1. Packages
  2. Sumo Logic
  3. API Docs
  4. CseThresholdRule
Sumo Logic v0.20.3 published on Wednesday, Mar 6, 2024 by Pulumi

sumologic.CseThresholdRule

Explore with Pulumi AI

sumologic logo
Sumo Logic v0.20.3 published on Wednesday, Mar 6, 2024 by Pulumi

    Provides a Sumo Logic CSE Threshold Rule.

    Example Usage

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using SumoLogic = Pulumi.SumoLogic;
    
    return await Deployment.RunAsync(() => 
    {
        var thresholdRule = new SumoLogic.CseThresholdRule("thresholdRule", new()
        {
            CountDistinct = true,
            CountField = "dstDevice_hostname",
            Description = "Signal description",
            Enabled = true,
            EntitySelectors = new[]
            {
                new SumoLogic.Inputs.CseThresholdRuleEntitySelectorArgs
                {
                    EntityType = "_ip",
                    Expression = "srcDevice_ip",
                },
            },
            Expression = "objectType = \"Network\"",
            GroupByFields = new[]
            {
                "dstDevice_hostname",
            },
            IsPrototype = false,
            Limit = 1000,
            Severity = 5,
            SummaryExpression = "Signal summary",
            Tags = new[]
            {
                "_mitreAttackTactic:TA0009",
            },
            WindowSize = "T30M",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-sumologic/sdk/go/sumologic"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := sumologic.NewCseThresholdRule(ctx, "thresholdRule", &sumologic.CseThresholdRuleArgs{
    			CountDistinct: pulumi.Bool(true),
    			CountField:    pulumi.String("dstDevice_hostname"),
    			Description:   pulumi.String("Signal description"),
    			Enabled:       pulumi.Bool(true),
    			EntitySelectors: sumologic.CseThresholdRuleEntitySelectorArray{
    				&sumologic.CseThresholdRuleEntitySelectorArgs{
    					EntityType: pulumi.String("_ip"),
    					Expression: pulumi.String("srcDevice_ip"),
    				},
    			},
    			Expression: pulumi.String("objectType = \"Network\""),
    			GroupByFields: pulumi.StringArray{
    				pulumi.String("dstDevice_hostname"),
    			},
    			IsPrototype:       pulumi.Bool(false),
    			Limit:             pulumi.Int(1000),
    			Severity:          pulumi.Int(5),
    			SummaryExpression: pulumi.String("Signal summary"),
    			Tags: pulumi.StringArray{
    				pulumi.String("_mitreAttackTactic:TA0009"),
    			},
    			WindowSize: pulumi.String("T30M"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.sumologic.CseThresholdRule;
    import com.pulumi.sumologic.CseThresholdRuleArgs;
    import com.pulumi.sumologic.inputs.CseThresholdRuleEntitySelectorArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var thresholdRule = new CseThresholdRule("thresholdRule", CseThresholdRuleArgs.builder()        
                .countDistinct(true)
                .countField("dstDevice_hostname")
                .description("Signal description")
                .enabled(true)
                .entitySelectors(CseThresholdRuleEntitySelectorArgs.builder()
                    .entityType("_ip")
                    .expression("srcDevice_ip")
                    .build())
                .expression("objectType = \"Network\"")
                .groupByFields("dstDevice_hostname")
                .isPrototype(false)
                .limit(1000)
                .severity(5)
                .summaryExpression("Signal summary")
                .tags("_mitreAttackTactic:TA0009")
                .windowSize("T30M")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_sumologic as sumologic
    
    threshold_rule = sumologic.CseThresholdRule("thresholdRule",
        count_distinct=True,
        count_field="dstDevice_hostname",
        description="Signal description",
        enabled=True,
        entity_selectors=[sumologic.CseThresholdRuleEntitySelectorArgs(
            entity_type="_ip",
            expression="srcDevice_ip",
        )],
        expression="objectType = \"Network\"",
        group_by_fields=["dstDevice_hostname"],
        is_prototype=False,
        limit=1000,
        severity=5,
        summary_expression="Signal summary",
        tags=["_mitreAttackTactic:TA0009"],
        window_size="T30M")
    
    import * as pulumi from "@pulumi/pulumi";
    import * as sumologic from "@pulumi/sumologic";
    
    const thresholdRule = new sumologic.CseThresholdRule("thresholdRule", {
        countDistinct: true,
        countField: "dstDevice_hostname",
        description: "Signal description",
        enabled: true,
        entitySelectors: [{
            entityType: "_ip",
            expression: "srcDevice_ip",
        }],
        expression: "objectType = \"Network\"",
        groupByFields: ["dstDevice_hostname"],
        isPrototype: false,
        limit: 1000,
        severity: 5,
        summaryExpression: "Signal summary",
        tags: ["_mitreAttackTactic:TA0009"],
        windowSize: "T30M",
    });
    
    resources:
      thresholdRule:
        type: sumologic:CseThresholdRule
        properties:
          countDistinct: true
          countField: dstDevice_hostname
          description: Signal description
          enabled: true
          entitySelectors:
            - entityType: _ip
              expression: srcDevice_ip
          expression: objectType = "Network"
          groupByFields:
            - dstDevice_hostname
          isPrototype: false
          limit: 1000
          severity: 5
          summaryExpression: Signal summary
          tags:
            - _mitreAttackTactic:TA0009
          windowSize: T30M
    

