sumologic.CseThresholdRule
Provides a Sumo Logic CSE Threshold Rule.
Example Usage
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using SumoLogic = Pulumi.SumoLogic;
return await Deployment.RunAsync(() =>
{
    // Entity selector: Signals are generated on the "_ip" entity taken from
    // the srcDevice_ip field of each matching record.
    var sourceIpSelector = new SumoLogic.Inputs.CseThresholdRuleEntitySelectorArgs
    {
        EntityType = "_ip",
        Expression = "srcDevice_ip",
    };

    var ruleArgs = new SumoLogic.CseThresholdRuleArgs
    {
        // Count distinct values of CountField rather than the raw number of records.
        CountDistinct = true,
        CountField = "dstDevice_hostname",
        Description = "Signal description",
        // The rule generates Signals as soon as it is created.
        Enabled = true,
        EntitySelectors = new[] { sourceIpSelector },
        // Only records matching this expression are considered by the rule.
        Expression = "objectType = \"Network\"",
        GroupByFields = new[] { "dstDevice_hostname" },
        // Real (non-prototype) Signals.
        IsPrototype = false,
        // A Signal fires once this many distinct dstDevice_hostname values are
        // matched within WindowSize (T30M is one of the accepted window values).
        Limit = 1000,
        Severity = 5,
        SummaryExpression = "Signal summary",
        // Tags carried by the generated Signals (here a MITRE ATT&CK tactic id).
        Tags = new[] { "_mitreAttackTactic:TA0009" },
        WindowSize = "T30M",
    };

    var thresholdRule = new SumoLogic.CseThresholdRule("thresholdRule", ruleArgs);
});
package main
import (
"github.com/pulumi/pulumi-sumologic/sdk/go/sumologic"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a single CSE threshold rule inside a Pulumi program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Entity selector: Signals are generated on the "_ip" entity taken from
		// the srcDevice_ip field of each matching record.
		selectors := sumologic.CseThresholdRuleEntitySelectorArray{
			&sumologic.CseThresholdRuleEntitySelectorArgs{
				EntityType: pulumi.String("_ip"),
				Expression: pulumi.String("srcDevice_ip"),
			},
		}

		args := &sumologic.CseThresholdRuleArgs{
			// Count distinct values of CountField rather than the raw number of records.
			CountDistinct: pulumi.Bool(true),
			CountField:    pulumi.String("dstDevice_hostname"),
			Description:   pulumi.String("Signal description"),
			// The rule generates Signals as soon as it is created.
			Enabled:         pulumi.Bool(true),
			EntitySelectors: selectors,
			// Only records matching this expression are considered by the rule.
			Expression: pulumi.String("objectType = \"Network\""),
			GroupByFields: pulumi.StringArray{
				pulumi.String("dstDevice_hostname"),
			},
			// Real (non-prototype) Signals.
			IsPrototype: pulumi.Bool(false),
			// A Signal fires once this many distinct dstDevice_hostname values are
			// matched within WindowSize (T30M is one of the accepted window values).
			Limit:             pulumi.Int(1000),
			Severity:          pulumi.Int(5),
			SummaryExpression: pulumi.String("Signal summary"),
			// Tags carried by the generated Signals (here a MITRE ATT&CK tactic id).
			Tags: pulumi.StringArray{
				pulumi.String("_mitreAttackTactic:TA0009"),
			},
			WindowSize: pulumi.String("T30M"),
		}

		// The resource handle is not needed; only the error is propagated.
		_, err := sumologic.NewCseThresholdRule(ctx, "thresholdRule", args)
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.sumologic.CseThresholdRule;
import com.pulumi.sumologic.CseThresholdRuleArgs;
import com.pulumi.sumologic.inputs.CseThresholdRuleEntitySelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Pulumi program that declares a single CSE threshold rule. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Builds the rule arguments and registers the rule with the given deployment context. */
    public static void stack(Context ctx) {
        // Entity selector: Signals are generated on the "_ip" entity taken from
        // the srcDevice_ip field of each matching record.
        var sourceIpSelector = CseThresholdRuleEntitySelectorArgs.builder()
            .entityType("_ip")
            .expression("srcDevice_ip")
            .build();

