pulumi-azure-native-kotlin/com.pulumi.azurenative.securityinsights.kotlin/ScheduledAlertRuleArgs

ScheduledAlertRuleArgs

data class ScheduledAlertRuleArgs(val alertDetailsOverride: Output<AlertDetailsOverrideArgs>? = null, val alertRuleTemplateName: Output<String>? = null, val customDetails: Output<Map<String, String>>? = null, val description: Output<String>? = null, val displayName: Output<String>? = null, val enabled: Output<Boolean>? = null, val entityMappings: Output<List<EntityMappingArgs>>? = null, val eventGroupingSettings: Output<EventGroupingSettingsArgs>? = null, val incidentConfiguration: Output<IncidentConfigurationArgs>? = null, val kind: Output<String>? = null, val query: Output<String>? = null, val queryFrequency: Output<String>? = null, val queryPeriod: Output<String>? = null, val resourceGroupName: Output<String>? = null, val ruleId: Output<String>? = null, val severity: Output<Either<String, AlertSeverity>>? = null, val suppressionDuration: Output<String>? = null, val suppressionEnabled: Output<Boolean>? = null, val tactics: Output<List<Either<String, AttackTactic>>>? = null, val techniques: Output<List<String>>? = null, val templateVersion: Output<String>? = null, val triggerOperator: Output<TriggerOperator>? = null, val triggerThreshold: Output<Int>? = null, val workspaceName: Output<String>? = null) : ConvertibleToJava<ScheduledAlertRuleArgs>

Represents scheduled alert rule. Uses Azure REST API version 2024-09-01. In version 2.x of the Azure Native provider, it used API version 2023-02-01.

Example Usage

Creates or updates a Fusion alert rule.

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    var scheduledAlertRule = new AzureNative.SecurityInsights.ScheduledAlertRule("scheduledAlertRule", new()
    {
        ResourceGroupName = "myRg",
        RuleId = "myFirstFusionRule",
        WorkspaceName = "myWorkspace",
    });
});

package main
import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securityinsights.NewScheduledAlertRule(ctx, "scheduledAlertRule", &securityinsights.ScheduledAlertRuleArgs{
			ResourceGroupName: pulumi.String("myRg"),
			RuleId:            pulumi.String("myFirstFusionRule"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRule;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var scheduledAlertRule = new ScheduledAlertRule("scheduledAlertRule", ScheduledAlertRuleArgs.builder()
            .resourceGroupName("myRg")
            .ruleId("myFirstFusionRule")
            .workspaceName("myWorkspace")
            .build());
    }
}

Creates or updates a MicrosoftSecurityIncidentCreation rule.

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    var scheduledAlertRule = new AzureNative.SecurityInsights.ScheduledAlertRule("scheduledAlertRule", new()
    {
        ResourceGroupName = "myRg",
        RuleId = "microsoftSecurityIncidentCreationRuleExample",
        WorkspaceName = "myWorkspace",
    });
});

package main
import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securityinsights.NewScheduledAlertRule(ctx, "scheduledAlertRule", &securityinsights.ScheduledAlertRuleArgs{
			ResourceGroupName: pulumi.String("myRg"),
			RuleId:            pulumi.String("microsoftSecurityIncidentCreationRuleExample"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRule;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var scheduledAlertRule = new ScheduledAlertRule("scheduledAlertRule", ScheduledAlertRuleArgs.builder()
            .resourceGroupName("myRg")
            .ruleId("microsoftSecurityIncidentCreationRuleExample")
            .workspaceName("myWorkspace")
            .build());
    }
}

Creates or updates a Scheduled alert rule.

