pulumi-azure-kotlin/com.pulumi.azure.sentinel.kotlin/AlertRuleScheduledArgs

AlertRuleScheduledArgs

data class AlertRuleScheduledArgs(val alertDetailsOverrides: Output<List<AlertRuleScheduledAlertDetailsOverrideArgs>>? = null, val alertRuleTemplateGuid: Output<String>? = null, val alertRuleTemplateVersion: Output<String>? = null, val customDetails: Output<Map<String, String>>? = null, val description: Output<String>? = null, val displayName: Output<String>? = null, val enabled: Output<Boolean>? = null, val entityMappings: Output<List<AlertRuleScheduledEntityMappingArgs>>? = null, val eventGrouping: Output<AlertRuleScheduledEventGroupingArgs>? = null, val incidentConfiguration: Output<AlertRuleScheduledIncidentConfigurationArgs>? = null, val logAnalyticsWorkspaceId: Output<String>? = null, val name: Output<String>? = null, val query: Output<String>? = null, val queryFrequency: Output<String>? = null, val queryPeriod: Output<String>? = null, val sentinelEntityMappings: Output<List<AlertRuleScheduledSentinelEntityMappingArgs>>? = null, val severity: Output<String>? = null, val suppressionDuration: Output<String>? = null, val suppressionEnabled: Output<Boolean>? = null, val tactics: Output<List<String>>? = null, val techniques: Output<List<String>>? = null, val triggerOperator: Output<String>? = null, val triggerThreshold: Output<Int>? = null) : ConvertibleToJava<AlertRuleScheduledArgs>

Manages a Sentinel Scheduled Alert Rule.

Example Usage

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboarding;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboardingArgs;
import com.pulumi.azure.sentinel.AlertRuleScheduled;
import com.pulumi.azure.sentinel.AlertRuleScheduledArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example-resources")
            .location("West Europe")
            .build());
        var exampleAnalyticsWorkspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()
            .name("example-workspace")
            .location(example.location())
            .resourceGroupName(example.name())
            .sku("PerGB2018")
            .build());
        var exampleLogAnalyticsWorkspaceOnboarding = new LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", LogAnalyticsWorkspaceOnboardingArgs.builder()
            .workspaceId(exampleAnalyticsWorkspace.id())
            .build());
        var exampleAlertRuleScheduled = new AlertRuleScheduled("exampleAlertRuleScheduled", AlertRuleScheduledArgs.builder()
            .name("example")
            .logAnalyticsWorkspaceId(exampleLogAnalyticsWorkspaceOnboarding.workspaceId())
            .displayName("example")
            .severity("High")
            .query("""
AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
            """)
            .build());
    }
}

Import

Sentinel Scheduled Alert Rules can be imported using the resource id, e.g.

$ pulumi import azure:sentinel/alertRuleScheduled:AlertRuleScheduled example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1

Constructors

AlertRuleScheduledArgs

fun AlertRuleScheduledArgs(alertDetailsOverrides: Output<List<AlertRuleScheduledAlertDetailsOverrideArgs>>? = null, alertRuleTemplateGuid: Output<String>? = null, alertRuleTemplateVersion: Output<String>? = null, customDetails: Output<Map<String, String>>? = null, description: Output<String>? = null, displayName: Output<String>? = null, enabled: Output<Boolean>? = null, entityMappings: Output<List<AlertRuleScheduledEntityMappingArgs>>? = null, eventGrouping: Output<AlertRuleScheduledEventGroupingArgs>? = null, incidentConfiguration: Output<AlertRuleScheduledIncidentConfigurationArgs>? = null, logAnalyticsWorkspaceId: Output<String>? = null, name: Output<String>? = null, query: Output<String>? = null, queryFrequency: Output<String>? = null, queryPeriod: Output<String>? = null, sentinelEntityMappings: Output<List<AlertRuleScheduledSentinelEntityMappingArgs>>? = null, severity: Output<String>? = null, suppressionDuration: Output<String>? = null, suppressionEnabled: Output<Boolean>? = null, tactics: Output<List<String>>? = null, techniques: Output<List<String>>? = null, triggerOperator: Output<String>? = null, triggerThreshold: Output<Int>? = null)

Functions

toJava

open override fun toJava(): AlertRuleScheduledArgs

Properties

alertDetailsOverrides

val alertDetailsOverrides: Output<List<AlertRuleScheduledAlertDetailsOverrideArgs>>? = null

An alert_details_override block as defined below.

alertRuleTemplateGuid

val alertRuleTemplateGuid: Output<String>? = null

The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

alertRuleTemplateVersion

val alertRuleTemplateVersion: Output<String>? = null

The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

customDetails

val customDetails: Output<Map<String, String>>? = null

A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.

description

val description: Output<String>? = null

The description of this Sentinel Scheduled Alert Rule.

displayName

val displayName: Output<String>? = null

The friendly name of this Sentinel Scheduled Alert Rule.

enabled

val enabled: Output<Boolean>? = null

Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.

entityMappings

val entityMappings: Output<List<AlertRuleScheduledEntityMappingArgs>>? = null

A list of entity_mapping blocks as defined below.

eventGrouping

val eventGrouping: Output<AlertRuleScheduledEventGroupingArgs>? = null

A event_grouping block as defined below.

incidentConfiguration

val incidentConfiguration: Output<AlertRuleScheduledIncidentConfigurationArgs>? = null

A incident_configuration block as defined below.

logAnalyticsWorkspaceId

val logAnalyticsWorkspaceId: Output<String>? = null

The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

name

val name: Output<String>? = null

The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

query

val query: Output<String>? = null

The query of this Sentinel Scheduled Alert Rule.

queryFrequency

val queryFrequency: Output<String>? = null

The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.

queryPeriod

val queryPeriod: Output<String>? = null

The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.

sentinelEntityMappings

val sentinelEntityMappings: Output<List<AlertRuleScheduledSentinelEntityMappingArgs>>? = null

A list of sentinel_entity_mapping blocks as defined below.

severity

val severity: Output<String>? = null

The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.

suppressionDuration

val suppressionDuration: Output<String>? = null

If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.

suppressionEnabled

val suppressionEnabled: Output<Boolean>? = null

Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.

tactics

val tactics: Output<List<String>>? = null

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, ImpairProcessControl, InhibitResponseFunction, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation, PreAttack, Reconnaissance and ResourceDevelopment.

techniques

val techniques: Output<List<String>>? = null

A list of techniques of attacks by which to classify the rule.

triggerOperator

val triggerOperator: Output<String>? = null

The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual. Defaults to GreaterThan.

triggerThreshold

val triggerThreshold: Output<Int>? = null

The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule. Defaults to 0.