        var ruleArgs = CseThresholdRuleArgs.builder()
            // Count distinct values of countField rather than the raw number of records.
            .countDistinct(true)
            .countField("dstDevice_hostname")
            .description("Signal description")
            // The rule generates Signals as soon as it is created.
            .enabled(true)
            .entitySelectors(sourceIpSelector)
            // Only records matching this expression are considered by the rule.
            .expression("objectType = \"Network\"")
            .groupByFields("dstDevice_hostname")
            // Real (non-prototype) Signals.
            .isPrototype(false)
            // A Signal fires once this many distinct dstDevice_hostname values are
            // matched within windowSize (T30M is one of the accepted window values).
            .limit(1000)
            .severity(5)
            .summaryExpression("Signal summary")
            // Tags carried by the generated Signals (here a MITRE ATT&CK tactic id).
            .tags("_mitreAttackTactic:TA0009")
            .windowSize("T30M")
            .build();

        var rule = new CseThresholdRule("thresholdRule", ruleArgs);
    }
}
import pulumi
import pulumi_sumologic as sumologic
# Entity selector: Signals are generated on the "_ip" entity taken from
# the srcDevice_ip field of each matching record.
source_ip_selector = sumologic.CseThresholdRuleEntitySelectorArgs(
    entity_type="_ip",
    expression="srcDevice_ip",
)

threshold_rule = sumologic.CseThresholdRule(
    "thresholdRule",
    # Count distinct values of count_field rather than the raw number of records.
    count_distinct=True,
    count_field="dstDevice_hostname",
    description="Signal description",
    # The rule generates Signals as soon as it is created.
    enabled=True,
    entity_selectors=[source_ip_selector],
    # Only records matching this expression are considered by the rule.
    expression="objectType = \"Network\"",
    group_by_fields=["dstDevice_hostname"],
    # Real (non-prototype) Signals.
    is_prototype=False,
    # A Signal fires once this many distinct dstDevice_hostname values are
    # matched within window_size (T30M is one of the accepted window values).
    limit=1000,
    severity=5,
    summary_expression="Signal summary",
    # Tags carried by the generated Signals (here a MITRE ATT&CK tactic id).
    tags=["_mitreAttackTactic:TA0009"],
    window_size="T30M",
)
import * as pulumi from "@pulumi/pulumi";
import * as sumologic from "@pulumi/sumologic";
// Entity selector: Signals are generated on the "_ip" entity taken from
// the srcDevice_ip field of each matching record.
const sourceIpSelector = {
    entityType: "_ip",
    expression: "srcDevice_ip",
};

const ruleArgs: sumologic.CseThresholdRuleArgs = {
    // Count distinct values of countField rather than the raw number of records.
    countDistinct: true,
    countField: "dstDevice_hostname",
    description: "Signal description",
    // The rule generates Signals as soon as it is created.
    enabled: true,
    entitySelectors: [sourceIpSelector],
    // Only records matching this expression are considered by the rule.
    expression: "objectType = \"Network\"",
    groupByFields: ["dstDevice_hostname"],
    // Real (non-prototype) Signals.
    isPrototype: false,
    // A Signal fires once this many distinct dstDevice_hostname values are
    // matched within windowSize (T30M is one of the accepted window values).
    limit: 1000,
    severity: 5,
    summaryExpression: "Signal summary",
    // Tags carried by the generated Signals (here a MITRE ATT&CK tactic id).
    tags: ["_mitreAttackTactic:TA0009"],
    windowSize: "T30M",
};

