Datadog v4.36.1 published on Friday, Nov 15, 2024 by Pulumi
datadog.getSecurityMonitoringRules
Explore with Pulumi AI
Use this data source to retrieve information about existing security monitoring rules for use in other resources.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as datadog from "@pulumi/datadog";
const test = datadog.getSecurityMonitoringRules({
nameFilter: "attack",
tagsFilters: ["foo:bar"],
defaultOnlyFilter: true,
});
import pulumi
import pulumi_datadog as datadog
test = datadog.get_security_monitoring_rules(name_filter="attack",
tags_filters=["foo:bar"],
default_only_filter=True)
package main
import (
"github.com/pulumi/pulumi-datadog/sdk/v4/go/datadog"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := datadog.GetSecurityMonitoringRules(ctx, &datadog.GetSecurityMonitoringRulesArgs{
NameFilter: pulumi.StringRef("attack"),
TagsFilters: []string{
"foo:bar",
},
DefaultOnlyFilter: pulumi.BoolRef(true),
}, nil)
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Datadog = Pulumi.Datadog;
return await Deployment.RunAsync(() =>
{
var test = Datadog.GetSecurityMonitoringRules.Invoke(new()
{
NameFilter = "attack",
TagsFilters = new[]
{
"foo:bar",
},
DefaultOnlyFilter = true,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.datadog.DatadogFunctions;
import com.pulumi.datadog.inputs.GetSecurityMonitoringRulesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var test = DatadogFunctions.getSecurityMonitoringRules(GetSecurityMonitoringRulesArgs.builder()
.nameFilter("attack")
.tagsFilters("foo:bar")
.defaultOnlyFilter(true)
.build());
}
}
variables:
test:
fn::invoke:
Function: datadog:getSecurityMonitoringRules
Arguments:
nameFilter: attack
tagsFilters:
- foo:bar
defaultOnlyFilter: true
Using getSecurityMonitoringRules
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getSecurityMonitoringRules(args: GetSecurityMonitoringRulesArgs, opts?: InvokeOptions): Promise<GetSecurityMonitoringRulesResult>
function getSecurityMonitoringRulesOutput(args: GetSecurityMonitoringRulesOutputArgs, opts?: InvokeOptions): Output<GetSecurityMonitoringRulesResult>
def get_security_monitoring_rules(default_only_filter: Optional[bool] = None,
name_filter: Optional[str] = None,
tags_filters: Optional[Sequence[str]] = None,
user_only_filter: Optional[bool] = None,
opts: Optional[InvokeOptions] = None) -> GetSecurityMonitoringRulesResult
def get_security_monitoring_rules_output(default_only_filter: Optional[pulumi.Input[bool]] = None,
name_filter: Optional[pulumi.Input[str]] = None,
tags_filters: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
user_only_filter: Optional[pulumi.Input[bool]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetSecurityMonitoringRulesResult]
func GetSecurityMonitoringRules(ctx *Context, args *GetSecurityMonitoringRulesArgs, opts ...InvokeOption) (*GetSecurityMonitoringRulesResult, error)
func GetSecurityMonitoringRulesOutput(ctx *Context, args *GetSecurityMonitoringRulesOutputArgs, opts ...InvokeOption) GetSecurityMonitoringRulesResultOutput
> Note: This function is named GetSecurityMonitoringRules
in the Go SDK.
public static class GetSecurityMonitoringRules
{
public static Task<GetSecurityMonitoringRulesResult> InvokeAsync(GetSecurityMonitoringRulesArgs args, InvokeOptions? opts = null)
public static Output<GetSecurityMonitoringRulesResult> Invoke(GetSecurityMonitoringRulesInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetSecurityMonitoringRulesResult> getSecurityMonitoringRules(GetSecurityMonitoringRulesArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: datadog:index/getSecurityMonitoringRules:getSecurityMonitoringRules
arguments:
# arguments dictionary
The following arguments are supported:
- Default
Only boolFilter - Limit the search to default rules
- Name
Filter string - A rule name to limit the search
- List<string>
- A list of tags to limit the search
- User
Only boolFilter - Limit the search to user rules
- Default
Only boolFilter - Limit the search to default rules
- Name
Filter string - A rule name to limit the search
- []string
- A list of tags to limit the search
- User
Only boolFilter - Limit the search to user rules
- default
Only BooleanFilter - Limit the search to default rules
- name
Filter String - A rule name to limit the search
- List<String>
- A list of tags to limit the search
- user
Only BooleanFilter - Limit the search to user rules
- default
Only booleanFilter - Limit the search to default rules
- name
Filter string - A rule name to limit the search
- string[]
- A list of tags to limit the search
- user
Only booleanFilter - Limit the search to user rules
- default_
only_ boolfilter - Limit the search to default rules
- name_
filter str - A rule name to limit the search
- Sequence[str]
- A list of tags to limit the search
- user_
only_ boolfilter - Limit the search to user rules
- default
Only BooleanFilter - Limit the search to default rules
- name
Filter String - A rule name to limit the search
- List<String>
- A list of tags to limit the search
- user
Only BooleanFilter - Limit the search to user rules
getSecurityMonitoringRules Result
The following output properties are available:
- Id string
- The provider-assigned unique ID for this managed resource.
