We recommend using Azure Native.
azure.sentinel.AlertRuleMsSecurityIncident
Explore with Pulumi AI
Manages a Sentinel MS Security Incident Alert Rule.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const example = new azure.core.ResourceGroup("example", {
name: "example-resources",
location: "West Europe",
});
const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("example", {
name: "example-workspace",
location: example.location,
resourceGroupName: example.name,
sku: "PerGB2018",
});
const exampleLogAnalyticsWorkspaceOnboarding = new azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", {workspaceId: exampleAnalyticsWorkspace.id});
const exampleAlertRuleMsSecurityIncident = new azure.sentinel.AlertRuleMsSecurityIncident("example", {
name: "example-ms-security-incident-alert-rule",
logAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.workspaceId,
productFilter: "Microsoft Cloud App Security",
displayName: "example rule",
severityFilters: ["High"],
});
import pulumi
import pulumi_azure as azure
example = azure.core.ResourceGroup("example",
name="example-resources",
location="West Europe")
example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("example",
name="example-workspace",
location=example.location,
resource_group_name=example.name,
sku="PerGB2018")
example_log_analytics_workspace_onboarding = azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", workspace_id=example_analytics_workspace.id)
example_alert_rule_ms_security_incident = azure.sentinel.AlertRuleMsSecurityIncident("example",
name="example-ms-security-incident-alert-rule",
log_analytics_workspace_id=example_log_analytics_workspace_onboarding.workspace_id,
product_filter="Microsoft Cloud App Security",
display_name="example rule",
severity_filters=["High"])
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/operationalinsights"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/sentinel"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
Name: pulumi.String("example-resources"),
Location: pulumi.String("West Europe"),
})
if err != nil {
return err
}
exampleAnalyticsWorkspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "example", &operationalinsights.AnalyticsWorkspaceArgs{
Name: pulumi.String("example-workspace"),
Location: example.Location,
ResourceGroupName: example.Name,
Sku: pulumi.String("PerGB2018"),
})
if err != nil {
return err
}
exampleLogAnalyticsWorkspaceOnboarding, err := sentinel.NewLogAnalyticsWorkspaceOnboarding(ctx, "example", &sentinel.LogAnalyticsWorkspaceOnboardingArgs{
WorkspaceId: exampleAnalyticsWorkspace.ID(),
})
if err != nil {
return err
}
_, err = sentinel.NewAlertRuleMsSecurityIncident(ctx, "example", &sentinel.AlertRuleMsSecurityIncidentArgs{
Name: pulumi.String("example-ms-security-incident-alert-rule"),
LogAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
ProductFilter: pulumi.String("Microsoft Cloud App Security"),
DisplayName: pulumi.String("example rule"),
SeverityFilters: pulumi.StringArray{
pulumi.String("High"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var example = new Azure.Core.ResourceGroup("example", new()
{
Name = "example-resources",
Location = "West Europe",
});
var exampleAnalyticsWorkspace = new Azure.OperationalInsights.AnalyticsWorkspace("example", new()
{
Name = "example-workspace",
Location = example.Location,
ResourceGroupName = example.Name,
Sku = "PerGB2018",
});
var exampleLogAnalyticsWorkspaceOnboarding = new Azure.Sentinel.LogAnalyticsWorkspaceOnboarding("example", new()
{
WorkspaceId = exampleAnalyticsWorkspace.Id,
});
var exampleAlertRuleMsSecurityIncident = new Azure.Sentinel.AlertRuleMsSecurityIncident("example", new()
{
Name = "example-ms-security-incident-alert-rule",
LogAnalyticsWorkspaceId = exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
ProductFilter = "Microsoft Cloud App Security",
DisplayName = "example rule",
SeverityFilters = new[]
{
"High",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboarding;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboardingArgs;
import com.pulumi.azure.sentinel.AlertRuleMsSecurityIncident;
import com.pulumi.azure.sentinel.AlertRuleMsSecurityIncidentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new ResourceGroup("example", ResourceGroupArgs.builder()
.name("example-resources")
.location("West Europe")
.build());
var exampleAnalyticsWorkspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()
