AlertRuleScheduled

Manages a Sentinel Scheduled Alert Rule.

Example Usage

using Pulumi;
using Azure = Pulumi.Azure;

class MyStack : Stack
{
    public MyStack()
    {
        var exampleResourceGroup = new Azure.Core.ResourceGroup("exampleResourceGroup", new Azure.Core.ResourceGroupArgs
        {
            Location = "West Europe",
        });
        var exampleAnalyticsWorkspace = new Azure.OperationalInsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", new Azure.OperationalInsights.AnalyticsWorkspaceArgs
        {
            Location = exampleResourceGroup.Location,
            ResourceGroupName = exampleResourceGroup.Name,
            Sku = "pergb2018",
        });
        var exampleAlertRuleScheduled = new Azure.Sentinel.AlertRuleScheduled("exampleAlertRuleScheduled", new Azure.Sentinel.AlertRuleScheduledArgs
        {
            LogAnalyticsWorkspaceId = exampleAnalyticsWorkspace.Id,
            DisplayName = "example",
            Severity = "High",
            Query = @"AzureActivity |
  where OperationName == ""Create or Update Virtual Machine"" or OperationName ==""Create Deployment"" |
  where ActivityStatus == ""Succeeded"" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
",
        });
    }

}

package main

import (
    "fmt"

    "github.com/pulumi/pulumi-azure/sdk/v3/go/azure/core"
    "github.com/pulumi/pulumi-azure/sdk/v3/go/azure/operationalinsights"
    "github.com/pulumi/pulumi-azure/sdk/v3/go/azure/sentinel"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        exampleResourceGroup, err := core.NewResourceGroup(ctx, "exampleResourceGroup", &core.ResourceGroupArgs{
            Location: pulumi.String("West Europe"),
        })
        if err != nil {
            return err
        }
        exampleAnalyticsWorkspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "exampleAnalyticsWorkspace", &operationalinsights.AnalyticsWorkspaceArgs{
            Location:          exampleResourceGroup.Location,
            ResourceGroupName: exampleResourceGroup.Name,
            Sku:               pulumi.String("pergb2018"),
        })
        if err != nil {
            return err
        }
        _, err = sentinel.NewAlertRuleScheduled(ctx, "exampleAlertRuleScheduled", &sentinel.AlertRuleScheduledArgs{
            LogAnalyticsWorkspaceId: exampleAnalyticsWorkspace.ID(),
            DisplayName:             pulumi.String("example"),
            Severity:                pulumi.String("High"),
            Query:                   pulumi.String(fmt.Sprintf("%v%v%v%v", "AzureActivity |\n", "  where OperationName == \"Create or Update Virtual Machine\" or OperationName ==\"Create Deployment\" |\n", "  where ActivityStatus == \"Succeeded\" |\n", "  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller\n")),
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_azure as azure

example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    sku="pergb2018")
example_alert_rule_scheduled = azure.sentinel.AlertRuleScheduled("exampleAlertRuleScheduled",
    log_analytics_workspace_id=example_analytics_workspace.id,
    display_name="example",
    severity="High",
    query="""AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
""")

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    sku: "pergb2018",
});
const exampleAlertRuleScheduled = new azure.sentinel.AlertRuleScheduled("exampleAlertRuleScheduled", {
    logAnalyticsWorkspaceId: exampleAnalyticsWorkspace.id,
    displayName: "example",
    severity: "High",
    query: `AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
`,
});

Create a AlertRuleScheduled Resource

new AlertRuleScheduled(name: string, args: AlertRuleScheduledArgs, opts?: CustomResourceOptions);

def AlertRuleScheduled(resource_name, opts=None, description=None, display_name=None, enabled=None, log_analytics_workspace_id=None, name=None, query=None, query_frequency=None, query_period=None, severity=None, suppression_duration=None, suppression_enabled=None, tactics=None, trigger_operator=None, trigger_threshold=None, __props__=None);

func NewAlertRuleScheduled(ctx *Context, name string, args AlertRuleScheduledArgs, opts ...ResourceOption) (*AlertRuleScheduled, error)

public AlertRuleScheduled(string name, AlertRuleScheduledArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args AlertRuleScheduledArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AlertRuleScheduledArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AlertRuleScheduledArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

AlertRuleScheduled Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The AlertRuleScheduled resource accepts the following input properties:

DisplayName string: The friendly name of this Sentinel Scheduled Alert Rule.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Query string: The query of this Sentinel Scheduled Alert Rule.
Severity string: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
Description string: The description of this Sentinel Scheduled Alert Rule.
Enabled bool: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
Name string: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
QueryFrequency string: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
QueryPeriod string: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics List<string>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
TriggerOperator string: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
TriggerThreshold int: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

DisplayName string: The friendly name of this Sentinel Scheduled Alert Rule.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Query string: The query of this Sentinel Scheduled Alert Rule.
Severity string: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
Description string: The description of this Sentinel Scheduled Alert Rule.
Enabled bool: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
Name string: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
QueryFrequency string: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
QueryPeriod string: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics []string: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
TriggerOperator string: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
TriggerThreshold int: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

displayName string: The friendly name of this Sentinel Scheduled Alert Rule.
logAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
query string: The query of this Sentinel Scheduled Alert Rule.
severity string: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
description string: The description of this Sentinel Scheduled Alert Rule.
enabled boolean: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
name string: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
queryFrequency string: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
queryPeriod string: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
suppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled boolean: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
tactics string[]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
triggerOperator string: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
triggerThreshold number: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

display_name str: The friendly name of this Sentinel Scheduled Alert Rule.
log_analytics_workspace_id str: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
query str: The query of this Sentinel Scheduled Alert Rule.
severity str: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
description str: The description of this Sentinel Scheduled Alert Rule.
enabled bool: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
name str: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
query_frequency str: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
query_period str: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
suppression_duration str: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppression_enabled bool: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
tactics List[str]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
trigger_operator str: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
trigger_threshold float: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

Outputs

All input properties are implicitly available as output properties. Additionally, the AlertRuleScheduled resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

Look up an Existing AlertRuleScheduled Resource

Get an existing AlertRuleScheduled resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AlertRuleScheduledState, opts?: CustomResourceOptions): AlertRuleScheduled

static get(resource_name, id, opts=None, description=None, display_name=None, enabled=None, log_analytics_workspace_id=None, name=None, query=None, query_frequency=None, query_period=None, severity=None, suppression_duration=None, suppression_enabled=None, tactics=None, trigger_operator=None, trigger_threshold=None, __props__=None);

func GetAlertRuleScheduled(ctx *Context, name string, id IDInput, state *AlertRuleScheduledState, opts ...ResourceOption) (*AlertRuleScheduled, error)

public static AlertRuleScheduled Get(string name, Input<string> id, AlertRuleScheduledState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Description string: The description of this Sentinel Scheduled Alert Rule.
DisplayName string: The friendly name of this Sentinel Scheduled Alert Rule.
Enabled bool: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Name string: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Query string: The query of this Sentinel Scheduled Alert Rule.
QueryFrequency string: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
QueryPeriod string: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
Severity string: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics List<string>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
TriggerOperator string: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
TriggerThreshold int: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

Description string: The description of this Sentinel Scheduled Alert Rule.
DisplayName string: The friendly name of this Sentinel Scheduled Alert Rule.
Enabled bool: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Name string: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
Query string: The query of this Sentinel Scheduled Alert Rule.
QueryFrequency string: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
QueryPeriod string: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
Severity string: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics []string: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
TriggerOperator string: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
TriggerThreshold int: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

description string: The description of this Sentinel Scheduled Alert Rule.
displayName string: The friendly name of this Sentinel Scheduled Alert Rule.
enabled boolean: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
logAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
name string: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
query string: The query of this Sentinel Scheduled Alert Rule.
queryFrequency string: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
queryPeriod string: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
severity string: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
suppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled boolean: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
tactics string[]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
triggerOperator string: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
triggerThreshold number: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

description str: The description of this Sentinel Scheduled Alert Rule.
display_name str: The friendly name of this Sentinel Scheduled Alert Rule.
enabled bool: Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.
log_analytics_workspace_id str: The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
name str: The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.
query str: The query of this Sentinel Scheduled Alert Rule.
query_frequency str: The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.
query_period str: The ISO 8601 timespan duration, which determine the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.
severity str: The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.
suppression_duration str: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppression_enabled bool: Should the Sentinel Scheduled Alert Rulea stop running query after alert is generated? Defaults to false.
tactics List[str]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.
trigger_operator str: The alert trigger operator, combined with trigger_threshold, setting alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.
trigger_threshold float: The baseline number of query results generated, combined with trigger_operator, setting alert threshold of this Sentinel Scheduled Alert Rule.

Package Details

Repository: https://github.com/pulumi/pulumi-azure
License: Apache-2.0
Notes: This Pulumi package is based on the azurerm Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud