import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
// NOTE(review): several type arguments in this listing appear to have been stripped
// by extraction (e.g. `pulumi.Output` / `pulumi.Input` with no argument, and the
// dangling `pulumi.Input[]>`), so the declarations will not compile as shown.
// The block types referenced as "defined below" presumably live in the imported
// `inputs` / `outputs` modules — consult the published declaration file for the
// exact types.
/**
 * Manages a Sentinel NRT (near-real-time) Alert Rule.
 *
 * The `query` is the rule's detection logic; `enabled`, `suppressionEnabled` and
 * `suppressionDuration` control whether and when it runs. Changes to these
 * properties change detection coverage and should be reviewed as such.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "example-resources",
 *     location: "West Europe",
 * });
 * const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("example", {
 *     name: "example-workspace",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     sku: "pergb2018",
 * });
 * const exampleLogAnalyticsWorkspaceOnboarding = new azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", {workspaceId: exampleAnalyticsWorkspace.id});
 * const exampleAlertRuleNrt = new azure.sentinel.AlertRuleNrt("example", {
 *     name: "example",
 *     logAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.workspaceId,
 *     displayName: "example",
 *     severity: "High",
 *     query: `AzureActivity |
 *       where OperationName == \\"Create or Update Virtual Machine\\" or OperationName ==\\"Create Deployment\\" |
 *       where ActivityStatus == \\"Succeeded\\" |
 *       make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
 * `,
 * });
 * ```
 *
 * Note that in the example the workspace is first onboarded to Sentinel
 * (`LogAnalyticsWorkspaceOnboarding`) and the rule is attached to the onboarded
 * workspace's id.
 *
 * ## API Providers
 *
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.OperationalInsights` - 2023-12-01-preview
 *
 * ## Import
 *
 * Sentinel NRT Alert Rules can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:sentinel/alertRuleNrt:AlertRuleNrt example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1
 * ```
 */
export declare class AlertRuleNrt extends pulumi.CustomResource {
    /**
     * Get an existing AlertRuleNrt resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup. This reads existing state only; it does not
     * create or modify the rule.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input, state?: AlertRuleNrtState, opts?: pulumi.CustomResourceOptions): AlertRuleNrt;
    /**
     * Returns true if the given object is an instance of AlertRuleNrt. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process, which is why
     * the parameter is typed `any` rather than a concrete class.
     *
     * @param obj The value to test.
     * @returns A type predicate narrowing `obj` to `AlertRuleNrt`.
     */
    static isInstance(obj: any): obj is AlertRuleNrt;
    /**
     * An `alertDetailsOverride` block as defined below.
     */
    readonly alertDetailsOverrides: pulumi.Output;
    /**
     * The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
     */
    readonly alertRuleTemplateGuid: pulumi.Output;
    /**
     * The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
     */
    readonly alertRuleTemplateVersion: pulumi.Output;
    /**
     * A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
     * Because the referenced event values are copied into the alert records, avoid surfacing columns that carry sensitive data unless the alert consumers are meant to see it.
     */
    readonly customDetails: pulumi.Output<{ [key: string]: string; } | undefined>;
    /**
     * The description of this Sentinel NRT Alert Rule.
     */
    readonly description: pulumi.Output;
    /**
     * The friendly name of this Sentinel NRT Alert Rule.
     */
    readonly displayName: pulumi.Output;
    /**
     * Should the Sentinel NRT Alert Rule be enabled? Defaults to `true`.
     * A disabled rule produces no alerts, so `false` removes this detection from coverage.
     */
    readonly enabled: pulumi.Output;
    /**
     * A list of `entityMapping` blocks as defined below.
     */
    readonly entityMappings: pulumi.Output;
    /**
     * An `eventGrouping` block as defined below.
     */
    readonly eventGrouping: pulumi.Output;
    /**
     * An `incident` block as defined below.
     */
    readonly incident: pulumi.Output;
    /**
     * The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
     * In the example above this is taken from the `LogAnalyticsWorkspaceOnboarding` resource's `workspaceId`.
     */
    readonly logAnalyticsWorkspaceId: pulumi.Output;
    /**
     * The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
     */
    readonly name: pulumi.Output;
    /**
     * The query of this Sentinel NRT Alert Rule. This is the detection logic itself,
     * written in the Kusto query syntax shown in the example above; a change here changes
     * what the rule detects, so keep it under the same review as other security configuration.