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    var scheduledAlertRule = new AzureNative.SecurityInsights.ScheduledAlertRule("scheduledAlertRule", new()
    {
        AlertDetailsOverride = new AzureNative.SecurityInsights.Inputs.AlertDetailsOverrideArgs
        {
            AlertDescriptionFormat = "Suspicious activity was made by {{ComputerIP}}",
            AlertDisplayNameFormat = "Alert from {{Computer}}",
            AlertDynamicProperties = new[]
            {
                new AzureNative.SecurityInsights.Inputs.AlertPropertyMappingArgs
                {
                    AlertProperty = AzureNative.SecurityInsights.AlertProperty.ProductComponentName,
                    Value = "ProductComponentNameCustomColumn",
                },
                new AzureNative.SecurityInsights.Inputs.AlertPropertyMappingArgs
                {
                    AlertProperty = AzureNative.SecurityInsights.AlertProperty.ProductName,
                    Value = "ProductNameCustomColumn",
                },
                new AzureNative.SecurityInsights.Inputs.AlertPropertyMappingArgs
                {
                    AlertProperty = AzureNative.SecurityInsights.AlertProperty.AlertLink,
                    Value = "Link",
                },
            },
        },
        CustomDetails =
        {
            { "OperatingSystemName", "OSName" },
            { "OperatingSystemType", "OSType" },
        },
        Description = "An example for a scheduled rule",
        DisplayName = "My scheduled rule",
        Enabled = true,
        EntityMappings = new[]
        {
            new AzureNative.SecurityInsights.Inputs.EntityMappingArgs
            {
                EntityType = AzureNative.SecurityInsights.EntityMappingType.Host,
                FieldMappings = new[]
                {
                    new AzureNative.SecurityInsights.Inputs.FieldMappingArgs
                    {
                        ColumnName = "Computer",
                        Identifier = "FullName",
                    },
                },
            },
            new AzureNative.SecurityInsights.Inputs.EntityMappingArgs
            {
                EntityType = AzureNative.SecurityInsights.EntityMappingType.IP,
                FieldMappings = new[]
                {
                    new AzureNative.SecurityInsights.Inputs.FieldMappingArgs
                    {
                        ColumnName = "ComputerIP",
                        Identifier = "Address",
                    },
                },
            },
        },
        EventGroupingSettings = new AzureNative.SecurityInsights.Inputs.EventGroupingSettingsArgs
        {
            AggregationKind = AzureNative.SecurityInsights.EventGroupingAggregationKind.AlertPerResult,
        },
        IncidentConfiguration = new AzureNative.SecurityInsights.Inputs.IncidentConfigurationArgs
        {
            CreateIncident = true,
            GroupingConfiguration = new AzureNative.SecurityInsights.Inputs.GroupingConfigurationArgs
            {
                Enabled = true,
                GroupByAlertDetails = new[]
                {
                    AzureNative.SecurityInsights.AlertDetail.DisplayName,
                },
                GroupByCustomDetails = new[]
                {
                    "OperatingSystemType",
                    "OperatingSystemName",
                },
                GroupByEntities = new[]
                {
                    AzureNative.SecurityInsights.EntityMappingType.Host,
                },
                LookbackDuration = "PT5H",
                MatchingMethod = AzureNative.SecurityInsights.MatchingMethod.Selected,
                ReopenClosedIncident = false,
            },
        },
        Kind = "Scheduled",
        Query = "Heartbeat",
        QueryFrequency = "PT1H",
        QueryPeriod = "P2DT1H30M",
        ResourceGroupName = "myRg",
        RuleId = "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
        Severity = AzureNative.SecurityInsights.AlertSeverity.High,
        SuppressionDuration = "PT1H",
        SuppressionEnabled = false,
        Tactics = new[]
        {
            AzureNative.SecurityInsights.AttackTactic.Persistence,
            AzureNative.SecurityInsights.AttackTactic.LateralMovement,
        },
        TriggerOperator = AzureNative.SecurityInsights.TriggerOperator.GreaterThan,
        TriggerThreshold = 0,
        WorkspaceName = "myWorkspace",
    });
});

package main
import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securityinsights.NewScheduledAlertRule(ctx, "scheduledAlertRule", &securityinsights.ScheduledAlertRuleArgs{
			AlertDetailsOverride: &securityinsights.AlertDetailsOverrideArgs{
				AlertDescriptionFormat: pulumi.String("Suspicious activity was made by {{ComputerIP}}"),
				AlertDisplayNameFormat: pulumi.String("Alert from {{Computer}}"),
				AlertDynamicProperties: securityinsights.AlertPropertyMappingArray{
					&securityinsights.AlertPropertyMappingArgs{
						AlertProperty: pulumi.String(securityinsights.AlertPropertyProductComponentName),
						Value:         pulumi.String("ProductComponentNameCustomColumn"),
					},
					&securityinsights.AlertPropertyMappingArgs{
						AlertProperty: pulumi.String(securityinsights.AlertPropertyProductName),
						Value:         pulumi.String("ProductNameCustomColumn"),
					},
					&securityinsights.AlertPropertyMappingArgs{
						AlertProperty: pulumi.String(securityinsights.AlertPropertyAlertLink),
						Value:         pulumi.String("Link"),
					},
				},
			},
			CustomDetails: pulumi.StringMap{
				"OperatingSystemName": pulumi.String("OSName"),
				"OperatingSystemType": pulumi.String("OSType"),
			},
			Description: pulumi.String("An example for a scheduled rule"),
			DisplayName: pulumi.String("My scheduled rule"),
			Enabled:     pulumi.Bool(true),
			EntityMappings: securityinsights.EntityMappingArray{
				&securityinsights.EntityMappingArgs{
					EntityType: pulumi.String(securityinsights.EntityMappingTypeHost),
					FieldMappings: securityinsights.FieldMappingArray{
						&securityinsights.FieldMappingArgs{
							ColumnName: pulumi.String("Computer"),
							Identifier: pulumi.String("FullName"),
						},
					},
				},
				&securityinsights.EntityMappingArgs{
					EntityType: pulumi.String(securityinsights.EntityMappingTypeIP),
					FieldMappings: securityinsights.FieldMappingArray{
						&securityinsights.FieldMappingArgs{
							ColumnName: pulumi.String("ComputerIP"),
							Identifier: pulumi.String("Address"),
						},
					},
				},
			},
			EventGroupingSettings: &securityinsights.EventGroupingSettingsArgs{
				AggregationKind: pulumi.String(securityinsights.EventGroupingAggregationKindAlertPerResult),
			},
			IncidentConfiguration: &securityinsights.IncidentConfigurationArgs{
				CreateIncident: pulumi.Bool(true),
				GroupingConfiguration: &securityinsights.GroupingConfigurationArgs{
					Enabled: pulumi.Bool(true),
					GroupByAlertDetails: pulumi.StringArray{
						pulumi.String(securityinsights.AlertDetailDisplayName),
					},
					GroupByCustomDetails: pulumi.StringArray{
						pulumi.String("OperatingSystemType"),
						pulumi.String("OperatingSystemName"),
					},
					GroupByEntities: pulumi.StringArray{
						pulumi.String(securityinsights.EntityMappingTypeHost),
					},
					LookbackDuration:     pulumi.String("PT5H"),
					MatchingMethod:       pulumi.String(securityinsights.MatchingMethodSelected),
					ReopenClosedIncident: pulumi.Bool(false),
				},
			},
			Kind:                pulumi.String("Scheduled"),
			Query:               pulumi.String("Heartbeat"),
			QueryFrequency:      pulumi.String("PT1H"),
			QueryPeriod:         pulumi.String("P2DT1H30M"),
			ResourceGroupName:   pulumi.String("myRg"),
			RuleId:              pulumi.String("73e01a99-5cd7-4139-a149-9f2736ff2ab5"),
			Severity:            pulumi.String(securityinsights.AlertSeverityHigh),
			SuppressionDuration: pulumi.String("PT1H"),
			SuppressionEnabled:  pulumi.Bool(false),
			Tactics: pulumi.StringArray{
				pulumi.String(securityinsights.AttackTacticPersistence),
				pulumi.String(securityinsights.AttackTacticLateralMovement),
			},
			TriggerOperator:  securityinsights.TriggerOperatorGreaterThan,
			TriggerThreshold: pulumi.Int(0),
			WorkspaceName:    pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRule;
import com.pulumi.azurenative.securityinsights.ScheduledAlertRuleArgs;
import com.pulumi.azurenative.securityinsights.inputs.AlertDetailsOverrideArgs;
import com.pulumi.azurenative.securityinsights.inputs.EntityMappingArgs;
import com.pulumi.azurenative.securityinsights.inputs.EventGroupingSettingsArgs;
import com.pulumi.azurenative.securityinsights.inputs.IncidentConfigurationArgs;
import com.pulumi.azurenative.securityinsights.inputs.GroupingConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var scheduledAlertRule = new ScheduledAlertRule("scheduledAlertRule", ScheduledAlertRuleArgs.builder()
            .alertDetailsOverride(AlertDetailsOverrideArgs.builder()
                .alertDescriptionFormat("Suspicious activity was made by {{ComputerIP}}")
                .alertDisplayNameFormat("Alert from {{Computer}}")
                .alertDynamicProperties(
                    AlertPropertyMappingArgs.builder()
                        .alertProperty("ProductComponentName")
                        .value("ProductComponentNameCustomColumn")
                        .build(),
                    AlertPropertyMappingArgs.builder()
                        .alertProperty("ProductName")
                        .value("ProductNameCustomColumn")
                        .build(),
                    AlertPropertyMappingArgs.builder()
                        .alertProperty("AlertLink")
                        .value("Link")
                        .build())
                .build())
            .customDetails(Map.ofEntries(
                Map.entry("OperatingSystemName", "OSName"),
                Map.entry("OperatingSystemType", "OSType")
            ))
            .description("An example for a scheduled rule")
            .displayName("My scheduled rule")
            .enabled(true)
            .entityMappings(
                EntityMappingArgs.builder()
                    .entityType("Host")
                    .fieldMappings(FieldMappingArgs.builder()
                        .columnName("Computer")
                        .identifier("FullName")
                        .build())
                    .build(),
                EntityMappingArgs.builder()
                    .entityType("IP")
                    .fieldMappings(FieldMappingArgs.builder()
                        .columnName("ComputerIP")
                        .identifier("Address")
                        .build())
                    .build())
            .eventGroupingSettings(EventGroupingSettingsArgs.builder()
                .aggregationKind("AlertPerResult")
                .build())
            .incidentConfiguration(IncidentConfigurationArgs.builder()
                .createIncident(true)
                .groupingConfiguration(GroupingConfigurationArgs.builder()
                    .enabled(true)
                    .groupByAlertDetails("DisplayName")
                    .groupByCustomDetails(
                        "OperatingSystemType",
                        "OperatingSystemName")
                    .groupByEntities("Host")
                    .lookbackDuration("PT5H")
                    .matchingMethod("Selected")
                    .reopenClosedIncident(false)
                    .build())
                .build())
            .kind("Scheduled")
            .query("Heartbeat")
            .queryFrequency("PT1H")
            .queryPeriod("P2DT1H30M")
            .resourceGroupName("myRg")
            .ruleId("73e01a99-5cd7-4139-a149-9f2736ff2ab5")
            .severity("High")
            .suppressionDuration("PT1H")
            .suppressionEnabled(false)
            .tactics(
                "Persistence",
                "LateralMovement")
            .triggerOperator("GreaterThan")
            .triggerThreshold(0)
            .workspaceName("myWorkspace")
            .build());
    }
}

