pulumi-gcp-kotlin/com.pulumi.gcp.chronicle.kotlin/Rule

Rule

class Rule : KotlinCustomResource

The Rule resource represents a user-created rule. To get more information about Rule, see:

Example Usage

Chronicle Rule Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const example = new gcp.chronicle.Rule("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    deletionPolicy: "DEFAULT",
    text: "rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n",
});
Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
example = gcp.chronicle.Rule("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    deletion_policy="DEFAULT",
    text="rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n")
Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var example = new Gcp.Chronicle.Rule("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DeletionPolicy = "DEFAULT",
        Text = @"rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
",
    });
});
Content copied to clipboard
package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := chronicle.NewRule(ctx, "example", &chronicle.RuleArgs{
			Location:       pulumi.String("us"),
			Instance:       pulumi.String("00000000-0000-0000-0000-000000000000"),
			DeletionPolicy: pulumi.String("DEFAULT"),
			Text:           pulumi.String("rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.Rule;
import com.pulumi.gcp.chronicle.RuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var example = new Rule("example", RuleArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .deletionPolicy("DEFAULT")
            .text("""
rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
            """)
            .build());
    }
}
Content copied to clipboard
resources:
  example:
    type: gcp:chronicle:Rule
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      deletionPolicy: DEFAULT
      text: |
        rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
Content copied to clipboard

Chronicle Rule With Force Deletion

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const example = new gcp.chronicle.Rule("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    deletionPolicy: "FORCE",
    text: "rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n",
});
Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
example = gcp.chronicle.Rule("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    deletion_policy="FORCE",
    text="rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n")
Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var example = new Gcp.Chronicle.Rule("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DeletionPolicy = "FORCE",
        Text = @"rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
",
    });
});
Content copied to clipboard
package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := chronicle.NewRule(ctx, "example", &chronicle.RuleArgs{
			Location:       pulumi.String("us"),
			Instance:       pulumi.String("00000000-0000-0000-0000-000000000000"),
			DeletionPolicy: pulumi.String("FORCE"),
			Text:           pulumi.String("rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.Rule;
import com.pulumi.gcp.chronicle.RuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var example = new Rule("example", RuleArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .deletionPolicy("FORCE")
            .text("""
rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
            """)
            .build());
    }
}
Content copied to clipboard
resources:
  example:
    type: gcp:chronicle:Rule
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      deletionPolicy: FORCE
      text: |
        rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
Content copied to clipboard

Chronicle Rule With Data Access Scope

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const dataAccessScopeTest = new gcp.chronicle.DataAccessScope("data_access_scope_test", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessScopeId: "scope-name",
    description: "scope-description",
    allowedDataAccessLabels: [{
        logType: "GCP_CLOUDAUDIT",
    }],
});
const example = new gcp.chronicle.Rule("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    scope: googleChronicleDataAccessScope.dataAccessScopeTest.name,
    text: "rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n",
});
Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
data_access_scope_test = gcp.chronicle.DataAccessScope("data_access_scope_test",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_scope_id="scope-name",
    description="scope-description",
    allowed_data_access_labels=[{
        "log_type": "GCP_CLOUDAUDIT",
    }])
example = gcp.chronicle.Rule("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    scope=google_chronicle_data_access_scope["dataAccessScopeTest"]["name"],
    text="rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n")
Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var dataAccessScopeTest = new Gcp.Chronicle.DataAccessScope("data_access_scope_test", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessScopeId = "scope-name",
        Description = "scope-description",
        AllowedDataAccessLabels = new[]
        {
            new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
            {
                LogType = "GCP_CLOUDAUDIT",
            },
        },
    });
    var example = new Gcp.Chronicle.Rule("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        Scope = googleChronicleDataAccessScope.DataAccessScopeTest.Name,
        Text = @"rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
",
    });
});
Content copied to clipboard
package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := chronicle.NewDataAccessScope(ctx, "data_access_scope_test", &chronicle.DataAccessScopeArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessScopeId: pulumi.String("scope-name"),
			Description:       pulumi.String("scope-description"),
			AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
				&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
					LogType: pulumi.String("GCP_CLOUDAUDIT"),
				},
			},
		})
		if err != nil {
			return err
		}
		_, err = chronicle.NewRule(ctx, "example", &chronicle.RuleArgs{
			Location: pulumi.String("us"),
			Instance: pulumi.String("00000000-0000-0000-0000-000000000000"),
			Scope:    pulumi.Any(googleChronicleDataAccessScope.DataAccessScopeTest.Name),
			Text:     pulumi.String("rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelArgs;
import com.pulumi.gcp.chronicle.Rule;
import com.pulumi.gcp.chronicle.RuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var dataAccessScopeTest = new DataAccessScope("dataAccessScopeTest", DataAccessScopeArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessScopeId("scope-name")
            .description("scope-description")
            .allowedDataAccessLabels(DataAccessScopeAllowedDataAccessLabelArgs.builder()
                .logType("GCP_CLOUDAUDIT")
                .build())
            .build());
        var example = new Rule("example", RuleArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .scope(googleChronicleDataAccessScope.dataAccessScopeTest().name())
            .text("""
rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
            """)
            .build());
    }
}
Content copied to clipboard
resources:
  dataAccessScopeTest:
    type: gcp:chronicle:DataAccessScope
    name: data_access_scope_test
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessScopeId: scope-name
      description: scope-description
      allowedDataAccessLabels:
        - logType: GCP_CLOUDAUDIT
  example:
    type: gcp:chronicle:Rule
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      scope: ${googleChronicleDataAccessScope.dataAccessScopeTest.name}
      text: |
        rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
Content copied to clipboard

