Scheduled Alert Rule Args
/**
 * Arguments for creating or updating a Security Insights scheduled alert rule
 * (Azure REST API version 2023-02-01; Azure Native 1.x used 2020-01-01).
 *
 * Every argument is an optional [Output]; an unset argument is left to the provider.
 * The rule is addressed by [resourceGroupName], [workspaceName] and [ruleId], which are
 * the only arguments set in the minimal usage examples.
 *
 * @property alertDetailsOverride per-alert title/description templates (`{{Column}}` placeholders
 *   filled from the query row) and dynamic alert-property-to-column mappings, as in the full example.
 * @property alertRuleTemplateName not exercised by the examples; presumably the analytics template the
 *   rule was created from — confirm against the REST API reference.
 * @property customDetails map of custom detail name to query result column
 *   (e.g. "OperatingSystemName" -> "OSName" in the example).
 * @property description free-text description of the rule.
 * @property displayName display name of the rule.
 * @property enabled whether the rule is active.
 * @property entityMappings entity type plus column-to-identifier field mappings extracted from each
 *   result row (Host/FullName and IP/Address in the example).
 * @property eventGroupingSettings aggregation kind for generated alerts ("AlertPerResult" in the example).
 * @property incidentConfiguration whether incidents are created and how alerts are grouped into them.
 * @property kind alert rule kind; "Scheduled" in the example.
 * @property query the detection query the rule runs ("Heartbeat" in the example). It is executed
 *   against the workspace, so compose it from reviewed, static text rather than untrusted input.
 * @property queryFrequency ISO-8601 duration between runs ("PT1H" in the example).
 * @property queryPeriod ISO-8601 duration ("P2DT1H30M" in the example); presumably the lookback
 *   window of each run — confirm.
 * @property resourceGroupName name of the resource group.
 * @property ruleId rule id; the last segment of the alertRules resource id shown in the import example.
 * @property severity alert severity, as a raw string or [AlertSeverity] ("High" in the example).
 * @property suppressionDuration ISO-8601 duration ("PT1H" in the example); presumably only meaningful
 *   when [suppressionEnabled] is true — confirm.
 * @property suppressionEnabled whether suppression is on (false in the example).
 * @property tactics attack tactics, as raw strings or [AttackTactic]; the example values
 *   "Persistence" and "LateralMovement" follow MITRE ATT&CK tactic naming.
 * @property techniques technique identifiers; not exercised by the examples.
 * @property templateVersion not exercised by the examples; presumably the version of the template
 *   named in [alertRuleTemplateName] — confirm.
 * @property triggerOperator comparison applied to the result count, presumably
 *   ([TriggerOperator.GreaterThan] in the example).
 * @property triggerThreshold value the operator compares against (0 in the example).
 * @property workspaceName name of the Microsoft.OperationalInsights workspace named in the import path.
 */
data class ScheduledAlertRuleArgs(val alertDetailsOverride: Output<AlertDetailsOverrideArgs>? = null, val alertRuleTemplateName: Output<String>? = null, val customDetails: Output<Map<String, String>>? = null, val description: Output<String>? = null, val displayName: Output<String>? = null, val enabled: Output<Boolean>? = null, val entityMappings: Output<List<EntityMappingArgs>>? = null, val eventGroupingSettings: Output<EventGroupingSettingsArgs>? = null, val incidentConfiguration: Output<IncidentConfigurationArgs>? = null, val kind: Output<String>? = null, val query: Output<String>? = null, val queryFrequency: Output<String>? = null, val queryPeriod: Output<String>? = null, val resourceGroupName: Output<String>? = null, val ruleId: Output<String>? = null, val severity: Output<Either<String, AlertSeverity>>? = null, val suppressionDuration: Output<String>? = null, val suppressionEnabled: Output<Boolean>? = null, val tactics: Output<List<Either<String, AttackTactic>>>? = null, val techniques: Output<List<String>>? = null, val templateVersion: Output<String>? = null, val triggerOperator: Output<TriggerOperator>? = null, val triggerThreshold: Output<Int>? = null, val workspaceName: Output<String>? = null) : ConvertibleToJava<ScheduledAlertRuleArgs>
Represents a scheduled alert rule. Azure REST API version: 2023-02-01. Prior API version in Azure Native 1.x: 2020-01-01.
Example Usage
Creates or updates a Fusion alert rule.
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    // Minimal scheduled alert rule: only the identifying properties are set;
    // every other property is left to the provider defaults.
    var ruleArgs = new AzureNative.SecurityInsights.ScheduledAlertRuleArgs
    {
        ResourceGroupName = "myRg",
        RuleId = "myFirstFusionRule",
        WorkspaceName = "myWorkspace",
    };
    var scheduledAlertRule = new AzureNative.SecurityInsights.ScheduledAlertRule("scheduledAlertRule", ruleArgs);
});
package main
import (
"github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs the Pulumi program: a single scheduled alert rule addressed by
// resource group, workspace and rule id, with every other property left to
// the provider defaults.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		ruleArgs := &securityinsights.ScheduledAlertRuleArgs{
			ResourceGroupName: pulumi.String("myRg"),
			RuleId:            pulumi.String("myFirstFusionRule"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		}
		if _, err := securityinsights.NewScheduledAlertRule(ctx, "scheduledAlertRule", ruleArgs); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRule;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    /** Program entry point: hands the stack definition to the Pulumi engine. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines the stack: one scheduled alert rule addressed by resource group,
     * workspace and rule id, with every other property left to the provider defaults.
     *
     * @param ctx the Pulumi program context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        ScheduledAlertRuleArgs ruleArgs = ScheduledAlertRuleArgs.builder()
            .resourceGroupName("myRg")
            .ruleId("myFirstFusionRule")
            .workspaceName("myWorkspace")
            .build();
        ScheduledAlertRule scheduledAlertRule = new ScheduledAlertRule("scheduledAlertRule", ruleArgs);
    }
}
Creates or updates a MicrosoftSecurityIncidentCreation rule.
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    // Only the identifying properties are set; everything else is left to the
    // provider defaults.
    var ruleArgs = new AzureNative.SecurityInsights.ScheduledAlertRuleArgs
    {
        ResourceGroupName = "myRg",
        RuleId = "microsoftSecurityIncidentCreationRuleExample",
        WorkspaceName = "myWorkspace",
    };
    var scheduledAlertRule = new AzureNative.SecurityInsights.ScheduledAlertRule("scheduledAlertRule", ruleArgs);
});
package main
import (
"github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs the Pulumi program: a single scheduled alert rule with only its
// identifying properties set; the rest is left to the provider defaults.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		ruleArgs := &securityinsights.ScheduledAlertRuleArgs{
			ResourceGroupName: pulumi.String("myRg"),
			RuleId:            pulumi.String("microsoftSecurityIncidentCreationRuleExample"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		}
		if _, err := securityinsights.NewScheduledAlertRule(ctx, "scheduledAlertRule", ruleArgs); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRule;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    /** Program entry point: hands the stack definition to the Pulumi engine. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines the stack: one scheduled alert rule built from {@link #ruleArgs()}.
     *
     * @param ctx the Pulumi program context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        ScheduledAlertRule scheduledAlertRule = new ScheduledAlertRule("scheduledAlertRule", ruleArgs());
    }

    /** Identifying arguments only; every other property is left to the provider defaults. */
    private static ScheduledAlertRuleArgs ruleArgs() {
        return ScheduledAlertRuleArgs.builder()
            .resourceGroupName("myRg")
            .ruleId("microsoftSecurityIncidentCreationRuleExample")
            .workspaceName("myWorkspace")
            .build();
    }
}
Creates or updates a Scheduled alert rule.
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    // Alert title/description templates: {{Column}} placeholders are filled from the
    // matching query row; dynamic properties map alert fields to result columns.
    var alertDetailsOverride = new AzureNative.SecurityInsights.Inputs.AlertDetailsOverrideArgs
    {
        AlertDescriptionFormat = "Suspicious activity was made by {{ComputerIP}}",
        AlertDisplayNameFormat = "Alert from {{Computer}}",
        AlertDynamicProperties = new[]
        {
            new AzureNative.SecurityInsights.Inputs.AlertPropertyMappingArgs
            {
                AlertProperty = "ProductComponentName",
                Value = "ProductComponentNameCustomColumn",
            },
            new AzureNative.SecurityInsights.Inputs.AlertPropertyMappingArgs
            {
                AlertProperty = "ProductName",
                Value = "ProductNameCustomColumn",
            },
            new AzureNative.SecurityInsights.Inputs.AlertPropertyMappingArgs
            {
                AlertProperty = "AlertLink",
                Value = "Link",
            },
        },
    };

    // Entities extracted from each result row: the Computer column is a Host full name,
    // ComputerIP an IP address.
    var entityMappings = new[]
    {
        new AzureNative.SecurityInsights.Inputs.EntityMappingArgs
        {
            EntityType = "Host",
            FieldMappings = new[]
            {
                new AzureNative.SecurityInsights.Inputs.FieldMappingArgs
                {
                    ColumnName = "Computer",
                    Identifier = "FullName",
                },
            },
        },
        new AzureNative.SecurityInsights.Inputs.EntityMappingArgs
        {
            EntityType = "IP",
            FieldMappings = new[]
            {
                new AzureNative.SecurityInsights.Inputs.FieldMappingArgs
                {
                    ColumnName = "ComputerIP",
                    Identifier = "Address",
                },
            },
        },
    };

    // Incidents are created and grouped by the selected alert details, custom details
    // and Host entity over a PT5H lookback; closed incidents are not reopened.
    var incidentConfiguration = new AzureNative.SecurityInsights.Inputs.IncidentConfigurationArgs
    {
        CreateIncident = true,
        GroupingConfiguration = new AzureNative.SecurityInsights.Inputs.GroupingConfigurationArgs
        {
            Enabled = true,
            GroupByAlertDetails = new[] { "DisplayName" },
            GroupByCustomDetails = new[] { "OperatingSystemType", "OperatingSystemName" },
            GroupByEntities = new[] { "Host" },
            LookbackDuration = "PT5H",
            MatchingMethod = "Selected",
            ReopenClosedIncident = false,
        },
    };

    var ruleArgs = new AzureNative.SecurityInsights.ScheduledAlertRuleArgs
    {
        AlertDetailsOverride = alertDetailsOverride,
        CustomDetails =
        {
            { "OperatingSystemName", "OSName" },
            { "OperatingSystemType", "OSType" },
        },
        Description = "An example for a scheduled rule",
        DisplayName = "My scheduled rule",
        Enabled = true,
        EntityMappings = entityMappings,
        EventGroupingSettings = new AzureNative.SecurityInsights.Inputs.EventGroupingSettingsArgs
        {
            AggregationKind = "AlertPerResult",
        },
        IncidentConfiguration = incidentConfiguration,
        Kind = "Scheduled",
        // The query is static, reviewed text; frequency and period are ISO-8601 durations
        // (run every hour; period P2DT1H30M, presumably the lookback window).
        Query = "Heartbeat",
        QueryFrequency = "PT1H",
        QueryPeriod = "P2DT1H30M",
        ResourceGroupName = "myRg",
        RuleId = "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
        Severity = "High",
        SuppressionDuration = "PT1H",
        SuppressionEnabled = false,
        Tactics = new[] { "Persistence", "LateralMovement" },
        // Operator/threshold pair: as the names suggest, fire when the result count is GreaterThan 0.
        TriggerOperator = AzureNative.SecurityInsights.TriggerOperator.GreaterThan,
        TriggerThreshold = 0,
        WorkspaceName = "myWorkspace",
    };
    var scheduledAlertRule = new AzureNative.SecurityInsights.ScheduledAlertRule("scheduledAlertRule", ruleArgs);
});
package main
import (
"github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
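// main runs the Pulumi program: one scheduled alert rule with alert-detail
// overrides, entity mappings and incident grouping.
//
// The nested settings use the *Args input types and *Array collections that
// the resource expects: the generated example passed *Response output types
// for AlertDetailsOverride and IncidentConfiguration, a plain []EntityMappingArgs
// for EntityMappings, and untyped {} elements inside FieldMappingArray, none of
// which satisfy the input interfaces of ScheduledAlertRuleArgs.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Alert title/description templates; {{Column}} placeholders are filled from the
		// matching query row, and dynamic properties map alert fields to result columns.
		alertDetailsOverride := &securityinsights.AlertDetailsOverrideArgs{
			AlertDescriptionFormat: pulumi.String("Suspicious activity was made by {{ComputerIP}}"),
			AlertDisplayNameFormat: pulumi.String("Alert from {{Computer}}"),
			AlertDynamicProperties: securityinsights.AlertPropertyMappingArray{
				&securityinsights.AlertPropertyMappingArgs{
					AlertProperty: pulumi.String("ProductComponentName"),
					Value:         pulumi.String("ProductComponentNameCustomColumn"),
				},
				&securityinsights.AlertPropertyMappingArgs{
					AlertProperty: pulumi.String("ProductName"),
					Value:         pulumi.String("ProductNameCustomColumn"),
				},
				&securityinsights.AlertPropertyMappingArgs{
					AlertProperty: pulumi.String("AlertLink"),
					Value:         pulumi.String("Link"),
				},
			},
		}

		// Entities extracted from each result row: Computer is a Host full name,
		// ComputerIP an IP address.
		entityMappings := securityinsights.EntityMappingArray{
			&securityinsights.EntityMappingArgs{
				EntityType: pulumi.String("Host"),
				FieldMappings: securityinsights.FieldMappingArray{
					&securityinsights.FieldMappingArgs{
						ColumnName: pulumi.String("Computer"),
						Identifier: pulumi.String("FullName"),
					},
				},
			},
			&securityinsights.EntityMappingArgs{
				EntityType: pulumi.String("IP"),
				FieldMappings: securityinsights.FieldMappingArray{
					&securityinsights.FieldMappingArgs{
						ColumnName: pulumi.String("ComputerIP"),
						Identifier: pulumi.String("Address"),
					},
				},
			},
		}

		// Incidents are created and grouped by the selected alert details, custom details
		// and Host entity over a PT5H lookback; closed incidents are not reopened.
		incidentConfiguration := &securityinsights.IncidentConfigurationArgs{
			CreateIncident: pulumi.Bool(true),
			GroupingConfiguration: &securityinsights.GroupingConfigurationArgs{
				Enabled: pulumi.Bool(true),
				GroupByAlertDetails: pulumi.StringArray{
					pulumi.String("DisplayName"),
				},
				GroupByCustomDetails: pulumi.StringArray{
					pulumi.String("OperatingSystemType"),
					pulumi.String("OperatingSystemName"),
				},
				GroupByEntities: pulumi.StringArray{
					pulumi.String("Host"),
				},
				LookbackDuration:     pulumi.String("PT5H"),
				MatchingMethod:       pulumi.String("Selected"),
				ReopenClosedIncident: pulumi.Bool(false),
			},
		}

		_, err := securityinsights.NewScheduledAlertRule(ctx, "scheduledAlertRule", &securityinsights.ScheduledAlertRuleArgs{
			AlertDetailsOverride: alertDetailsOverride,
			CustomDetails: pulumi.StringMap{
				"OperatingSystemName": pulumi.String("OSName"),
				"OperatingSystemType": pulumi.String("OSType"),
			},
			Description:    pulumi.String("An example for a scheduled rule"),
			DisplayName:    pulumi.String("My scheduled rule"),
			Enabled:        pulumi.Bool(true),
			EntityMappings: entityMappings,
			EventGroupingSettings: &securityinsights.EventGroupingSettingsArgs{
				AggregationKind: pulumi.String("AlertPerResult"),
			},
			IncidentConfiguration: incidentConfiguration,
			Kind:                  pulumi.String("Scheduled"),
			// Static, reviewed query text; frequency and period are ISO-8601 durations
			// (run every hour; period P2DT1H30M, presumably the lookback window).
			Query:               pulumi.String("Heartbeat"),
			QueryFrequency:      pulumi.String("PT1H"),
			QueryPeriod:         pulumi.String("P2DT1H30M"),
			ResourceGroupName:   pulumi.String("myRg"),
			RuleId:              pulumi.String("73e01a99-5cd7-4139-a149-9f2736ff2ab5"),
			Severity:            pulumi.String("High"),
			SuppressionDuration: pulumi.String("PT1H"),
			SuppressionEnabled:  pulumi.Bool(false),
			Tactics: pulumi.StringArray{
				pulumi.String("Persistence"),
				pulumi.String("LateralMovement"),
			},
			// Operator/threshold pair: as the names suggest, fire when the result count is GreaterThan 0.
			TriggerOperator:  securityinsights.TriggerOperatorGreaterThan,
			TriggerThreshold: pulumi.Int(0),
			WorkspaceName:    pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}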
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRule;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRuleArgs;
import com.pulumi.azurenative.securityinsights.enums.TriggerOperator;
import com.pulumi.azurenative.securityinsights.inputs.AlertDetailsOverrideArgs;
import com.pulumi.azurenative.securityinsights.inputs.AlertPropertyMappingArgs;
import com.pulumi.azurenative.securityinsights.inputs.EntityMappingArgs;
import com.pulumi.azurenative.securityinsights.inputs.EventGroupingSettingsArgs;
import com.pulumi.azurenative.securityinsights.inputs.FieldMappingArgs;
import com.pulumi.azurenative.securityinsights.inputs.GroupingConfigurationArgs;
import com.pulumi.azurenative.securityinsights.inputs.IncidentConfigurationArgs;
import com.pulumi.core.Either;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
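public class App {
    /** Program entry point: hands the stack definition to the Pulumi engine. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines the stack: one scheduled alert rule with alert-detail overrides, entity
     * mappings and incident grouping.
     *
     * <p>The nested settings are built with their typed {@code *Args} builders instead of
     * {@code Map.ofEntries(...)}: a {@code Map} does not type-check against the builder
     * setters, and the generated example wrote list-valued entries as {@code Map.entry}
     * calls with three or four arguments, which does not compile. The union-typed
     * {@code tactics} list is passed as {@code Either} values and {@code triggerOperator}
     * as the enum constant rather than a bare string.
     *
     * @param ctx the Pulumi program context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        // Alert title/description templates; {{Column}} placeholders are filled from the
        // matching query row, and dynamic properties map alert fields to result columns.
        AlertDetailsOverrideArgs alertDetailsOverride = AlertDetailsOverrideArgs.builder()
            .alertDescriptionFormat("Suspicious activity was made by {{ComputerIP}}")
            .alertDisplayNameFormat("Alert from {{Computer}}")
            .alertDynamicProperties(
                AlertPropertyMappingArgs.builder()
                    .alertProperty("ProductComponentName")
                    .value("ProductComponentNameCustomColumn")
                    .build(),
                AlertPropertyMappingArgs.builder()
                    .alertProperty("ProductName")
                    .value("ProductNameCustomColumn")
                    .build(),
                AlertPropertyMappingArgs.builder()
                    .alertProperty("AlertLink")
                    .value("Link")
                    .build())
            .build();

        // Entities extracted from each result row: Computer is a Host full name,
        // ComputerIP an IP address.
        List<EntityMappingArgs> entityMappings = List.of(
            EntityMappingArgs.builder()
                .entityType("Host")
                .fieldMappings(FieldMappingArgs.builder()
                    .columnName("Computer")
                    .identifier("FullName")
                    .build())
                .build(),
            EntityMappingArgs.builder()
                .entityType("IP")
                .fieldMappings(FieldMappingArgs.builder()
                    .columnName("ComputerIP")
                    .identifier("Address")
                    .build())
                .build());

        // Incidents are created and grouped by the selected alert details, custom details
        // and Host entity over a PT5H lookback; closed incidents are not reopened.
        // NOTE(review): if the SDK types the groupBy* lists as Either<String, …>, wrap each
        // value in Either.ofLeft(...) as done for tactics below — confirm against the SDK.
        IncidentConfigurationArgs incidentConfiguration = IncidentConfigurationArgs.builder()
            .createIncident(true)
            .groupingConfiguration(GroupingConfigurationArgs.builder()
                .enabled(true)
                .groupByAlertDetails("DisplayName")
                .groupByCustomDetails("OperatingSystemType", "OperatingSystemName")
                .groupByEntities("Host")
                .lookbackDuration("PT5H")
                .matchingMethod("Selected")
                .reopenClosedIncident(false)
                .build())
            .build();

        var scheduledAlertRule = new ScheduledAlertRule("scheduledAlertRule", ScheduledAlertRuleArgs.builder()
            .alertDetailsOverride(alertDetailsOverride)
            .customDetails(Map.of(
                "OperatingSystemName", "OSName",
                "OperatingSystemType", "OSType"))
            .description("An example for a scheduled rule")
            .displayName("My scheduled rule")
            .enabled(true)
            .entityMappings(entityMappings)
            .eventGroupingSettings(EventGroupingSettingsArgs.builder()
                .aggregationKind("AlertPerResult")
                .build())
            .incidentConfiguration(incidentConfiguration)
            .kind("Scheduled")
            // Static, reviewed query text; frequency and period are ISO-8601 durations
            // (run every hour; period P2DT1H30M, presumably the lookback window).
            .query("Heartbeat")
            .queryFrequency("PT1H")
            .queryPeriod("P2DT1H30M")
            .resourceGroupName("myRg")
            .ruleId("73e01a99-5cd7-4139-a149-9f2736ff2ab5")
            .severity("High")
            .suppressionDuration("PT1H")
            .suppressionEnabled(false)
            .tactics(Either.ofLeft("Persistence"), Either.ofLeft("LateralMovement"))
            // Operator/threshold pair: as the names suggest, fire when the result count is GreaterThan 0.
            .triggerOperator(TriggerOperator.GreaterThan)
            .triggerThreshold(0)
            .workspaceName("myWorkspace")
            .build());
    }
}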
Import
An existing resource can be imported using its type token, name, and identifier, e.g.
$ pulumi import azure-native:securityinsights:ScheduledAlertRule 73e01a99-5cd7-4139-a149-9f2736ff2ab5 /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}
Constructors
fun ScheduledAlertRuleArgs(alertDetailsOverride: Output<AlertDetailsOverrideArgs>? = null, alertRuleTemplateName: Output<String>? = null, customDetails: Output<Map<String, String>>? = null, description: Output<String>? = null, displayName: Output<String>? = null, enabled: Output<Boolean>? = null, entityMappings: Output<List<EntityMappingArgs>>? = null, eventGroupingSettings: Output<EventGroupingSettingsArgs>? = null, incidentConfiguration: Output<IncidentConfigurationArgs>? = null, kind: Output<String>? = null, query: Output<String>? = null, queryFrequency: Output<String>? = null, queryPeriod: Output<String>? = null, resourceGroupName: Output<String>? = null, ruleId: Output<String>? = null, severity: Output<Either<String, AlertSeverity>>? = null, suppressionDuration: Output<String>? = null, suppressionEnabled: Output<Boolean>? = null, tactics: Output<List<Either<String, AttackTactic>>>? = null, techniques: Output<List<String>>? = null, templateVersion: Output<String>? = null, triggerOperator: Output<TriggerOperator>? = null, triggerThreshold: Output<Int>? = null, workspaceName: Output<String>? = null)
Functions
Properties