- Rule
Ids List<string> - List of IDs of the matched rules.
- Rules
List<Get
Security Monitoring Rules Rule> - List of rules.
- Default
Only boolFilter - Limit the search to default rules
- Name
Filter string - A rule name to limit the search
- List<string>
- A list of tags to limit the search
- User
Only boolFilter - Limit the search to user rules
- Id string
- The provider-assigned unique ID for this managed resource.
- Rule
Ids []string - List of IDs of the matched rules.
- Rules
[]Get
Security Monitoring Rules Rule - List of rules.
- Default
Only boolFilter - Limit the search to default rules
- Name
Filter string - A rule name to limit the search
- []string
- A list of tags to limit the search
- User
Only boolFilter - Limit the search to user rules
- id String
- The provider-assigned unique ID for this managed resource.
- rule
Ids List<String> - List of IDs of the matched rules.
- rules
List<Get
Security Monitoring Rules Rule> - List of rules.
- default
Only BooleanFilter - Limit the search to default rules
- name
Filter String - A rule name to limit the search
- List<String>
- A list of tags to limit the search
- user
Only BooleanFilter - Limit the search to user rules
- id string
- The provider-assigned unique ID for this managed resource.
- rule
Ids string[] - List of IDs of the matched rules.
- rules
Get
Security Monitoring Rules Rule[] - List of rules.
- default
Only booleanFilter - Limit the search to default rules
- name
Filter string - A rule name to limit the search
- string[]
- A list of tags to limit the search
- user
Only booleanFilter - Limit the search to user rules
- id str
- The provider-assigned unique ID for this managed resource.
- rule_
ids Sequence[str] - List of IDs of the matched rules.
- rules
Sequence[Get
Security Monitoring Rules Rule] - List of rules.
- default_
only_ boolfilter - Limit the search to default rules
- name_
filter str - A rule name to limit the search
- Sequence[str]
- A list of tags to limit the search
- user_
only_ boolfilter - Limit the search to user rules
- id String
- The provider-assigned unique ID for this managed resource.
- rule
Ids List<String> - List of IDs of the matched rules.
- rules List<Property Map>
- List of rules.
- default
Only BooleanFilter - Limit the search to default rules
- name
Filter String - A rule name to limit the search
- List<String>
- A list of tags to limit the search
- user
Only BooleanFilter - Limit the search to user rules
Supporting Types
GetSecurityMonitoringRulesRule
- Message string
- Message for generated signals.
- Name string
- The name of the rule.
- Cases
List<Get
Security Monitoring Rules Rule Case> - Cases for generating signals.
- Enabled bool
- Whether the rule is enabled.
- Filters
List<Get
Security Monitoring Rules Rule Filter> - Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
- Has
Extended boolTitle - Whether the notifications include the triggering group-by values in their title.
- Options
Get
Security Monitoring Rules Rule Options - Options on rules.
- Queries
List<Get
Security Monitoring Rules Rule Query> - Queries for selecting logs which are part of the rule.
- Reference
Tables List<GetSecurity Monitoring Rules Rule Reference Table> - Reference tables for filtering query results.
- Signal
Queries List<GetSecurity Monitoring Rules Rule Signal Query> - Queries for selecting logs which are part of the rule.
- List<string>
- Tags for generated signals.
- Third
Party List<GetCases Security Monitoring Rules Rule Third Party Case> - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- Type string
- The rule type.
- Message string
- Message for generated signals.
- Name string
- The name of the rule.