    Create CseThresholdRule Resource

    new CseThresholdRule(name: string, args: CseThresholdRuleArgs, opts?: CustomResourceOptions);
    @overload
    def CseThresholdRule(resource_name: str,
                         opts: Optional[ResourceOptions] = None,
                         count_distinct: Optional[bool] = None,
                         count_field: Optional[str] = None,
                         description: Optional[str] = None,
                         enabled: Optional[bool] = None,
                         entity_selectors: Optional[Sequence[CseThresholdRuleEntitySelectorArgs]] = None,
                         expression: Optional[str] = None,
                         group_by_fields: Optional[Sequence[str]] = None,
                         is_prototype: Optional[bool] = None,
                         limit: Optional[int] = None,
                         name: Optional[str] = None,
                         severity: Optional[int] = None,
                         summary_expression: Optional[str] = None,
                         tags: Optional[Sequence[str]] = None,
                         window_size: Optional[str] = None)
    @overload
    def CseThresholdRule(resource_name: str,
                         args: CseThresholdRuleArgs,
                         opts: Optional[ResourceOptions] = None)
    func NewCseThresholdRule(ctx *Context, name string, args CseThresholdRuleArgs, opts ...ResourceOption) (*CseThresholdRule, error)
    public CseThresholdRule(string name, CseThresholdRuleArgs args, CustomResourceOptions? opts = null)
    public CseThresholdRule(String name, CseThresholdRuleArgs args)
    public CseThresholdRule(String name, CseThresholdRuleArgs args, CustomResourceOptions options)
    
    type: sumologic:CseThresholdRule
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args CseThresholdRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args CseThresholdRuleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args CseThresholdRuleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args CseThresholdRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args CseThresholdRuleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    CseThresholdRule Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The CseThresholdRule resource accepts the following input properties:

    Description string
    The description of the generated Signals
    Enabled bool
    Whether the rule should generate Signals
    EntitySelectors List<Pulumi.SumoLogic.Inputs.CseThresholdRuleEntitySelector>
    The entities to generate Signals on
    Expression string
    The expression for which records to match on
    Limit int
    A Signal will be fired when this many records/distinct field values are matched
    Severity int
    The severity of the generated Signals
    WindowSize string

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    CountDistinct bool
    Whether to count distinct values of a field, as opposed to just counting the number of records
    CountField string
    The field to count if count_distinct is set to true
    GroupByFields List<string>
    A list of fields to group records by
    IsPrototype bool
    Whether the generated Signals should be prototype Signals
    Name string
    The name of the Rule and the generated Signals
    SummaryExpression string
    The summary of the generated Signals
    Tags List<string>
    The tags of the generated Signals
    Description string
    The description of the generated Signals
    Enabled bool
    Whether the rule should generate Signals
    EntitySelectors []CseThresholdRuleEntitySelectorArgs
    The entities to generate Signals on
    Expression string
    The expression for which records to match on
    Limit int
    A Signal will be fired when this many records/distinct field values are matched
    Severity int
    The severity of the generated Signals
    WindowSize string

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    CountDistinct bool
    Whether to count distinct values of a field, as opposed to just counting the number of records
    CountField string
    The field to count if count_distinct is set to true
    GroupByFields []string
    A list of fields to group records by
    IsPrototype bool
    Whether the generated Signals should be prototype Signals
    Name string
    The name of the Rule and the generated Signals
    SummaryExpression string
    The summary of the generated Signals
    Tags []string
    The tags of the generated Signals
    description String
    The description of the generated Signals
    enabled Boolean
    Whether the rule should generate Signals
    entitySelectors List<CseThresholdRuleEntitySelector>
    The entities to generate Signals on
    expression String
    The expression for which records to match on
    limit Integer
    A Signal will be fired when this many records/distinct field values are matched
    severity Integer
    The severity of the generated Signals
    windowSize String