.name("example-workspace")
.location(example.location())
.resourceGroupName(example.name())
.sku("PerGB2018")
.build());
var exampleLogAnalyticsWorkspaceOnboarding = new LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", LogAnalyticsWorkspaceOnboardingArgs.builder()
.workspaceId(exampleAnalyticsWorkspace.id())
.build());
var exampleAlertRuleMsSecurityIncident = new AlertRuleMsSecurityIncident("exampleAlertRuleMsSecurityIncident", AlertRuleMsSecurityIncidentArgs.builder()
.name("example-ms-security-incident-alert-rule")
.logAnalyticsWorkspaceId(exampleLogAnalyticsWorkspaceOnboarding.workspaceId())
.productFilter("Microsoft Cloud App Security")
.displayName("example rule")
.severityFilters("High")
.build());
}
}
resources:
example:
type: azure:core:ResourceGroup
properties:
name: example-resources
location: West Europe
exampleAnalyticsWorkspace:
type: azure:operationalinsights:AnalyticsWorkspace
name: example
properties:
name: example-workspace
location: ${example.location}
resourceGroupName: ${example.name}
sku: PerGB2018
exampleLogAnalyticsWorkspaceOnboarding:
type: azure:sentinel:LogAnalyticsWorkspaceOnboarding
name: example
properties:
workspaceId: ${exampleAnalyticsWorkspace.id}
exampleAlertRuleMsSecurityIncident:
type: azure:sentinel:AlertRuleMsSecurityIncident
name: example
properties:
name: example-ms-security-incident-alert-rule
logAnalyticsWorkspaceId: ${exampleLogAnalyticsWorkspaceOnboarding.workspaceId}
productFilter: Microsoft Cloud App Security
displayName: example rule
severityFilters:
- High
Create AlertRuleMsSecurityIncident Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AlertRuleMsSecurityIncident(name: string, args: AlertRuleMsSecurityIncidentArgs, opts?: CustomResourceOptions);
@overload
def AlertRuleMsSecurityIncident(resource_name: str,
args: AlertRuleMsSecurityIncidentArgs,
opts: Optional[ResourceOptions] = None)
@overload
def AlertRuleMsSecurityIncident(resource_name: str,
opts: Optional[ResourceOptions] = None,
display_name: Optional[str] = None,
log_analytics_workspace_id: Optional[str] = None,
product_filter: Optional[str] = None,
severity_filters: Optional[Sequence[str]] = None,
alert_rule_template_guid: Optional[str] = None,
description: Optional[str] = None,
display_name_exclude_filters: Optional[Sequence[str]] = None,
display_name_filters: Optional[Sequence[str]] = None,
enabled: Optional[bool] = None,
name: Optional[str] = None)
func NewAlertRuleMsSecurityIncident(ctx *Context, name string, args AlertRuleMsSecurityIncidentArgs, opts ...ResourceOption) (*AlertRuleMsSecurityIncident, error)
public AlertRuleMsSecurityIncident(string name, AlertRuleMsSecurityIncidentArgs args, CustomResourceOptions? opts = null)
public AlertRuleMsSecurityIncident(String name, AlertRuleMsSecurityIncidentArgs args)
public AlertRuleMsSecurityIncident(String name, AlertRuleMsSecurityIncidentArgs args, CustomResourceOptions options)
type: azure:sentinel:AlertRuleMsSecurityIncident
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AlertRuleMsSecurityIncidentArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AlertRuleMsSecurityIncidentArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AlertRuleMsSecurityIncidentArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AlertRuleMsSecurityIncidentArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AlertRuleMsSecurityIncidentArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var alertRuleMsSecurityIncidentResource = new Azure.Sentinel.AlertRuleMsSecurityIncident("alertRuleMsSecurityIncidentResource", new()
{
DisplayName = "string",
LogAnalyticsWorkspaceId = "string",
ProductFilter = "string",
SeverityFilters = new[]
{
"string",
},
AlertRuleTemplateGuid = "string",
Description = "string",
DisplayNameExcludeFilters = new[]
{
"string",
},
DisplayNameFilters = new[]
{
"string",
},
Enabled = false,
Name = "string",
});
example, err := sentinel.NewAlertRuleMsSecurityIncident(ctx, "alertRuleMsSecurityIncidentResource", &sentinel.AlertRuleMsSecurityIncidentArgs{
DisplayName: pulumi.String("string"),
LogAnalyticsWorkspaceId: pulumi.String("string"),
ProductFilter: pulumi.String("string"),
SeverityFilters: pulumi.StringArray{
pulumi.String("string"),
},
AlertRuleTemplateGuid: pulumi.String("string"),
Description: pulumi.String("string"),
DisplayNameExcludeFilters: pulumi.StringArray{
pulumi.String("string"),
},