- Cases
[]Get
Security Monitoring Rules Rule Case - Cases for generating signals.
- Enabled bool
- Whether the rule is enabled.
- Filters
[]Get
Security Monitoring Rules Rule Filter - Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
- Has
Extended boolTitle - Whether the notifications include the triggering group-by values in their title.
- Options
Get
Security Monitoring Rules Rule Options - Options on rules.
- Queries
[]Get
Security Monitoring Rules Rule Query - Queries for selecting logs which are part of the rule.
- Reference
Tables []GetSecurity Monitoring Rules Rule Reference Table - Reference tables for filtering query results.
- Signal
Queries []GetSecurity Monitoring Rules Rule Signal Query - Queries for selecting logs which are part of the rule.
- []string
- Tags for generated signals.
- Third
Party []GetCases Security Monitoring Rules Rule Third Party Case - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- Type string
- The rule type.
- message String
- Message for generated signals.
- name String
- The name of the rule.
- cases
List<Get
Security Monitoring Rules Rule Case> - Cases for generating signals.
- enabled Boolean
- Whether the rule is enabled.
- filters
List<Get
Security Monitoring Rules Rule Filter> - Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
- has
Extended BooleanTitle - Whether the notifications include the triggering group-by values in their title.
- options
Get
Security Monitoring Rules Rule Options - Options on rules.
- queries
List<Get
Security Monitoring Rules Rule Query> - Queries for selecting logs which are part of the rule.
- reference
Tables List<GetSecurity Monitoring Rules Rule Reference Table> - Reference tables for filtering query results.
- signal
Queries List<GetSecurity Monitoring Rules Rule Signal Query> - Queries for selecting logs which are part of the rule.
- List<String>
- Tags for generated signals.
- third
Party List<GetCases Security Monitoring Rules Rule Third Party Case> - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- type String
- The rule type.
- message string
- Message for generated signals.
- name string
- The name of the rule.
- cases
Get
Security Monitoring Rules Rule Case[] - Cases for generating signals.
- enabled boolean
- Whether the rule is enabled.
- filters
Get
Security Monitoring Rules Rule Filter[] - Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
- has
Extended booleanTitle - Whether the notifications include the triggering group-by values in their title.
- options
Get
Security Monitoring Rules Rule Options - Options on rules.
- queries
Get
Security Monitoring Rules Rule Query[] - Queries for selecting logs which are part of the rule.
- reference
Tables GetSecurity Monitoring Rules Rule Reference Table[] - Reference tables for filtering query results.
- signal
Queries GetSecurity Monitoring Rules Rule Signal Query[] - Queries for selecting logs which are part of the rule.
- string[]
- Tags for generated signals.
- third
Party GetCases Security Monitoring Rules Rule Third Party Case[] - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- type string
- The rule type.
- message str
- Message for generated signals.
- name str
- The name of the rule.
- cases
Sequence[Get
Security Monitoring Rules Rule Case] - Cases for generating signals.
- enabled bool
- Whether the rule is enabled.
- filters
Sequence[Get
Security Monitoring Rules Rule Filter] - Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
- has_
extended_ booltitle - Whether the notifications include the triggering group-by values in their title.
- options
Get
Security Monitoring Rules Rule Options - Options on rules.
- queries
Sequence[Get
Security Monitoring Rules Rule Query] - Queries for selecting logs which are part of the rule.
- reference_
tables Sequence[GetSecurity Monitoring Rules Rule Reference Table] - Reference tables for filtering query results.
- signal_
queries Sequence[GetSecurity Monitoring Rules Rule Signal Query] - Queries for selecting logs which are part of the rule.
- Sequence[str]
- Tags for generated signals.
- third_
party_ Sequence[Getcases Security Monitoring Rules Rule Third Party Case] - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- type str
- The rule type.
- message String
- Message for generated signals.
- name String
- The name of the rule.
- cases List<Property Map>
- Cases for generating signals.
- enabled Boolean
- Whether the rule is enabled.
- filters List<Property Map>
- Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
- has
Extended BooleanTitle - Whether the notifications include the triggering group-by values in their title.
- options Property Map
- Options on rules.
- queries List<Property Map>
- Queries for selecting logs which are part of the rule.
- reference
Tables List<Property Map> - Reference tables for filtering query results.
- signal
Queries List<Property Map> - Queries for selecting logs which are part of the rule.
- List<String>
- Tags for generated signals.