     */
    readonly query: pulumi.Output;
    /**
     * A list of `sentinelEntityMapping` blocks as defined below.
     *
     * > **Note:** `entityMapping` and `sentinelEntityMapping` together can't exceed 5.
     */
    readonly sentinelEntityMappings: pulumi.Output;
    /**
     * The alert severity of this Sentinel NRT Alert Rule. Possible values are `High`, `Medium`, `Low` and `Informational`.
     */
    readonly severity: pulumi.Output;
    /**
     * If `suppressionEnabled` is `true`, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to `PT5H`.
     * While suppression is active the query is not run, so this duration is also the size of the detection gap that follows each alert.
     */
    readonly suppressionDuration: pulumi.Output;
    /**
     * Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to `false`.
     * See `suppressionDuration` for how long the query is paused.
     */
    readonly suppressionEnabled: pulumi.Output;
    /**
     * A list of categories of attacks by which to classify the rule. These are MITRE ATT&CK tactic names.
     * Possible values are `Collection`, `CommandAndControl`, `CredentialAccess`, `DefenseEvasion`, `Discovery`, `Execution`, `Exfiltration`, `Impact`, `ImpairProcessControl`, `InhibitResponseFunction`, `InitialAccess`, `LateralMovement`, `Persistence`, `PreAttack`, `PrivilegeEscalation`, `Reconnaissance` and `ResourceDevelopment`.
     */
    readonly tactics: pulumi.Output;
    /**
     * A list of techniques of attacks by which to classify the rule.
     * Presumably MITRE ATT&CK technique identifiers — confirm the accepted format against the provider documentation.
     */
    readonly techniques: pulumi.Output;
    /**
     * Create an AlertRuleNrt resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: AlertRuleNrtArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering AlertRuleNrt resources.
 * Every member is optional because a lookup may qualify on any subset of the state.
 */
export interface AlertRuleNrtState {
    /**
     * An `alertDetailsOverride` block as defined below.
     */
    alertDetailsOverrides?: pulumi.Input[]>;
    /**
     * The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
     */
    alertRuleTemplateGuid?: pulumi.Input;
    /**
     * The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
     */
    alertRuleTemplateVersion?: pulumi.Input;
    /**
     * A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
     */
    customDetails?: pulumi.Input<{ [key: string]: pulumi.Input; }>;
    /**
     * The description of this Sentinel NRT Alert Rule.
     */
    description?: pulumi.Input;
    /**
     * The friendly name of this Sentinel NRT Alert Rule.
     */
    displayName?: pulumi.Input;
    /**
     * Should the Sentinel NRT Alert Rule be enabled? Defaults to `true`.
     */
    enabled?: pulumi.Input;
    /**
     * A list of `entityMapping` blocks as defined below.
     */
    entityMappings?: pulumi.Input[]>;
    /**
     * An `eventGrouping` block as defined below.
     */
    eventGrouping?: pulumi.Input;
    /**
     * An `incident` block as defined below.
     */
    incident?: pulumi.Input;
    /**
     * The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
     */
    logAnalyticsWorkspaceId?: pulumi.Input;
    /**
     * The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
     */
    name?: pulumi.Input;
    /**
     * The query of this Sentinel NRT Alert Rule (the rule's detection logic).
     */
    query?: pulumi.Input;
    /**
     * A list of `sentinelEntityMapping` blocks as defined below.
     *
     * > **Note:** `entityMapping` and `sentinelEntityMapping` together can't exceed 5.
     */
    sentinelEntityMappings?: pulumi.Input[]>;
    /**
     * The alert severity of this Sentinel NRT Alert Rule. Possible values are `High`, `Medium`, `Low` and `Informational`.
     */
    severity?: pulumi.Input;
    /**
     * If `suppressionEnabled` is `true`, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to `PT5H`.
     */
    suppressionDuration?: pulumi.Input;
    /**
     * Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to `false`.
     */
    suppressionEnabled?: pulumi.Input;
    /**
     * A list of categories of attacks by which to classify the rule. These are MITRE ATT&CK tactic names.