DisplayNameFilters: pulumi.StringArray{
pulumi.String("string"),
},
Enabled: pulumi.Bool(false),
Name: pulumi.String("string"),
})
var alertRuleMsSecurityIncidentResource = new AlertRuleMsSecurityIncident("alertRuleMsSecurityIncidentResource", AlertRuleMsSecurityIncidentArgs.builder()
.displayName("string")
.logAnalyticsWorkspaceId("string")
.productFilter("string")
.severityFilters("string")
.alertRuleTemplateGuid("string")
.description("string")
.displayNameExcludeFilters("string")
.displayNameFilters("string")
.enabled(false)
.name("string")
.build());
alert_rule_ms_security_incident_resource = azure.sentinel.AlertRuleMsSecurityIncident("alertRuleMsSecurityIncidentResource",
display_name="string",
log_analytics_workspace_id="string",
product_filter="string",
severity_filters=["string"],
alert_rule_template_guid="string",
description="string",
display_name_exclude_filters=["string"],
display_name_filters=["string"],
enabled=False,
name="string")
const alertRuleMsSecurityIncidentResource = new azure.sentinel.AlertRuleMsSecurityIncident("alertRuleMsSecurityIncidentResource", {
displayName: "string",
logAnalyticsWorkspaceId: "string",
productFilter: "string",
severityFilters: ["string"],
alertRuleTemplateGuid: "string",
description: "string",
displayNameExcludeFilters: ["string"],
displayNameFilters: ["string"],
enabled: false,
name: "string",
});
type: azure:sentinel:AlertRuleMsSecurityIncident
properties:
alertRuleTemplateGuid: string
description: string
displayName: string
displayNameExcludeFilters:
- string
displayNameFilters:
- string
enabled: false
logAnalyticsWorkspaceId: string
name: string
productFilter: string
severityFilters:
- string
AlertRuleMsSecurityIncident Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The AlertRuleMsSecurityIncident resource accepts the following input properties:
- Display
Name string - The friendly name of this Sentinel MS Security Incident Alert Rule.
- Log
Analytics stringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- Product
Filter string - The Microsoft Security Service from where the alert will be generated. Possible values are
Azure Active Directory Identity Protection
,Azure Advanced Threat Protection
,Azure Security Center
,Azure Security Center for IoT
,Microsoft Cloud App Security
,Microsoft Defender Advanced Threat Protection
andOffice 365 Advanced Threat Protection
. - Severity
Filters List<string> Only create incidents from alerts when alert severity level is contained in this list. Possible values are
High
,Medium
,Low
andInformational
.NOTE At least one of the severity filters need to be set.
- Alert
Rule stringTemplate Guid - The GUID of the alert rule template which is used to create this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- Description string
- The description of this Sentinel MS Security Incident Alert Rule.
- Display
Name List<string>Exclude Filters - Only create incidents when the alert display name doesn't contain text from this list.
- Display
Name List<string>Filters - Only create incidents when the alert display name contain text from this list, leave empty to apply no filter.
- Enabled bool
- Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to
true
. - Name string
- The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- Display
Name string - The friendly name of this Sentinel MS Security Incident Alert Rule.
- Log
Analytics stringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- Product
Filter string - The Microsoft Security Service from where the alert will be generated. Possible values are
Azure Active Directory Identity Protection
,Azure Advanced Threat Protection
,Azure Security Center
,Azure Security Center for IoT
,Microsoft Cloud App Security
,Microsoft Defender Advanced Threat Protection
andOffice 365 Advanced Threat Protection
. - Severity
Filters []string Only create incidents from alerts when alert severity level is contained in this list. Possible values are
High
,Medium
,Low
andInformational
.NOTE At least one of the severity filters need to be set.
- Alert
Rule stringTemplate Guid - The GUID of the alert rule template which is used to create this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- Description string
- The description of this Sentinel MS Security Incident Alert Rule.
- Display
Name []stringExclude Filters - Only create incidents when the alert display name doesn't contain text from this list.
