azure.sentinel.AlertRuleNrt
Manages a Sentinel NRT (near-real-time) Alert Rule: an analytics rule, defined by a KQL query, that lives in a Log Analytics workspace which has been onboarded to Microsoft Sentinel (see the `LogAnalyticsWorkspaceOnboarding` resource in the example below).
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
// Resource group that holds the Log Analytics workspace.
const example = new azure.core.ResourceGroup("example", {
    name: "example-resources",
    location: "West Europe",
});
// Workspace whose logs the rule queries.
const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("example", {
    name: "example-workspace",
    location: example.location,
    resourceGroupName: example.name,
    sku: "pergb2018",
});
// Onboards the workspace to Sentinel. The rule below takes its workspace id
// from this resource's output rather than from the workspace directly, which
// also orders the rule after the onboarding.
const exampleLogAnalyticsWorkspaceOnboarding = new azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", {workspaceId: exampleAnalyticsWorkspace.id});
// NRT rule: callers that successfully created/updated VMs or deployments in
// the Azure Activity log, counted per day over a 7-day series.
// NOTE(review): NRT rules evaluate on a short, fixed lookback; confirm the
// 7d make-series window is meaningful for an NRT rule.
// Not set in this example: description, tactics/techniques and
// entityMappings, which give analysts context when the alert fires.
const exampleAlertRuleNrt = new azure.sentinel.AlertRuleNrt("example", {
    name: "example",
    logAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.workspaceId,
    displayName: "example",
    severity: "High",
    // KQL evaluated by Sentinel.
    query: `AzureActivity |
where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
where ActivityStatus == "Succeeded" |
make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
`,
});
import pulumi
import pulumi_azure as azure
# Resource group that holds the Log Analytics workspace.
example = azure.core.ResourceGroup("example",
    name="example-resources",
    location="West Europe")
# Workspace whose logs the rule queries.
example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("example",
    name="example-workspace",
    location=example.location,
    resource_group_name=example.name,
    sku="pergb2018")
# Onboards the workspace to Sentinel. The rule below takes its workspace id
# from this resource's output, which also orders the rule after onboarding.
example_log_analytics_workspace_onboarding = azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", workspace_id=example_analytics_workspace.id)
# NRT rule: callers that successfully created/updated VMs or deployments in
# the Azure Activity log, counted per day over a 7-day series.
# NOTE(review): NRT rules evaluate on a short, fixed lookback; confirm the
# 7d make-series window is meaningful for an NRT rule.
# Not set in this example: description, tactics/techniques and
# entity_mappings, which give analysts context when the alert fires.
example_alert_rule_nrt = azure.sentinel.AlertRuleNrt("example",
    name="example",
    log_analytics_workspace_id=example_log_analytics_workspace_onboarding.workspace_id,
    display_name="example",
    severity="High",
    # KQL evaluated by Sentinel.
    query="""AzureActivity |
where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
where ActivityStatus == "Succeeded" |
make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
""")
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/operationalinsights"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/sentinel"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a resource group, a Log Analytics workspace, its Sentinel
// onboarding and one NRT alert rule over the Azure Activity log.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// KQL behind the rule: callers who successfully created or updated
		// VMs / deployments, counted per day over a 7-day series.
		// NOTE(review): NRT rules evaluate on a short, fixed lookback;
		// confirm the 7d make-series window is meaningful for an NRT rule.
		const detectionQuery = "AzureActivity |\n where OperationName == \"Create or Update Virtual Machine\" or OperationName ==\"Create Deployment\" |\n where ActivityStatus == \"Succeeded\" |\n make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller\n"

		// Resource group that holds the workspace.
		rg, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example-resources"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}

		// Log Analytics workspace whose logs the rule queries.
		workspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "example", &operationalinsights.AnalyticsWorkspaceArgs{
			Name:              pulumi.String("example-workspace"),
			Location:          rg.Location,
			ResourceGroupName: rg.Name,
			Sku:               pulumi.String("pergb2018"),
		})
		if err != nil {
			return err
		}

		// Onboard the workspace to Sentinel. The rule consumes this resource's
		// WorkspaceId output, which also orders it after the onboarding.
		onboarding, err := sentinel.NewLogAnalyticsWorkspaceOnboarding(ctx, "example", &sentinel.LogAnalyticsWorkspaceOnboardingArgs{
			WorkspaceId: workspace.ID(),
		})
		if err != nil {
			return err
		}

		// The NRT rule itself. Not set here: Description, Tactics/Techniques
		// and EntityMappings, which give analysts context when it fires.
		_, err = sentinel.NewAlertRuleNrt(ctx, "example", &sentinel.AlertRuleNrtArgs{
			Name:                    pulumi.String("example"),
			LogAnalyticsWorkspaceId: onboarding.WorkspaceId,
			DisplayName:             pulumi.String("example"),
			Severity:                pulumi.String("High"),
			Query:                   pulumi.String(detectionQuery),
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
    // Resource group that holds the Log Analytics workspace.
    var example = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example-resources",
        Location = "West Europe",
    });
    // Workspace whose logs the rule queries.
    var exampleAnalyticsWorkspace = new Azure.OperationalInsights.AnalyticsWorkspace("example", new()
    {
        Name = "example-workspace",
        Location = example.Location,
        ResourceGroupName = example.Name,
        Sku = "pergb2018",
    });
    // Onboards the workspace to Sentinel. The rule below takes its workspace id
    // from this resource's output, which also orders the rule after onboarding.
    var exampleLogAnalyticsWorkspaceOnboarding = new Azure.Sentinel.LogAnalyticsWorkspaceOnboarding("example", new()
    {
        WorkspaceId = exampleAnalyticsWorkspace.Id,
    });
    // NRT rule: callers that successfully created/updated VMs or deployments in
    // the Azure Activity log, counted per day over a 7-day series.
    // NOTE(review): NRT rules evaluate on a short, fixed lookback; confirm the
    // 7d make-series window is meaningful for an NRT rule.
    // Not set in this example: Description, Tactics/Techniques and
    // EntityMappings, which give analysts context when the alert fires.
    var exampleAlertRuleNrt = new Azure.Sentinel.AlertRuleNrt("example", new()
    {
        Name = "example",
        LogAnalyticsWorkspaceId = exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
        DisplayName = "example",
        Severity = "High",
        // KQL evaluated by Sentinel (verbatim string; "" is an escaped quote).
        Query = @"AzureActivity |
where OperationName == ""Create or Update Virtual Machine"" or OperationName ==""Create Deployment"" |
where ActivityStatus == ""Succeeded"" |
make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
",
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboarding;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboardingArgs;
import com.pulumi.azure.sentinel.AlertRuleNrt;
import com.pulumi.azure.sentinel.AlertRuleNrtArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program: a resource group, a Log Analytics workspace, its Sentinel
 * onboarding, and one NRT alert rule that watches the Azure Activity log.
 */
public class App {
    /** Entry point; hands {@link #stack(Context)} to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources of the stack.
     *
     * @param ctx the deployment context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // Resource group that holds the Log Analytics workspace.
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example-resources")
            .location("West Europe")
            .build());
        // Workspace whose logs the rule queries.
        var exampleAnalyticsWorkspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()
            .name("example-workspace")
            .location(example.location())
            .resourceGroupName(example.name())
            .sku("pergb2018")
            .build());
        // Onboards the workspace to Sentinel. The rule below takes its workspace id
        // from this resource's output, which also orders the rule after onboarding.
        var exampleLogAnalyticsWorkspaceOnboarding = new LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", LogAnalyticsWorkspaceOnboardingArgs.builder()
            .workspaceId(exampleAnalyticsWorkspace.id())
            .build());
        // NRT rule: callers that successfully created/updated VMs or deployments in
        // the Azure Activity log, counted per day over a 7-day series.
        // NOTE(review): NRT rules evaluate on a short, fixed lookback; confirm the
        // 7d make-series window is meaningful for an NRT rule.