- third
Party List<Property Map>Cases - Cases for generating signals for third-party rules. Only required and accepted for third-party rules
- type String
- The rule type.
GetSecurityMonitoringRulesRuleCase
- Status string
- Severity of the Security Signal.
- Condition string
- A rule case contains logical operations (
>
,>=
,&&
,||
) to determine if a signal should be generated based on the event counts in the previously defined queries. - Name string
- Name of the case.
- Notifications List<string>
- Notification targets for each rule case.
- Status string
- Severity of the Security Signal.
- Condition string
- A rule case contains logical operations (
>
,>=
,&&
,||
) to determine if a signal should be generated based on the event counts in the previously defined queries. - Name string
- Name of the case.
- Notifications []string
- Notification targets for each rule case.
- status String
- Severity of the Security Signal.
- condition String
- A rule case contains logical operations (
>
,>=
,&&
,||
) to determine if a signal should be generated based on the event counts in the previously defined queries. - name String
- Name of the case.
- notifications List<String>
- Notification targets for each rule case.
- status string
- Severity of the Security Signal.
- condition string
- A rule case contains logical operations (
>
,>=
,&&
,||
) to determine if a signal should be generated based on the event counts in the previously defined queries. - name string
- Name of the case.
- notifications string[]
- Notification targets for each rule case.
- status str
- Severity of the Security Signal.
- condition str
- A rule case contains logical operations (
>
,>=
,&&
,||
) to determine if a signal should be generated based on the event counts in the previously defined queries. - name str
- Name of the case.
- notifications Sequence[str]
- Notification targets for each rule case.
- status String
- Severity of the Security Signal.
- condition String
- A rule case contains logical operations (
>
,>=
,&&
,||
) to determine if a signal should be generated based on the event counts in the previously defined queries. - name String
- Name of the case.
- notifications List<String>
- Notification targets for each rule case.
GetSecurityMonitoringRulesRuleFilter
GetSecurityMonitoringRulesRuleOptions
- Decrease
Criticality boolBased On Env - If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with
staging
,test
, ordev
. Only available when the rule type islog_detection
. - Detection
Method string - The detection method.
- Evaluation
Window int - A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time.
- Impossible
Travel GetOptions Security Monitoring Rules Rule Options Impossible Travel Options - Options for rules using the impossible travel detection method.
- Keep
Alive int - Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds).
- Max
Signal intDuration - A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp.
- New
Value GetOptions Security Monitoring Rules Rule Options New Value Options - New value rules specific options.
- Third
Party GetRule Options Security Monitoring Rules Rule Options Third Party Rule Options - Options for rules using the third-party detection method.
- Decrease
Criticality boolBased On Env - If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with
staging
,test
, ordev
. Only available when the rule type islog_detection
. - Detection
Method string - The detection method.
- Evaluation
Window int - A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time.
- Impossible
Travel GetOptions Security Monitoring Rules Rule Options Impossible Travel Options - Options for rules using the impossible travel detection method.
- Keep
Alive int - Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds).
- Max
Signal intDuration - A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp.
- New
Value GetOptions Security Monitoring Rules Rule Options New Value Options - New value rules specific options.
- Third
Party GetRule Options Security Monitoring Rules Rule Options Third Party Rule Options - Options for rules using the third-party detection method.
- decrease
Criticality BooleanBased On Env - If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with
staging
,test
, ordev
. Only available when the rule type islog_detection
. - detection
Method String - The detection method.
- evaluation
Window Integer - A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time.
- impossible
Travel GetOptions Security Monitoring Rules Rule Options Impossible Travel Options - Options for rules using the impossible travel detection method.
- keep
Alive Integer - Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds).
- max
Signal IntegerDuration - A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp.
- new
Value GetOptions Security Monitoring Rules Rule Options New Value Options - New value rules specific options.
- third
Party GetRule Options Security Monitoring Rules Rule Options Third Party Rule Options - Options for rules using the third-party detection method.
- decrease
Criticality booleanBased On Env - If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with
staging
,test
, ordev
. Only available when the rule type islog_detection
. - detection
Method string - The detection method.
- evaluation
Window number - A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time.
- impossible
Travel GetOptions Security Monitoring Rules Rule Options Impossible Travel Options - Options for rules using the impossible travel detection method.
- keep
Alive number - Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds).
- max
Signal numberDuration - A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp.
- new
Value GetOptions Security Monitoring Rules Rule Options New Value Options - New value rules specific options.
- third
Party GetRule Options Security Monitoring Rules Rule Options Third Party Rule Options - Options for rules using the third-party detection method.
- decrease_
criticality_ boolbased_ on_ env - If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with
staging
,test
, ordev
. Only available when the rule type islog_detection
. - detection_
method str - The detection method.
- evaluation_
window int - A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time.
- impossible_
travel_ Getoptions Security Monitoring Rules Rule Options Impossible Travel Options - Options for rules using the impossible travel detection method.
- keep_
alive int - Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds).
- max_
signal_ intduration - A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp.
- new_
value_ Getoptions Security Monitoring Rules Rule Options New Value Options - New value rules specific options.
- third_
party_ Getrule_ options Security Monitoring Rules Rule Options Third Party Rule Options - Options for rules using the third-party detection method.
- decrease
Criticality BooleanBased On Env - If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with
staging
,test
, ordev
. Only available when the rule type islog_detection
. - detection
Method String - The detection method.
- evaluation
Window Number - A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time.
- impossible
Travel Property MapOptions - Options for rules using the impossible travel detection method.
- keep
Alive Number - Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds).
- max
Signal NumberDuration - A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp.
- new
Value Property MapOptions - New value rules specific options.
- third
Party Property MapRule Options - Options for rules using the third-party detection method.
GetSecurityMonitoringRulesRuleOptionsImpossibleTravelOptions
- Baseline
User boolLocations - If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
- Baseline
User boolLocations - If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
- baseline
User BooleanLocations - If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
- baseline
User booleanLocations - If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
- baseline_
user_ boollocations - If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
- baseline
User BooleanLocations - If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
GetSecurityMonitoringRulesRuleOptionsNewValueOptions
- Forget
After int - The duration in days after which a learned value is forgotten.
- Learning
Duration int - The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
- Learning
Method string - The learning method used to determine when signals should be generated for values that weren't learned.
- Learning
Threshold int - A number of occurrences after which signals are generated for values that weren't learned.
- Forget
After int - The duration in days after which a learned value is forgotten.
- Learning
Duration int - The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
- Learning
Method string - The learning method used to determine when signals should be generated for values that weren't learned.
- Learning
Threshold int - A number of occurrences after which signals are generated for values that weren't learned.
- forget
After Integer - The duration in days after which a learned value is forgotten.
- learning
Duration Integer - The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
- learning
Method String - The learning method used to determine when signals should be generated for values that weren't learned.
- learning
Threshold Integer - A number of occurrences after which signals are generated for values that weren't learned.
- forget
After number - The duration in days after which a learned value is forgotten.
- learning
Duration number - The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
- learning
Method string - The learning method used to determine when signals should be generated for values that weren't learned.
- learning
Threshold number - A number of occurrences after which signals are generated for values that weren't learned.
- forget_
after int - The duration in days after which a learned value is forgotten.
- learning_
duration int - The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
- learning_
method str - The learning method used to determine when signals should be generated for values that weren't learned.
- learning_
threshold int - A number of occurrences after which signals are generated for values that weren't learned.
- forget
After Number - The duration in days after which a learned value is forgotten.
- learning
Duration Number - The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
- learning
Method String - The learning method used to determine when signals should be generated for values that weren't learned.
- learning
Threshold Number - A number of occurrences after which signals are generated for values that weren't learned.
GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptions
- Default
Status string - Severity of the default rule case, when none of the third-party cases match.
- Root
Queries List<GetSecurity Monitoring Rules Rule Options Third Party Rule Options Root Query> - Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
- Default
Notifications List<string> - Notification targets for the default rule case, when none of the third-party cases match.
- Signal
Title stringTemplate - A template for the signal title; if omitted, the title is generated based on the case name.
- Default
Status string - Severity of the default rule case, when none of the third-party cases match.
- Root
Queries []GetSecurity Monitoring Rules Rule Options Third Party Rule Options Root Query - Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
- Default
Notifications []string - Notification targets for the default rule case, when none of the third-party cases match.
- Signal
Title stringTemplate - A template for the signal title; if omitted, the title is generated based on the case name.
- default
Status String - Severity of the default rule case, when none of the third-party cases match.
- root
Queries List<GetSecurity Monitoring Rules Rule Options Third Party Rule Options Root Query> - Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
- default
Notifications List<String> - Notification targets for the default rule case, when none of the third-party cases match.
- signal
Title StringTemplate - A template for the signal title; if omitted, the title is generated based on the case name.
- default
Status string - Severity of the default rule case, when none of the third-party cases match.
- root
Queries GetSecurity Monitoring Rules Rule Options Third Party Rule Options Root Query[] - Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
- default
Notifications string[] - Notification targets for the default rule case, when none of the third-party cases match.
- signal
Title stringTemplate - A template for the signal title; if omitted, the title is generated based on the case name.
- default_
status str - Severity of the default rule case, when none of the third-party cases match.
- root_
queries Sequence[GetSecurity Monitoring Rules Rule Options Third Party Rule Options Root Query] - Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
- default_
notifications Sequence[str] - Notification targets for the default rule case, when none of the third-party cases match.
- signal_
title_ strtemplate - A template for the signal title; if omitted, the title is generated based on the case name.
- default
Status String - Severity of the default rule case, when none of the third-party cases match.
- root
Queries List<Property Map> - Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
- default
Notifications List<String> - Notification targets for the default rule case, when none of the third-party cases match.
- signal
Title StringTemplate - A template for the signal title; if omitted, the title is generated based on the case name.
GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptionsRootQuery
- Query string
- Query to filter logs.
- Group
By List<string>Fields - Fields to group by. If empty, each log triggers a signal.
- Query string
- Query to filter logs.
- Group
By []stringFields - Fields to group by. If empty, each log triggers a signal.
- query String
- Query to filter logs.
- group
By List<String>Fields - Fields to group by. If empty, each log triggers a signal.
- query string
- Query to filter logs.
- group
By string[]Fields - Fields to group by. If empty, each log triggers a signal.
- query str
- Query to filter logs.
- group_
by_ Sequence[str]fields - Fields to group by. If empty, each log triggers a signal.
- query String
- Query to filter logs.
- group
By List<String>Fields - Fields to group by. If empty, each log triggers a signal.
GetSecurityMonitoringRulesRuleQuery
- Metrics List<string>
- Group of target fields to aggregate over when using the
sum
,max
,geo_data
, ornew_value
aggregations. Thesum
,max
, andgeo_data
aggregations only accept one value in this list, whereas thenew_value
aggregation accepts up to five values. - Query string
- Query to run on logs.
- Agent
Rules List<GetSecurity Monitoring Rules Rule Query Agent Rule> - Deprecated. It won't be applied anymore.
- Aggregation string
- The aggregation type. For Signal Correlation rules, it must be event_count.
- Distinct
Fields List<string> - Field for which the cardinality is measured. Sent as an array.
- Group
By List<string>Fields - Fields to group by.
- Metric string
- The target field to aggregate over when using the
sum
,max
, orgeo_data
aggregations. - Name string
- Name of the query. Not compatible with
new_value
aggregations.
- Metrics []string
- Group of target fields to aggregate over when using the
sum
,max
,geo_data
, ornew_value
aggregations. Thesum
,max
, andgeo_data
aggregations only accept one value in this list, whereas thenew_value
aggregation accepts up to five values. - Query string
- Query to run on logs.
- Agent
Rules []GetSecurity Monitoring Rules Rule Query Agent Rule - Deprecated. It won't be applied anymore.
- Aggregation string
- The aggregation type. For Signal Correlation rules, it must be event_count.
- Distinct
Fields []string - Field for which the cardinality is measured. Sent as an array.
- Group
By []stringFields - Fields to group by.
- Metric string
- The target field to aggregate over when using the
sum
,max
, orgeo_data
aggregations. - Name string
- Name of the query. Not compatible with
new_value
aggregations.
- metrics List<String>
- Group of target fields to aggregate over when using the
sum
,max
,geo_data
, ornew_value
aggregations. Thesum
,max
, andgeo_data
aggregations only accept one value in this list, whereas thenew_value
aggregation accepts up to five values. - query String
- Query to run on logs.
- agent
Rules List<GetSecurity Monitoring Rules Rule Query Agent Rule> - Deprecated. It won't be applied anymore.
- aggregation String
- The aggregation type. For Signal Correlation rules, it must be event_count.
- distinct
Fields List<String> - Field for which the cardinality is measured. Sent as an array.
- group
By List<String>Fields - Fields to group by.