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    countDistinct Boolean
    Whether to count distinct values of a field, as opposed to just counting the number of records
    countField String
    The field to count if count_distinct is set to true
    groupByFields List<String>
    A list of fields to group records by
    isPrototype Boolean
    Whether the generated Signals should be prototype Signals
    name String
    The name of the Rule and the generated Signals
    summaryExpression String
    The summary of the generated Signals
    tags List<String>
    The tags of the generated Signals
    description string
    The description of the generated Signals
    enabled boolean
    Whether the rule should generate Signals
    entitySelectors CseThresholdRuleEntitySelector[]
    The entities to generate Signals on
    expression string
    The expression for which records to match on
    limit number
    A Signal will be fired when this many records/distinct field values are matched
    severity number
    The severity of the generated Signals
    windowSize string

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    countDistinct boolean
    Whether to count distinct values of a field, as opposed to just counting the number of records
    countField string
    The field to count if count_distinct is set to true
    groupByFields string[]
    A list of fields to group records by
    isPrototype boolean
    Whether the generated Signals should be prototype Signals
    name string
    The name of the Rule and the generated Signals
    summaryExpression string
    The summary of the generated Signals
    tags string[]
    The tags of the generated Signals
    description str
    The description of the generated Signals
    enabled bool
    Whether the rule should generate Signals
    entity_selectors Sequence[CseThresholdRuleEntitySelectorArgs]
    The entities to generate Signals on
    expression str
    The expression for which records to match on
    limit int
    A Signal will be fired when this many records/distinct field values are matched
    severity int
    The severity of the generated Signals
    window_size str

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    count_distinct bool
    Whether to count distinct values of a field, as opposed to just counting the number of records
    count_field str
    The field to count if count_distinct is set to true
    group_by_fields Sequence[str]
    A list of fields to group records by
    is_prototype bool
    Whether the generated Signals should be prototype Signals
    name str
    The name of the Rule and the generated Signals
    summary_expression str
    The summary of the generated Signals
    tags Sequence[str]
    The tags of the generated Signals
    description String
    The description of the generated Signals
    enabled Boolean
    Whether the rule should generate Signals
    entitySelectors List<Property Map>
    The entities to generate Signals on
    expression String
    The expression for which records to match on
    limit Number
    A Signal will be fired when this many records/distinct field values are matched
    severity Number
    The severity of the generated Signals
    windowSize String

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    countDistinct Boolean
    Whether to count distinct values of a field, as opposed to just counting the number of records
    countField String
    The field to count if count_distinct is set to true
    groupByFields List<String>
    A list of fields to group records by
    isPrototype Boolean
    Whether the generated Signals should be prototype Signals
    name String
    The name of the Rule and the generated Signals
    summaryExpression String
    The summary of the generated Signals
    tags List<String>
    The tags of the generated Signals

    Outputs

    All input properties are implicitly available as output properties. Additionally, the CseThresholdRule resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing CseThresholdRule Resource

    Get an existing CseThresholdRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: CseThresholdRuleState, opts?: CustomResourceOptions): CseThresholdRule
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            count_distinct: Optional[bool] = None,
            count_field: Optional[str] = None,
            description: Optional[str] = None,
            enabled: Optional[bool] = None,
            entity_selectors: Optional[Sequence[CseThresholdRuleEntitySelectorArgs]] = None,
            expression: Optional[str] = None,
            group_by_fields: Optional[Sequence[str]] = None,
            is_prototype: Optional[bool] = None,
            limit: Optional[int] = None,
            name: Optional[str] = None,
            severity: Optional[int] = None,
            summary_expression: Optional[str] = None,
            tags: Optional[Sequence[str]] = None,
            window_size: Optional[str] = None) -> CseThresholdRule
    func GetCseThresholdRule(ctx *Context, name string, id IDInput, state *CseThresholdRuleState, opts ...ResourceOption) (*CseThresholdRule, error)
    public static CseThresholdRule Get(string name, Input<string> id, CseThresholdRuleState? state, CustomResourceOptions? opts = null)
    public static CseThresholdRule get(String name, Output<String> id, CseThresholdRuleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    CountDistinct bool
    Whether to count distinct values of a field, as opposed to just counting the number of records
    CountField string
    The field to count if count_distinct is set to true
    Description string
    The description of the generated Signals
    Enabled bool
    Whether the rule should generate Signals
    EntitySelectors List<Pulumi.SumoLogic.Inputs.CseThresholdRuleEntitySelector>
    The entities to generate Signals on
    Expression string
    The expression for which records to match on
    GroupByFields List<string>
    A list of fields to group records by
    IsPrototype bool
    Whether the generated Signals should be prototype Signals
    Limit int
    A Signal will be fired when this many records/distinct field values are matched
    Name string
    The name of the Rule and the generated Signals
    Severity int
    The severity of the generated Signals
    SummaryExpression string
    The summary of the generated Signals
    Tags List<string>
    The tags of the generated Signals
    WindowSize string