        // Not set in this example: description, tactics/techniques and
        // entityMappings, which give analysts context when the alert fires.
        var exampleAlertRuleNrt = new AlertRuleNrt("exampleAlertRuleNrt", AlertRuleNrtArgs.builder()
            .name("example")
            .logAnalyticsWorkspaceId(exampleLogAnalyticsWorkspaceOnboarding.workspaceId())
            .displayName("example")
            .severity("High")
            // KQL evaluated by Sentinel (text block; content is kept at column 0).
            .query("""
AzureActivity |
where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
where ActivityStatus == "Succeeded" |
make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
            """)
            .build());
    }
}
resources:
  # Resource group that holds the Log Analytics workspace.
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example-resources
      location: West Europe
  # Workspace whose logs the rule queries.
  exampleAnalyticsWorkspace:
    type: azure:operationalinsights:AnalyticsWorkspace
    name: example
    properties:
      name: example-workspace
      location: ${example.location}
      resourceGroupName: ${example.name}
      sku: pergb2018
  # Onboards the workspace to Sentinel. The rule below takes its workspace id
  # from this resource's output, which also orders the rule after onboarding.
  exampleLogAnalyticsWorkspaceOnboarding:
    type: azure:sentinel:LogAnalyticsWorkspaceOnboarding
    name: example
    properties:
      workspaceId: ${exampleAnalyticsWorkspace.id}
  # NRT rule: callers that successfully created/updated VMs or deployments in
  # the Azure Activity log, counted per day over a 7-day series.
  # NOTE(review): NRT rules evaluate on a short, fixed lookback; confirm the
  # 7d make-series window is meaningful for an NRT rule.
  # Not set in this example: description, tactics/techniques and
  # entityMappings, which give analysts context when the alert fires.
  exampleAlertRuleNrt:
    type: azure:sentinel:AlertRuleNrt
    name: example
    properties:
      name: example
      logAnalyticsWorkspaceId: ${exampleLogAnalyticsWorkspaceOnboarding.workspaceId}
      displayName: example
      severity: High
      # KQL evaluated by Sentinel (literal block scalar; no comments inside it).
      query: |
        AzureActivity |
        where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
        where ActivityStatus == "Succeeded" |
        make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
Create AlertRuleNrt Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AlertRuleNrt(name: string, args: AlertRuleNrtArgs, opts?: CustomResourceOptions);
@overload
def AlertRuleNrt(resource_name: str,
args: AlertRuleNrtArgs,
opts: Optional[ResourceOptions] = None)
@overload
def AlertRuleNrt(resource_name: str,
opts: Optional[ResourceOptions] = None,
query: Optional[str] = None,
display_name: Optional[str] = None,
event_grouping: Optional[AlertRuleNrtEventGroupingArgs] = None,
severity: Optional[str] = None,
log_analytics_workspace_id: Optional[str] = None,
techniques: Optional[Sequence[str]] = None,
alert_details_overrides: Optional[Sequence[AlertRuleNrtAlertDetailsOverrideArgs]] = None,
entity_mappings: Optional[Sequence[AlertRuleNrtEntityMappingArgs]] = None,
alert_rule_template_version: Optional[str] = None,
alert_rule_template_guid: Optional[str] = None,
name: Optional[str] = None,
description: Optional[str] = None,
enabled: Optional[bool] = None,
sentinel_entity_mappings: Optional[Sequence[AlertRuleNrtSentinelEntityMappingArgs]] = None,
custom_details: Optional[Mapping[str, str]] = None,
suppression_duration: Optional[str] = None,
suppression_enabled: Optional[bool] = None,
tactics: Optional[Sequence[str]] = None,
incident: Optional[AlertRuleNrtIncidentArgs] = None)
func NewAlertRuleNrt(ctx *Context, name string, args AlertRuleNrtArgs, opts ...ResourceOption) (*AlertRuleNrt, error)
public AlertRuleNrt(string name, AlertRuleNrtArgs args, CustomResourceOptions? opts = null)
public AlertRuleNrt(String name, AlertRuleNrtArgs args)
public AlertRuleNrt(String name, AlertRuleNrtArgs args, CustomResourceOptions options)
type: azure:sentinel:AlertRuleNrt
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AlertRuleNrtArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AlertRuleNrtArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AlertRuleNrtArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AlertRuleNrtArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AlertRuleNrtArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties. It shows the shape of the arguments only and is not a deployable rule; in particular its boolean placeholders (`enabled: false`, `createIncidentEnabled: false`) are not recommended settings — `enabled` defaults to `true` when omitted.
// Reference shape only: every value below is a placeholder, not a working rule.
var alertRuleNrtResource = new Azure.Sentinel.AlertRuleNrt("alertRuleNrtResource", new()
{
    Query = "string",                // KQL evaluated by the rule
    DisplayName = "string",
    EventGrouping = new Azure.Sentinel.Inputs.AlertRuleNrtEventGroupingArgs
    {
        AggregationMethod = "string",
    },
    Severity = "string",             // High | Medium | Low | Informational
    LogAnalyticsWorkspaceId = "string",
    Techniques = new[]
    {
        "string",
    },
    AlertDetailsOverrides = new[]
    {
        new Azure.Sentinel.Inputs.AlertRuleNrtAlertDetailsOverrideArgs
        {
            DescriptionFormat = "string",
            DisplayNameFormat = "string",
            DynamicProperties = new[]
            {
                new Azure.Sentinel.Inputs.AlertRuleNrtAlertDetailsOverrideDynamicPropertyArgs
                {
                    Name = "string",
                    Value = "string",
                },
            },
            SeverityColumnName = "string",
            TacticsColumnName = "string",
        },
    },
    EntityMappings = new[]
    {
        new Azure.Sentinel.Inputs.AlertRuleNrtEntityMappingArgs
        {
            EntityType = "string",
            FieldMappings = new[]
            {
                new Azure.Sentinel.Inputs.AlertRuleNrtEntityMappingFieldMappingArgs
                {
                    ColumnName = "string",
                    Identifier = "string",
                },
            },
        },
    },
    AlertRuleTemplateVersion = "string",
    AlertRuleTemplateGuid = "string",
    Name = "string",
    Description = "string",
    Enabled = false,                 // placeholder only; the provider default is true
    SentinelEntityMappings = new[]   // EntityMappings + SentinelEntityMappings: at most 5 in total
    {
        new Azure.Sentinel.Inputs.AlertRuleNrtSentinelEntityMappingArgs
        {
            ColumnName = "string",
        },
    },
    CustomDetails =                  // query columns copied into the alert record
    {
        { "string", "string" },
    },
    SuppressionDuration = "string",  // ISO 8601 timespan; default PT5H when suppression is on
    SuppressionEnabled = false,      // true pauses the query for SuppressionDuration after an alert
    Tactics = new[]
    {
        "string",
    },
    Incident = new Azure.Sentinel.Inputs.AlertRuleNrtIncidentArgs
    {
        // NOTE(review): the incident block is not documented on this page; confirm semantics.
