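import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * Manages a Sentinel Scheduled Alert Rule.
 *
 * A scheduled rule runs `query` against the workspace once every `queryFrequency`, over a
 * `queryPeriod` window of data, and raises an alert when the result count satisfies
 * `triggerOperator` / `triggerThreshold`. The duration properties constrain each other
 * (see the notes on `queryPeriod` and `suppressionDuration` below); getting them wrong
 * silently leaves gaps in detection coverage rather than failing the deployment.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "example-resources",
 *     location: "West Europe",
 * });
 * const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("example", {
 *     name: "example-workspace",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     sku: "PerGB2018",
 * });
 * const exampleLogAnalyticsWorkspaceOnboarding = new azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", {workspaceId: exampleAnalyticsWorkspace.id});
 * const exampleAlertRuleScheduled = new azure.sentinel.AlertRuleScheduled("example", {
 *     name: "example",
 *     logAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.workspaceId,
 *     displayName: "example",
 *     severity: "High",
 *     query: `AzureActivity |
 *   where OperationName == \\"Create or Update Virtual Machine\\" or OperationName ==\\"Create Deployment\\" |
 *   where ActivityStatus == \\"Succeeded\\" |
 *   make-series dcount(ResourceId)  default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
 * `,
 * });
 * ```
 *
 * ## API Providers
 *
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.OperationalInsights` - 2023-12-01-preview
 *
 * ## Import
 *
 * Sentinel Scheduled Alert Rules can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:sentinel/alertRuleScheduled:AlertRuleScheduled example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1
 * ```
 */
export declare class AlertRuleScheduled extends pulumi.CustomResource {
    /**
     * Get an existing AlertRuleScheduled resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AlertRuleScheduledState, opts?: pulumi.CustomResourceOptions): AlertRuleScheduled;
    /**
     * Returns true if the given object is an instance of AlertRuleScheduled. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is AlertRuleScheduled;
    /**
     * An `alertDetailsOverride` block as defined below.
     */
    readonly alertDetailsOverrides: pulumi.Output<outputs.sentinel.AlertRuleScheduledAlertDetailsOverride[] | undefined>;
    /**
     * The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
     */
    readonly alertRuleTemplateGuid: pulumi.Output<string | undefined>;
    /**
     * The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule.
     */
    readonly alertRuleTemplateVersion: pulumi.Output<string | undefined>;
    /**
     * A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
     * Because these values are copied into the alert payload, only attach columns that everyone able to read alerts should see.
     */
    readonly customDetails: pulumi.Output<{[key: string]: string} | undefined>;
    /**
     * The description of this Sentinel Scheduled Alert Rule.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * The friendly name of this Sentinel Scheduled Alert Rule.
     */
    readonly displayName: pulumi.Output<string>;
    /**
     * Should the Sentinel Scheduled Alert Rule be enabled? Defaults to `true`.
     */
    readonly enabled: pulumi.Output<boolean | undefined>;
    /**
     * A list of `entityMapping` blocks as defined below.
     */
    readonly entityMappings: pulumi.Output<outputs.sentinel.AlertRuleScheduledEntityMapping[] | undefined>;
    /**
     * An `eventGrouping` block as defined below.
     */
    readonly eventGrouping: pulumi.Output<outputs.sentinel.AlertRuleScheduledEventGrouping | undefined>;
    /**
     * An `incident` block as defined below.
     */
    readonly incident: pulumi.Output<outputs.sentinel.AlertRuleScheduledIncident | undefined>;
    /**
     * The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to (typically the `workspaceId` of a `sentinel.LogAnalyticsWorkspaceOnboarding`, as in the example above). Changing this forces a new Sentinel Scheduled Alert Rule to be created.
     */
    readonly logAnalyticsWorkspaceId: pulumi.Output<string>;
    /**
     * The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
     */
    readonly name: pulumi.Output<string>;
    /**
     * The query of this Sentinel Scheduled Alert Rule (Kusto query text, as in the example above). This is the rule's detection logic, so changes to it should be reviewed with the same care as code.
     */
    readonly query: pulumi.Output<string>;
    /**
     * The ISO 8601 timespan duration between two consecutive queries. Defaults to `PT5H`.
     */
    readonly queryFrequency: pulumi.Output<string | undefined>;
    /**
     * The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to `PT5H`.
     *
     * > **Note:** `queryPeriod` must be greater than or equal to `queryFrequency`, which ensures there are no gaps in the overall query coverage.
     */
    readonly queryPeriod: pulumi.Output<string | undefined>;
    /**
     * A list of `sentinelEntityMapping` blocks as defined below.
     *
     * > **Note:** `entityMapping` and `sentinelEntityMapping` together can't exceed 10.
     */
    readonly sentinelEntityMappings: pulumi.Output<outputs.sentinel.AlertRuleScheduledSentinelEntityMapping[] | undefined>;
    /**
     * The alert severity of this Sentinel Scheduled Alert Rule. Possible values are `High`, `Medium`, `Low` and `Informational`.
     */
    readonly severity: pulumi.Output<string>;
    /**
     * If `suppressionEnabled` is `true`, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to `PT5H`.
     *
     * > **Note:** `suppressionDuration` must be greater than or equal to `queryFrequency`, otherwise the suppression has no actual effect since no query will happen during the suppression duration.
     */
    readonly suppressionDuration: pulumi.Output<string | undefined>;
    /**
     * Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to `false`.
     */
    readonly suppressionEnabled: pulumi.Output<boolean | undefined>;
    /**
     * A list of categories of attacks by which to classify the rule. Possible values are `Collection`, `CommandAndControl`, `CredentialAccess`, `DefenseEvasion`, `Discovery`, `Execution`, `Exfiltration`, `ImpairProcessControl`, `InhibitResponseFunction`, `Impact`, `InitialAccess`, `LateralMovement`, `Persistence`, `PrivilegeEscalation`, `PreAttack`, `Reconnaissance` and `ResourceDevelopment`.
     */
    readonly tactics: pulumi.Output<string[] | undefined>;
    /**
     * A list of techniques of attacks by which to classify the rule.
     */
    readonly techniques: pulumi.Output<string[] | undefined>;
    /**
     * The alert trigger operator, combined with `triggerThreshold`, setting the alert threshold of this Sentinel Scheduled Alert Rule. Possible values are `Equal`, `GreaterThan`, `LessThan`, `NotEqual`. Defaults to `GreaterThan`.
     */
    readonly triggerOperator: pulumi.Output<string | undefined>;
    /**
     * The baseline number of query results generated, combined with `triggerOperator`, setting the alert threshold of this Sentinel Scheduled Alert Rule. Defaults to `0`.
     * With both defaults (`GreaterThan` / `0`) any non-empty query result raises an alert.
     */
    readonly triggerThreshold: pulumi.Output<number | undefined>;
    /**
     * Create an AlertRuleScheduled resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: AlertRuleScheduledArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering AlertRuleScheduled resources.
 */
export interface AlertRuleScheduledState {
    /**
     * An `alertDetailsOverride` block as defined below.
     */
    alertDetailsOverrides?: pulumi.Input<pulumi.Input<inputs.sentinel.AlertRuleScheduledAlertDetailsOverride>[]>;
    /**
     * The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
     */
    alertRuleTemplateGuid?: pulumi.Input<string>;
    /**
     * The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule.
     */
    alertRuleTemplateVersion?: pulumi.Input<string>;
    /**
     * A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
     */
    customDetails?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
    /**
     * The description of this Sentinel Scheduled Alert Rule.
     */
    description?: pulumi.Input<string>;
    /**
     * The friendly name of this Sentinel Scheduled Alert Rule.
     */
    displayName?: pulumi.Input<string>;
    /**
     * Should the Sentinel Scheduled Alert Rule be enabled? Defaults to `true`.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * A list of `entityMapping` blocks as defined below.
     */
    entityMappings?: pulumi.Input<pulumi.Input<inputs.sentinel.AlertRuleScheduledEntityMapping>[]>;
    /**
     * An `eventGrouping` block as defined below.
     */
    eventGrouping?: pulumi.Input<inputs.sentinel.AlertRuleScheduledEventGrouping>;
    /**
     * An `incident` block as defined below.
     */
    incident?: pulumi.Input<inputs.sentinel.AlertRuleScheduledIncident>;
    /**
     * The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
     */
    logAnalyticsWorkspaceId?: pulumi.Input<string>;
    /**
     * The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * The query of this Sentinel Scheduled Alert Rule.
     */
    query?: pulumi.Input<string>;
    /**
     * The ISO 8601 timespan duration between two consecutive queries. Defaults to `PT5H`.
     */
    queryFrequency?: pulumi.Input<string>;
    /**
     * The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to `PT5H`.
     *
     * > **Note:** `queryPeriod` must be greater than or equal to `queryFrequency`, which ensures there are no gaps in the overall query coverage.
     */
    queryPeriod?: pulumi.Input<string>;
    /**
     * A list of `sentinelEntityMapping` blocks as defined below.
     *
     * > **Note:** `entityMapping` and `sentinelEntityMapping` together can't exceed 10.
     */
    sentinelEntityMappings?: pulumi.Input<pulumi.Input<inputs.sentinel.AlertRuleScheduledSentinelEntityMapping>[]>;
    /**
     * The alert severity of this Sentinel Scheduled Alert Rule. Possible values are `High`, `Medium`, `Low` and `Informational`.
     */
    severity?: pulumi.Input<string>;
    /**
     * If `suppressionEnabled` is `true`, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to `PT5H`.
     *
     * > **Note:** `suppressionDuration` must be greater than or equal to `queryFrequency`, otherwise the suppression has no actual effect since no query will happen during the suppression duration.
     */
    suppressionDuration?: pulumi.Input<string>;
    /**
     * Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to `false`.
     */
    suppressionEnabled?: pulumi.Input<boolean>;
    /**
     * A list of categories of attacks by which to classify the rule. Possible values are `Collection`, `CommandAndControl`, `CredentialAccess`, `DefenseEvasion`, `Discovery`, `Execution`, `Exfiltration`, `ImpairProcessControl`, `InhibitResponseFunction`, `Impact`, `InitialAccess`, `LateralMovement`, `Persistence`, `PrivilegeEscalation`, `PreAttack`, `Reconnaissance` and `ResourceDevelopment`.
     */
    tactics?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A list of techniques of attacks by which to classify the rule.
     */
    techniques?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The alert trigger operator, combined with `triggerThreshold`, setting the alert threshold of this Sentinel Scheduled Alert Rule. Possible values are `Equal`, `GreaterThan`, `LessThan`, `NotEqual`. Defaults to `GreaterThan`.
     */
    triggerOperator?: pulumi.Input<string>;
    /**
     * The baseline number of query results generated, combined with `triggerOperator`, setting the alert threshold of this Sentinel Scheduled Alert Rule. Defaults to `0`.
     */
    triggerThreshold?: pulumi.Input<number>;
}
/**
 * The set of arguments for constructing an AlertRuleScheduled resource.
 * `displayName`, `logAnalyticsWorkspaceId`, `query` and `severity` are required; everything else is optional.
 */
export interface AlertRuleScheduledArgs {
    /**
     * An `alertDetailsOverride` block as defined below.
     */
    alertDetailsOverrides?: pulumi.Input<pulumi.Input<inputs.sentinel.AlertRuleScheduledAlertDetailsOverride>[]>;
    /**
     * The GUID of the alert rule template which is used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
     */
    alertRuleTemplateGuid?: pulumi.Input<string>;
    /**
     * The version of the alert rule template which is used for this Sentinel Scheduled Alert Rule.
     */
    alertRuleTemplateVersion?: pulumi.Input<string>;
    /**
     * A map of string key-value pairs of columns to be attached to this Sentinel Scheduled Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
     * Because these values are copied into the alert payload, only attach columns that everyone able to read alerts should see.
     */
    customDetails?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
    /**
     * The description of this Sentinel Scheduled Alert Rule.
     */
    description?: pulumi.Input<string>;
    /**
     * The friendly name of this Sentinel Scheduled Alert Rule.
     */
    displayName: pulumi.Input<string>;
    /**
     * Should the Sentinel Scheduled Alert Rule be enabled? Defaults to `true`.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * A list of `entityMapping` blocks as defined below.
     */
    entityMappings?: pulumi.Input<pulumi.Input<inputs.sentinel.AlertRuleScheduledEntityMapping>[]>;
    /**
     * An `eventGrouping` block as defined below.
     */
    eventGrouping?: pulumi.Input<inputs.sentinel.AlertRuleScheduledEventGrouping>;
    /**
     * An `incident` block as defined below.
     */
    incident?: pulumi.Input<inputs.sentinel.AlertRuleScheduledIncident>;
    /**
     * The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to (typically the `workspaceId` of a `sentinel.LogAnalyticsWorkspaceOnboarding`, as in the example above). Changing this forces a new Sentinel Scheduled Alert Rule to be created.
     */
    logAnalyticsWorkspaceId: pulumi.Input<string>;
    /**
     * The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * The query of this Sentinel Scheduled Alert Rule (Kusto query text, as in the example above). This is the rule's detection logic, so changes to it should be reviewed with the same care as code.
     */
    query: pulumi.Input<string>;
    /**
     * The ISO 8601 timespan duration between two consecutive queries. Defaults to `PT5H`.
     */
    queryFrequency?: pulumi.Input<string>;
    /**
     * The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to `PT5H`.
     *
     * > **Note:** `queryPeriod` must be greater than or equal to `queryFrequency`, which ensures there are no gaps in the overall query coverage.
     */
    queryPeriod?: pulumi.Input<string>;
    /**
     * A list of `sentinelEntityMapping` blocks as defined below.
     *
     * > **Note:** `entityMapping` and `sentinelEntityMapping` together can't exceed 10.
     */
    sentinelEntityMappings?: pulumi.Input<pulumi.Input<inputs.sentinel.AlertRuleScheduledSentinelEntityMapping>[]>;
    /**
     * The alert severity of this Sentinel Scheduled Alert Rule. Possible values are `High`, `Medium`, `Low` and `Informational`.
     */
    severity: pulumi.Input<string>;
    /**
     * If `suppressionEnabled` is `true`, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to `PT5H`.
     *
     * > **Note:** `suppressionDuration` must be greater than or equal to `queryFrequency`, otherwise the suppression has no actual effect since no query will happen during the suppression duration.
     */
    suppressionDuration?: pulumi.Input<string>;
    /**
     * Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to `false`.
     */
    suppressionEnabled?: pulumi.Input<boolean>;
    /**
     * A list of categories of attacks by which to classify the rule. Possible values are `Collection`, `CommandAndControl`, `CredentialAccess`, `DefenseEvasion`, `Discovery`, `Execution`, `Exfiltration`, `ImpairProcessControl`, `InhibitResponseFunction`, `Impact`, `InitialAccess`, `LateralMovement`, `Persistence`, `PrivilegeEscalation`, `PreAttack`, `Reconnaissance` and `ResourceDevelopment`.
     */
    tactics?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A list of techniques of attacks by which to classify the rule.
     */
    techniques?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The alert trigger operator, combined with `triggerThreshold`, setting the alert threshold of this Sentinel Scheduled Alert Rule. Possible values are `Equal`, `GreaterThan`, `LessThan`, `NotEqual`. Defaults to `GreaterThan`.
     */
    triggerOperator?: pulumi.Input<string>;
    /**
     * The baseline number of query results generated, combined with `triggerOperator`, setting the alert threshold of this Sentinel Scheduled Alert Rule. Defaults to `0`.
     * With both defaults (`GreaterThan` / `0`) any non-empty query result raises an alert.
     */
    triggerThreshold?: pulumi.Input<number>;
}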