Alert Rule Anomaly Duplicate
Manages a Duplicated Anomaly Alert Rule.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
// Resource group and Log Analytics workspace that Sentinel is enabled on.
const resourceGroup = new azure.core.ResourceGroup("example", {
  name: "example-resources",
  location: "West Europe",
});
const workspace = new azure.operationalinsights.AnalyticsWorkspace("example", {
  name: "example-law",
  location: resourceGroup.location,
  resourceGroupName: resourceGroup.name,
  sku: "PerGB2018",
});

// Onboard the workspace to Microsoft Sentinel. Customer-managed key encryption is
// left disabled in this example.
const onboarding = new azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", {
  workspaceId: workspace.id,
  customerManagedKeyEnabled: false,
});

// Look up the built-in anomaly rule to copy. The workspace id is read from the
// onboarding resource rather than the workspace itself, presumably so the lookup
// is ordered after onboarding has completed.
const builtInRule = azure.sentinel.getAlertRuleAnomalyOutput({
  logAnalyticsWorkspaceId: onboarding.workspaceId,
  displayName: "UEBA Anomalous Sign In",
});

// Duplicate the built-in rule with its own anomaly score threshold. `mode` is
// "Flighting" here (as opposed to a production mode — confirm the accepted values
// in the provider docs before changing it).
const duplicateRule = new azure.sentinel.AlertRuleAnomalyDuplicate("example", {
  displayName: "example duplicated UEBA Anomalous Sign In",
  logAnalyticsWorkspaceId: workspace.id,
  // Lifted property access on the Output; equivalent to .apply(r => r.id).
  builtInRuleId: builtInRule.id,
  enabled: true,
  mode: "Flighting",
  thresholdObservations: [{ name: "Anomaly score threshold", value: "0.6" }],
});
import pulumi
import pulumi_azure as azure
# Resource group and Log Analytics workspace that Sentinel is enabled on.
resource_group = azure.core.ResourceGroup(
    "example",
    name="example-resources",
    location="West Europe",
)
workspace = azure.operationalinsights.AnalyticsWorkspace(
    "example",
    name="example-law",
    location=resource_group.location,
    resource_group_name=resource_group.name,
    sku="PerGB2018",
)

# Onboard the workspace to Microsoft Sentinel; customer-managed key encryption is
# left disabled in this example.
onboarding = azure.sentinel.LogAnalyticsWorkspaceOnboarding(
    "example",
    workspace_id=workspace.id,
    customer_managed_key_enabled=False,
)

# Look up the built-in anomaly rule to copy. The workspace id is read from the
# onboarding resource rather than the workspace itself, presumably so the lookup
# is ordered after onboarding has completed.
built_in_rule = azure.sentinel.get_alert_rule_anomaly_output(
    log_analytics_workspace_id=onboarding.workspace_id,
    display_name="UEBA Anomalous Sign In",
)

# Duplicate the built-in rule with its own anomaly score threshold. mode is
# "Flighting" here (as opposed to a production mode -- confirm the accepted
# values in the provider docs before changing it).
duplicate_rule = azure.sentinel.AlertRuleAnomalyDuplicate(
    "example",
    display_name="example duplicated UEBA Anomalous Sign In",
    log_analytics_workspace_id=workspace.id,
    built_in_rule_id=built_in_rule.id,
    enabled=True,
    mode="Flighting",
    threshold_observations=[{"name": "Anomaly score threshold", "value": "0.6"}],
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
    // Resource group and Log Analytics workspace that Sentinel is enabled on.
    var resourceGroup = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example-resources",
        Location = "West Europe",
    });
    var workspace = new Azure.OperationalInsights.AnalyticsWorkspace("example", new()
    {
        Name = "example-law",
        Location = resourceGroup.Location,
        ResourceGroupName = resourceGroup.Name,
        Sku = "PerGB2018",
    });

    // Onboard the workspace to Microsoft Sentinel; customer-managed key encryption
    // is left disabled in this example.
    var onboarding = new Azure.Sentinel.LogAnalyticsWorkspaceOnboarding("example", new()
    {
        WorkspaceId = workspace.Id,
        CustomerManagedKeyEnabled = false,
    });

    // Look up the built-in anomaly rule to copy. The workspace id is read from the
    // onboarding resource rather than the workspace itself, presumably so the
    // lookup is ordered after onboarding has completed.
    var builtInRule = Azure.Sentinel.GetAlertRuleAnomaly.Invoke(new()
    {
        LogAnalyticsWorkspaceId = onboarding.WorkspaceId,
        DisplayName = "UEBA Anomalous Sign In",
    });

    // The single threshold observation the copy overrides.
    var threshold = new Azure.Sentinel.Inputs.AlertRuleAnomalyDuplicateThresholdObservationArgs
    {
        Name = "Anomaly score threshold",
        Value = "0.6",
    };

    // Duplicate the built-in rule. Mode is "Flighting" here (as opposed to a
    // production mode -- confirm the accepted values in the provider docs before
    // changing it).
    var duplicateRule = new Azure.Sentinel.AlertRuleAnomalyDuplicate("example", new()
    {
        DisplayName = "example duplicated UEBA Anomalous Sign In",
        LogAnalyticsWorkspaceId = workspace.Id,
        BuiltInRuleId = builtInRule.Apply(rule => rule.Id),
        Enabled = true,
        Mode = "Flighting",
        ThresholdObservations = new[] { threshold },
    });
});
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/operationalinsights"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/sentinel"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
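func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource group and Log Analytics workspace that Sentinel is enabled on.
		rg, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example-resources"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}
		workspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "example", &operationalinsights.AnalyticsWorkspaceArgs{
			Name:              pulumi.String("example-law"),
			Location:          rg.Location,
			ResourceGroupName: rg.Name,
			Sku:               pulumi.String("PerGB2018"),
		})
		if err != nil {
			return err
		}

		// Onboard the workspace to Microsoft Sentinel; customer-managed key
		// encryption is left disabled in this example.
		onboarding, err := sentinel.NewLogAnalyticsWorkspaceOnboarding(ctx, "example", &sentinel.LogAnalyticsWorkspaceOnboardingArgs{
			WorkspaceId:               workspace.ID(),
			CustomerManagedKeyEnabled: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}

		// Look up the built-in anomaly rule to copy. The workspace id is read from
		// the onboarding resource rather than the workspace itself, presumably so
		// the lookup is ordered after onboarding has completed.
		builtInRule := sentinel.GetAlertRuleAnomalyOutput(ctx, sentinel.GetAlertRuleAnomalyOutputArgs{
			LogAnalyticsWorkspaceId: onboarding.WorkspaceId,
			DisplayName:             pulumi.String("UEBA Anomalous Sign In"),
		}, nil)

		// Project the rule id out of the lookup result. The StringPtrOutput is passed
		// to BuiltInRuleId directly: wrapping it in pulumi.String(...) (as the earlier
		// version of this example did) is a conversion of a struct to a string type
		// and does not compile.
		builtInRuleId := builtInRule.ApplyT(func(result sentinel.GetAlertRuleAnomalyResult) (*string, error) {
			return &result.Id, nil
		}).(pulumi.StringPtrOutput)

		// The single threshold observation the copy overrides.
		thresholds := sentinel.AlertRuleAnomalyDuplicateThresholdObservationArray{
			&sentinel.AlertRuleAnomalyDuplicateThresholdObservationArgs{
				Name:  pulumi.String("Anomaly score threshold"),
				Value: pulumi.String("0.6"),
			},
		}

		// Duplicate the built-in rule. Mode is "Flighting" here (as opposed to a
		// production mode -- confirm the accepted values in the provider docs
		// before changing it).
		if _, err = sentinel.NewAlertRuleAnomalyDuplicate(ctx, "example", &sentinel.AlertRuleAnomalyDuplicateArgs{
			DisplayName:             pulumi.String("example duplicated UEBA Anomalous Sign In"),
			LogAnalyticsWorkspaceId: workspace.ID(),
			BuiltInRuleId:           builtInRuleId,
			Enabled:                 pulumi.Bool(true),
			Mode:                    pulumi.String("Flighting"),
			ThresholdObservations:   thresholds,
		}); err != nil {
			return err
		}
		return nil
	})
}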
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboarding;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboardingArgs;
import com.pulumi.azure.sentinel.SentinelFunctions;
import com.pulumi.azure.sentinel.inputs.GetAlertRuleAnomalyArgs;
import com.pulumi.azure.sentinel.AlertRuleAnomalyDuplicate;
import com.pulumi.azure.sentinel.AlertRuleAnomalyDuplicateArgs;
import com.pulumi.azure.sentinel.inputs.AlertRuleAnomalyDuplicateThresholdObservationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines the stack: a Sentinel-enabled Log Analytics workspace and a duplicate
     * of the built-in "UEBA Anomalous Sign In" anomaly rule with its own threshold.
     */
    public static void stack(Context ctx) {
        // Resource group and Log Analytics workspace that Sentinel is enabled on.
        final var resourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()
            .name("example-resources")
            .location("West Europe")
            .build());
        final var workspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()
            .name("example-law")
            .location(resourceGroup.location())
            .resourceGroupName(resourceGroup.name())
            .sku("PerGB2018")
            .build());

        // Onboard the workspace to Microsoft Sentinel; customer-managed key
        // encryption is left disabled in this example.
        final var onboarding = new LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", LogAnalyticsWorkspaceOnboardingArgs.builder()
            .workspaceId(workspace.id())
            .customerManagedKeyEnabled(false)
            .build());

        // Look up the built-in anomaly rule to copy. The workspace id is read from
        // the onboarding resource rather than the workspace itself, presumably so
        // the lookup is ordered after onboarding has completed.
        final var builtInRule = SentinelFunctions.getAlertRuleAnomaly(GetAlertRuleAnomalyArgs.builder()
            .logAnalyticsWorkspaceId(onboarding.workspaceId())
            .displayName("UEBA Anomalous Sign In")
            .build());

        // The single threshold observation the copy overrides.
        final var threshold = AlertRuleAnomalyDuplicateThresholdObservationArgs.builder()
            .name("Anomaly score threshold")
            .value("0.6")
            .build();

        // Duplicate the built-in rule. Mode is "Flighting" here (as opposed to a
        // production mode -- confirm the accepted values in the provider docs
        // before changing it).
        final var duplicateRule = new AlertRuleAnomalyDuplicate("exampleAlertRuleAnomalyDuplicate", AlertRuleAnomalyDuplicateArgs.builder()
            .displayName("example duplicated UEBA Anomalous Sign In")
            .logAnalyticsWorkspaceId(workspace.id())
            .builtInRuleId(builtInRule.applyValue(rule -> rule.id()))
            .enabled(true)
            .mode("Flighting")
            .thresholdObservations(threshold)
            .build());
    }
}
resources:
  # Resource group and Log Analytics workspace that Sentinel is enabled on.
  exampleResourceGroup:
    type: azure:core:ResourceGroup
    name: example
    properties:
      name: example-resources
      location: West Europe
  exampleAnalyticsWorkspace:
    type: azure:operationalinsights:AnalyticsWorkspace
    name: example
    properties:
      name: example-law
      location: ${exampleResourceGroup.location}
      resourceGroupName: ${exampleResourceGroup.name}
      sku: PerGB2018
  # Onboard the workspace to Microsoft Sentinel; customer-managed key encryption
  # is left disabled in this example.
  exampleLogAnalyticsWorkspaceOnboarding:
    type: azure:sentinel:LogAnalyticsWorkspaceOnboarding
    name: example
    properties:
      workspaceId: ${exampleAnalyticsWorkspace.id}
      customerManagedKeyEnabled: false
  # Duplicate of the built-in rule looked up under `variables.example`, with its
  # own anomaly score threshold. mode is Flighting here (as opposed to a
  # production mode -- confirm the accepted values in the provider docs).
  exampleAlertRuleAnomalyDuplicate:
    type: azure:sentinel:AlertRuleAnomalyDuplicate
    name: example
    properties:
      displayName: example duplicated UEBA Anomalous Sign In
      logAnalyticsWorkspaceId: ${exampleAnalyticsWorkspace.id}
      builtInRuleId: ${example.id}
      enabled: true
      mode: Flighting
      thresholdObservations:
        - name: Anomaly score threshold
          value: '0.6'
variables:
  # Look up the built-in anomaly rule to copy. The workspace id is read from the
  # onboarding resource rather than the workspace itself, presumably so the
  # lookup is ordered after onboarding has completed.
  example:
    fn::invoke:
      function: azure:sentinel:getAlertRuleAnomaly
      arguments:
        logAnalyticsWorkspaceId: ${exampleLogAnalyticsWorkspaceOnboarding.workspaceId}
        displayName: UEBA Anomalous Sign In
Import
Built-in Anomaly Alert Rules can be imported using the resource id, e.g.
$ pulumi import azure:sentinel/alertRuleAnomalyDuplicate:AlertRuleAnomalyDuplicate example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/setting1
Properties
The version of the Anomaly Security ML Analytics Settings.
The anomaly version of the Anomaly Alert Rule.
The ID of the built-in Anomaly Alert Rule. Changing this forces a new Duplicated Anomaly Alert Rule to be created.
The description of the Anomaly Alert Rule.
The Display Name of the built-in Anomaly Alert Rule.
Whether the current settings of the Anomaly Alert Rule equal the default settings.
The ID of the Log Analytics Workspace. Changing this forces a new Duplicated Anomaly Alert Rule to be created.
A list of multi_select_observation blocks as defined below.
A list of prioritized_exclude_observation blocks as defined below.
A required_data_connector block as defined below.
The ID of the anomaly settings definition.
A list of single_select_observation blocks as defined below.
A list of attack techniques by which to classify the rule.
A list of threshold_observation blocks as defined below.