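import * as pulumi from "@pulumi/pulumi";

// NOTE(review): the generic type arguments of this declaration were lost in the
// listing (`pulumi.Output`, `pulumi.Input[]>`), which left it syntactically invalid.
// They are restored here from each property's documentation and from its optionality
// in AlertRuleMsSecurityIncidentArgs; confirm against the installed @pulumi/azure typings.

/**
 * Manages a Sentinel MS Security Incident Alert Rule.
 *
 * The rule decides which alerts from one Microsoft security product become Sentinel
 * incidents. `productFilter`, `severityFilters`, `displayNameFilters` and
 * `displayNameExcludeFilters` together define that selection; an alert that does not
 * pass them creates no incident under this rule.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "example-resources",
 *     location: "West Europe",
 * });
 * const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("example", {
 *     name: "example-workspace",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     sku: "PerGB2018",
 * });
 * const exampleLogAnalyticsWorkspaceOnboarding = new azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", {workspaceId: exampleAnalyticsWorkspace.id});
 * const exampleAlertRuleMsSecurityIncident = new azure.sentinel.AlertRuleMsSecurityIncident("example", {
 *     name: "example-ms-security-incident-alert-rule",
 *     logAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.workspaceId,
 *     productFilter: "Microsoft Cloud App Security",
 *     displayName: "example rule",
 *     // Only `High` alerts create incidents here; `Medium`, `Low` and
 *     // `Informational` alerts from this product are not turned into incidents.
 *     severityFilters: ["High"],
 * });
 * ```
 *
 * ## API Providers
 *
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.OperationalInsights` - 2023-12-01-preview
 *
 * ## Import
 *
 * Sentinel MS Security Incident Alert Rules can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:sentinel/alertRuleMsSecurityIncident:AlertRuleMsSecurityIncident example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1
 * ```
 */
export declare class AlertRuleMsSecurityIncident extends pulumi.CustomResource {
    /**
     * Get an existing AlertRuleMsSecurityIncident resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to look up.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AlertRuleMsSecurityIncidentState, opts?: pulumi.CustomResourceOptions): AlertRuleMsSecurityIncident;
    /**
     * Returns true if the given object is an instance of AlertRuleMsSecurityIncident. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is AlertRuleMsSecurityIncident;
    /**
     * The GUID of the alert rule template which is used to create this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
     */
    readonly alertRuleTemplateGuid: pulumi.Output<string | undefined>;
    /**
     * The description of this Sentinel MS Security Incident Alert Rule.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * The friendly name of this Sentinel MS Security Incident Alert Rule.
     */
    readonly displayName: pulumi.Output<string>;
    /**
     * Only create incidents when the alert display name doesn't contain text from this list.
     *
     * Matching is on contained text, so a short or generic entry suppresses incident creation for every alert
     * whose display name contains it. Keep entries specific and review changes to this list as detection changes.
     */
    readonly displayNameExcludeFilters: pulumi.Output<string[] | undefined>;
    /**
     * Only create incidents when the alert display name contains text from this list, leave empty to apply no filter.
     */
    readonly displayNameFilters: pulumi.Output<string[] | undefined>;
    /**
     * Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to `true`.
     *
     * A rule that is not enabled creates no incidents, so setting this to `false` removes incident creation
     * for the product named in `productFilter` while the resource itself still exists.
     */
    readonly enabled: pulumi.Output<boolean | undefined>;
    /**
     * The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
     */
    readonly logAnalyticsWorkspaceId: pulumi.Output<string>;
    /**
     * The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
     */
    readonly name: pulumi.Output<string>;
    /**
     * The Microsoft Security Service from where the alert will be generated. Possible values are `Azure Active Directory Identity Protection`, `Azure Advanced Threat Protection`, `Azure Security Center`, `Azure Security Center for IoT`, `Microsoft Cloud App Security`, `Microsoft Defender Advanced Threat Protection` and `Office 365 Advanced Threat Protection`.
     */
    readonly productFilter: pulumi.Output<string>;
    /**
     * Only create incidents from alerts when alert severity level is contained in this list. Possible values are `High`, `Medium`, `Low` and `Informational`.
     *
     * Alerts whose severity is not listed create no incident under this rule.
     *
     * > **Note:** At least one of the severity filters needs to be set.
     */
    readonly severityFilters: pulumi.Output<string[]>;
    /**
     * Create an AlertRuleMsSecurityIncident resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: AlertRuleMsSecurityIncidentArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering AlertRuleMsSecurityIncident resources.
 */
export interface AlertRuleMsSecurityIncidentState {
    /**
     * The GUID of the alert rule template which is used to create this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
     */
    alertRuleTemplateGuid?: pulumi.Input<string>;
    /**
     * The description of this Sentinel MS Security Incident Alert Rule.
     */
    description?: pulumi.Input<string>;
    /**
     * The friendly name of this Sentinel MS Security Incident Alert Rule.
     */
    displayName?: pulumi.Input<string>;
    /**
     * Only create incidents when the alert display name doesn't contain text from this list.
     */
    displayNameExcludeFilters?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Only create incidents when the alert display name contains text from this list, leave empty to apply no filter.
     */
    displayNameFilters?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to `true`.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
     */
    logAnalyticsWorkspaceId?: pulumi.Input<string>;
    /**
     * The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * The Microsoft Security Service from where the alert will be generated. Possible values are `Azure Active Directory Identity Protection`, `Azure Advanced Threat Protection`, `Azure Security Center`, `Azure Security Center for IoT`, `Microsoft Cloud App Security`, `Microsoft Defender Advanced Threat Protection` and `Office 365 Advanced Threat Protection`.
     */
    productFilter?: pulumi.Input<string>;
    /**
     * Only create incidents from alerts when alert severity level is contained in this list. Possible values are `High`, `Medium`, `Low` and `Informational`.
     *
     * > **Note:** At least one of the severity filters needs to be set.
     */
    severityFilters?: pulumi.Input<pulumi.Input<string>[]>;
}

/**
 * The set of arguments for constructing an AlertRuleMsSecurityIncident resource.
 *
 * `displayName`, `logAnalyticsWorkspaceId`, `productFilter` and `severityFilters` are required;
 * every other property is optional.
 */
export interface AlertRuleMsSecurityIncidentArgs {
    /**
     * The GUID of the alert rule template which is used to create this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
     */
    alertRuleTemplateGuid?: pulumi.Input<string>;
    /**
     * The description of this Sentinel MS Security Incident Alert Rule.
     */
    description?: pulumi.Input<string>;
    /**
     * The friendly name of this Sentinel MS Security Incident Alert Rule.
     */
    displayName: pulumi.Input<string>;
    /**
     * Only create incidents when the alert display name doesn't contain text from this list.
     *
     * Matching is on contained text, so a short or generic entry suppresses incident creation for every alert
     * whose display name contains it. Keep entries specific and review changes to this list as detection changes.
     */
    displayNameExcludeFilters?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Only create incidents when the alert display name contains text from this list, leave empty to apply no filter.
     */
    displayNameFilters?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to `true`.
     *
     * A rule that is not enabled creates no incidents, so setting this to `false` removes incident creation
     * for the product named in `productFilter` while the resource itself still exists.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
     */
    logAnalyticsWorkspaceId: pulumi.Input<string>;
    /**
     * The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * The Microsoft Security Service from where the alert will be generated. Possible values are `Azure Active Directory Identity Protection`, `Azure Advanced Threat Protection`, `Azure Security Center`, `Azure Security Center for IoT`, `Microsoft Cloud App Security`, `Microsoft Defender Advanced Threat Protection` and `Office 365 Advanced Threat Protection`.
     */
    productFilter: pulumi.Input<string>;
    /**
     * Only create incidents from alerts when alert severity level is contained in this list. Possible values are `High`, `Medium`, `Low` and `Informational`.
     *
     * Alerts whose severity is not listed create no incident under this rule.
     *
     * > **Note:** At least one of the severity filters needs to be set.
     */
    severityFilters: pulumi.Input<pulumi.Input<string>[]>;
}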