- metric String
- The target field to aggregate over when using the
sum
,max
, orgeo_data
aggregations. - name String
- Name of the query. Not compatible with
new_value
aggregations.
- metrics string[]
- Group of target fields to aggregate over when using the
sum
,max
,geo_data
, ornew_value
aggregations. Thesum
,max
, andgeo_data
aggregations only accept one value in this list, whereas thenew_value
aggregation accepts up to five values. - query string
- Query to run on logs.
- agent
Rules GetSecurity Monitoring Rules Rule Query Agent Rule[] - Deprecated. It won't be applied anymore.
- aggregation string
- The aggregation type. For Signal Correlation rules, it must be event_count.
- distinct
Fields string[] - Field for which the cardinality is measured. Sent as an array.
- group
By string[]Fields - Fields to group by.
- metric string
- The target field to aggregate over when using the
sum
,max
, orgeo_data
aggregations. - name string
- Name of the query. Not compatible with
new_value
aggregations.
- metrics Sequence[str]
- Group of target fields to aggregate over when using the
sum
,max
,geo_data
, ornew_value
aggregations. Thesum
,max
, andgeo_data
aggregations only accept one value in this list, whereas thenew_value
aggregation accepts up to five values. - query str
- Query to run on logs.
- agent_
rules Sequence[GetSecurity Monitoring Rules Rule Query Agent Rule] - Deprecated. It won't be applied anymore.
- aggregation str
- The aggregation type. For Signal Correlation rules, it must be event_count.
- distinct_
fields Sequence[str] - Field for which the cardinality is measured. Sent as an array.
- group_
by_ Sequence[str]fields - Fields to group by.
- metric str
- The target field to aggregate over when using the
sum
,max
, orgeo_data
aggregations. - name str
- Name of the query. Not compatible with
new_value
aggregations.
- metrics List<String>
- Group of target fields to aggregate over when using the
sum
,max
,geo_data
, ornew_value
aggregations. Thesum
,max
, andgeo_data
aggregations only accept one value in this list, whereas thenew_value
aggregation accepts up to five values. - query String
- Query to run on logs.
- agent
Rules List<Property Map> - Deprecated. It won't be applied anymore.
- aggregation String
- The aggregation type. For Signal Correlation rules, it must be event_count.
- distinct
Fields List<String> - Field for which the cardinality is measured. Sent as an array.
- group
By List<String>Fields - Fields to group by.
- metric String
- The target field to aggregate over when using the
sum
,max
, orgeo_data
aggregations. - name String
- Name of the query. Not compatible with
new_value
aggregations.
GetSecurityMonitoringRulesRuleQueryAgentRule
- Agent
Rule stringId - Deprecated. It won't be applied anymore.
- Expression string
- Deprecated. It won't be applied anymore.
- Agent
Rule stringId - Deprecated. It won't be applied anymore.
- Expression string
- Deprecated. It won't be applied anymore.
- agent
Rule StringId - Deprecated. It won't be applied anymore.
- expression String
- Deprecated. It won't be applied anymore.
- agent
Rule stringId - Deprecated. It won't be applied anymore.
- expression string
- Deprecated. It won't be applied anymore.
- agent_
rule_ strid - Deprecated. It won't be applied anymore.
- expression str
- Deprecated. It won't be applied anymore.
- agent
Rule StringId - Deprecated. It won't be applied anymore.
- expression String
- Deprecated. It won't be applied anymore.
GetSecurityMonitoringRulesRuleReferenceTable
- Check
Presence bool - Whether to include or exclude logs that match the reference table.
- Column
Name string - The name of the column in the reference table.
- Log
Field stringPath - The field in the log that should be matched against the reference table.
- Rule
Query stringName - The name of the query to filter.
- Table
Name string - The name of the reference table.
- Check
Presence bool - Whether to include or exclude logs that match the reference table.
- Column
Name string - The name of the column in the reference table.
- Log
Field stringPath - The field in the log that should be matched against the reference table.
- Rule
Query stringName - The name of the query to filter.
- Table
Name string - The name of the reference table.
- check
Presence Boolean - Whether to include or exclude logs that match the reference table.
- column
Name String - The name of the column in the reference table.
- log
Field StringPath - The field in the log that should be matched against the reference table.
- rule
Query StringName - The name of the query to filter.
- table
Name String - The name of the reference table.
- check
Presence boolean - Whether to include or exclude logs that match the reference table.