Import

An existing resource can be imported using its type token, name, and identifier, e.g.

$ pulumi import azure-native:securityinsights:ScheduledAlertRule 73e01a99-5cd7-4139-a149-9f2736ff2ab5 /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}

Constructors

ScheduledAlertRuleArgs

constructor(alertDetailsOverride: Output<AlertDetailsOverrideArgs>? = null, alertRuleTemplateName: Output<String>? = null, customDetails: Output<Map<String, String>>? = null, description: Output<String>? = null, displayName: Output<String>? = null, enabled: Output<Boolean>? = null, entityMappings: Output<List<EntityMappingArgs>>? = null, eventGroupingSettings: Output<EventGroupingSettingsArgs>? = null, incidentConfiguration: Output<IncidentConfigurationArgs>? = null, kind: Output<String>? = null, query: Output<String>? = null, queryFrequency: Output<String>? = null, queryPeriod: Output<String>? = null, resourceGroupName: Output<String>? = null, ruleId: Output<String>? = null, severity: Output<Either<String, AlertSeverity>>? = null, suppressionDuration: Output<String>? = null, suppressionEnabled: Output<Boolean>? = null, tactics: Output<List<Either<String, AttackTactic>>>? = null, techniques: Output<List<String>>? = null, templateVersion: Output<String>? = null, triggerOperator: Output<TriggerOperator>? = null, triggerThreshold: Output<Int>? = null, workspaceName: Output<String>? = null)