        CreateIncidentEnabled = false,
        Grouping = new Azure.Sentinel.Inputs.AlertRuleNrtIncidentGroupingArgs
        {
            ByAlertDetails = new[]
            {
                "string",
            },
            ByCustomDetails = new[]
            {
                "string",
            },
            ByEntities = new[]
            {
                "string",
            },
            Enabled = false,
            EntityMatchingMethod = "string",
            LookbackDuration = "string",
            ReopenClosedIncidents = false,
        },
    },
});
// Reference shape only: every value below is a placeholder, not a working rule.
example, err := sentinel.NewAlertRuleNrt(ctx, "alertRuleNrtResource", &sentinel.AlertRuleNrtArgs{
	Query:       pulumi.String("string"), // KQL evaluated by the rule
	DisplayName: pulumi.String("string"),
	EventGrouping: &sentinel.AlertRuleNrtEventGroupingArgs{
		AggregationMethod: pulumi.String("string"),
	},
	Severity:                pulumi.String("string"), // High | Medium | Low | Informational
	LogAnalyticsWorkspaceId: pulumi.String("string"),
	Techniques: pulumi.StringArray{
		pulumi.String("string"),
	},
	AlertDetailsOverrides: sentinel.AlertRuleNrtAlertDetailsOverrideArray{
		&sentinel.AlertRuleNrtAlertDetailsOverrideArgs{
			DescriptionFormat: pulumi.String("string"),
			DisplayNameFormat: pulumi.String("string"),
			DynamicProperties: sentinel.AlertRuleNrtAlertDetailsOverrideDynamicPropertyArray{
				&sentinel.AlertRuleNrtAlertDetailsOverrideDynamicPropertyArgs{
					Name:  pulumi.String("string"),
					Value: pulumi.String("string"),
				},
			},
			SeverityColumnName: pulumi.String("string"),
			TacticsColumnName:  pulumi.String("string"),
		},
	},
	EntityMappings: sentinel.AlertRuleNrtEntityMappingArray{
		&sentinel.AlertRuleNrtEntityMappingArgs{
			EntityType: pulumi.String("string"),
			FieldMappings: sentinel.AlertRuleNrtEntityMappingFieldMappingArray{
				&sentinel.AlertRuleNrtEntityMappingFieldMappingArgs{
					ColumnName: pulumi.String("string"),
					Identifier: pulumi.String("string"),
				},
			},
		},
	},
	AlertRuleTemplateVersion: pulumi.String("string"),
	AlertRuleTemplateGuid:    pulumi.String("string"),
	Name:                     pulumi.String("string"),
	Description:              pulumi.String("string"),
	Enabled:                  pulumi.Bool(false), // placeholder only; the provider default is true
	// EntityMappings + SentinelEntityMappings: at most 5 in total.
	SentinelEntityMappings: sentinel.AlertRuleNrtSentinelEntityMappingArray{
		&sentinel.AlertRuleNrtSentinelEntityMappingArgs{
			ColumnName: pulumi.String("string"),
		},
	},
	// Query columns copied into the alert record.
	CustomDetails: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	SuppressionDuration: pulumi.String("string"), // ISO 8601 timespan; default PT5H when suppression is on
	SuppressionEnabled:  pulumi.Bool(false),      // true pauses the query for SuppressionDuration after an alert
	Tactics: pulumi.StringArray{
		pulumi.String("string"),
	},
	// NOTE(review): the incident block is not documented on this page; confirm semantics.
	Incident: &sentinel.AlertRuleNrtIncidentArgs{
		CreateIncidentEnabled: pulumi.Bool(false),
		Grouping: &sentinel.AlertRuleNrtIncidentGroupingArgs{
			ByAlertDetails: pulumi.StringArray{
				pulumi.String("string"),
			},
			ByCustomDetails: pulumi.StringArray{
				pulumi.String("string"),
			},
			ByEntities: pulumi.StringArray{
				pulumi.String("string"),
			},
			Enabled:               pulumi.Bool(false),
			EntityMatchingMethod:  pulumi.String("string"),
			LookbackDuration:      pulumi.String("string"),
			ReopenClosedIncidents: pulumi.Bool(false),
		},
	},
})
// Reference shape only: every value below is a placeholder, not a working rule.
var alertRuleNrtResource = new AlertRuleNrt("alertRuleNrtResource", AlertRuleNrtArgs.builder()
    .query("string")                 // KQL evaluated by the rule
    .displayName("string")
    .eventGrouping(AlertRuleNrtEventGroupingArgs.builder()
        .aggregationMethod("string")
        .build())
    .severity("string")              // High | Medium | Low | Informational
    .logAnalyticsWorkspaceId("string")
    .techniques("string")
    .alertDetailsOverrides(AlertRuleNrtAlertDetailsOverrideArgs.builder()
        .descriptionFormat("string")
        .displayNameFormat("string")
        .dynamicProperties(AlertRuleNrtAlertDetailsOverrideDynamicPropertyArgs.builder()
            .name("string")
            .value("string")
            .build())
        .severityColumnName("string")
        .tacticsColumnName("string")
        .build())
    .entityMappings(AlertRuleNrtEntityMappingArgs.builder()
        .entityType("string")
        .fieldMappings(AlertRuleNrtEntityMappingFieldMappingArgs.builder()
            .columnName("string")
            .identifier("string")
            .build())
        .build())
    .alertRuleTemplateVersion("string")
    .alertRuleTemplateGuid("string")
    .name("string")
    .description("string")
    .enabled(false)                  // placeholder only; the provider default is true
    // entityMappings + sentinelEntityMappings: at most 5 in total.
    .sentinelEntityMappings(AlertRuleNrtSentinelEntityMappingArgs.builder()
        .columnName("string")
        .build())
    .customDetails(Map.of("string", "string")) // query columns copied into the alert record
    .suppressionDuration("string")   // ISO 8601 timespan; default PT5H when suppression is on
    .suppressionEnabled(false)       // true pauses the query for suppressionDuration after an alert
    .tactics("string")
    // NOTE(review): the incident block is not documented on this page; confirm semantics.
    .incident(AlertRuleNrtIncidentArgs.builder()
        .createIncidentEnabled(false)
        .grouping(AlertRuleNrtIncidentGroupingArgs.builder()
            .byAlertDetails("string")
            .byCustomDetails("string")
            .byEntities("string")
            .enabled(false)
            .entityMatchingMethod("string")
            .lookbackDuration("string")
            .reopenClosedIncidents(false)
            .build())
        .build())
    .build());
# Reference shape only: every value below is a placeholder, not a working rule.
alert_rule_nrt_resource = azure.sentinel.AlertRuleNrt("alertRuleNrtResource",
    query="string",  # KQL evaluated by the rule
    display_name="string",
    event_grouping={
        "aggregation_method": "string",
    },
    severity="string",  # High | Medium | Low | Informational
    log_analytics_workspace_id="string",
    techniques=["string"],
    alert_details_overrides=[{
        "description_format": "string",
        "display_name_format": "string",
        "dynamic_properties": [{
            "name": "string",
            "value": "string",
        }],
        "severity_column_name": "string",
        "tactics_column_name": "string",
    }],
    entity_mappings=[{
        "entity_type": "string",
        "field_mappings": [{
            "column_name": "string",
            "identifier": "string",
        }],
    }],
    alert_rule_template_version="string",
    alert_rule_template_guid="string",
    name="string",
    description="string",
    enabled=False,  # placeholder only; the provider default is True
    # entity_mappings + sentinel_entity_mappings: at most 5 in total.
    sentinel_entity_mappings=[{
        "column_name": "string",
    }],
    # Query columns copied into the alert record.
    custom_details={
        "string": "string",
    },
    suppression_duration="string",  # ISO 8601 timespan; default PT5H when suppression is on
    suppression_enabled=False,  # True pauses the query for suppression_duration after an alert
    tactics=["string"],
    # NOTE(review): the incident block is not documented on this page; confirm semantics.
    incident={
        "create_incident_enabled": False,
        "grouping": {
            "by_alert_details": ["string"],
            "by_custom_details": ["string"],
            "by_entities": ["string"],
            "enabled": False,
            "entity_matching_method": "string",
            "lookback_duration": "string",
            "reopen_closed_incidents": False,
        },
    })
// Reference shape only: every value below is a placeholder, not a working rule.