- Display
Name []stringFilters - Only create incidents when the alert display name contain text from this list, leave empty to apply no filter.
- Enabled bool
- Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to
true
. - Name string
- The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- display
Name String - The friendly name of this Sentinel MS Security Incident Alert Rule.
- log
Analytics StringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- product
Filter String - The Microsoft Security Service from where the alert will be generated. Possible values are
Azure Active Directory Identity Protection
,Azure Advanced Threat Protection
,Azure Security Center
,Azure Security Center for IoT
,Microsoft Cloud App Security
,Microsoft Defender Advanced Threat Protection
andOffice 365 Advanced Threat Protection
. - severity
Filters List<String> Only create incidents from alerts when alert severity level is contained in this list. Possible values are
High
,Medium
,Low
andInformational
.NOTE At least one of the severity filters need to be set.
- alert
Rule StringTemplate Guid - The GUID of the alert rule template which is used to create this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- description String
- The description of this Sentinel MS Security Incident Alert Rule.
- display
Name List<String>Exclude Filters - Only create incidents when the alert display name doesn't contain text from this list.
- display
Name List<String>Filters - Only create incidents when the alert display name contain text from this list, leave empty to apply no filter.
- enabled Boolean
- Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to
true
. - name String
- The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- display
Name string - The friendly name of this Sentinel MS Security Incident Alert Rule.
- log
Analytics stringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- product
Filter string - The Microsoft Security Service from where the alert will be generated. Possible values are
Azure Active Directory Identity Protection
,Azure Advanced Threat Protection
,Azure Security Center
,Azure Security Center for IoT
,Microsoft Cloud App Security
,Microsoft Defender Advanced Threat Protection
andOffice 365 Advanced Threat Protection
. - severity
Filters string[] Only create incidents from alerts when alert severity level is contained in this list. Possible values are
High
,Medium
,Low
andInformational
.NOTE At least one of the severity filters need to be set.
- alert
Rule stringTemplate Guid - The GUID of the alert rule template which is used to create this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- description string
- The description of this Sentinel MS Security Incident Alert Rule.
- display
Name string[]Exclude Filters - Only create incidents when the alert display name doesn't contain text from this list.
- display
Name string[]Filters - Only create incidents when the alert display name contain text from this list, leave empty to apply no filter.
- enabled boolean
- Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to
true
. - name string
- The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- display_
name str - The friendly name of this Sentinel MS Security Incident Alert Rule.
- log_
analytics_ strworkspace_ id - The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- product_
filter str - The Microsoft Security Service from where the alert will be generated. Possible values are
Azure Active Directory Identity Protection
,Azure Advanced Threat Protection
,Azure Security Center
,Azure Security Center for IoT
,Microsoft Cloud App Security
,Microsoft Defender Advanced Threat Protection
andOffice 365 Advanced Threat Protection
. - severity_
filters Sequence[str] Only create incidents from alerts when alert severity level is contained in this list. Possible values are
High
,Medium
,Low
andInformational
.NOTE At least one of the severity filters need to be set.
- alert_
rule_ strtemplate_ guid - The GUID of the alert rule template which is used to create this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- description str
- The description of this Sentinel MS Security Incident Alert Rule.
- display_
name_ Sequence[str]exclude_ filters - Only create incidents when the alert display name doesn't contain text from this list.
- display_
name_ Sequence[str]filters - Only create incidents when the alert display name contain text from this list, leave empty to apply no filter.
- enabled bool
- Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to
true
. - name str
- The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- display
Name String - The friendly name of this Sentinel MS Security Incident Alert Rule.
- log
Analytics StringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- product
Filter String - The Microsoft Security Service from where the alert will be generated. Possible values are
Azure Active Directory Identity Protection
,Azure Advanced Threat Protection
,Azure Security Center
,Azure Security Center for IoT
,Microsoft Cloud App Security
,Microsoft Defender Advanced Threat Protection
andOffice 365 Advanced Threat Protection
. - severity
Filters List<String> Only create incidents from alerts when alert severity level is contained in this list. Possible values are
High
,Medium
,Low
andInformational
.NOTE At least one of the severity filters need to be set.
- alert
Rule StringTemplate Guid - The GUID of the alert rule template which is used to create this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- description String
- The description of this Sentinel MS Security Incident Alert Rule.