     * Possible values are `Collection`, `CommandAndControl`, `CredentialAccess`, `DefenseEvasion`, `Discovery`, `Execution`, `Exfiltration`, `Impact`, `ImpairProcessControl`, `InhibitResponseFunction`, `InitialAccess`, `LateralMovement`, `Persistence`, `PreAttack`, `PrivilegeEscalation`, `Reconnaissance` and `ResourceDevelopment`.
     */
    tactics?: pulumi.Input[]>;
    /**
     * A list of techniques of attacks by which to classify the rule.
     * Presumably MITRE ATT&CK technique identifiers — confirm the accepted format against the provider documentation.
     */
    techniques?: pulumi.Input[]>;
}
/**
 * The set of arguments for constructing an AlertRuleNrt resource.
 * The non-optional members (`displayName`, `eventGrouping`, `logAnalyticsWorkspaceId`,
 * `query`, `severity`) must be supplied; everything else has a provider default or is unset.
 */
export interface AlertRuleNrtArgs {
    /**
     * An `alertDetailsOverride` block as defined below.
     */
    alertDetailsOverrides?: pulumi.Input[]>;
    /**
     * The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
     */
    alertRuleTemplateGuid?: pulumi.Input;
    /**
     * The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
     */
    alertRuleTemplateVersion?: pulumi.Input;
    /**
     * A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
     * Because the referenced event values are copied into the alert records, avoid surfacing columns that carry sensitive data unless the alert consumers are meant to see it.
     */
    customDetails?: pulumi.Input<{ [key: string]: pulumi.Input; }>;
    /**
     * The description of this Sentinel NRT Alert Rule.
     */
    description?: pulumi.Input;
    /**
     * The friendly name of this Sentinel NRT Alert Rule.
     */
    displayName: pulumi.Input;
    /**
     * Should the Sentinel NRT Alert Rule be enabled? Defaults to `true`.
     * A disabled rule produces no alerts, so `false` removes this detection from coverage.
     */
    enabled?: pulumi.Input;
    /**
     * A list of `entityMapping` blocks as defined below.
     */
    entityMappings?: pulumi.Input[]>;
    /**
     * An `eventGrouping` block as defined below.
     */
    eventGrouping: pulumi.Input;
    /**
     * An `incident` block as defined below.
     */
    incident?: pulumi.Input;
    /**
     * The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
     * In the example above this is taken from the `LogAnalyticsWorkspaceOnboarding` resource's `workspaceId`.
     */
    logAnalyticsWorkspaceId: pulumi.Input;
    /**
     * The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
     */
    name?: pulumi.Input;
    /**
     * The query of this Sentinel NRT Alert Rule. This is the detection logic itself,
     * written in the Kusto query syntax shown in the example above; a change here changes
     * what the rule detects, so keep it under the same review as other security configuration.
     */
    query: pulumi.Input;
    /**
     * A list of `sentinelEntityMapping` blocks as defined below.
     *
     * > **Note:** `entityMapping` and `sentinelEntityMapping` together can't exceed 5.
     */
    sentinelEntityMappings?: pulumi.Input[]>;
    /**
     * The alert severity of this Sentinel NRT Alert Rule. Possible values are `High`, `Medium`, `Low` and `Informational`.
     */
    severity: pulumi.Input;
    /**
     * If `suppressionEnabled` is `true`, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to `PT5H`.
     * While suppression is active the query is not run, so this duration is also the size of the detection gap that follows each alert.
     */
    suppressionDuration?: pulumi.Input;
    /**
     * Should the Sentinel NRT Alert Rule stop running the query after an alert is generated? Defaults to `false`.
     * See `suppressionDuration` for how long the query is paused.
     */
    suppressionEnabled?: pulumi.Input;
    /**
     * A list of categories of attacks by which to classify the rule. These are MITRE ATT&CK tactic names.
     * Possible values are `Collection`, `CommandAndControl`, `CredentialAccess`, `DefenseEvasion`, `Discovery`, `Execution`, `Exfiltration`, `Impact`, `ImpairProcessControl`, `InhibitResponseFunction`, `InitialAccess`, `LateralMovement`, `Persistence`, `PreAttack`, `PrivilegeEscalation`, `Reconnaissance` and `ResourceDevelopment`.
     */
    tactics?: pulumi.Input[]>;
    /**
     * A list of techniques of attacks by which to classify the rule.
     * Presumably MITRE ATT&CK technique identifiers — confirm the accepted format against the provider documentation.
     */
    techniques?: pulumi.Input[]>;
}