const alertRuleNrtResource = new azure.sentinel.AlertRuleNrt("alertRuleNrtResource", {
    query: "string",                 // KQL evaluated by the rule
    displayName: "string",
    eventGrouping: {
        aggregationMethod: "string",
    },
    severity: "string",              // High | Medium | Low | Informational
    logAnalyticsWorkspaceId: "string",
    techniques: ["string"],
    alertDetailsOverrides: [{
        descriptionFormat: "string",
        displayNameFormat: "string",
        dynamicProperties: [{
            name: "string",
            value: "string",
        }],
        severityColumnName: "string",
        tacticsColumnName: "string",
    }],
    entityMappings: [{
        entityType: "string",
        fieldMappings: [{
            columnName: "string",
            identifier: "string",
        }],
    }],
    alertRuleTemplateVersion: "string",
    alertRuleTemplateGuid: "string",
    name: "string",
    description: "string",
    enabled: false,                  // placeholder only; the provider default is true
    // entityMappings + sentinelEntityMappings: at most 5 in total.
    sentinelEntityMappings: [{
        columnName: "string",
    }],
    // Query columns copied into the alert record.
    customDetails: {
        string: "string",
    },
    suppressionDuration: "string",   // ISO 8601 timespan; default PT5H when suppression is on
    suppressionEnabled: false,       // true pauses the query for suppressionDuration after an alert
    tactics: ["string"],
    // NOTE(review): the incident block is not documented on this page; confirm semantics.
    incident: {
        createIncidentEnabled: false,
        grouping: {
            byAlertDetails: ["string"],
            byCustomDetails: ["string"],
            byEntities: ["string"],
            enabled: false,
            entityMatchingMethod: "string",
            lookbackDuration: "string",
            reopenClosedIncidents: false,
        },
    },
});
# Reference shape only: every value below is a placeholder, not a working rule.
type: azure:sentinel:AlertRuleNrt
properties:
  alertDetailsOverrides:
    - descriptionFormat: string
      displayNameFormat: string
      dynamicProperties:
        - name: string
          value: string
      severityColumnName: string
      tacticsColumnName: string
  alertRuleTemplateGuid: string
  alertRuleTemplateVersion: string
  # Query columns copied into the alert record.
  customDetails:
    string: string
  description: string
  displayName: string
  # Placeholder only; the provider default is true.
  enabled: false
  # entityMappings + sentinelEntityMappings: at most 5 in total.
  entityMappings:
    - entityType: string
      fieldMappings:
        - columnName: string
          identifier: string
  eventGrouping:
    aggregationMethod: string
  # NOTE(review): the incident block is not documented on this page; confirm semantics.
  incident:
    createIncidentEnabled: false
    grouping:
      byAlertDetails:
        - string
      byCustomDetails:
        - string
      byEntities:
        - string
      enabled: false
      entityMatchingMethod: string
      lookbackDuration: string
      reopenClosedIncidents: false
  logAnalyticsWorkspaceId: string
  name: string
  # KQL evaluated by the rule.
  query: string
  sentinelEntityMappings:
    - columnName: string
  # High | Medium | Low | Informational
  severity: string
  # ISO 8601 timespan; default PT5H when suppression is on.
  suppressionDuration: string
  # true pauses the query for suppressionDuration after an alert.
  suppressionEnabled: false
  tactics:
    - string
  techniques:
    - string
AlertRuleNrt Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The AlertRuleNrt resource accepts the following input properties:
- DisplayName string — The friendly name of this Sentinel NRT Alert Rule.
- EventGrouping AlertRuleNrtEventGrouping — An `event_grouping` block as defined below.
- LogAnalyticsWorkspaceId string — The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Wire it to the `workspaceId` output of a `LogAnalyticsWorkspaceOnboarding` resource, as in the example above, so the rule is not created before the workspace is onboarded to Sentinel. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Query string — The KQL query evaluated by this Sentinel NRT Alert Rule.
- Severity string — The alert severity of this Sentinel NRT Alert Rule. Possible values are `High`, `Medium`, `Low` and `Informational`.
- AlertDetailsOverrides List<AlertRuleNrtAlertDetailsOverride> — A list of `alert_details_override` blocks as defined below.
- AlertRuleTemplateGuid string — The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- AlertRuleTemplateVersion string — The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- CustomDetails Dictionary<string, string> — A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the query column you wish to surface in the alerts. Because the column's contents are copied into the alert record, avoid surfacing columns that carry secrets or other data that everyone with read access to alerts should not see.
- Description string — The description of this Sentinel NRT Alert Rule. Use it to state what the query detects and the expected response, so analysts triaging the resulting alerts have context.
- Enabled bool — Should the Sentinel NRT Alert Rule be enabled? Defaults to `true`. A disabled rule still exists but generates no alerts.
- EntityMappings List<AlertRuleNrtEntityMapping> — A list of `entity_mapping` blocks as defined below.
- Incident AlertRuleNrtIncident — An `incident` block as defined below.
- Name string — The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- SentinelEntityMappings List<AlertRuleNrtSentinelEntityMapping> — A list of `sentinel_entity_mapping` blocks as defined below. NOTE: `entity_mapping` and `sentinel_entity_mapping` together can't exceed 5.
- SuppressionDuration string — If `suppression_enabled` is `true`, this is the ISO 8601 timespan duration for which the query stops running after an alert is generated. Defaults to `PT5H`.
- SuppressionEnabled bool — Should the Sentinel NRT Alert Rule stop running its query for `suppression_duration` after an alert is generated? Defaults to `false`. Suppression reduces alert noise, but matching activity during the suppression window is not detected; keep the window short for high-severity rules.
- Tactics List<string> — A list of categories of attacks by which to classify the rule. Possible values are `Collection`, `CommandAndControl`, `CredentialAccess`, `DefenseEvasion`, `Discovery`, `Execution`, `Exfiltration`, `Impact`, `ImpairProcessControl`, `InhibitResponseFunction`, `InitialAccess`, `LateralMovement`, `Persistence`, `PreAttack`, `PrivilegeEscalation`, `Reconnaissance` and `ResourceDevelopment`.
- Techniques List<string> — A list of attack techniques by which to classify the rule, refining the `tactics` above.
- DisplayName string — The friendly name of this Sentinel NRT Alert Rule.
- EventGrouping AlertRuleNrtEventGroupingArgs — An `event_grouping` block as defined below.
- LogAnalyticsWorkspaceId string — The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Wire it to the `WorkspaceId` output of a `LogAnalyticsWorkspaceOnboarding` resource, as in the example above, so the rule is not created before the workspace is onboarded to Sentinel. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Query string — The KQL query evaluated by this Sentinel NRT Alert Rule.
- Severity string — The alert severity of this Sentinel NRT Alert Rule. Possible values are `High`, `Medium`, `Low` and `Informational`.
- AlertDetailsOverrides []AlertRuleNrtAlertDetailsOverrideArgs — A list of `alert_details_override` blocks as defined below.
- AlertRuleTemplateGuid string — The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- AlertRuleTemplateVersion string — The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- CustomDetails map[string]string — A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the query column you wish to surface in the alerts. Because the column's contents are copied into the alert record, avoid surfacing columns that carry secrets or other data that everyone with read access to alerts should not see.
- Description string — The description of this Sentinel NRT Alert Rule. Use it to state what the query detects and the expected response, so analysts triaging the resulting alerts have context.
- Enabled bool — Should the Sentinel NRT Alert Rule be enabled? Defaults to `true`. A disabled rule still exists but generates no alerts.
- EntityMappings []AlertRuleNrtEntityMappingArgs — A list of `entity_mapping` blocks as defined below.
- Incident AlertRuleNrtIncidentArgs — An `incident` block as defined below.
- Name string — The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- SentinelEntityMappings []AlertRuleNrtSentinelEntityMappingArgs — A list of `sentinel_entity_mapping` blocks as defined below. NOTE: `entity_mapping` and `sentinel_entity_mapping` together can't exceed 5.
- SuppressionDuration string — If `suppression_enabled` is `true`, this is the ISO 8601 timespan duration for which the query stops running after an alert is generated. Defaults to `PT5H`.
