azure.sentinel.AlertRuleScheduled
Manages a Sentinel Scheduled Alert Rule.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
// Resource group that holds the Log Analytics workspace.
const example = new azure.core.ResourceGroup("example", {
    name: "example-resources",
    location: "West Europe",
});
// Log Analytics workspace the rule's KQL query runs against.
const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("example", {
    name: "example-workspace",
    location: example.location,
    resourceGroupName: example.name,
    sku: "PerGB2018",
});
// Enables Sentinel on the workspace. The rule below reads `workspaceId` from this
// resource rather than from the workspace itself, so it depends on onboarding.
const exampleLogAnalyticsWorkspaceOnboarding = new azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", {workspaceId: exampleAnalyticsWorkspace.id});
// Scheduled analytics rule with only the required inputs set. queryFrequency,
// queryPeriod, triggerOperator and triggerThreshold keep their documented
// defaults (see Inputs); tactics/techniques classification is left unset.
const exampleAlertRuleScheduled = new azure.sentinel.AlertRuleScheduled("example", {
    name: "example",
    logAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.workspaceId,
    displayName: "example",
    severity: "High",
    // KQL: per caller, a daily series of distinct resources with a succeeded
    // VM create/update or deployment over the last 7 days.
    // NOTE(review): queryPeriod defaults to PT5H (see Inputs) while this query
    // spans ago(7d); set queryPeriod explicitly if the full window is intended — confirm.
    query: `AzureActivity |
where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
where ActivityStatus == "Succeeded" |
make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
`,
});
import pulumi
import pulumi_azure as azure
# Resource group that holds the Log Analytics workspace.
example = azure.core.ResourceGroup("example",
    name="example-resources",
    location="West Europe")
# Log Analytics workspace the rule's KQL query runs against.
example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("example",
    name="example-workspace",
    location=example.location,
    resource_group_name=example.name,
    sku="PerGB2018")
# Enables Sentinel on the workspace. The rule below reads `workspace_id` from this
# resource rather than from the workspace itself, so it depends on onboarding.
example_log_analytics_workspace_onboarding = azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", workspace_id=example_analytics_workspace.id)
# Scheduled analytics rule with only the required inputs set. query_frequency,
# query_period, trigger_operator and trigger_threshold keep their documented
# defaults (see Inputs); tactics/techniques classification is left unset.
example_alert_rule_scheduled = azure.sentinel.AlertRuleScheduled("example",
    name="example",
    log_analytics_workspace_id=example_log_analytics_workspace_onboarding.workspace_id,
    display_name="example",
    severity="High",
    # KQL: per caller, a daily series of distinct resources with a succeeded
    # VM create/update or deployment over the last 7 days.
    # NOTE(review): query_period defaults to PT5H (see Inputs) while this query
    # spans ago(7d); set query_period explicitly if the full window is intended — confirm.
    query="""AzureActivity |
where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
where ActivityStatus == "Succeeded" |
make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
""")
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/operationalinsights"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/sentinel"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs the example Pulumi program: a resource group, a Log Analytics
// workspace, Sentinel onboarding of that workspace, and one scheduled
// analytics (alert) rule on it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource group that holds the Log Analytics workspace.
		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example-resources"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}
		// Log Analytics workspace the rule's KQL query runs against.
		exampleAnalyticsWorkspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "example", &operationalinsights.AnalyticsWorkspaceArgs{
			Name:              pulumi.String("example-workspace"),
			Location:          example.Location,
			ResourceGroupName: example.Name,
			Sku:               pulumi.String("PerGB2018"),
		})
		if err != nil {
			return err
		}
		// Enables Sentinel on the workspace. The rule below reads WorkspaceId from
		// this resource rather than from the workspace itself, so it depends on onboarding.
		exampleLogAnalyticsWorkspaceOnboarding, err := sentinel.NewLogAnalyticsWorkspaceOnboarding(ctx, "example", &sentinel.LogAnalyticsWorkspaceOnboardingArgs{
			WorkspaceId: exampleAnalyticsWorkspace.ID(),
		})
		if err != nil {
			return err
		}
		// Scheduled analytics rule with only the required inputs set. QueryFrequency,
		// QueryPeriod, TriggerOperator and TriggerThreshold keep their documented
		// defaults (see Inputs); Tactics/Techniques classification is left unset.
		// The KQL builds, per caller, a daily series of distinct resources with a
		// succeeded VM create/update or deployment over the last 7 days.
		// NOTE(review): QueryPeriod defaults to PT5H (see Inputs) while the query
		// spans ago(7d); set QueryPeriod explicitly if the full window is intended — confirm.
		_, err = sentinel.NewAlertRuleScheduled(ctx, "example", &sentinel.AlertRuleScheduledArgs{
			Name:                    pulumi.String("example"),
			LogAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
			DisplayName:             pulumi.String("example"),
			Severity:                pulumi.String("High"),
			Query:                   pulumi.String("AzureActivity |\n where OperationName == \"Create or Update Virtual Machine\" or OperationName ==\"Create Deployment\" |\n where ActivityStatus == \"Succeeded\" |\n make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller\n"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
// Top-level entry point: a resource group, a Log Analytics workspace, Sentinel
// onboarding of that workspace, and one scheduled analytics (alert) rule on it.
return await Deployment.RunAsync(() =>
{
    // Resource group that holds the Log Analytics workspace.
    var example = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example-resources",
        Location = "West Europe",
    });
    // Log Analytics workspace the rule's KQL query runs against.
    var exampleAnalyticsWorkspace = new Azure.OperationalInsights.AnalyticsWorkspace("example", new()
    {
        Name = "example-workspace",
        Location = example.Location,
        ResourceGroupName = example.Name,
        Sku = "PerGB2018",
    });
    // Enables Sentinel on the workspace. The rule below reads WorkspaceId from this
    // resource rather than from the workspace itself, so it depends on onboarding.
    var exampleLogAnalyticsWorkspaceOnboarding = new Azure.Sentinel.LogAnalyticsWorkspaceOnboarding("example", new()
    {
        WorkspaceId = exampleAnalyticsWorkspace.Id,
    });
    // Scheduled analytics rule with only the required inputs set. QueryFrequency,
    // QueryPeriod, TriggerOperator and TriggerThreshold keep their documented
    // defaults (see Inputs); Tactics/Techniques classification is left unset.
    var exampleAlertRuleScheduled = new Azure.Sentinel.AlertRuleScheduled("example", new()
    {
        Name = "example",
        LogAnalyticsWorkspaceId = exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
        DisplayName = "example",
        Severity = "High",
        // KQL: per caller, a daily series of distinct resources with a succeeded
        // VM create/update or deployment over the last 7 days.
        // NOTE(review): QueryPeriod defaults to PT5H (see Inputs) while this query
        // spans ago(7d); set QueryPeriod explicitly if the full window is intended — confirm.
        Query = @"AzureActivity |
where OperationName == ""Create or Update Virtual Machine"" or OperationName ==""Create Deployment"" |
where ActivityStatus == ""Succeeded"" |
make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
",
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboarding;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboardingArgs;
import com.pulumi.azure.sentinel.AlertRuleScheduled;
import com.pulumi.azure.sentinel.AlertRuleScheduledArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Example Pulumi program: creates a resource group and a Log Analytics
 * workspace, onboards the workspace to Sentinel, and defines one scheduled
 * analytics (alert) rule on it.
 */
public class App {
    /** Pulumi entry point; delegates resource declaration to {@link #stack(Context)}. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the example resources.
     *
     * @param ctx the deployment context supplied by Pulumi (not referenced
     *            directly; the resource constructors register themselves)
     */
    public static void stack(Context ctx) {
        // Resource group that holds the Log Analytics workspace.
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example-resources")
            .location("West Europe")
            .build());
        // Log Analytics workspace the rule's KQL query runs against.
        var exampleAnalyticsWorkspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()
            .name("example-workspace")
            .location(example.location())
            .resourceGroupName(example.name())
            .sku("PerGB2018")
            .build());
        // Enables Sentinel on the workspace. The rule below reads workspaceId() from
        // this resource rather than from the workspace itself, so it depends on onboarding.
        var exampleLogAnalyticsWorkspaceOnboarding = new LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", LogAnalyticsWorkspaceOnboardingArgs.builder()
            .workspaceId(exampleAnalyticsWorkspace.id())
            .build());
        // Scheduled analytics rule with only the required inputs set. queryFrequency,
        // queryPeriod, triggerOperator and triggerThreshold keep their documented
        // defaults (see Inputs); tactics/techniques classification is left unset.
        // The KQL builds, per caller, a daily series of distinct resources with a
        // succeeded VM create/update or deployment over the last 7 days.
        // NOTE(review): queryPeriod defaults to PT5H (see Inputs) while the query
        // spans ago(7d); set queryPeriod explicitly if the full window is intended — confirm.
        var exampleAlertRuleScheduled = new AlertRuleScheduled("exampleAlertRuleScheduled", AlertRuleScheduledArgs.builder()
            .name("example")
            .logAnalyticsWorkspaceId(exampleLogAnalyticsWorkspaceOnboarding.workspaceId())
            .displayName("example")
            .severity("High")
            .query("""
                AzureActivity |
                 where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
                 where ActivityStatus == "Succeeded" |
                 make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
                """)
            .build());
    }
}
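# Example Pulumi YAML program. Indentation restored: the flattened form is not
# a valid nested document. Declares a resource group, a Log Analytics workspace,
# Sentinel onboarding of that workspace, and one scheduled analytics rule.
resources:
  # Resource group that holds the Log Analytics workspace.
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example-resources
      location: West Europe
  # Log Analytics workspace the rule's KQL query runs against.
  exampleAnalyticsWorkspace:
    type: azure:operationalinsights:AnalyticsWorkspace
    name: example
    properties:
      name: example-workspace
      location: ${example.location}
      resourceGroupName: ${example.name}
      sku: PerGB2018
  # Enables Sentinel on the workspace. The rule below reads workspaceId from
  # this resource rather than from the workspace itself, so it depends on onboarding.
  exampleLogAnalyticsWorkspaceOnboarding:
    type: azure:sentinel:LogAnalyticsWorkspaceOnboarding
    name: example
    properties:
      workspaceId: ${exampleAnalyticsWorkspace.id}
  # Scheduled analytics rule with only the required inputs set. queryFrequency,
  # queryPeriod, triggerOperator and triggerThreshold keep their documented
  # defaults (see Inputs); tactics/techniques classification is left unset.
  # NOTE(review): queryPeriod defaults to PT5H (see Inputs) while the query
  # spans ago(7d); set queryPeriod explicitly if the full window is intended — confirm.
  exampleAlertRuleScheduled:
    type: azure:sentinel:AlertRuleScheduled
    name: example
    properties:
      name: example
      logAnalyticsWorkspaceId: ${exampleLogAnalyticsWorkspaceOnboarding.workspaceId}
      displayName: example
      severity: High
      query: |
        AzureActivity |
         where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
         where ActivityStatus == "Succeeded" |
         make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller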
Create AlertRuleScheduled Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AlertRuleScheduled(name: string, args: AlertRuleScheduledArgs, opts?: CustomResourceOptions);
@overload
def AlertRuleScheduled(resource_name: str,
args: AlertRuleScheduledArgs,
opts: Optional[ResourceOptions] = None)
@overload
def AlertRuleScheduled(resource_name: str,
opts: Optional[ResourceOptions] = None,
log_analytics_workspace_id: Optional[str] = None,
display_name: Optional[str] = None,
severity: Optional[str] = None,
query: Optional[str] = None,
enabled: Optional[bool] = None,
query_frequency: Optional[str] = None,
alert_rule_template_guid: Optional[str] = None,
entity_mappings: Optional[Sequence[AlertRuleScheduledEntityMappingArgs]] = None,
event_grouping: Optional[AlertRuleScheduledEventGroupingArgs] = None,
custom_details: Optional[Mapping[str, str]] = None,
alert_rule_template_version: Optional[str] = None,
trigger_threshold: Optional[int] = None,
incident: Optional[AlertRuleScheduledIncidentArgs] = None,
description: Optional[str] = None,
query_period: Optional[str] = None,
sentinel_entity_mappings: Optional[Sequence[AlertRuleScheduledSentinelEntityMappingArgs]] = None,
alert_details_overrides: Optional[Sequence[AlertRuleScheduledAlertDetailsOverrideArgs]] = None,
suppression_duration: Optional[str] = None,
suppression_enabled: Optional[bool] = None,
tactics: Optional[Sequence[str]] = None,
techniques: Optional[Sequence[str]] = None,
trigger_operator: Optional[str] = None,
name: Optional[str] = None)
func NewAlertRuleScheduled(ctx *Context, name string, args AlertRuleScheduledArgs, opts ...ResourceOption) (*AlertRuleScheduled, error)
public AlertRuleScheduled(string name, AlertRuleScheduledArgs args, CustomResourceOptions? opts = null)
public AlertRuleScheduled(String name, AlertRuleScheduledArgs args)
public AlertRuleScheduled(String name, AlertRuleScheduledArgs args, CustomResourceOptions options)
type: azure:sentinel:AlertRuleScheduled
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AlertRuleScheduledArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AlertRuleScheduledArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AlertRuleScheduledArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AlertRuleScheduledArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AlertRuleScheduledArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference example: every input is set to a placeholder ("string", 0, false).
// The values are not meaningful; the shape shows which inputs exist and how
// nested blocks are expressed. See Inputs below for defaults and constraints.
var alertRuleScheduledResource = new Azure.Sentinel.AlertRuleScheduled("alertRuleScheduledResource", new()
{
    LogAnalyticsWorkspaceId = "string",
    DisplayName = "string",
    Severity = "string",
    Query = "string",
    // Defaults to true when omitted (Inputs).
    Enabled = false,
    QueryFrequency = "string",
    AlertRuleTemplateGuid = "string",
    // EntityMappings and SentinelEntityMappings together may not exceed 5 (Inputs).
    EntityMappings = new[]
    {
        new Azure.Sentinel.Inputs.AlertRuleScheduledEntityMappingArgs
        {
            EntityType = "string",
            FieldMappings = new[]
            {
                new Azure.Sentinel.Inputs.AlertRuleScheduledEntityMappingFieldMappingArgs
                {
                    ColumnName = "string",
                    Identifier = "string",
                },
            },
        },
    },
    EventGrouping = new Azure.Sentinel.Inputs.AlertRuleScheduledEventGroupingArgs
    {
        AggregationMethod = "string",
    },
    CustomDetails =
    {
        { "string", "string" },
    },
    AlertRuleTemplateVersion = "string",
    // Combined with TriggerOperator; defaults to 0 and GreaterThan (Inputs).
    TriggerThreshold = 0,
    Incident = new Azure.Sentinel.Inputs.AlertRuleScheduledIncidentArgs
    {
        CreateIncidentEnabled = false,
        Grouping = new Azure.Sentinel.Inputs.AlertRuleScheduledIncidentGroupingArgs
        {
            ByAlertDetails = new[]
            {
                "string",
            },
            ByCustomDetails = new[]
            {
                "string",
            },
            ByEntities = new[]
            {
                "string",
            },
            Enabled = false,
            EntityMatchingMethod = "string",
            LookbackDuration = "string",
            ReopenClosedIncidents = false,
        },
    },
    Description = "string",
    // Must be >= QueryFrequency (Inputs).
    QueryPeriod = "string",
    SentinelEntityMappings = new[]
    {
        new Azure.Sentinel.Inputs.AlertRuleScheduledSentinelEntityMappingArgs
        {
            ColumnName = "string",
        },
    },
    AlertDetailsOverrides = new[]
    {
        new Azure.Sentinel.Inputs.AlertRuleScheduledAlertDetailsOverrideArgs
        {
            DescriptionFormat = "string",
            DisplayNameFormat = "string",
            DynamicProperties = new[]
            {
                new Azure.Sentinel.Inputs.AlertRuleScheduledAlertDetailsOverrideDynamicPropertyArgs
                {
                    Name = "string",
                    Value = "string",
                },
            },
            SeverityColumnName = "string",
            TacticsColumnName = "string",
        },
    },
    // Only effective when SuppressionEnabled is true and the duration is >= QueryFrequency (Inputs).
    SuppressionDuration = "string",
    SuppressionEnabled = false,
    // Attack classification; Tactics is limited to the set listed under Inputs.
    Tactics = new[]
    {
        "string",
    },
    Techniques = new[]
    {
        "string",
    },
    TriggerOperator = "string",
    Name = "string",
});
// Reference example: every input is set to a placeholder ("string", 0, false).
// The values are not meaningful; the shape shows which inputs exist and how
// nested blocks are expressed. See Inputs below for defaults and constraints.
example, err := sentinel.NewAlertRuleScheduled(ctx, "alertRuleScheduledResource", &sentinel.AlertRuleScheduledArgs{
	LogAnalyticsWorkspaceId: pulumi.String("string"),
	DisplayName:             pulumi.String("string"),
	Severity:                pulumi.String("string"),
	Query:                   pulumi.String("string"),
	// Defaults to true when omitted (Inputs).
	Enabled:               pulumi.Bool(false),
	QueryFrequency:        pulumi.String("string"),
	AlertRuleTemplateGuid: pulumi.String("string"),
	// EntityMappings and SentinelEntityMappings together may not exceed 5 (Inputs).
	EntityMappings: sentinel.AlertRuleScheduledEntityMappingArray{
		&sentinel.AlertRuleScheduledEntityMappingArgs{
			EntityType: pulumi.String("string"),
			FieldMappings: sentinel.AlertRuleScheduledEntityMappingFieldMappingArray{
				&sentinel.AlertRuleScheduledEntityMappingFieldMappingArgs{
					ColumnName: pulumi.String("string"),
					Identifier: pulumi.String("string"),
				},
			},
		},
	},
	EventGrouping: &sentinel.AlertRuleScheduledEventGroupingArgs{
		AggregationMethod: pulumi.String("string"),
	},
	CustomDetails: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	AlertRuleTemplateVersion: pulumi.String("string"),
	// Combined with TriggerOperator; defaults to 0 and GreaterThan (Inputs).
	TriggerThreshold: pulumi.Int(0),
	Incident: &sentinel.AlertRuleScheduledIncidentArgs{
		CreateIncidentEnabled: pulumi.Bool(false),
		Grouping: &sentinel.AlertRuleScheduledIncidentGroupingArgs{
			ByAlertDetails: pulumi.StringArray{
				pulumi.String("string"),
			},
			ByCustomDetails: pulumi.StringArray{
				pulumi.String("string"),
			},
			ByEntities: pulumi.StringArray{
				pulumi.String("string"),
			},
			Enabled:               pulumi.Bool(false),
			EntityMatchingMethod:  pulumi.String("string"),
			LookbackDuration:      pulumi.String("string"),
			ReopenClosedIncidents: pulumi.Bool(false),
		},
	},
	Description: pulumi.String("string"),
	// Must be >= QueryFrequency (Inputs).
	QueryPeriod: pulumi.String("string"),
	SentinelEntityMappings: sentinel.AlertRuleScheduledSentinelEntityMappingArray{
		&sentinel.AlertRuleScheduledSentinelEntityMappingArgs{
			ColumnName: pulumi.String("string"),
		},
	},
	AlertDetailsOverrides: sentinel.AlertRuleScheduledAlertDetailsOverrideArray{
		&sentinel.AlertRuleScheduledAlertDetailsOverrideArgs{
			DescriptionFormat: pulumi.String("string"),
			DisplayNameFormat: pulumi.String("string"),
			DynamicProperties: sentinel.AlertRuleScheduledAlertDetailsOverrideDynamicPropertyArray{
				&sentinel.AlertRuleScheduledAlertDetailsOverrideDynamicPropertyArgs{
					Name:  pulumi.String("string"),
					Value: pulumi.String("string"),
				},
			},
			SeverityColumnName: pulumi.String("string"),
			TacticsColumnName:  pulumi.String("string"),
		},
	},
	// Only effective when SuppressionEnabled is true and the duration is >= QueryFrequency (Inputs).
	SuppressionDuration: pulumi.String("string"),
	SuppressionEnabled:  pulumi.Bool(false),
	// Attack classification; Tactics is limited to the set listed under Inputs.
	Tactics: pulumi.StringArray{
		pulumi.String("string"),
	},
	Techniques: pulumi.StringArray{
		pulumi.String("string"),
	},
	TriggerOperator: pulumi.String("string"),
	Name:            pulumi.String("string"),
})
// Reference example: every input is set to a placeholder ("string", 0, false).
// The values are not meaningful; the shape shows which inputs exist and how
// nested blocks are expressed. See Inputs below for defaults and constraints.
var alertRuleScheduledResource = new AlertRuleScheduled("alertRuleScheduledResource", AlertRuleScheduledArgs.builder()
    .logAnalyticsWorkspaceId("string")
    .displayName("string")
    .severity("string")
    .query("string")
    // Defaults to true when omitted (Inputs).
    .enabled(false)
    .queryFrequency("string")
    .alertRuleTemplateGuid("string")
    // entityMappings and sentinelEntityMappings together may not exceed 5 (Inputs).
    .entityMappings(AlertRuleScheduledEntityMappingArgs.builder()
        .entityType("string")
        .fieldMappings(AlertRuleScheduledEntityMappingFieldMappingArgs.builder()
            .columnName("string")
            .identifier("string")
            .build())
        .build())
    .eventGrouping(AlertRuleScheduledEventGroupingArgs.builder()
        .aggregationMethod("string")
        .build())
    .customDetails(Map.of("string", "string"))
    .alertRuleTemplateVersion("string")
    // Combined with triggerOperator; defaults to 0 and GreaterThan (Inputs).
    .triggerThreshold(0)
    .incident(AlertRuleScheduledIncidentArgs.builder()
        .createIncidentEnabled(false)
        .grouping(AlertRuleScheduledIncidentGroupingArgs.builder()
            .byAlertDetails("string")
            .byCustomDetails("string")
            .byEntities("string")
            .enabled(false)
            .entityMatchingMethod("string")
            .lookbackDuration("string")
            .reopenClosedIncidents(false)
            .build())
        .build())
    .description("string")
    // Must be >= queryFrequency (Inputs).
    .queryPeriod("string")
    .sentinelEntityMappings(AlertRuleScheduledSentinelEntityMappingArgs.builder()
        .columnName("string")
        .build())
    .alertDetailsOverrides(AlertRuleScheduledAlertDetailsOverrideArgs.builder()
        .descriptionFormat("string")
        .displayNameFormat("string")
        .dynamicProperties(AlertRuleScheduledAlertDetailsOverrideDynamicPropertyArgs.builder()
            .name("string")
            .value("string")
            .build())
        .severityColumnName("string")
        .tacticsColumnName("string")
        .build())
    // Only effective when suppressionEnabled is true and the duration is >= queryFrequency (Inputs).
    .suppressionDuration("string")
    .suppressionEnabled(false)
    // Attack classification; tactics is limited to the set listed under Inputs.
    .tactics("string")
    .techniques("string")
    .triggerOperator("string")
    .name("string")
    .build());
# Reference example: every input is set to a placeholder ("string", 0, False).
# The values are not meaningful; the shape shows which inputs exist and how
# nested blocks are expressed. See Inputs below for defaults and constraints.
alert_rule_scheduled_resource = azure.sentinel.AlertRuleScheduled("alertRuleScheduledResource",
    log_analytics_workspace_id="string",
    display_name="string",
    severity="string",
    query="string",
    # Defaults to True when omitted (Inputs).
    enabled=False,
    query_frequency="string",
    alert_rule_template_guid="string",
    # entity_mappings and sentinel_entity_mappings together may not exceed 5 (Inputs).
    entity_mappings=[{
        "entityType": "string",
        "fieldMappings": [{
            "columnName": "string",
            "identifier": "string",
        }],
    }],
    event_grouping={
        "aggregationMethod": "string",
    },
    custom_details={
        "string": "string",
    },
    alert_rule_template_version="string",
    # Combined with trigger_operator; defaults to 0 and GreaterThan (Inputs).
    trigger_threshold=0,
    incident={
        "createIncidentEnabled": False,
        "grouping": {
            "byAlertDetails": ["string"],
            "byCustomDetails": ["string"],
            "byEntities": ["string"],
            "enabled": False,
            "entityMatchingMethod": "string",
            "lookbackDuration": "string",
            "reopenClosedIncidents": False,
        },
    },
    description="string",
    # Must be >= query_frequency (Inputs).
    query_period="string",
    sentinel_entity_mappings=[{
        "columnName": "string",
    }],
    alert_details_overrides=[{
        "descriptionFormat": "string",
        "displayNameFormat": "string",
        "dynamicProperties": [{
            "name": "string",
            "value": "string",
        }],
        "severityColumnName": "string",
        "tacticsColumnName": "string",
    }],
    # Only effective when suppression_enabled is True and the duration is >= query_frequency (Inputs).
    suppression_duration="string",
    suppression_enabled=False,
    # Attack classification; tactics is limited to the set listed under Inputs.
    tactics=["string"],
    techniques=["string"],
    trigger_operator="string",
    name="string")
// Reference example: every input is set to a placeholder ("string", 0, false).
// The values are not meaningful; the shape shows which inputs exist and how
// nested blocks are expressed. See Inputs below for defaults and constraints.
const alertRuleScheduledResource = new azure.sentinel.AlertRuleScheduled("alertRuleScheduledResource", {
    logAnalyticsWorkspaceId: "string",
    displayName: "string",
    severity: "string",
    query: "string",
    // Defaults to true when omitted (Inputs).
    enabled: false,
    queryFrequency: "string",
    alertRuleTemplateGuid: "string",
    // entityMappings and sentinelEntityMappings together may not exceed 5 (Inputs).
    entityMappings: [{
        entityType: "string",
        fieldMappings: [{
            columnName: "string",
            identifier: "string",
        }],
    }],
    eventGrouping: {
        aggregationMethod: "string",
    },
    customDetails: {
        string: "string",
    },
    alertRuleTemplateVersion: "string",
    // Combined with triggerOperator; defaults to 0 and GreaterThan (Inputs).
    triggerThreshold: 0,
    incident: {
        createIncidentEnabled: false,
        grouping: {
            byAlertDetails: ["string"],
            byCustomDetails: ["string"],
            byEntities: ["string"],
            enabled: false,
            entityMatchingMethod: "string",
            lookbackDuration: "string",
            reopenClosedIncidents: false,
        },
    },
    description: "string",
    // Must be >= queryFrequency (Inputs).
    queryPeriod: "string",
    sentinelEntityMappings: [{
        columnName: "string",
    }],
    alertDetailsOverrides: [{
        descriptionFormat: "string",
        displayNameFormat: "string",
        dynamicProperties: [{
            name: "string",
            value: "string",
        }],
        severityColumnName: "string",
        tacticsColumnName: "string",
    }],
    // Only effective when suppressionEnabled is true and the duration is >= queryFrequency (Inputs).
    suppressionDuration: "string",
    suppressionEnabled: false,
    // Attack classification; tactics is limited to the set listed under Inputs.
    tactics: ["string"],
    techniques: ["string"],
    triggerOperator: "string",
    name: "string",
});
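# Reference example: every input is set to a placeholder (string, 0, false).
# Indentation restored: the flattened form is not a valid nested document.
# See Inputs below for defaults and constraints.
type: azure:sentinel:AlertRuleScheduled
properties:
  alertDetailsOverrides:
    - descriptionFormat: string
      displayNameFormat: string
      dynamicProperties:
        - name: string
          value: string
      severityColumnName: string
      tacticsColumnName: string
  alertRuleTemplateGuid: string
  alertRuleTemplateVersion: string
  customDetails:
    string: string
  description: string
  displayName: string
  # Defaults to true when omitted (Inputs).
  enabled: false
  # entityMappings and sentinelEntityMappings together may not exceed 5 (Inputs).
  entityMappings:
    - entityType: string
      fieldMappings:
        - columnName: string
          identifier: string
  eventGrouping:
    aggregationMethod: string
  incident:
    createIncidentEnabled: false
    grouping:
      byAlertDetails:
        - string
      byCustomDetails:
        - string
      byEntities:
        - string
      enabled: false
      entityMatchingMethod: string
      lookbackDuration: string
      reopenClosedIncidents: false
  logAnalyticsWorkspaceId: string
  name: string
  query: string
  queryFrequency: string
  # Must be >= queryFrequency (Inputs).
  queryPeriod: string
  sentinelEntityMappings:
    - columnName: string
  severity: string
  # Only effective when suppressionEnabled is true and the duration is >= queryFrequency (Inputs).
  suppressionDuration: string
  suppressionEnabled: false
  # Attack classification; tactics is limited to the set listed under Inputs.
  tactics:
    - string
  techniques:
    - string
  # Combined with triggerThreshold; defaults to GreaterThan and 0 (Inputs).
  triggerOperator: string
  triggerThreshold: 0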
AlertRuleScheduled Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The AlertRuleScheduled resource accepts the following input properties:
- DisplayName string - The friendly name of this Sentinel Scheduled Alert Rule.
- LogAnalyticsWorkspaceId string - The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- Query string - The query of this Sentinel Scheduled Alert Rule.
- Severity string - The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
- AlertDetailsOverrides List<AlertRuleScheduledAlertDetailsOverride> - An alert_details_override block as defined below.
- AlertRuleTemplateGuid string - The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- AlertRuleTemplateVersion string - The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule.
- CustomDetails Dictionary<string, string> - A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- Description string - The description of this Sentinel Scheduled Alert Rule.
- Enabled bool - Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
- EntityMappings List<AlertRuleScheduledEntityMapping> - A list of entity_mapping blocks as defined below.
- EventGrouping AlertRuleScheduledEventGrouping - An event_grouping block as defined below.
- Incident AlertRuleScheduledIncident - An incident block as defined below.
- Name string - The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- QueryFrequency string - The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
- QueryPeriod string - The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H. NOTE: query_period must be larger than or equal to query_frequency, which ensures there are no gaps in the overall query coverage.
- SentinelEntityMappings List<AlertRuleScheduledSentinelEntityMapping> - A list of sentinel_entity_mapping blocks as defined below. NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.
- SuppressionDuration string - If suppression_enabled is true, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to PT5H. NOTE: suppression_duration must be larger than or equal to query_frequency, otherwise the suppression has no actual effect since no query will happen during the suppression duration.
- SuppressionEnabled bool - Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to false.
- Tactics List<string> - A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, ImpairProcessControl, InhibitResponseFunction, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation, PreAttack, Reconnaissance and ResourceDevelopment.
- Techniques List<string> - A list of techniques of attacks by which to classify the rule.
- TriggerOperator string - The alert trigger operator, combined with trigger_threshold, setting the alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual. Defaults to GreaterThan.
- TriggerThreshold int - The baseline number of query results generated, combined with trigger_operator, setting the alert threshold of this Sentinel Scheduled Alert Rule. Defaults to 0.
- DisplayName string - The friendly name of this Sentinel Scheduled Alert Rule.
- LogAnalyticsWorkspaceId string - The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- Query string - The query of this Sentinel Scheduled Alert Rule.
- Severity string - The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
- AlertDetailsOverrides []AlertRuleScheduledAlertDetailsOverrideArgs - An alert_details_override block as defined below.
- AlertRuleTemplateGuid string - The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- AlertRuleTemplateVersion string - The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule.
- CustomDetails map[string]string - A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- Description string - The description of this Sentinel Scheduled Alert Rule.
- Enabled bool - Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
- EntityMappings []AlertRuleScheduledEntityMappingArgs - A list of entity_mapping blocks as defined below.
- EventGrouping AlertRuleScheduledEventGroupingArgs - An event_grouping block as defined below.
- Incident AlertRuleScheduledIncidentArgs - An incident block as defined below.
- Name string - The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- QueryFrequency string - The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
- QueryPeriod string - The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H. NOTE: query_period must be larger than or equal to query_frequency, which ensures there are no gaps in the overall query coverage.
- SentinelEntityMappings []AlertRuleScheduledSentinelEntityMappingArgs - A list of sentinel_entity_mapping blocks as defined below. NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.
- SuppressionDuration string - If suppression_enabled is true, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to PT5H. NOTE: suppression_duration must be larger than or equal to query_frequency, otherwise the suppression has no actual effect since no query will happen during the suppression duration.
- SuppressionEnabled bool - Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to false.
- Tactics []string - A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, ImpairProcessControl, InhibitResponseFunction, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation, PreAttack, Reconnaissance and ResourceDevelopment.
- Techniques []string - A list of techniques of attacks by which to classify the rule.
- TriggerOperator string - The alert trigger operator, combined with trigger_threshold, setting the alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual. Defaults to GreaterThan.
- TriggerThreshold int - The baseline number of query results generated, combined with trigger_operator, setting the alert threshold of this Sentinel Scheduled Alert Rule. Defaults to 0.
- displayName String - The friendly name of this Sentinel Scheduled Alert Rule.
- logAnalyticsWorkspaceId String - The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- query String - The query of this Sentinel Scheduled Alert Rule.
- severity String - The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
- alertDetailsOverrides List<AlertRuleScheduledAlertDetailsOverride> - An alert_details_override block as defined below.
- alertRuleTemplateGuid String - The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- alertRuleTemplateVersion String - The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule.
- customDetails Map<String,String> - A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description String - The description of this Sentinel Scheduled Alert Rule.
- enabled Boolean - Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
- entityMappings List<AlertRuleScheduledEntityMapping> - A list of entity_mapping blocks as defined below.
- eventGrouping AlertRuleScheduledEventGrouping - An event_grouping block as defined below.
- incident AlertRuleScheduledIncident - An incident block as defined below.
- name String - The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- queryFrequency String - The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
- queryPeriod String - The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H. NOTE: query_period must be larger than or equal to query_frequency, which ensures there are no gaps in the overall query coverage.
- sentinelEntityMappings List<AlertRuleScheduledSentinelEntityMapping> - A list of sentinel_entity_mapping blocks as defined below. NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.
- suppressionDuration String - If suppression_enabled is true, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to PT5H. NOTE: suppression_duration must be larger than or equal to query_frequency, otherwise the suppression has no actual effect since no query will happen during the suppression duration.
- suppressionEnabled Boolean - Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to false.
- tactics List<String> - A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, ImpairProcessControl, InhibitResponseFunction, Impact, InitialAccess, LateralMovement, Persistence, PrivilegeEscalation, PreAttack, Reconnaissance and ResourceDevelopment.
- techniques List<String> - A list of techniques of attacks by which to classify the rule.
- triggerOperator String - The alert trigger operator, combined with trigger_threshold, setting the alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual. Defaults to GreaterThan.
- triggerThreshold Integer - The baseline number of query results generated, combined with trigger_operator, setting the alert threshold of this Sentinel Scheduled Alert Rule. Defaults to 0.
- display
Name string - The friendly name of this Sentinel Scheduled Alert Rule.
- log
Analytics Workspace Id string - The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- query string
- The query of this Sentinel Scheduled Alert Rule.
- severity string
- The alert severity of this Sentinel Scheduled Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - alert
Details Overrides AlertRuleScheduledAlertDetailsOverride[] - An
alert_details_override
block as defined below. - alert
Rule Template Guid string - The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- alert
Rule Template Version string - The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule.
- custom
Details {[key: string]: string} - A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description string
- The description of this Sentinel Scheduled Alert Rule.
- enabled boolean
- Should the Sentinel Scheduled Alert Rule be enabled? Defaults to
true
. - entity
Mappings AlertRuleScheduledEntityMapping[] - A list of
entity_mapping
blocks as defined below. - event
Grouping AlertRuleScheduledEventGrouping - An
event_grouping
block as defined below. - incident
AlertRuleScheduledIncident - An
incident
block as defined below. - name string
- The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- query
Frequency string - The ISO 8601 timespan duration between two consecutive queries. Defaults to
PT5H
. - query
Period string - The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to
PT5H
. NOTE:
query_period
must be greater than or equal to query_frequency
, which ensures there are no gaps in the overall query coverage. - sentinel
Entity Mappings AlertRuleScheduledSentinelEntityMapping[] - A list of
sentinel_entity_mapping
blocks as defined below. NOTE:
entity_mapping
and sentinel_entity_mapping
together can't exceed 5. - suppression
Duration string - If
suppression_enabled
is true
, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to PT5H
. NOTE:
suppression_duration
must be greater than or equal to query_frequency
, otherwise the suppression has no actual effect since no query will run during the suppression duration. - suppression
Enabled boolean - Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to
false
. - tactics string[]
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,ImpairProcessControl
,InhibitResponseFunction
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
,PreAttack
,Reconnaissance
andResourceDevelopment
. - techniques string[]
- A list of techniques of attacks by which to classify the rule.
- trigger
Operator string - The alert trigger operator, combined with
trigger_threshold
, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values areEqual
,GreaterThan
,LessThan
,NotEqual
. Defaults toGreaterThan
. - trigger
Threshold number - The baseline number of query results generated, combined with
trigger_operator
, setting alert threshold of this Sentinel Scheduled Alert Rule. Defaults to0
.
- display_
name str - The friendly name of this Sentinel Scheduled Alert Rule.
- log_
analytics_ workspace_ id str - The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- query str
- The query of this Sentinel Scheduled Alert Rule.
- severity str
- The alert severity of this Sentinel Scheduled Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - alert_
details_ overrides Sequence[AlertRuleScheduledAlertDetailsOverrideArgs] - An
alert_details_override
block as defined below. - alert_
rule_ template_ guid str - The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- alert_
rule_ template_ version str - The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule.
- custom_
details Mapping[str, str] - A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description str
- The description of this Sentinel Scheduled Alert Rule.
- enabled bool
- Should the Sentinel Scheduled Alert Rule be enabled? Defaults to
true
. - entity_
mappings Sequence[AlertRuleScheduledEntityMappingArgs] - A list of
entity_mapping
blocks as defined below. - event_
grouping AlertRuleScheduledEventGroupingArgs - An
event_grouping
block as defined below. - incident
AlertRuleScheduledIncidentArgs - An
incident
block as defined below. - name str
- The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- query_
frequency str - The ISO 8601 timespan duration between two consecutive queries. Defaults to
PT5H
. - query_
period str - The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to
PT5H
. NOTE:
query_period
must be greater than or equal to query_frequency
, which ensures there are no gaps in the overall query coverage. - sentinel_
entity_ mappings Sequence[AlertRuleScheduledSentinelEntityMappingArgs] - A list of
sentinel_entity_mapping
blocks as defined below. NOTE:
entity_mapping
and sentinel_entity_mapping
together can't exceed 5. - suppression_
duration str - If
suppression_enabled
is true
, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to PT5H
. NOTE:
suppression_duration
must be greater than or equal to query_frequency
, otherwise the suppression has no actual effect since no query will run during the suppression duration. - suppression_
enabled bool - Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to
false
. - tactics Sequence[str]
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,ImpairProcessControl
,InhibitResponseFunction
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
,PreAttack
,Reconnaissance
andResourceDevelopment
. - techniques Sequence[str]
- A list of techniques of attacks by which to classify the rule.
- trigger_
operator str - The alert trigger operator, combined with
trigger_threshold
, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values areEqual
,GreaterThan
,LessThan
,NotEqual
. Defaults toGreaterThan
. - trigger_
threshold int - The baseline number of query results generated, combined with
trigger_operator
, setting alert threshold of this Sentinel Scheduled Alert Rule. Defaults to0
.
- display
Name String - The friendly name of this Sentinel Scheduled Alert Rule.
- log
Analytics Workspace Id String - The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- query String
- The query of this Sentinel Scheduled Alert Rule.
- severity String
- The alert severity of this Sentinel Scheduled Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - alert
Details Overrides List<Property Map> - An
alert_details_override
block as defined below. - alert
Rule Template Guid String - The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- alert
Rule Template Version String - The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule.
- custom
Details Map<String> - A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description String
- The description of this Sentinel Scheduled Alert Rule.
- enabled Boolean
- Should the Sentinel Scheduled Alert Rule be enabled? Defaults to
true
. - entity
Mappings List<Property Map> - A list of
entity_mapping
blocks as defined below. - event
Grouping Property Map - An
event_grouping
block as defined below. - incident Property Map
- An
incident
block as defined below. - name String
- The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- query
Frequency String - The ISO 8601 timespan duration between two consecutive queries. Defaults to
PT5H
. - query
Period String - The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to
PT5H
. NOTE:
query_period
must be greater than or equal to query_frequency
, which ensures there are no gaps in the overall query coverage. - sentinel
Entity Mappings List<Property Map> - A list of
sentinel_entity_mapping
blocks as defined below. NOTE:
entity_mapping
and sentinel_entity_mapping
together can't exceed 5. - suppression
Duration String - If
suppression_enabled
is true
, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to PT5H
. NOTE:
suppression_duration
must be greater than or equal to query_frequency
, otherwise the suppression has no actual effect since no query will run during the suppression duration. - suppression
Enabled Boolean - Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to
false
. - tactics List<String>
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,ImpairProcessControl
,InhibitResponseFunction
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
,PreAttack
,Reconnaissance
andResourceDevelopment
. - techniques List<String>
- A list of techniques of attacks by which to classify the rule.
- trigger
Operator String - The alert trigger operator, combined with
trigger_threshold
, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values areEqual
,GreaterThan
,LessThan
,NotEqual
. Defaults toGreaterThan
. - trigger
Threshold Number - The baseline number of query results generated, combined with
trigger_operator
, setting alert threshold of this Sentinel Scheduled Alert Rule. Defaults to0
.
Outputs
All input properties are implicitly available as output properties. Additionally, the AlertRuleScheduled resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing AlertRuleScheduled Resource
Get an existing AlertRuleScheduled resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AlertRuleScheduledState, opts?: CustomResourceOptions): AlertRuleScheduled
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
alert_details_overrides: Optional[Sequence[AlertRuleScheduledAlertDetailsOverrideArgs]] = None,
alert_rule_template_guid: Optional[str] = None,
alert_rule_template_version: Optional[str] = None,
custom_details: Optional[Mapping[str, str]] = None,
description: Optional[str] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
entity_mappings: Optional[Sequence[AlertRuleScheduledEntityMappingArgs]] = None,
event_grouping: Optional[AlertRuleScheduledEventGroupingArgs] = None,
incident: Optional[AlertRuleScheduledIncidentArgs] = None,
log_analytics_workspace_id: Optional[str] = None,
name: Optional[str] = None,
query: Optional[str] = None,
query_frequency: Optional[str] = None,
query_period: Optional[str] = None,
sentinel_entity_mappings: Optional[Sequence[AlertRuleScheduledSentinelEntityMappingArgs]] = None,
severity: Optional[str] = None,
suppression_duration: Optional[str] = None,
suppression_enabled: Optional[bool] = None,
tactics: Optional[Sequence[str]] = None,
techniques: Optional[Sequence[str]] = None,
trigger_operator: Optional[str] = None,
trigger_threshold: Optional[int] = None) -> AlertRuleScheduled
func GetAlertRuleScheduled(ctx *Context, name string, id IDInput, state *AlertRuleScheduledState, opts ...ResourceOption) (*AlertRuleScheduled, error)
public static AlertRuleScheduled Get(string name, Input<string> id, AlertRuleScheduledState? state, CustomResourceOptions? opts = null)
public static AlertRuleScheduled get(String name, Output<String> id, AlertRuleScheduledState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Alert
Details Overrides List<AlertRuleScheduledAlertDetailsOverride> - An
alert_details_override
block as defined below. - Alert
Rule Template Guid string - The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- Alert
Rule Template Version string - The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule.
- Custom
Details Dictionary<string, string> - A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- Description string
- The description of this Sentinel Scheduled Alert Rule.
- Display
Name string - The friendly name of this Sentinel Scheduled Alert Rule.
- Enabled bool
- Should the Sentinel Scheduled Alert Rule be enabled? Defaults to
true
. - Entity
Mappings List<AlertRuleScheduledEntityMapping> - A list of
entity_mapping
blocks as defined below. - Event
Grouping AlertRuleScheduledEventGrouping - An
event_grouping
block as defined below. - Incident
AlertRuleScheduledIncident - An
incident
block as defined below. - Log
Analytics Workspace Id string - The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- Name string
- The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- Query string
- The query of this Sentinel Scheduled Alert Rule.
- Query
Frequency string - The ISO 8601 timespan duration between two consecutive queries. Defaults to
PT5H
. - Query
Period string - The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to
PT5H
. NOTE:
query_period
must be greater than or equal to query_frequency
, which ensures there are no gaps in the overall query coverage. - Sentinel
Entity Mappings List<AlertRuleScheduledSentinelEntityMapping> - A list of
sentinel_entity_mapping
blocks as defined below. NOTE:
entity_mapping
and sentinel_entity_mapping
together can't exceed 5. - Severity string
- The alert severity of this Sentinel Scheduled Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - Suppression
Duration string - If
suppression_enabled
is true
, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to PT5H
. NOTE:
suppression_duration
must be greater than or equal to query_frequency
, otherwise the suppression has no actual effect since no query will run during the suppression duration. - Suppression
Enabled bool - Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to
false
. - Tactics List<string>
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,ImpairProcessControl
,InhibitResponseFunction
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
,PreAttack
,Reconnaissance
andResourceDevelopment
. - Techniques List<string>
- A list of techniques of attacks by which to classify the rule.
- Trigger
Operator string - The alert trigger operator, combined with
trigger_threshold
, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values areEqual
,GreaterThan
,LessThan
,NotEqual
. Defaults toGreaterThan
. - Trigger
Threshold int - The baseline number of query results generated, combined with
trigger_operator
, setting alert threshold of this Sentinel Scheduled Alert Rule. Defaults to0
.
- Alert
Details Overrides []AlertRuleScheduledAlertDetailsOverrideArgs - An
alert_details_override
block as defined below. - Alert
Rule Template Guid string - The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- Alert
Rule Template Version string - The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule.
- Custom
Details map[string]string - A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- Description string
- The description of this Sentinel Scheduled Alert Rule.
- Display
Name string - The friendly name of this Sentinel Scheduled Alert Rule.
- Enabled bool
- Should the Sentinel Scheduled Alert Rule be enabled? Defaults to
true
. - Entity
Mappings []AlertRuleScheduledEntityMappingArgs - A list of
entity_mapping
blocks as defined below. - Event
Grouping AlertRuleScheduledEventGroupingArgs - An
event_grouping
block as defined below. - Incident
AlertRuleScheduledIncidentArgs - An
incident
block as defined below. - Log
Analytics Workspace Id string - The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- Name string
- The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- Query string
- The query of this Sentinel Scheduled Alert Rule.
- Query
Frequency string - The ISO 8601 timespan duration between two consecutive queries. Defaults to
PT5H
. - Query
Period string - The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to
PT5H
. NOTE:
query_period
must be greater than or equal to query_frequency
, which ensures there are no gaps in the overall query coverage. - Sentinel
Entity Mappings []AlertRuleScheduledSentinelEntityMappingArgs - A list of
sentinel_entity_mapping
blocks as defined below. NOTE:
entity_mapping
and sentinel_entity_mapping
together can't exceed 5. - Severity string
- The alert severity of this Sentinel Scheduled Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - Suppression
Duration string - If
suppression_enabled
is true
, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to PT5H
. NOTE:
suppression_duration
must be greater than or equal to query_frequency
, otherwise the suppression has no actual effect since no query will run during the suppression duration. - Suppression
Enabled bool - Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to
false
. - Tactics []string
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,ImpairProcessControl
,InhibitResponseFunction
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
,PreAttack
,Reconnaissance
andResourceDevelopment
. - Techniques []string
- A list of techniques of attacks by which to classify the rule.
- Trigger
Operator string - The alert trigger operator, combined with
trigger_threshold
, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values areEqual
,GreaterThan
,LessThan
,NotEqual
. Defaults toGreaterThan
. - Trigger
Threshold int - The baseline number of query results generated, combined with
trigger_operator
, setting alert threshold of this Sentinel Scheduled Alert Rule. Defaults to0
.
- alert
Details Overrides List<AlertRuleScheduledAlertDetailsOverride> - An
alert_details_override
block as defined below. - alert
Rule Template Guid String - The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- alert
Rule Template Version String - The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule.
- custom
Details Map<String,String> - A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description String
- The description of this Sentinel Scheduled Alert Rule.
- display
Name String - The friendly name of this Sentinel Scheduled Alert Rule.
- enabled Boolean
- Should the Sentinel Scheduled Alert Rule be enabled? Defaults to
true
. - entity
Mappings List<AlertRuleScheduledEntityMapping> - A list of
entity_mapping
blocks as defined below. - event
Grouping AlertRuleScheduledEventGrouping - An
event_grouping
block as defined below. - incident
AlertRuleScheduledIncident - An
incident
block as defined below. - log
Analytics Workspace Id String - The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- name String
- The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- query String
- The query of this Sentinel Scheduled Alert Rule.
- query
Frequency String - The ISO 8601 timespan duration between two consecutive queries. Defaults to
PT5H
. - query
Period String - The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to
PT5H
. NOTE:
query_period
must be greater than or equal to query_frequency
, which ensures there are no gaps in the overall query coverage. - sentinel
Entity Mappings List<AlertRuleScheduledSentinelEntityMapping> - A list of
sentinel_entity_mapping
blocks as defined below. NOTE:
entity_mapping
and sentinel_entity_mapping
together can't exceed 5. - severity String
- The alert severity of this Sentinel Scheduled Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - suppression
Duration String - If
suppression_enabled
is true
, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to PT5H
. NOTE:
suppression_duration
must be greater than or equal to query_frequency
, otherwise the suppression has no actual effect since no query will run during the suppression duration. - suppression
Enabled Boolean - Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to
false
. - tactics List<String>
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,ImpairProcessControl
,InhibitResponseFunction
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
,PreAttack
,Reconnaissance
andResourceDevelopment
. - techniques List<String>
- A list of techniques of attacks by which to classify the rule.
- trigger
Operator String - The alert trigger operator, combined with
trigger_threshold
, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values areEqual
,GreaterThan
,LessThan
,NotEqual
. Defaults toGreaterThan
. - trigger
Threshold Integer - The baseline number of query results generated, combined with
trigger_operator
, setting alert threshold of this Sentinel Scheduled Alert Rule. Defaults to0
.
- alert
Details Overrides AlertRuleScheduledAlertDetailsOverride[] - An
alert_details_override
block as defined below. - alert
Rule Template Guid string - The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- alert
Rule Template Version string - The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule.
- custom
Details {[key: string]: string} - A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description string
- The description of this Sentinel Scheduled Alert Rule.
- display
Name string - The friendly name of this Sentinel Scheduled Alert Rule.
- enabled boolean
- Should the Sentinel Scheduled Alert Rule be enabled? Defaults to
true
. - entity
Mappings AlertRuleScheduledEntityMapping[] - A list of
entity_mapping
blocks as defined below. - event
Grouping AlertRuleScheduledEventGrouping - An
event_grouping
block as defined below. - incident
AlertRuleScheduledIncident - An
incident
block as defined below. - log
Analytics Workspace Id string - The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- name string
- The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- query string
- The query of this Sentinel Scheduled Alert Rule.
- query
Frequency string - The ISO 8601 timespan duration between two consecutive queries. Defaults to
PT5H
. - query
Period string - The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to
PT5H
. NOTE:
query_period
must be greater than or equal to query_frequency
, which ensures there are no gaps in the overall query coverage. - sentinel
Entity Mappings AlertRuleScheduledSentinelEntityMapping[] - A list of
sentinel_entity_mapping
blocks as defined below. NOTE:
entity_mapping
and sentinel_entity_mapping
together can't exceed 5. - severity string
- The alert severity of this Sentinel Scheduled Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - suppression
Duration string - If
suppression_enabled
is true
, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to PT5H
. NOTE:
suppression_duration
must be greater than or equal to query_frequency
, otherwise the suppression has no actual effect since no query will run during the suppression duration. - suppression
Enabled boolean - Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to
false
. - tactics string[]
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,ImpairProcessControl
,InhibitResponseFunction
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
,PreAttack
,Reconnaissance
andResourceDevelopment
. - techniques string[]
- A list of techniques of attacks by which to classify the rule.
- trigger
Operator string - The alert trigger operator, combined with
trigger_threshold
, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values areEqual
,GreaterThan
,LessThan
,NotEqual
. Defaults toGreaterThan
. - trigger
Threshold number - The baseline number of query results generated, combined with
trigger_operator
, setting alert threshold of this Sentinel Scheduled Alert Rule. Defaults to0
.
- alert_
details_ overrides Sequence[AlertRuleScheduledAlertDetailsOverrideArgs] - An
alert_details_override
block as defined below. - alert_
rule_ template_ guid str - The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- alert_
rule_ template_ version str - The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule.
- custom_
details Mapping[str, str] - A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description str
- The description of this Sentinel Scheduled Alert Rule.
- display_
name str - The friendly name of this Sentinel Scheduled Alert Rule.
- enabled bool
- Should the Sentinel Scheduled Alert Rule be enabled? Defaults to
true
. - entity_
mappings Sequence[AlertRule Scheduled Entity Mapping Args] - A list of
entity_mapping
blocks as defined below. - event_
grouping AlertRule Scheduled Event Grouping Args - An
event_grouping
block as defined below. - incident
Alert
Rule Scheduled Incident Args - An
incident
block as defined below. - log_
analytics_ strworkspace_ id - The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- name str
- The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- query str
- The query of this Sentinel Scheduled Alert Rule.
- query_
frequency str - The ISO 8601 timespan duration between two consecutive queries. Defaults to
PT5H
. - query_
period str - The ISO 8601 timespan duration, which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to
PT5H
.NOTE
query_period
must be greater than or equal to query_frequency
, which ensures there are no gaps in the overall query coverage.- sentinel_
entity_ Sequence[Alertmappings Rule Scheduled Sentinel Entity Mapping Args] A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
andsentinel_entity_mapping
together can't exceed 5.- severity str
- The alert severity of this Sentinel Scheduled Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - suppression_
duration str If
suppression_enabled
istrue
, this is the ISO 8601 timespan duration that specifies how long the query should stop running after an alert is generated. Defaults to PT5H
.NOTE
suppression_duration
must be greater than or equal to query_frequency
, otherwise the suppression has no actual effect, since no query will run during the suppression duration.- suppression_
enabled bool - Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to
false
. - tactics Sequence[str]
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,ImpairProcessControl
,InhibitResponseFunction
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
,PreAttack
,Reconnaissance
andResourceDevelopment
. - techniques Sequence[str]
- A list of techniques of attacks by which to classify the rule.
- trigger_
operator str - The alert trigger operator, combined with
trigger_threshold
, sets the alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal
,GreaterThan
,LessThan
,NotEqual
. Defaults toGreaterThan
. - trigger_
threshold int - The baseline number of query results generated, combined with
trigger_operator
, sets the alert threshold of this Sentinel Scheduled Alert Rule. Defaults to 0
.
- alert
Details List<Property Map>Overrides - An
alert_details_override
block as defined below. - alert
Rule StringTemplate Guid - The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- alert
Rule StringTemplate Version - The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule.
- custom
Details Map<String> - A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
- description String
- The description of this Sentinel Scheduled Alert Rule.
- display
Name String - The friendly name of this Sentinel Scheduled Alert Rule.
- enabled Boolean
- Should the Sentinel Scheduled Alert Rule be enabled? Defaults to
true
. - entity
Mappings List<Property Map> - A list of
entity_mapping
blocks as defined below. - event
Grouping Property Map - An
event_grouping
block as defined below. - incident Property Map
- An
incident
block as defined below. - log
Analytics StringWorkspace Id - The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- name String
- The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
- query String
- The query of this Sentinel Scheduled Alert Rule.
- query
Frequency String - The ISO 8601 timespan duration between two consecutive queries. Defaults to
PT5H
. - query
Period String - The ISO 8601 timespan duration, which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to
PT5H
.NOTE
query_period
must be greater than or equal to query_frequency
, which ensures there are no gaps in the overall query coverage.- sentinel
Entity List<Property Map>Mappings A list of
sentinel_entity_mapping
blocks as defined below.NOTE:
entity_mapping
andsentinel_entity_mapping
together can't exceed 5.- severity String
- The alert severity of this Sentinel Scheduled Alert Rule. Possible values are
High
,Medium
,Low
andInformational
. - suppression
Duration String If
suppression_enabled
istrue
, this is the ISO 8601 timespan duration that specifies how long the query should stop running after an alert is generated. Defaults to PT5H
.NOTE
suppression_duration
must be greater than or equal to query_frequency
, otherwise the suppression has no actual effect, since no query will run during the suppression duration.- suppression
Enabled Boolean - Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to
false
. - tactics List<String>
- A list of categories of attacks by which to classify the rule. Possible values are
Collection
,CommandAndControl
,CredentialAccess
,DefenseEvasion
,Discovery
,Execution
,Exfiltration
,ImpairProcessControl
,InhibitResponseFunction
,Impact
,InitialAccess
,LateralMovement
,Persistence
,PrivilegeEscalation
,PreAttack
,Reconnaissance
andResourceDevelopment
. - techniques List<String>
- A list of techniques of attacks by which to classify the rule.
- trigger
Operator String - The alert trigger operator, combined with
trigger_threshold
, sets the alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal
,GreaterThan
,LessThan
,NotEqual
. Defaults toGreaterThan
. - trigger
Threshold Number - The baseline number of query results generated, combined with
trigger_operator
, sets the alert threshold of this Sentinel Scheduled Alert Rule. Defaults to 0
.
Supporting Types
AlertRuleScheduledAlertDetailsOverride, AlertRuleScheduledAlertDetailsOverrideArgs
- Description
Format string - The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- Display
Name stringFormat - The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- Dynamic
Properties List<AlertRule Scheduled Alert Details Override Dynamic Property> - A list of
dynamic_property
blocks as defined below. - Severity
Column stringName - The column name to take the alert severity from.
- Tactics
Column stringName - The column name to take the alert tactics from.
- Description
Format string - The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- Display
Name stringFormat - The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- Dynamic
Properties []AlertRule Scheduled Alert Details Override Dynamic Property - A list of
dynamic_property
blocks as defined below. - Severity
Column stringName - The column name to take the alert severity from.
- Tactics
Column stringName - The column name to take the alert tactics from.
- description
Format String - The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- display
Name StringFormat - The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- dynamic
Properties List<AlertRule Scheduled Alert Details Override Dynamic Property> - A list of
dynamic_property
blocks as defined below. - severity
Column StringName - The column name to take the alert severity from.
- tactics
Column StringName - The column name to take the alert tactics from.
- description
Format string - The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- display
Name stringFormat - The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- dynamic
Properties AlertRule Scheduled Alert Details Override Dynamic Property[] - A list of
dynamic_property
blocks as defined below. - severity
Column stringName - The column name to take the alert severity from.
- tactics
Column stringName - The column name to take the alert tactics from.
- description_
format str - The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- display_
name_ strformat - The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- dynamic_
properties Sequence[AlertRule Scheduled Alert Details Override Dynamic Property] - A list of
dynamic_property
blocks as defined below. - severity_
column_ strname - The column name to take the alert severity from.
- tactics_
column_ strname - The column name to take the alert tactics from.
- description
Format String - The format containing columns name(s) to override the description of this Sentinel Alert Rule.
- display
Name StringFormat - The format containing columns name(s) to override the name of this Sentinel Alert Rule.
- dynamic
Properties List<Property Map> - A list of
dynamic_property
blocks as defined below. - severity
Column StringName - The column name to take the alert severity from.
- tactics
Column StringName - The column name to take the alert tactics from.
AlertRuleScheduledAlertDetailsOverrideDynamicProperty, AlertRuleScheduledAlertDetailsOverrideDynamicPropertyArgs
- Name string
- The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
. - Value string
- The value of the dynamic property. Possible values are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
- Name string
- The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
. - Value string
- The value of the dynamic property. Possible values are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
- name String
- The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
. - value String
- The value of the dynamic property. Possible values are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
- name string
- The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
. - value string
- The value of the dynamic property. Possible values are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
- name str
- The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
. - value str
- The value of the dynamic property. Possible values are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
- name String
- The name of the dynamic property. Possible Values are
AlertLink
,ConfidenceLevel
,ConfidenceScore
,ExtendedLinks
,ProductComponentName
,ProductName
,ProviderName
,RemediationSteps
andTechniques
. - value String
- The value of the dynamic property. Possible values are
Caller
,dcount_ResourceId
andEventSubmissionTimestamp
.
AlertRuleScheduledEntityMapping, AlertRuleScheduledEntityMappingArgs
- Entity
Type string - The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - Field
Mappings List<AlertRule Scheduled Entity Mapping Field Mapping> - A list of
field_mapping
blocks as defined below.
- Entity
Type string - The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - Field
Mappings []AlertRule Scheduled Entity Mapping Field Mapping - A list of
field_mapping
blocks as defined below.
- entity
Type String - The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - field
Mappings List<AlertRule Scheduled Entity Mapping Field Mapping> - A list of
field_mapping
blocks as defined below.
- entity
Type string - The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - field
Mappings AlertRule Scheduled Entity Mapping Field Mapping[] - A list of
field_mapping
blocks as defined below.
- entity_
type str - The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - field_
mappings Sequence[AlertRule Scheduled Entity Mapping Field Mapping] - A list of
field_mapping
blocks as defined below.
- entity
Type String - The type of the entity. Possible values are
Account
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - field
Mappings List<Property Map> - A list of
field_mapping
blocks as defined below.
AlertRuleScheduledEntityMappingFieldMapping, AlertRuleScheduledEntityMappingFieldMappingArgs
- Column
Name string - The column name to be mapped to the identifier.
- Identifier string
- The identifier of the entity.
- Column
Name string - The column name to be mapped to the identifier.
- Identifier string
- The identifier of the entity.
- column
Name String - The column name to be mapped to the identifier.
- identifier String
- The identifier of the entity.
- column
Name string - The column name to be mapped to the identifier.
- identifier string
- The identifier of the entity.
- column_
name str - The column name to be mapped to the identifier.
- identifier str
- The identifier of the entity.
- column
Name String - The column name to be mapped to the identifier.
- identifier String
- The identifier of the entity.
AlertRuleScheduledEventGrouping, AlertRuleScheduledEventGroupingArgs
- Aggregation
Method string - The aggregation type of grouping the events. Possible values are
AlertPerResult
andSingleAlert
.
- Aggregation
Method string - The aggregation type of grouping the events. Possible values are
AlertPerResult
andSingleAlert
.
- aggregation
Method String - The aggregation type of grouping the events. Possible values are
AlertPerResult
andSingleAlert
.
- aggregation
Method string - The aggregation type of grouping the events. Possible values are
AlertPerResult
andSingleAlert
.
- aggregation_
method str - The aggregation type of grouping the events. Possible values are
AlertPerResult
andSingleAlert
.
- aggregation
Method String - The aggregation type of grouping the events. Possible values are
AlertPerResult
andSingleAlert
.
AlertRuleScheduledIncident, AlertRuleScheduledIncidentArgs
- Create
Incident boolEnabled - Whether to create an incident from alerts triggered by this Sentinel Scheduled Alert Rule?
- Grouping
Alert
Rule Scheduled Incident Grouping - A
grouping
block as defined below.
- Create
Incident boolEnabled - Whether to create an incident from alerts triggered by this Sentinel Scheduled Alert Rule?
- Grouping
Alert
Rule Scheduled Incident Grouping - A
grouping
block as defined below.
- create
Incident BooleanEnabled - Whether to create an incident from alerts triggered by this Sentinel Scheduled Alert Rule?
- grouping
Alert
Rule Scheduled Incident Grouping - A
grouping
block as defined below.
- create
Incident booleanEnabled - Whether to create an incident from alerts triggered by this Sentinel Scheduled Alert Rule?
- grouping
Alert
Rule Scheduled Incident Grouping - A
grouping
block as defined below.
- create_
incident_ boolenabled - Whether to create an incident from alerts triggered by this Sentinel Scheduled Alert Rule?
- grouping
Alert
Rule Scheduled Incident Grouping - A
grouping
block as defined below.
- create
Incident BooleanEnabled - Whether to create an incident from alerts triggered by this Sentinel Scheduled Alert Rule?
- grouping Property Map
- A
grouping
block as defined below.
AlertRuleScheduledIncidentGrouping, AlertRuleScheduledIncidentGroupingArgs
- By
Alert List<string>Details - A list of alert details to group by, only when the
entity_matching_method
isSelected
. Possible values areDisplayName
andSeverity
. - By
Custom List<string>Details - A list of custom details keys to group by, only when the
entity_matching_method
isSelected
. Only keys defined in thecustom_details
may be used. - By
Entities List<string> - A list of entity types to group by, only when the
entity_matching_method
isSelected
. Possible values areAccount
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - Enabled bool
- Enable grouping incidents created from alerts triggered by this Sentinel Scheduled Alert Rule. Defaults to
true
. - Entity
Matching stringMethod - The method used to group incidents. Possible values are
AnyAlert
,Selected
andAllEntities
. Defaults toAnyAlert
. - Lookback
Duration string - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to
PT5M
. - Reopen
Closed boolIncidents - Whether to re-open closed matching incidents? Defaults to
false
.
- By
Alert []stringDetails - A list of alert details to group by, only when the
entity_matching_method
isSelected
. Possible values areDisplayName
andSeverity
. - By
Custom []stringDetails - A list of custom details keys to group by, only when the
entity_matching_method
isSelected
. Only keys defined in thecustom_details
may be used. - By
Entities []string - A list of entity types to group by, only when the
entity_matching_method
isSelected
. Possible values areAccount
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - Enabled bool
- Enable grouping incidents created from alerts triggered by this Sentinel Scheduled Alert Rule. Defaults to
true
. - Entity
Matching stringMethod - The method used to group incidents. Possible values are
AnyAlert
,Selected
andAllEntities
. Defaults toAnyAlert
. - Lookback
Duration string - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to
PT5M
. - Reopen
Closed boolIncidents - Whether to re-open closed matching incidents? Defaults to
false
.
- by
Alert List<String>Details - A list of alert details to group by, only when the
entity_matching_method
isSelected
. Possible values areDisplayName
andSeverity
. - by
Custom List<String>Details - A list of custom details keys to group by, only when the
entity_matching_method
isSelected
. Only keys defined in thecustom_details
may be used. - by
Entities List<String> - A list of entity types to group by, only when the
entity_matching_method
isSelected
. Possible values areAccount
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - enabled Boolean
- Enable grouping incidents created from alerts triggered by this Sentinel Scheduled Alert Rule. Defaults to
true
. - entity
Matching StringMethod - The method used to group incidents. Possible values are
AnyAlert
,Selected
andAllEntities
. Defaults toAnyAlert
. - lookback
Duration String - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to
PT5M
. - reopen
Closed BooleanIncidents - Whether to re-open closed matching incidents? Defaults to
false
.
- by
Alert string[]Details - A list of alert details to group by, only when the
entity_matching_method
isSelected
. Possible values areDisplayName
andSeverity
. - by
Custom string[]Details - A list of custom details keys to group by, only when the
entity_matching_method
isSelected
. Only keys defined in thecustom_details
may be used. - by
Entities string[] - A list of entity types to group by, only when the
entity_matching_method
isSelected
. Possible values areAccount
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - enabled boolean
- Enable grouping incidents created from alerts triggered by this Sentinel Scheduled Alert Rule. Defaults to
true
. - entity
Matching stringMethod - The method used to group incidents. Possible values are
AnyAlert
,Selected
andAllEntities
. Defaults toAnyAlert
. - lookback
Duration string - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to
PT5M
. - reopen
Closed booleanIncidents - Whether to re-open closed matching incidents? Defaults to
false
.
- by_
alert_ Sequence[str]details - A list of alert details to group by, only when the
entity_matching_method
isSelected
. Possible values areDisplayName
andSeverity
. - by_
custom_ Sequence[str]details - A list of custom details keys to group by, only when the
entity_matching_method
isSelected
. Only keys defined in thecustom_details
may be used. - by_
entities Sequence[str] - A list of entity types to group by, only when the
entity_matching_method
isSelected
. Possible values areAccount
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - enabled bool
- Enable grouping incidents created from alerts triggered by this Sentinel Scheduled Alert Rule. Defaults to
true
. - entity_
matching_ strmethod - The method used to group incidents. Possible values are
AnyAlert
,Selected
andAllEntities
. Defaults toAnyAlert
. - lookback_
duration str - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to
PT5M
. - reopen_
closed_ boolincidents - Whether to re-open closed matching incidents? Defaults to
false
.
- by
Alert List<String>Details - A list of alert details to group by, only when the
entity_matching_method
isSelected
. Possible values areDisplayName
andSeverity
. - by
Custom List<String>Details - A list of custom details keys to group by, only when the
entity_matching_method
isSelected
. Only keys defined in thecustom_details
may be used. - by
Entities List<String> - A list of entity types to group by, only when the
entity_matching_method
isSelected
. Possible values areAccount
,AzureResource
,CloudApplication
,DNS
,File
,FileHash
,Host
,IP
,Mailbox
,MailCluster
,MailMessage
,Malware
,Process
,RegistryKey
,RegistryValue
,SecurityGroup
,SubmissionMail
,URL
. - enabled Boolean
- Enable grouping incidents created from alerts triggered by this Sentinel Scheduled Alert Rule. Defaults to
true
. - entity
Matching StringMethod - The method used to group incidents. Possible values are
AnyAlert
,Selected
andAllEntities
. Defaults toAnyAlert
. - lookback
Duration String - Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to
PT5M
. - reopen
Closed BooleanIncidents - Whether to re-open closed matching incidents? Defaults to
false
.
AlertRuleScheduledSentinelEntityMapping, AlertRuleScheduledSentinelEntityMappingArgs
- Column
Name string - The column name to be mapped to the identifier.
- Column
Name string - The column name to be mapped to the identifier.
- column
Name String - The column name to be mapped to the identifier.
- column
Name string - The column name to be mapped to the identifier.
- column_
name str - The column name to be mapped to the identifier.
- column
Name String - The column name to be mapped to the identifier.
Import
Sentinel Scheduled Alert Rules can be imported using the resource id
, e.g.
$ pulumi import azure:sentinel/alertRuleScheduled:AlertRuleScheduled example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Classic pulumi/pulumi-azure
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
azurerm
Terraform Provider.