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    CountDistinct bool
    Whether to count distinct values of a field, as opposed to just counting the number of records
    CountField string
    The field to count if count_distinct is set to true
    Description string
    The description of the generated Signals
    Enabled bool
    Whether the rule should generate Signals
    EntitySelectors []CseThresholdRuleEntitySelectorArgs
    The entities to generate Signals on
    Expression string
    The expression for which records to match on
    GroupByFields []string
    A list of fields to group records by
    IsPrototype bool
    Whether the generated Signals should be prototype Signals
    Limit int
    A Signal will be fired when this many records/distinct field values are matched
    Name string
    The name of the Rule and the generated Signals
    Severity int
    The severity of the generated Signals
    SummaryExpression string
    The summary of the generated Signals
    Tags []string
    The tags of the generated Signals
    WindowSize string

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    countDistinct Boolean
    Whether to count distinct values of a field, as opposed to just counting the number of records
    countField String
    The field to count if count_distinct is set to true
    description String
    The description of the generated Signals
    enabled Boolean
    Whether the rule should generate Signals
    entitySelectors List<CseThresholdRuleEntitySelector>
    The entities to generate Signals on
    expression String
    The expression for which records to match on
    groupByFields List<String>
    A list of fields to group records by
    isPrototype Boolean
    Whether the generated Signals should be prototype Signals
    limit Integer
    A Signal will be fired when this many records/distinct field values are matched
    name String
    The name of the Rule and the generated Signals
    severity Integer
    The severity of the generated Signals
    summaryExpression String
    The summary of the generated Signals
    tags List<String>
    The tags of the generated Signals
    windowSize String

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    countDistinct boolean
    Whether to count distinct values of a field, as opposed to just counting the number of records
    countField string
    The field to count if count_distinct is set to true
    description string
    The description of the generated Signals
    enabled boolean
    Whether the rule should generate Signals
    entitySelectors CseThresholdRuleEntitySelector[]
    The entities to generate Signals on
    expression string
    The expression for which records to match on
    groupByFields string[]
    A list of fields to group records by
    isPrototype boolean
    Whether the generated Signals should be prototype Signals
    limit number
    A Signal will be fired when this many records/distinct field values are matched
    name string
    The name of the Rule and the generated Signals
    severity number
    The severity of the generated Signals
    summaryExpression string
    The summary of the generated Signals
    tags string[]
    The tags of the generated Signals
    windowSize string

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    count_distinct bool
    Whether to count distinct values of a field, as opposed to just counting the number of records
    count_field str
    The field to count if count_distinct is set to true
    description str
    The description of the generated Signals
    enabled bool
    Whether the rule should generate Signals
    entity_selectors Sequence[CseThresholdRuleEntitySelectorArgs]
    The entities to generate Signals on
    expression str
    The expression for which records to match on
    group_by_fields Sequence[str]
    A list of fields to group records by
    is_prototype bool
    Whether the generated Signals should be prototype Signals
    limit int
    A Signal will be fired when this many records/distinct field values are matched
    name str
    The name of the Rule and the generated Signals
    severity int
    The severity of the generated Signals
    summary_expression str
    The summary of the generated Signals
    tags Sequence[str]
    The tags of the generated Signals
    window_size str

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    countDistinct Boolean
    Whether to count distinct values of a field, as opposed to just counting the number of records
    countField String
    The field to count if count_distinct is set to true
    description String
    The description of the generated Signals
    enabled Boolean
    Whether the rule should generate Signals
    entitySelectors List<Property Map>
    The entities to generate Signals on
    expression String
    The expression for which records to match on
    groupByFields List<String>
    A list of fields to group records by
    isPrototype Boolean
    Whether the generated Signals should be prototype Signals
    limit Number
    A Signal will be fired when this many records/distinct field values are matched
    name String
    The name of the Rule and the generated Signals
    severity Number
    The severity of the generated Signals
    summaryExpression String
    The summary of the generated Signals
    tags List<String>
    The tags of the generated Signals
    windowSize String

    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

    The following attributes are exported:

    Supporting Types

    CseThresholdRuleEntitySelector, CseThresholdRuleEntitySelectorArgs

    EntityType string
    Expression string
    The expression for which records to match on
    EntityType string
    Expression string
    The expression for which records to match on
    entityType String
    expression String
    The expression for which records to match on
    entityType string
    expression string
    The expression for which records to match on
    entity_type str
    expression str
    The expression for which records to match on
    entityType String
    expression String
    The expression for which records to match on

    Import

    Threshold Rules can be imported using the field id, e.g.:

    hcl

    $ pulumi import sumologic:index/cseThresholdRule:CseThresholdRule threshold_rule id
    

    Package Details

    Repository
    Sumo Logic pulumi/pulumi-sumologic
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the sumologic Terraform Provider.
    sumologic logo
    Sumo Logic v0.20.3 published on Wednesday, Mar 6, 2024 by Pulumi