- SuppressionEnabled bool — Should the Sentinel NRT Alert Rule stop running its query for `suppression_duration` after an alert is generated? Defaults to `false`. Suppression reduces alert noise, but matching activity during the suppression window is not detected; keep the window short for high-severity rules.
- Tactics []string — A list of categories of attacks by which to classify the rule. Possible values are `Collection`, `CommandAndControl`, `CredentialAccess`, `DefenseEvasion`, `Discovery`, `Execution`, `Exfiltration`, `Impact`, `ImpairProcessControl`, `InhibitResponseFunction`, `InitialAccess`, `LateralMovement`, `Persistence`, `PreAttack`, `PrivilegeEscalation`, `Reconnaissance` and `ResourceDevelopment`.
- Techniques []string — A list of attack techniques by which to classify the rule, refining the `tactics` above.
- displayName String — The friendly name of this Sentinel NRT Alert Rule.
- eventGrouping AlertRuleNrtEventGrouping — An `event_grouping` block as defined below.
- logAnalyticsWorkspaceId String — The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Wire it to the `workspaceId` output of a `LogAnalyticsWorkspaceOnboarding` resource, as in the example above, so the rule is not created before the workspace is onboarded to Sentinel. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query String — The KQL query evaluated by this Sentinel NRT Alert Rule.
- severity String — The alert severity of this Sentinel NRT Alert Rule. Possible values are `High`, `Medium`, `Low` and `Informational`.
- alertDetailsOverrides List<AlertRuleNrtAlertDetailsOverride> — A list of `alert_details_override` blocks as defined below.
- alertRuleTemplateGuid String — The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alertRuleTemplateVersion String — The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- customDetails Map<String,String> — A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the query column you wish to surface in the alerts. Because the column's contents are copied into the alert record, avoid surfacing columns that carry secrets or other data that everyone with read access to alerts should not see.
- description String — The description of this Sentinel NRT Alert Rule. Use it to state what the query detects and the expected response, so analysts triaging the resulting alerts have context.
- enabled Boolean — Should the Sentinel NRT Alert Rule be enabled? Defaults to `true`. A disabled rule still exists but generates no alerts.
- entityMappings List<AlertRuleNrtEntityMapping> — A list of `entity_mapping` blocks as defined below.
- incident AlertRuleNrtIncident — An `incident` block as defined below.
- name String — The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- sentinelEntityMappings List<AlertRuleNrtSentinelEntityMapping> — A list of `sentinel_entity_mapping` blocks as defined below. NOTE: `entity_mapping` and `sentinel_entity_mapping` together can't exceed 5.
- suppressionDuration String — If `suppression_enabled` is `true`, this is the ISO 8601 timespan duration for which the query stops running after an alert is generated. Defaults to `PT5H`.
- suppressionEnabled Boolean — Should the Sentinel NRT Alert Rule stop running its query for `suppression_duration` after an alert is generated? Defaults to `false`. Suppression reduces alert noise, but matching activity during the suppression window is not detected; keep the window short for high-severity rules.
- tactics List<String> — A list of categories of attacks by which to classify the rule. Possible values are `Collection`, `CommandAndControl`, `CredentialAccess`, `DefenseEvasion`, `Discovery`, `Execution`, `Exfiltration`, `Impact`, `ImpairProcessControl`, `InhibitResponseFunction`, `InitialAccess`, `LateralMovement`, `Persistence`, `PreAttack`, `PrivilegeEscalation`, `Reconnaissance` and `ResourceDevelopment`.
- techniques List<String> — A list of attack techniques by which to classify the rule, refining the `tactics` above.
- displayName string — The friendly name of this Sentinel NRT Alert Rule.
- eventGrouping AlertRuleNrtEventGrouping — An `event_grouping` block as defined below.
- logAnalyticsWorkspaceId string — The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Wire it to the `workspaceId` output of a `LogAnalyticsWorkspaceOnboarding` resource, as in the example above, so the rule is not created before the workspace is onboarded to Sentinel. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query string — The KQL query evaluated by this Sentinel NRT Alert Rule.
- severity string — The alert severity of this Sentinel NRT Alert Rule. Possible values are `High`, `Medium`, `Low` and `Informational`.
- alertDetailsOverrides AlertRuleNrtAlertDetailsOverride[] — A list of `alert_details_override` blocks as defined below.
- alertRuleTemplateGuid string — The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alertRuleTemplateVersion string — The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- customDetails {[key: string]: string} — A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the query column you wish to surface in the alerts. Because the column's contents are copied into the alert record, avoid surfacing columns that carry secrets or other data that everyone with read access to alerts should not see.
- description string — The description of this Sentinel NRT Alert Rule. Use it to state what the query detects and the expected response, so analysts triaging the resulting alerts have context.
- enabled boolean — Should the Sentinel NRT Alert Rule be enabled? Defaults to `true`. A disabled rule still exists but generates no alerts.
- entityMappings AlertRuleNrtEntityMapping[] — A list of `entity_mapping` blocks as defined below.
- incident AlertRuleNrtIncident — An `incident` block as defined below.
- name string — The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- sentinelEntityMappings AlertRuleNrtSentinelEntityMapping[] — A list of `sentinel_entity_mapping` blocks as defined below. NOTE: `entity_mapping` and `sentinel_entity_mapping` together can't exceed 5.
- suppressionDuration string — If `suppression_enabled` is `true`, this is the ISO 8601 timespan duration for which the query stops running after an alert is generated. Defaults to `PT5H`.
- suppressionEnabled boolean — Should the Sentinel NRT Alert Rule stop running its query for `suppression_duration` after an alert is generated? Defaults to `false`. Suppression reduces alert noise, but matching activity during the suppression window is not detected; keep the window short for high-severity rules.
- tactics string[] — A list of categories of attacks by which to classify the rule. Possible values are `Collection`, `CommandAndControl`, `CredentialAccess`, `DefenseEvasion`, `Discovery`, `Execution`, `Exfiltration`, `Impact`, `ImpairProcessControl`, `InhibitResponseFunction`, `InitialAccess`, `LateralMovement`, `Persistence`, `PreAttack`, `PrivilegeEscalation`, `Reconnaissance` and `ResourceDevelopment`.
- techniques string[] — A list of attack techniques by which to classify the rule, refining the `tactics` above.
- display_name str — The friendly name of this Sentinel NRT Alert Rule.
- event_grouping AlertRuleNrtEventGroupingArgs — An `event_grouping` block as defined below.
- log_analytics_workspace_id str — The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Wire it to the `workspace_id` output of a `LogAnalyticsWorkspaceOnboarding` resource, as in the example above, so the rule is not created before the workspace is onboarded to Sentinel. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query str — The KQL query evaluated by this Sentinel NRT Alert Rule.
- severity str — The alert severity of this Sentinel NRT Alert Rule. Possible values are `High`, `Medium`, `Low` and `Informational`.
- alert_details_overrides Sequence[AlertRuleNrtAlertDetailsOverrideArgs] — A list of `alert_details_override` blocks as defined below.
- alert_rule_template_guid str — The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alert_rule_template_version str — The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- custom_
details Mapping[str, str] - A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter (query column) you wish to surface in the alerts. Because these values are copied into the alert payload, avoid surfacing columns that contain secrets or sensitive personal data.
- description str
- The description of this Sentinel NRT Alert Rule.
- enabled bool
- Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
. - entity_
mappings Sequence[AlertRule Nrt Entity Mapping Args] - A list of
entity_mapping
blocks as defined below. - incident
Alert
Rule Nrt Incident Args - An
incident
block as defined below. - name str
- The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- sentinel_
entity_ Sequence[Alertmappings Rule Nrt Sentinel Entity Mapping Args] A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
and sentinel_entity_mapping
together can't exceed 5.- suppression_
duration str - If
suppression_enabled
is true, this is an ISO 8601 timespan duration that specifies how long the query stops running after an alert is generated. Events that arrive during that suppression window are not evaluated, so choose the duration deliberately to avoid an unintended detection gap. Defaults to PT5H
. - suppression_
enabled bool - Should the Sentinel NRT Alert Rule stop running its query for suppression_duration after an alert is generated? Defaults to
false
. - tactics Sequence[str]
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,ImpairProcessControl
,InhibitResponseFunction
,InitialAccess
,LateralMovement
,Persistence
,PreAttack
,PrivilegeEscalation
,Reconnaissance
andResourceDevelopment
. - techniques Sequence[str]
- A list of techniques of attacks by which to classify the rule.