const thresholdRule = new sumologic.CseThresholdRule("thresholdRule", ruleArgs);
resources:
  thresholdRule:
    type: sumologic:CseThresholdRule
    properties:
      # Count distinct values of countField rather than the raw number of records.
      countDistinct: true
      countField: dstDevice_hostname
      description: Signal description
      # The rule generates Signals as soon as it is created.
      enabled: true
      # Signals are generated on the _ip entity taken from srcDevice_ip.
      entitySelectors:
        - entityType: _ip
          expression: srcDevice_ip
      # Only records matching this expression are considered by the rule.
      expression: objectType = "Network"
      groupByFields:
        - dstDevice_hostname
      # Real (non-prototype) Signals.
      isPrototype: false
      # A Signal fires once this many distinct dstDevice_hostname values are
      # matched within windowSize (T30M is one of the accepted window values).
      limit: 1000
      severity: 5
      summaryExpression: Signal summary
      # Tags carried by the generated Signals (here a MITRE ATT&CK tactic id).
      tags:
        - _mitreAttackTactic:TA0009
      windowSize: T30M
Create CseThresholdRule Resource
new CseThresholdRule(name: string, args: CseThresholdRuleArgs, opts?: CustomResourceOptions);
@overload
def CseThresholdRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
count_distinct: Optional[bool] = None,
count_field: Optional[str] = None,
description: Optional[str] = None,
enabled: Optional[bool] = None,
entity_selectors: Optional[Sequence[CseThresholdRuleEntitySelectorArgs]] = None,
expression: Optional[str] = None,
group_by_fields: Optional[Sequence[str]] = None,
is_prototype: Optional[bool] = None,
limit: Optional[int] = None,
name: Optional[str] = None,
severity: Optional[int] = None,
summary_expression: Optional[str] = None,
tags: Optional[Sequence[str]] = None,
window_size: Optional[str] = None)
@overload
def CseThresholdRule(resource_name: str,
args: CseThresholdRuleArgs,
opts: Optional[ResourceOptions] = None)
func NewCseThresholdRule(ctx *Context, name string, args CseThresholdRuleArgs, opts ...ResourceOption) (*CseThresholdRule, error)
public CseThresholdRule(string name, CseThresholdRuleArgs args, CustomResourceOptions? opts = null)
public CseThresholdRule(String name, CseThresholdRuleArgs args)
public CseThresholdRule(String name, CseThresholdRuleArgs args, CustomResourceOptions options)
type: sumologic:CseThresholdRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CseThresholdRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args CseThresholdRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args CseThresholdRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CseThresholdRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args CseThresholdRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
CseThresholdRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The CseThresholdRule resource accepts the following input properties:
- Description string
The description of the generated Signals
- Enabled bool
Whether the rule should generate Signals
- EntitySelectors List<Pulumi.SumoLogic.Inputs.CseThresholdRuleEntitySelectorArgs>
The entities to generate Signals on
- Expression string
The expression for which records to match on
- Limit int
A Signal will be fired when this many records/distinct field values are matched
- Severity int
The severity of the generated Signals
- WindowSize string
How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.
The following attributes are exported:
- CountDistinct bool
Whether to count distinct values of a field, as opposed to just counting the number of records
- CountField string
The field to count if count_distinct is set to true
- GroupByFields List<string>
A list of fields to group records by
- IsPrototype bool
Whether the generated Signals should be prototype Signals
- Name string
The name of the Rule and the generated Signals
- SummaryExpression string
The summary of the generated Signals
- Tags List<string>
The tags of the generated Signals
- Description string
The description of the generated Signals
- Enabled bool
Whether the rule should generate Signals
- EntitySelectors []CseThresholdRuleEntitySelectorArgs
The entities to generate Signals on
- Expression string
The expression for which records to match on
- Limit int
A Signal will be fired when this many records/distinct field values are matched
- Severity int
The severity of the generated Signals
- WindowSize string
How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.
The following attributes are exported:
- CountDistinct bool
Whether to count distinct values of a field, as opposed to just counting the number of records
- CountField string
The field to count if count_distinct is set to true
- GroupByFields []string
A list of fields to group records by
- IsPrototype bool
Whether the generated Signals should be prototype Signals
- Name string
The name of the Rule and the generated Signals
- SummaryExpression string
The summary of the generated Signals
- Tags []string
The tags of the generated Signals
- description String
The description of the generated Signals
- enabled Boolean
Whether the rule should generate Signals
- entitySelectors List<CseThresholdRuleEntitySelectorArgs>
The entities to generate Signals on
- expression String
The expression for which records to match on
- limit Integer
A Signal will be fired when this many records/distinct field values are matched
- severity Integer
The severity of the generated Signals
- windowSize String
How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.
The following attributes are exported:
- countDistinct Boolean
Whether to count distinct values of a field, as opposed to just counting the number of records
- countField String
The field to count if count_distinct is set to true
- groupByFields List<String>
A list of fields to group records by
- isPrototype Boolean
Whether the generated Signals should be prototype Signals
- name String