- display
Name List<String>Exclude Filters - Only create incidents when the alert display name doesn't contain text from this list.
- display
Name List<String>Filters - Only create incidents when the alert display name contain text from this list, leave empty to apply no filter.
- enabled Boolean
- Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to
true
. - name String
- The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
Outputs
All input properties are implicitly available as output properties. Additionally, the AlertRuleMsSecurityIncident resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing AlertRuleMsSecurityIncident Resource
Get an existing AlertRuleMsSecurityIncident resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AlertRuleMsSecurityIncidentState, opts?: CustomResourceOptions): AlertRuleMsSecurityIncident
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
alert_rule_template_guid: Optional[str] = None,
description: Optional[str] = None,
display_name: Optional[str] = None,
display_name_exclude_filters: Optional[Sequence[str]] = None,
display_name_filters: Optional[Sequence[str]] = None,
enabled: Optional[bool] = None,
log_analytics_workspace_id: Optional[str] = None,
name: Optional[str] = None,
product_filter: Optional[str] = None,
severity_filters: Optional[Sequence[str]] = None) -> AlertRuleMsSecurityIncident
func GetAlertRuleMsSecurityIncident(ctx *Context, name string, id IDInput, state *AlertRuleMsSecurityIncidentState, opts ...ResourceOption) (*AlertRuleMsSecurityIncident, error)
public static AlertRuleMsSecurityIncident Get(string name, Input<string> id, AlertRuleMsSecurityIncidentState? state, CustomResourceOptions? opts = null)
public static AlertRuleMsSecurityIncident get(String name, Output<String> id, AlertRuleMsSecurityIncidentState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Alert
Rule stringTemplate Guid - The GUID of the alert rule template which is used to create this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- Description string
- The description of this Sentinel MS Security Incident Alert Rule.
- Display
Name string - The friendly name of this Sentinel MS Security Incident Alert Rule.
- Display
Name List<string>Exclude Filters - Only create incidents when the alert display name doesn't contain text from this list.
- Display
Name List<string>Filters - Only create incidents when the alert display name contain text from this list, leave empty to apply no filter.
- Enabled bool
- Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to
true
. - Log
Analytics stringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- Name string
- The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- Product
Filter string - The Microsoft Security Service from where the alert will be generated. Possible values are
Azure Active Directory Identity Protection
,Azure Advanced Threat Protection
,Azure Security Center
,Azure Security Center for IoT
,Microsoft Cloud App Security
,Microsoft Defender Advanced Threat Protection
andOffice 365 Advanced Threat Protection
. - Severity
Filters List<string> Only create incidents from alerts when alert severity level is contained in this list. Possible values are
High
,Medium
,Low
andInformational
.NOTE At least one of the severity filters need to be set.
- Alert
Rule stringTemplate Guid - The GUID of the alert rule template which is used to create this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- Description string
- The description of this Sentinel MS Security Incident Alert Rule.
- Display
Name string - The friendly name of this Sentinel MS Security Incident Alert Rule.
- Display
Name []stringExclude Filters - Only create incidents when the alert display name doesn't contain text from this list.
- Display
Name []stringFilters - Only create incidents when the alert display name contain text from this list, leave empty to apply no filter.
- Enabled bool
- Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to
true
. - Log
Analytics stringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- Name string
- The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- Product
Filter string - The Microsoft Security Service from where the alert will be generated. Possible values are
Azure Active Directory Identity Protection
,Azure Advanced Threat Protection
,Azure Security Center
,Azure Security Center for IoT
,Microsoft Cloud App Security
,Microsoft Defender Advanced Threat Protection
andOffice 365 Advanced Threat Protection
. - Severity
Filters []string Only create incidents from alerts when alert severity level is contained in this list. Possible values are
High
,Medium
,Low
andInformational
.NOTE At least one of the severity filters need to be set.
- alert
Rule StringTemplate Guid - The GUID of the alert rule template which is used to create this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- description String
- The description of this Sentinel MS Security Incident Alert Rule.
- display
Name String - The friendly name of this Sentinel MS Security Incident Alert Rule.
- display
Name List<String>Exclude Filters - Only create incidents when the alert display name doesn't contain text from this list.