- display
Name String - The friendly name of this Sentinel NRT Alert Rule.
- event
Grouping Property Map - An
event_grouping
block as defined below. - log
Analytics StringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query String
- The query of this Sentinel NRT Alert Rule.
- severity String
- The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - alert
Details List<Property Map>Overrides - An
alert_details_override
block as defined below. - alert
Rule StringTemplate Guid - The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alert
Rule StringTemplate Version - The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- custom
Details Map<String> - A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter (query column) you wish to surface in the alerts. Because these values are copied into the alert payload, avoid surfacing columns that contain secrets or sensitive personal data.
- description String
- The description of this Sentinel NRT Alert Rule.
- enabled Boolean
- Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
. - entity
Mappings List<Property Map> - A list of
entity_mapping
blocks as defined below. - incident Property Map
- An
incident
block as defined below. - name String
- The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- sentinel
Entity List<Property Map>Mappings A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
and sentinel_entity_mapping
together can't exceed 5.- suppression
Duration String - If
suppression_enabled
is true, this is an ISO 8601 timespan duration that specifies how long the query stops running after an alert is generated. Events that arrive during that suppression window are not evaluated, so choose the duration deliberately to avoid an unintended detection gap. Defaults to PT5H
. - suppression
Enabled Boolean - Should the Sentinel NRT Alert Rule stop running its query for suppression_duration after an alert is generated? Defaults to
false
. - tactics List<String>
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,ImpairProcessControl
,InhibitResponseFunction
,InitialAccess
,LateralMovement
,Persistence
,PreAttack
,PrivilegeEscalation
,Reconnaissance
andResourceDevelopment
. - techniques List<String>
- A list of techniques of attacks by which to classify the rule.
Outputs
All input properties are implicitly available as output properties. Additionally, the AlertRuleNrt resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing AlertRuleNrt Resource
Get an existing AlertRuleNrt resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AlertRuleNrtState, opts?: CustomResourceOptions): AlertRuleNrt
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
alert_details_overrides: Optional[Sequence[AlertRuleNrtAlertDetailsOverrideArgs]] = None,
alert_rule_template_guid: Optional[str] = None,
alert_rule_template_version: Optional[str] = None,
custom_details: Optional[Mapping[str, str]] = None,
description: Optional[str] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
entity_mappings: Optional[Sequence[AlertRuleNrtEntityMappingArgs]] = None,
event_grouping: Optional[AlertRuleNrtEventGroupingArgs] = None,
incident: Optional[AlertRuleNrtIncidentArgs] = None,
log_analytics_workspace_id: Optional[str] = None,
name: Optional[str] = None,
query: Optional[str] = None,
sentinel_entity_mappings: Optional[Sequence[AlertRuleNrtSentinelEntityMappingArgs]] = None,
severity: Optional[str] = None,
suppression_duration: Optional[str] = None,
suppression_enabled: Optional[bool] = None,
tactics: Optional[Sequence[str]] = None,
techniques: Optional[Sequence[str]] = None) -> AlertRuleNrt
func GetAlertRuleNrt(ctx *Context, name string, id IDInput, state *AlertRuleNrtState, opts ...ResourceOption) (*AlertRuleNrt, error)
public static AlertRuleNrt Get(string name, Input<string> id, AlertRuleNrtState? state, CustomResourceOptions? opts = null)
public static AlertRuleNrt get(String name, Output<String> id, AlertRuleNrtState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Alert
Details List<AlertOverrides Rule Nrt Alert Details Override> - An
alert_details_override
block as defined below. - Alert
Rule stringTemplate Guid - The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Alert
Rule stringTemplate Version - The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Custom
Details Dictionary<string, string> - A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter (query column) you wish to surface in the alerts. Because these values are copied into the alert payload, avoid surfacing columns that contain secrets or sensitive personal data.
- Description string
- The description of this Sentinel NRT Alert Rule.
- Display
Name string - The friendly name of this Sentinel NRT Alert Rule.
- Enabled bool
- Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
. - Entity
Mappings List<AlertRule Nrt Entity Mapping> - A list of
entity_mapping
blocks as defined below. - Event
Grouping AlertRuleNrtEventGrouping - An
event_grouping
block as defined below. - Incident
Alert
Rule Nrt Incident - An
incident
block as defined below. - Log
Analytics stringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Name string
- The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Query string
- The query of this Sentinel NRT Alert Rule.
- Sentinel
Entity List<AlertMappings Rule Nrt Sentinel Entity Mapping> A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
and sentinel_entity_mapping
together can't exceed 5.- Severity string
- The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - Suppression
Duration string - If
suppression_enabled
is true, this is an ISO 8601 timespan duration that specifies how long the query stops running after an alert is generated. Events that arrive during that suppression window are not evaluated, so choose the duration deliberately to avoid an unintended detection gap. Defaults to PT5H
. - Suppression
Enabled bool - Should the Sentinel NRT Alert Rule stop running its query for suppression_duration after an alert is generated? Defaults to
false
. - Tactics List<string>
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,ImpairProcessControl
,InhibitResponseFunction
,InitialAccess
,LateralMovement
,Persistence
,PreAttack
,PrivilegeEscalation
,Reconnaissance
andResourceDevelopment
. - Techniques List<string>
- A list of techniques of attacks by which to classify the rule.
- Alert
Details []AlertOverrides Rule Nrt Alert Details Override Args - An
alert_details_override
block as defined below. - Alert
Rule stringTemplate Guid - The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Alert
Rule stringTemplate Version - The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Custom
Details map[string]string - A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter (query column) you wish to surface in the alerts. Because these values are copied into the alert payload, avoid surfacing columns that contain secrets or sensitive personal data.
- Description string
- The description of this Sentinel NRT Alert Rule.
- Display
Name string - The friendly name of this Sentinel NRT Alert Rule.
- Enabled bool
- Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
. - Entity
Mappings []AlertRule Nrt Entity Mapping Args - A list of
entity_mapping
blocks as defined below. - Event
Grouping AlertRuleNrtEventGroupingArgs - An
event_grouping
block as defined below. - Incident
Alert
Rule Nrt Incident Args - An
incident
block as defined below. - Log
Analytics stringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Name string
- The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- Query string
- The query of this Sentinel NRT Alert Rule.
- Sentinel
Entity []AlertMappings Rule Nrt Sentinel Entity Mapping Args A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
and sentinel_entity_mapping
together can't exceed 5.- Severity string
- The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - Suppression
Duration string - If
suppression_enabled
is true, this is an ISO 8601 timespan duration that specifies how long the query stops running after an alert is generated. Events that arrive during that suppression window are not evaluated, so choose the duration deliberately to avoid an unintended detection gap. Defaults to PT5H
. - Suppression
Enabled bool - Should the Sentinel NRT Alert Rule stop running its query for suppression_duration after an alert is generated? Defaults to
false
. - Tactics []string
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,ImpairProcessControl
,InhibitResponseFunction
,InitialAccess
,LateralMovement
,Persistence
,PreAttack
,PrivilegeEscalation
,Reconnaissance
andResourceDevelopment
. - Techniques []string
- A list of techniques of attacks by which to classify the rule.
- alert
Details List<AlertOverrides Rule Nrt Alert Details Override> - An
alert_details_override
block as defined below. - alert
Rule StringTemplate Guid - The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alert
Rule StringTemplate Version - The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- custom
Details Map<String,String> - A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter (query column) you wish to surface in the alerts. Because these values are copied into the alert payload, avoid surfacing columns that contain secrets or sensitive personal data.
