] = None,
            description: Optional[str] = None,
            enabled: Optional[bool] = None,
            entity_selectors: Optional[Sequence[CseThresholdRuleEntitySelectorArgs]] = None,
            expression: Optional[str] = None,
            group_by_fields: Optional[Sequence[str]] = None,
            is_prototype: Optional[bool] = None,
            limit: Optional[int] = None,
            name: Optional[str] = None,
            severity: Optional[int] = None,
            summary_expression: Optional[str] = None,
            tags: Optional[Sequence[str]] = None,
            window_size: Optional[str] = None) -> CseThresholdRule
    func GetCseThresholdRule(ctx *Context, name string, id IDInput, state *CseThresholdRuleState, opts ...ResourceOption) (*CseThresholdRule, error)
    public static CseThresholdRule Get(string name, Input<string> id, CseThresholdRuleState? state, CustomResourceOptions? opts = null)
    public static CseThresholdRule get(String name, Output<String> id, CseThresholdRuleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    CountDistinct bool

    Whether to count distinct values of a field, as opposed to just counting the number of records

    CountField string

    The field to count if count_distinct is set to true

    Description string

    The description of the generated Signals

    Enabled bool

    Whether the rule should generate Signals

    EntitySelectors List<Pulumi.SumoLogic.Inputs.CseThresholdRuleEntitySelector>

    The entities to generate Signals on

    Expression string

    The expression for which records to match on

    GroupByFields List<string>

    A list of fields to group records by

    IsPrototype bool

    Whether the generated Signals should be prototype Signals

    Limit int

    A Signal will be fired when this many records/distinct field values are matched

    Name string

    The name of the Rule and the generated Signals

    Severity int

    The severity of the generated Signals

    SummaryExpression string

    The summary of the generated Signals

    Tags List<string>

    The tags of the generated Signals

    WindowSize string

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    CountDistinct bool

    Whether to count distinct values of a field, as opposed to just counting the number of records

    CountField string

    The field to count if count_distinct is set to true

    Description string

    The description of the generated Signals

    Enabled bool

    Whether the rule should generate Signals

    EntitySelectors []CseThresholdRuleEntitySelectorArgs

    The entities to generate Signals on

    Expression string

    The expression for which records to match on

    GroupByFields []string

    A list of fields to group records by

    IsPrototype bool

    Whether the generated Signals should be prototype Signals

    Limit int

    A Signal will be fired when this many records/distinct field values are matched

    Name string

    The name of the Rule and the generated Signals

    Severity int

    The severity of the generated Signals

    SummaryExpression string

    The summary of the generated Signals

    Tags []string

    The tags of the generated Signals

    WindowSize string

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    countDistinct Boolean

    Whether to count distinct values of a field, as opposed to just counting the number of records

    countField String

    The field to count if count_distinct is set to true

    description String

    The description of the generated Signals

    enabled Boolean

    Whether the rule should generate Signals

    entitySelectors List<CseThresholdRuleEntitySelector>

    The entities to generate Signals on

    expression String

    The expression for which records to match on

    groupByFields List<String>

    A list of fields to group records by

    isPrototype Boolean

    Whether the generated Signals should be prototype Signals

    limit Integer

    A Signal will be fired when this many records/distinct field values are matched

    name String

    The name of the Rule and the generated Signals

    severity Integer

    The severity of the generated Signals

    summaryExpression String

    The summary of the generated Signals

    tags List<String>

    The tags of the generated Signals

    windowSize String

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    countDistinct boolean

    Whether to count distinct values of a field, as opposed to just counting the number of records

    countField string

    The field to count if count_distinct is set to true

    description string

    The description of the generated Signals

    enabled boolean

    Whether the rule should generate Signals

    entitySelectors CseThresholdRuleEntitySelector[]

    The entities to generate Signals on

    expression string

    The expression for which records to match on

    groupByFields string[]

    A list of fields to group records by

    isPrototype boolean

    Whether the generated Signals should be prototype Signals

    limit number

    A Signal will be fired when this many records/distinct field values are matched

    name string

    The name of the Rule and the generated Signals

    severity number

    The severity of the generated Signals

    summaryExpression string

    The summary of the generated Signals

    tags string[]

    The tags of the generated Signals

    windowSize string

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    count_distinct bool

    Whether to count distinct values of a field, as opposed to just counting the number of records

    count_field str

    The field to count if count_distinct is set to true

    description str

    The description of the generated Signals

    enabled bool

    Whether the rule should generate Signals

    entity_selectors Sequence[CseThresholdRuleEntitySelectorArgs]

    The entities to generate Signals on

    expression str

    The expression for which records to match on

    group_by_fields Sequence[str]

    A list of fields to group records by

    is_prototype bool

    Whether the generated Signals should be prototype Signals

    limit int

    A Signal will be fired when this many records/distinct field values are matched

    name str

    The name of the Rule and the generated Signals

    severity int

    The severity of the generated Signals

    summary_expression str

    The summary of the generated Signals

    tags Sequence[str]

    The tags of the generated Signals

    window_size str

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    countDistinct Boolean

    Whether to count distinct values of a field, as opposed to just counting the number of records

    countField String

    The field to count if count_distinct is set to true

    description String

    The description of the generated Signals

    enabled Boolean

    Whether the rule should generate Signals

    entitySelectors List<Property Map>

    The entities to generate Signals on

    expression String

    The expression for which records to match on

    groupByFields List<String>

    A list of fields to group records by

    isPrototype Boolean

    Whether the generated Signals should be prototype Signals

    limit Number

    A Signal will be fired when this many records/distinct field values are matched

    name String

    The name of the Rule and the generated Signals

    severity Number

    The severity of the generated Signals

    summaryExpression String

    The summary of the generated Signals

    tags List<String>

    The tags of the generated Signals

    windowSize String

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    Supporting Types

    CseThresholdRuleEntitySelector, CseThresholdRuleEntitySelectorArgs

    EntityType string
    Expression string

    The expression for which records to match on

    EntityType string
    Expression string

    The expression for which records to match on

    entityType String
    expression String

    The expression for which records to match on

    entityType string
    expression string

    The expression for which records to match on

    entity_type str
    expression str

    The expression for which records to match on

    entityType String
    expression String

    The expression for which records to match on

    Import

    Threshold Rules can be imported using the field id, e.g.hcl

     $ pulumi import sumologic:index/cseThresholdRule:CseThresholdRule threshold_rule id
    

    Package Details

    Repository
    Sumo Logic pulumi/pulumi-sumologic
    License
    Apache-2.0
    Notes

    This Pulumi package is based on the sumologic Terraform Provider.

    sumologic logo
    Sumo Logic v0.19.0 published on Thursday, Sep 28, 2023 by Pulumi