- display
Name List<String>Filters - Only create incidents when the alert display name contain text from this list, leave empty to apply no filter.
- enabled Boolean
- Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to
true
. - log
Analytics StringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- name String
- The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- product
Filter String - The Microsoft Security Service from where the alert will be generated. Possible values are
Azure Active Directory Identity Protection
,Azure Advanced Threat Protection
,Azure Security Center
,Azure Security Center for IoT
,Microsoft Cloud App Security
,Microsoft Defender Advanced Threat Protection
andOffice 365 Advanced Threat Protection
. - severity
Filters List<String> Only create incidents from alerts when alert severity level is contained in this list. Possible values are
High
,Medium
,Low
andInformational
.NOTE At least one of the severity filters need to be set.
- alert
Rule stringTemplate Guid - The GUID of the alert rule template which is used to create this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- description string
- The description of this Sentinel MS Security Incident Alert Rule.
- display
Name string - The friendly name of this Sentinel MS Security Incident Alert Rule.
- display
Name string[]Exclude Filters - Only create incidents when the alert display name doesn't contain text from this list.
- display
Name string[]Filters - Only create incidents when the alert display name contain text from this list, leave empty to apply no filter.
- enabled boolean
- Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to
true
. - log
Analytics stringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- name string
- The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- product
Filter string - The Microsoft Security Service from where the alert will be generated. Possible values are
Azure Active Directory Identity Protection
,Azure Advanced Threat Protection
,Azure Security Center
,Azure Security Center for IoT
,Microsoft Cloud App Security
,Microsoft Defender Advanced Threat Protection
andOffice 365 Advanced Threat Protection
. - severity
Filters string[] Only create incidents from alerts when alert severity level is contained in this list. Possible values are
High
,Medium
,Low
andInformational
.NOTE At least one of the severity filters need to be set.
- alert_
rule_ strtemplate_ guid - The GUID of the alert rule template which is used to create this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- description str
- The description of this Sentinel MS Security Incident Alert Rule.
- display_
name str - The friendly name of this Sentinel MS Security Incident Alert Rule.
- display_
name_ Sequence[str]exclude_ filters - Only create incidents when the alert display name doesn't contain text from this list.
- display_
name_ Sequence[str]filters - Only create incidents when the alert display name contain text from this list, leave empty to apply no filter.
- enabled bool
- Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to
true
. - log_
analytics_ strworkspace_ id - The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- name str
- The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- product_
filter str - The Microsoft Security Service from where the alert will be generated. Possible values are
Azure Active Directory Identity Protection
,Azure Advanced Threat Protection
,Azure Security Center
,Azure Security Center for IoT
,Microsoft Cloud App Security
,Microsoft Defender Advanced Threat Protection
andOffice 365 Advanced Threat Protection
. - severity_
filters Sequence[str] Only create incidents from alerts when alert severity level is contained in this list. Possible values are
High
,Medium
,Low
andInformational
.NOTE At least one of the severity filters need to be set.
- alert
Rule StringTemplate Guid - The GUID of the alert rule template which is used to create this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- description String
- The description of this Sentinel MS Security Incident Alert Rule.
- display
Name String - The friendly name of this Sentinel MS Security Incident Alert Rule.
- display
Name List<String>Exclude Filters - Only create incidents when the alert display name doesn't contain text from this list.
- display
Name List<String>Filters - Only create incidents when the alert display name contain text from this list, leave empty to apply no filter.
- enabled Boolean
- Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to
true
. - log
Analytics StringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- name String
- The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
- product
Filter String - The Microsoft Security Service from where the alert will be generated. Possible values are
Azure Active Directory Identity Protection
,Azure Advanced Threat Protection
,Azure Security Center
,Azure Security Center for IoT
,Microsoft Cloud App Security
,Microsoft Defender Advanced Threat Protection
andOffice 365 Advanced Threat Protection
. - severity
Filters List<String> Only create incidents from alerts when alert severity level is contained in this list. Possible values are
High
,Medium
,Low
andInformational
.NOTE At least one of the severity filters need to be set.
Import
Sentinel MS Security Incident Alert Rules can be imported using the resource id
, e.g.
$ pulumi import azure:sentinel/alertRuleMsSecurityIncident:AlertRuleMsSecurityIncident example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Classic pulumi/pulumi-azure
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
azurerm
Terraform Provider.