- description String
- The description of this Sentinel NRT Alert Rule.
- display
Name String - The friendly name of this Sentinel NRT Alert Rule.
- enabled Boolean
- Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
. - entity
Mappings List<AlertRule Nrt Entity Mapping> - A list of
entity_mapping
blocks as defined below. - event
Grouping AlertRuleNrtEventGrouping - An
event_grouping
block as defined below. - incident
Alert
Rule Nrt Incident - An
incident
block as defined below. - log
Analytics StringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- name String
- The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query String
- The query of this Sentinel NRT Alert Rule.
- sentinel
Entity List<AlertMappings Rule Nrt Sentinel Entity Mapping> A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
and sentinel_entity_mapping
together can't exceed 5.- severity String
- The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - suppression
Duration String - If
suppression_enabled
is true, this is an ISO 8601 timespan duration that specifies how long the query stops running after an alert is generated. Events that arrive during that suppression window are not evaluated, so choose the duration deliberately to avoid an unintended detection gap. Defaults to PT5H
. - suppression
Enabled Boolean - Should the Sentinel NRT Alert Rule stop running its query for suppression_duration after an alert is generated? Defaults to
false
. - tactics List<String>
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,ImpairProcessControl
,InhibitResponseFunction
,InitialAccess
,LateralMovement
,Persistence
,PreAttack
,PrivilegeEscalation
,Reconnaissance
andResourceDevelopment
. - techniques List<String>
- A list of techniques of attacks by which to classify the rule.
- alert
Details AlertOverrides Rule Nrt Alert Details Override[] - An
alert_details_override
block as defined below. - alert
Rule stringTemplate Guid - The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alert
Rule stringTemplate Version - The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- custom
Details {[key: string]: string} - A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter (query column) you wish to surface in the alerts. Because these values are copied into the alert payload, avoid surfacing columns that contain secrets or sensitive personal data.
- description string
- The description of this Sentinel NRT Alert Rule.
- display
Name string - The friendly name of this Sentinel NRT Alert Rule.
- enabled boolean
- Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
. - entity
Mappings AlertRule Nrt Entity Mapping[] - A list of
entity_mapping
blocks as defined below. - event
Grouping AlertRuleNrtEventGrouping - An
event_grouping
block as defined below. - incident
Alert
Rule Nrt Incident - An
incident
block as defined below. - log
Analytics stringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- name string
- The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query string
- The query of this Sentinel NRT Alert Rule.
- sentinel
Entity AlertMappings Rule Nrt Sentinel Entity Mapping[] A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
and sentinel_entity_mapping
together can't exceed 5.- severity string
- The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - suppression
Duration string - If
suppression_enabled
is true, this is an ISO 8601 timespan duration that specifies how long the query stops running after an alert is generated. Events that arrive during that suppression window are not evaluated, so choose the duration deliberately to avoid an unintended detection gap. Defaults to PT5H
. - suppression
Enabled boolean - Should the Sentinel NRT Alert Rule stop running its query for suppression_duration after an alert is generated? Defaults to
false
. - tactics string[]
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,ImpairProcessControl
,InhibitResponseFunction
,InitialAccess
,LateralMovement
,Persistence
,PreAttack
,PrivilegeEscalation
,Reconnaissance
andResourceDevelopment
. - techniques string[]
- A list of techniques of attacks by which to classify the rule.
- alert_
details_ Sequence[Alertoverrides Rule Nrt Alert Details Override Args] - An
alert_details_override
block as defined below. - alert_
rule_ strtemplate_ guid - The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alert_
rule_ strtemplate_ version - The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- custom_
details Mapping[str, str] - A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter (query column) you wish to surface in the alerts. Because these values are copied into the alert payload, avoid surfacing columns that contain secrets or sensitive personal data.
- description str
- The description of this Sentinel NRT Alert Rule.
- display_
name str - The friendly name of this Sentinel NRT Alert Rule.
- enabled bool
- Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
. - entity_
mappings Sequence[AlertRule Nrt Entity Mapping Args] - A list of
entity_mapping
blocks as defined below. - event_
grouping AlertRuleNrtEventGroupingArgs - An
event_grouping
block as defined below. - incident
Alert
Rule Nrt Incident Args - An
incident
block as defined below. - log_
analytics_ strworkspace_ id - The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- name str
- The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query str
- The query of this Sentinel NRT Alert Rule.
- sentinel_
entity_ Sequence[Alertmappings Rule Nrt Sentinel Entity Mapping Args] A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
and sentinel_entity_mapping
together can't exceed 5.- severity str
- The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - suppression_
duration str - If
suppression_enabled
is true, this is an ISO 8601 timespan duration that specifies how long the query stops running after an alert is generated. Events that arrive during that suppression window are not evaluated, so choose the duration deliberately to avoid an unintended detection gap. Defaults to PT5H
. - suppression_
enabled bool - Should the Sentinel NRT Alert Rule stop running its query for suppression_duration after an alert is generated? Defaults to
false
. - tactics Sequence[str]
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,ImpairProcessControl
,InhibitResponseFunction
,InitialAccess
,LateralMovement
,Persistence
,PreAttack
,PrivilegeEscalation
,Reconnaissance
andResourceDevelopment
. - techniques Sequence[str]
- A list of techniques of attacks by which to classify the rule.
- alert
Details List<Property Map>Overrides - An
alert_details_override
block as defined below. - alert
Rule StringTemplate Guid - The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- alert
Rule StringTemplate Version - The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- custom
Details Map<String> - A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter (query column) you wish to surface in the alerts. Because these values are copied into the alert payload, avoid surfacing columns that contain secrets or sensitive personal data.
- description String
- The description of this Sentinel NRT Alert Rule.
- display
Name String - The friendly name of this Sentinel NRT Alert Rule.
- enabled Boolean
- Should the Sentinel NRT Alert Rule be enabled? Defaults to
true
. - entity
Mappings List<Property Map> - A list of
entity_mapping
blocks as defined below. - event
Grouping Property Map - An
event_grouping
block as defined below. - incident Property Map
- An
incident
block as defined below. - log
Analytics StringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
- name String
- The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
- query String
- The query of this Sentinel NRT Alert Rule.
- sentinel
Entity List<Property Map>Mappings A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
and sentinel_entity_mapping
together can't exceed 5.- severity String
- The alert severity of this Sentinel NRT Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - suppression
Duration String - If
suppression_enabled
is true, this is an ISO 8601 timespan duration that specifies how long the query stops running after an alert is generated. Events that arrive during that suppression window are not evaluated, so choose the duration deliberately to avoid an unintended detection gap. Defaults to PT5H
. - suppression
Enabled Boolean - Should the Sentinel NRT Alert Rule stop running its query for suppression_duration after an alert is generated? Defaults to
false
. - tactics List<String>
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,Impact
,ImpairProcessControl
,InhibitResponseFunction
,InitialAccess
,LateralMovement
,Persistence
,PreAttack
,PrivilegeEscalation
,Reconnaissance
andResourceDevelopment
. - techniques List<String>
- A list of techniques of attacks by which to classify the rule.
Supporting Types
AlertRuleNrtAlertDetailsOverride, AlertRuleNrtAlertDetailsOverrideArgs
- Description
Format string - The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- Display
Name stringFormat - The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- Dynamic
Properties List<AlertRule Nrt Alert Details Override Dynamic Property> - A list of
dynamic_property
blocks as defined below. - Severity
Column stringName - The column name to take the alert severity from.
- Tactics
Column stringName - The column name to take the alert tactics from.
- Description
Format string - The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- Display
Name stringFormat - The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- Dynamic
Properties []AlertRule Nrt Alert Details Override Dynamic Property - A list of
dynamic_property
blocks as defined below. - Severity
Column stringName - The column name to take the alert severity from.