Import

Rule can be imported using any of these accepted formats:

  • projects/{{project}}/locations/{{location}}/instances/{{instance}}/rules/{{rule_id}}

  • {{project}}/{{location}}/{{instance}}/{{rule_id}}

  • {{location}}/{{instance}}/{{rule_id}} When using the pulumi import command, Rule can be imported using one of the formats above. For example:

$ pulumi import gcp:chronicle/rule:Rule default projects/{{project}}/locations/{{location}}/instances/{{instance}}/rules/{{rule_id}}
Content copied to clipboard
$ pulumi import gcp:chronicle/rule:Rule default {{project}}/{{location}}/{{instance}}/{{rule_id}}
Content copied to clipboard
$ pulumi import gcp:chronicle/rule:Rule default {{location}}/{{instance}}/{{rule_id}}
Content copied to clipboard

Properties

Link copied to clipboard
val allowedRunFrequencies: Output<List<String>>

Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.

Link copied to clipboard
val author: Output<String>

Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.

Link copied to clipboard
val compilationDiagnostics: Output<List<RuleCompilationDiagnostic>>

Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. Structure is documented below.

Link copied to clipboard
val compilationState: Output<String>

Output only. The current compilation state of the rule. Populated in FULL view. Possible values: COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED

Link copied to clipboard
val createTime: Output<String>

Output only. The timestamp of when the rule was created. Populated in FULL view.

Link copied to clipboard
val dataTables: Output<List<String>>

Output only. Resource names of the data tables used in this rule.

Link copied to clipboard
val deletionPolicy: Output<String>?

Policy to determine if the rule should be deleted forcefully. If deletion_policy = "FORCE", any retrohunts and any detections associated with the rule will also be deleted. If deletion_policy = "DEFAULT", the call will only succeed if the rule has no associated retrohunts, including completed retrohunts, and no associated detections. Regardless of this field's value, the rule deployment associated with this rule will also be deleted. Possible values: DEFAULT, FORCE

Link copied to clipboard
val displayName: Output<String>

The display name of the severity level. Extracted from the meta section of the rule text.

Link copied to clipboard
val etag: Output<String>

The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.

Link copied to clipboard
val id: Output<String>
Link copied to clipboard
val instance: Output<String>

The unique identifier for the Chronicle instance, which is the same as the customer ID.

Link copied to clipboard
val location: Output<String>

The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".

Link copied to clipboard
val metadata: Output<Map<String, String>>

Output only. Additional metadata specified in the meta section of text. Populated in FULL view.

Link copied to clipboard
val name: Output<String>

Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}

Link copied to clipboard
val nearRealTimeLiveRuleEligible: Output<Boolean>

Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.

Link copied to clipboard
val project: Output<String>

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Link copied to clipboard
val pulumiChildResources: Set<KotlinResource>
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
val referenceLists: Output<List<String>>

Output only. Resource names of the reference lists used in this rule. Populated in FULL view.

Link copied to clipboard
val revisionCreateTime: Output<String>

Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.

Link copied to clipboard
val revisionId: Output<String>

Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.

Link copied to clipboard
val ruleId: Output<String>

Rule Id is the ID of the Rule.

Link copied to clipboard
val scope: Output<String>?

Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".

Link copied to clipboard
val severities: Output<List<RuleSeverity>>

(Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR

Link copied to clipboard
val text: Output<String>?

The YARA-L content of the rule. Populated in FULL view.

Link copied to clipboard
val type: Output<String>

Possible values: RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT

Link copied to clipboard
val urn: Output<String>