The name of the Rule and the generated Signals
- summaryExpression String
The summary of the generated Signals
- tags List<String>
The tags of the generated Signals
- description string
The description of the generated Signals
- enabled boolean
Whether the rule should generate Signals
- entitySelectors CseThresholdRuleEntitySelectorArgs[]
The entities to generate Signals on
- expression string
The expression for which records to match on
- limit number
A Signal will be fired when this many records/distinct field values are matched
- severity number
The severity of the generated Signals
- windowSize string
How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.
The following attributes are exported:
- countDistinct boolean
Whether to count distinct values of a field, as opposed to just counting the number of records
- countField string
The field to count if count_distinct is set to true
- groupByFields string[]
A list of fields to group records by
- isPrototype boolean
Whether the generated Signals should be prototype Signals
- name string
The name of the Rule and the generated Signals
- summaryExpression string
The summary of the generated Signals
- tags string[]
The tags of the generated Signals
- description str
The description of the generated Signals
- enabled bool
Whether the rule should generate Signals
- entity_selectors Sequence[CseThresholdRuleEntitySelectorArgs]
The entities to generate Signals on
- expression str
The expression for which records to match on
- limit int
A Signal will be fired when this many records/distinct field values are matched
- severity int
The severity of the generated Signals
- window_size str
How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.
The following attributes are exported:
- count_distinct bool
Whether to count distinct values of a field, as opposed to just counting the number of records
- count_field str
The field to count if count_distinct is set to true
- group_by_fields Sequence[str]
A list of fields to group records by
- is_prototype bool
Whether the generated Signals should be prototype Signals
- name str
The name of the Rule and the generated Signals
- summary_expression str
The summary of the generated Signals
- tags Sequence[str]
The tags of the generated Signals
- description String
The description of the generated Signals
- enabled Boolean
Whether the rule should generate Signals
- entitySelectors List<Property Map>
The entities to generate Signals on
- expression String
The expression for which records to match on
- limit Number
A Signal will be fired when this many records/distinct field values are matched
- severity Number
The severity of the generated Signals
- windowSize String
How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.
The following attributes are exported:
- countDistinct Boolean
Whether to count distinct values of a field, as opposed to just counting the number of records
- countField String
The field to count if count_distinct is set to true
- groupByFields List<String>
A list of fields to group records by
- isPrototype Boolean
Whether the generated Signals should be prototype Signals
- name String
The name of the Rule and the generated Signals
- summaryExpression String
The summary of the generated Signals
- tags List<String>
The tags of the generated Signals
Outputs
All input properties are implicitly available as output properties. Additionally, the CseThresholdRule resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Id string
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
- id string
The provider-assigned unique ID for this managed resource.
- id str
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
Look up Existing CseThresholdRule Resource
Get an existing CseThresholdRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: CseThresholdRuleState, opts?: CustomResourceOptions): CseThresholdRule
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
count_distinct: Optional[bool] = None,
count_field: Optional[str] = None,
description: Optional[str] = None,
enabled: Optional[bool] = None,
entity_selectors: Optional[Sequence[CseThresholdRuleEntitySelectorArgs]] = None,
expression: Optional[str] = None,
group_by_fields: Optional[Sequence[str]] = None,
is_prototype: Optional[bool] = None,
limit: Optional[int] = None,
name: Optional[str] = None,
severity: Optional[int] = None,
summary_expression: Optional[str] = None,
tags: Optional[Sequence[str]] = None,
window_size: Optional[str] = None) -> CseThresholdRule
func GetCseThresholdRule(ctx *Context, name string, id IDInput, state *CseThresholdRuleState, opts ...ResourceOption) (*CseThresholdRule, error)
public static CseThresholdRule Get(string name, Input<string> id, CseThresholdRuleState? state, CustomResourceOptions? opts = null)
public static CseThresholdRule get(String name, Output<String> id, CseThresholdRuleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- CountDistinct bool
Whether to count distinct values of a field, as opposed to just counting the number of records
- CountField string
The field to count if count_distinct is set to true
- Description string
The description of the generated Signals
- Enabled bool
Whether the rule should generate Signals
- EntitySelectors List<Pulumi.SumoLogic.Inputs.CseThresholdRuleEntitySelectorArgs>
The entities to generate Signals on
- Expression string
The expression for which records to match on
- GroupByFields List<string>
A list of fields to group records by
- IsPrototype bool
Whether the generated Signals should be prototype Signals
- Limit int
A Signal will be fired when this many records/distinct field values are matched
- Name string
The name of the Rule and the generated Signals
- Severity int
The severity of the generated Signals
- SummaryExpression string
The summary of the generated Signals
- Tags List<string>
The tags of the generated Signals
- WindowSize string
How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.
The following attributes are exported:
- CountDistinct bool