- Tactics
Column stringName - The column name to take the alert tactics from.
- description
Format String - The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- display
Name StringFormat - The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- dynamic
Properties List<AlertRule Nrt Alert Details Override Dynamic Property> - A list of
dynamic_property
blocks as defined below. - severity
Column StringName - The column name to take the alert severity from.
- tactics
Column StringName - The column name to take the alert tactics from.
- description
Format string - The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- display
Name stringFormat - The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- dynamic
Properties AlertRule Nrt Alert Details Override Dynamic Property[] - A list of
dynamic_property
blocks as defined below. - severity
Column stringName - The column name to take the alert severity from.
- tactics
Column stringName - The column name to take the alert tactics from.
- description_
format str - The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- display_
name_ strformat - The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- dynamic_
properties Sequence[AlertRule Nrt Alert Details Override Dynamic Property] - A list of
dynamic_property
blocks as defined below. - severity_
column_ strname - The column name to take the alert severity from.
- tactics_
column_ strname - The column name to take the alert tactics from.
- description
Format String - The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- display
Name StringFormat - The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- dynamic
Properties List<Property Map> - A list of
dynamic_property
blocks as defined below. - severity
Column StringName - The column name to take the alert severity from.
- tactics
Column StringName - The column name to take the alert tactics from.
AlertRuleNrtAlertDetailsOverrideDynamicProperty, AlertRuleNrtAlertDetailsOverrideDynamicPropertyArgs
- Name string
- The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
. - Value string
- The value of the dynamic property. The values listed here match the output columns of the example query above and appear to be query column names rather than a fixed enumeration; possible values in the example are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
- Name string
- The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
. - Value string
- The value of the dynamic property. The values listed here match the output columns of the example query above and appear to be query column names rather than a fixed enumeration; possible values in the example are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
- name String
- The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
. - value String
- The value of the dynamic property. The values listed here match the output columns of the example query above and appear to be query column names rather than a fixed enumeration; possible values in the example are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
- name string
- The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
. - value string
- The value of the dynamic property. The values listed here match the output columns of the example query above and appear to be query column names rather than a fixed enumeration; possible values in the example are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
- name str
- The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
. - value str
- The value of the dynamic property. The values listed here match the output columns of the example query above and appear to be query column names rather than a fixed enumeration; possible values in the example are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
- name String
- The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
. - value String
- The value of the dynamic property. The values listed here match the output columns of the example query above and appear to be query column names rather than a fixed enumeration; possible values in the example are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
AlertRuleNrtEntityMapping, AlertRuleNrtEntityMappingArgs
- Entity
Type string - The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - Field
Mappings List<AlertRule Nrt Entity Mapping Field Mapping> - A list of
field_mapping
blocks as defined below.
- Entity
Type string - The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - Field
Mappings []AlertRule Nrt Entity Mapping Field Mapping - A list of
field_mapping
blocks as defined below.
- entity
Type String - The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - field
Mappings List<AlertRule Nrt Entity Mapping Field Mapping> - A list of
field_mapping
blocks as defined below.
- entity
Type string - The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - field
Mappings AlertRule Nrt Entity Mapping Field Mapping[] - A list of
field_mapping
blocks as defined below.
- entity_type str - The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail and URL.
- field_mappings Sequence[AlertRuleNrtEntityMappingFieldMapping] - A list of field_mapping blocks as defined below.
- entityType String - The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail and URL.
- fieldMappings List<Property Map> - A list of field_mapping blocks as defined below.
AlertRuleNrtEntityMappingFieldMapping, AlertRuleNrtEntityMappingFieldMappingArgs
- ColumnName string - The column name to be mapped to the identifier.
- Identifier string - The identifier of the entity.
- ColumnName string - The column name to be mapped to the identifier.
- Identifier string - The identifier of the entity.
- columnName String - The column name to be mapped to the identifier.
- identifier String - The identifier of the entity.
- columnName string - The column name to be mapped to the identifier.
- identifier string - The identifier of the entity.
- column_name str - The column name to be mapped to the identifier.
- identifier str - The identifier of the entity.
- columnName String - The column name to be mapped to the identifier.
- identifier String - The identifier of the entity.
AlertRuleNrtEventGrouping, AlertRuleNrtEventGroupingArgs
- AggregationMethod string - The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.
- AggregationMethod string - The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.
- aggregationMethod String - The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.
- aggregationMethod string - The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.
- aggregation_method str - The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.
- aggregationMethod String - The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.
AlertRuleNrtIncident, AlertRuleNrtIncidentArgs
- CreateIncidentEnabled bool - Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
- Grouping AlertRuleNrtIncidentGrouping - A grouping block as defined below.
- CreateIncidentEnabled bool - Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
- Grouping AlertRuleNrtIncidentGrouping - A grouping block as defined below.
- createIncidentEnabled Boolean - Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
- grouping AlertRuleNrtIncidentGrouping - A grouping block as defined below.
- createIncidentEnabled boolean - Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
- grouping AlertRuleNrtIncidentGrouping - A grouping block as defined below.
- create_incident_enabled bool - Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
- grouping AlertRuleNrtIncidentGrouping - A grouping block as defined below.
- createIncidentEnabled Boolean - Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
- grouping Property Map - A grouping block as defined below.
AlertRuleNrtIncidentGrouping, AlertRuleNrtIncidentGroupingArgs
- ByAlertDetails List<string> - A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
- ByCustomDetails List<string> - A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
- ByEntities List<string> - A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail and URL.
- Enabled bool - Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
- EntityMatchingMethod string - The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
- LookbackDuration string - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
- ReopenClosedIncidents bool - Whether to re-open closed matching incidents? Defaults to false.
- ByAlertDetails []string - A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
- ByCustomDetails []string - A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
- ByEntities []string - A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail and URL.
- Enabled bool - Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
- EntityMatchingMethod string - The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
- LookbackDuration string - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
- ReopenClosedIncidents bool - Whether to re-open closed matching incidents? Defaults to false.
- byAlertDetails List<String> - A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
- byCustomDetails List<String> - A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
- byEntities List<String> - A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail and URL.
- enabled Boolean - Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
- entityMatchingMethod String - The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
- lookbackDuration String - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
- reopenClosedIncidents Boolean - Whether to re-open closed matching incidents? Defaults to false.
- byAlertDetails string[] - A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
- byCustomDetails string[] - A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
- byEntities string[] - A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail and URL.
- enabled boolean - Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
- entityMatchingMethod string - The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
- lookbackDuration string - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
- reopenClosedIncidents boolean - Whether to re-open closed matching incidents? Defaults to false.
- by_alert_details Sequence[str] - A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
- by_custom_details Sequence[str] - A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
- by_entities Sequence[str] - A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail and URL.
- enabled bool - Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
- entity_matching_method str - The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
- lookback_duration str - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
- reopen_closed_incidents bool - Whether to re-open closed matching incidents? Defaults to false.
- byAlertDetails List<String> - A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
- byCustomDetails List<String> - A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
- byEntities List<String> - A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail and URL.
- enabled Boolean - Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
- entityMatchingMethod String - The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
- lookbackDuration String - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
- reopenClosedIncidents Boolean - Whether to re-open closed matching incidents? Defaults to false.
AlertRuleNrtSentinelEntityMapping, AlertRuleNrtSentinelEntityMappingArgs
- ColumnName string - The column name to be mapped to the identifier.
- ColumnName string - The column name to be mapped to the identifier.
- columnName String - The column name to be mapped to the identifier.
- columnName string - The column name to be mapped to the identifier.
- column_name str - The column name to be mapped to the identifier.
- columnName String - The column name to be mapped to the identifier.
Import
Sentinel NRT Alert Rules can be imported using the resource id, e.g.
$ pulumi import azure:sentinel/alertRuleNrt:AlertRuleNrt example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Classic pulumi/pulumi-azure
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the azurerm Terraform Provider.