- column
Name string - The name of the column in the reference table.
- log
Field stringPath - The field in the log that should be matched against the reference table.
- rule
Query stringName - The name of the query to filter.
- table
Name string - The name of the reference table.
- check_
presence bool - Whether to include or exclude logs that match the reference table.
- column_
name str - The name of the column in the reference table.
- log_
field_ strpath - The field in the log that should be matched against the reference table.
- rule_
query_ strname - The name of the query to filter.
- table_
name str - The name of the reference table.
- check
Presence Boolean - Whether to include or exclude logs that match the reference table.
- column
Name String - The name of the column in the reference table.
- log
Field StringPath - The field in the log that should be matched against the reference table.
- rule
Query StringName - The name of the query to filter.
- table
Name String - The name of the reference table.
GetSecurityMonitoringRulesRuleSignalQuery
- Rule
Id string - Rule ID of the signal to correlate.
- Aggregation string
- The aggregation type. For Signal Correlation rules, it must be event_count.
- List<string>
- Fields to correlate by.
- string
- Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
- Default
Rule stringId - Default Rule ID of the signal to correlate. This value is READ-ONLY.
- Name string
- Name of the query. Not compatible with
new_value
aggregations.
- Rule
Id string - Rule ID of the signal to correlate.
- Aggregation string
- The aggregation type. For Signal Correlation rules, it must be event_count.
- []string
- Fields to correlate by.
- string
- Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
- Default
Rule stringId - Default Rule ID of the signal to correlate. This value is READ-ONLY.
- Name string
- Name of the query. Not compatible with
new_value
aggregations.
- rule
Id String - Rule ID of the signal to correlate.
- aggregation String
- The aggregation type. For Signal Correlation rules, it must be event_count.
- List<String>
- Fields to correlate by.
- String
- Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
- default
Rule StringId - Default Rule ID of the signal to correlate. This value is READ-ONLY.
- name String
- Name of the query. Not compatible with
new_value
aggregations.
- rule
Id string - Rule ID of the signal to correlate.
- aggregation string
- The aggregation type. For Signal Correlation rules, it must be event_count.
- string[]
- Fields to correlate by.
- string
- Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
- default
Rule stringId - Default Rule ID of the signal to correlate. This value is READ-ONLY.
- name string
- Name of the query. Not compatible with
new_value
aggregations.
- rule_
id str - Rule ID of the signal to correlate.
- aggregation str
- The aggregation type. For Signal Correlation rules, it must be event_count.
- Sequence[str]
- Fields to correlate by.
- str
- Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
- default_
rule_ strid - Default Rule ID of the signal to correlate. This value is READ-ONLY.
- name str
- Name of the query. Not compatible with
new_value
aggregations.
- rule
Id String - Rule ID of the signal to correlate.
- aggregation String
- The aggregation type. For Signal Correlation rules, it must be event_count.
- List<String>
- Fields to correlate by.
- String
- Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
- default
Rule StringId - Default Rule ID of the signal to correlate. This value is READ-ONLY.
- name String
- Name of the query. Not compatible with
new_value
aggregations.
GetSecurityMonitoringRulesRuleThirdPartyCase
- Status string
- Severity of the Security Signal.
- Name string
- Name of the case.
- Notifications List<string>
- Notification targets for each rule case.
- Query string
- A query to associate a third-party event to this case.
- Status string
- Severity of the Security Signal.
- Name string
- Name of the case.
- Notifications []string
- Notification targets for each rule case.
- Query string
- A query to associate a third-party event to this case.
- status String
- Severity of the Security Signal.
- name String
- Name of the case.
- notifications List<String>
- Notification targets for each rule case.
- query String
- A query to associate a third-party event to this case.
- status string
- Severity of the Security Signal.
- name string
- Name of the case.
- notifications string[]
- Notification targets for each rule case.
- query string
- A query to associate a third-party event to this case.
- status str
- Severity of the Security Signal.
- name str
- Name of the case.
- notifications Sequence[str]
- Notification targets for each rule case.
- query str
- A query to associate a third-party event to this case.
- status String
- Severity of the Security Signal.
- name String
- Name of the case.
- notifications List<String>
- Notification targets for each rule case.
- query String
- A query to associate a third-party event to this case.
Package Details
- Repository
- Datadog pulumi/pulumi-datadog
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
datadog
Terraform Provider.