Whether to count distinct values of a field, as opposed to just counting the number of records
- CountField string
The field to count if count_distinct is set to true
- Description string
The description of the generated Signals
- Enabled bool
Whether the rule should generate Signals
- EntitySelectors []CseThresholdRuleEntitySelectorArgs
The entities to generate Signals on
- Expression string
The expression for which records to match on
- GroupByFields []string
A list of fields to group records by
- IsPrototype bool
Whether the generated Signals should be prototype Signals
- Limit int
A Signal will be fired when this many records/distinct field values are matched
- Name string
The name of the Rule and the generated Signals
- Severity int
The severity of the generated Signals
- SummaryExpression string
The summary of the generated Signals
- Tags []string
The tags of the generated Signals
- WindowSize string
How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.
The following attributes are exported:
- countDistinct Boolean
Whether to count distinct values of a field, as opposed to just counting the number of records
- countField String
The field to count if count_distinct is set to true
- description String
The description of the generated Signals
- enabled Boolean
Whether the rule should generate Signals
- entitySelectors List<CseThresholdRuleEntitySelectorArgs>
The entities to generate Signals on
- expression String
The expression for which records to match on
- groupByFields List<String>
A list of fields to group records by
- isPrototype Boolean
Whether the generated Signals should be prototype Signals
- limit Integer
A Signal will be fired when this many records/distinct field values are matched
- name String
The name of the Rule and the generated Signals
- severity Integer
The severity of the generated Signals
- summaryExpression String
The summary of the generated Signals
- tags List<String>
The tags of the generated Signals
- windowSize String
How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.
The following attributes are exported:
- countDistinct boolean
Whether to count distinct values of a field, as opposed to just counting the number of records
- countField string
The field to count if count_distinct is set to true
- description string
The description of the generated Signals
- enabled boolean
Whether the rule should generate Signals
- entitySelectors CseThresholdRuleEntitySelectorArgs[]
The entities to generate Signals on
- expression string
The expression for which records to match on
- groupByFields string[]
A list of fields to group records by
- isPrototype boolean
Whether the generated Signals should be prototype Signals
- limit number
A Signal will be fired when this many records/distinct field values are matched
- name string
The name of the Rule and the generated Signals
- severity number
The severity of the generated Signals
- summaryExpression string
The summary of the generated Signals
- tags string[]
The tags of the generated Signals
- windowSize string
How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.
The following attributes are exported:
- count_distinct bool
Whether to count distinct values of a field, as opposed to just counting the number of records
- count_field str
The field to count if count_distinct is set to true
- description str
The description of the generated Signals
- enabled bool
Whether the rule should generate Signals
- entity_selectors Sequence[CseThresholdRuleEntitySelectorArgs]
The entities to generate Signals on
- expression str
The expression for which records to match on
- group_by_fields Sequence[str]
A list of fields to group records by
- is_prototype bool
Whether the generated Signals should be prototype Signals
- limit int
A Signal will be fired when this many records/distinct field values are matched
- name str
The name of the Rule and the generated Signals
- severity int
The severity of the generated Signals
- summary_expression str
The summary of the generated Signals
- tags Sequence[str]
The tags of the generated Signals
- window_size str
How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.
The following attributes are exported:
- countDistinct Boolean
Whether to count distinct values of a field, as opposed to just counting the number of records
- countField String
The field to count if count_distinct is set to true
- description String
The description of the generated Signals
- enabled Boolean
Whether the rule should generate Signals
- entitySelectors List<Property Map>
The entities to generate Signals on
- expression String
The expression for which records to match on
- groupByFields List<String>
A list of fields to group records by
- isPrototype Boolean
Whether the generated Signals should be prototype Signals
- limit Number
A Signal will be fired when this many records/distinct field values are matched
- name String
The name of the Rule and the generated Signals
- severity Number
The severity of the generated Signals
- summaryExpression String
The summary of the generated Signals
- tags List<String>
The tags of the generated Signals
- windowSize String
How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.
The following attributes are exported:
Supporting Types
CseThresholdRuleEntitySelector
- EntityType string
- Expression string
The expression for which records to match on
- EntityType string
- Expression string
The expression for which records to match on
- entityType String
- expression String
The expression for which records to match on
- entityType string
- expression string
The expression for which records to match on
- entity_type str
- expression str
The expression for which records to match on
- entityType String
- expression String
The expression for which records to match on
Import
Threshold Rules can be imported using the field id, e.g.:
$ pulumi import sumologic:index/cseThresholdRule:CseThresholdRule threshold_rule id
Package Details
- Repository
- Sumo Logic pulumi/pulumi-sumologic
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
sumologic
Terraform Provider.