Module sentinel

This page documents the language specification for the azure package. If you're looking for help working with the inputs, outputs, or functions of azure resources in a Pulumi program, please see the resource documentation for examples and API reference.

Resources

Functions

Others

Resources

Resource AlertRuleMsSecurityIncident

class AlertRuleMsSecurityIncident extends CustomResource

Manages a Sentinel MS Security Incident Alert Rule.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    sku: "pergb2018",
});
const exampleAlertRuleMsSecurityIncident = new azure.sentinel.AlertRuleMsSecurityIncident("exampleAlertRuleMsSecurityIncident", {
    logAnalyticsWorkspaceId: exampleAnalyticsWorkspace.id,
    productFilter: "Microsoft Cloud App Security",
    displayName: "example rule",
    severityFilters: ["High"],
});

constructor

new AlertRuleMsSecurityIncident(name: string, args: AlertRuleMsSecurityIncidentArgs, opts?: pulumi.CustomResourceOptions)

Create an AlertRuleMsSecurityIncident resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AlertRuleMsSecurityIncidentState, opts?: pulumi.CustomResourceOptions): AlertRuleMsSecurityIncident

Get an existing AlertRuleMsSecurityIncident resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AlertRuleMsSecurityIncident

Returns true if the given object is an instance of AlertRuleMsSecurityIncident. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property description

public description: pulumi.Output<string | undefined>;

The description of this Sentinel MS Security Incident Alert Rule.

property displayName

public displayName: pulumi.Output<string>;

The friendly name of this Sentinel MS Security Incident Alert Rule.

property enabled

public enabled: pulumi.Output<boolean | undefined>;

Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to true.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property logAnalyticsWorkspaceId

public logAnalyticsWorkspaceId: pulumi.Output<string>;

The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.

property name

public name: pulumi.Output<string>;

The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.

property productFilter

public productFilter: pulumi.Output<string>;

The Microsoft Security Service from where the alert will be generated. Possible values are Azure Active Directory Identity Protection, Azure Advanced Threat Protection, Azure Security Center, Azure Security Center for IoT and Microsoft Cloud App Security.

property severityFilters

public severityFilters: pulumi.Output<string[]>;

Only create incidents from alerts whose severity level is in this list. Possible values are High, Medium, Low and Informational.

property textWhitelists

public textWhitelists: pulumi.Output<string[] | undefined>;

Only create incidents from alerts whose name contains one of the strings in this list. No filtering is applied if this field is absent.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
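To make the three filters of an AlertRuleMsSecurityIncident concrete (productFilter, severityFilters and textWhitelists must all match before an alert becomes an incident), here is an added example that is not Pulumi's or the azure provider's code: a small local model you can run offline to see which alerts a given filter configuration would promote, and to catch invalid enumeration values before a deployment. The SecurityAlert shape, the sample alerts, and the treatment of an empty textWhitelists list as "no filter" are assumptions made for this example; the allowed values are the ones listed on this page.

```typescript
// Allowed values, as documented for AlertRuleMsSecurityIncident.
const PRODUCT_FILTERS = [
  "Azure Active Directory Identity Protection",
  "Azure Advanced Threat Protection",
  "Azure Security Center",
  "Azure Security Center for IoT",
  "Microsoft Cloud App Security",
] as const;
const SEVERITIES = ["High", "Medium", "Low", "Informational"] as const;

type ProductFilter = (typeof PRODUCT_FILTERS)[number];
type Severity = (typeof SEVERITIES)[number];

// Mirrors the fields of AlertRuleMsSecurityIncidentArgs that decide incident creation.
interface IncidentRuleFilters {
  productFilter: ProductFilter;
  severityFilters: Severity[];
  textWhitelists?: string[];
}

// Assumed minimal alert shape for this example; real alerts carry many more fields.
interface SecurityAlert {
  product: string;
  severity: string;
  name: string;
}

// Reject configurations the provider would not accept, before running `pulumi up`.
function validateIncidentRule(f: IncidentRuleFilters): string[] {
  const errors: string[] = [];
  if (!PRODUCT_FILTERS.includes(f.productFilter)) errors.push(`unknown productFilter: ${f.productFilter}`);
  if (f.severityFilters.length === 0) errors.push("severityFilters must not be empty");
  for (const s of f.severityFilters) if (!SEVERITIES.includes(s)) errors.push(`unknown severity: ${s}`);
  return errors;
}

// An alert becomes an incident only if every configured filter matches.
function wouldCreateIncident(f: IncidentRuleFilters, a: SecurityAlert): boolean {
  if (a.product !== f.productFilter) return false;
  if (!f.severityFilters.includes(a.severity as Severity)) return false;
  // textWhitelists absent means no name filtering (per the docs); an empty list is
  // treated the same way here, which is an assumption of this example.
  if (f.textWhitelists && f.textWhitelists.length > 0) {
    return f.textWhitelists.some(t => a.name.includes(t));
  }
  return true;
}

function selectIncidents(f: IncidentRuleFilters, alerts: SecurityAlert[]): SecurityAlert[] {
  return alerts.filter(a => wouldCreateIncident(f, a));
}

// Constructed sample alerts (not real telemetry).
const SAMPLE_ALERTS: SecurityAlert[] = [
  { product: "Microsoft Cloud App Security", severity: "High", name: "Impossible travel activity" },
  { product: "Microsoft Cloud App Security", severity: "Medium", name: "Mass download by a single user" },
  { product: "Azure Security Center", severity: "High", name: "Suspicious process executed" },
  { product: "Microsoft Cloud App Security", severity: "High", name: "Activity from anonymous IP address" },
];

// The filter configuration from this page's example usage: MCAS alerts of High severity, no name filter.
const PAGE_RULE: IncidentRuleFilters = {
  productFilter: "Microsoft Cloud App Security",
  severityFilters: ["High"],
};

// Two of the four sample alerts pass PAGE_RULE; adding textWhitelists: ["anonymous"] narrows it to one.
console.log(selectIncidents(PAGE_RULE, SAMPLE_ALERTS).map(a => a.name));
```

Running validateIncidentRule over your rule definitions in a unit test is a cheap way to keep a typo in productFilter or severityFilters from surfacing only at deploy time; note that the severity filter is an allow-list, so a rule that lists only High silently drops Medium and Low alerts from the same product.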

Resource AlertRuleScheduled

class AlertRuleScheduled extends CustomResource

Manages a Sentinel Scheduled Alert Rule.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    sku: "pergb2018",
});
const exampleAlertRuleScheduled = new azure.sentinel.AlertRuleScheduled("exampleAlertRuleScheduled", {
    logAnalyticsWorkspaceId: exampleAnalyticsWorkspace.id,
    displayName: "example",
    severity: "High",
    query: `AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
`,
});

constructor

new AlertRuleScheduled(name: string, args: AlertRuleScheduledArgs, opts?: pulumi.CustomResourceOptions)

Create an AlertRuleScheduled resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AlertRuleScheduledState, opts?: pulumi.CustomResourceOptions): AlertRuleScheduled

Get an existing AlertRuleScheduled resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AlertRuleScheduled

Returns true if the given object is an instance of AlertRuleScheduled. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property description

public description: pulumi.Output<string | undefined>;

The description of this Sentinel Scheduled Alert Rule.

property displayName

public displayName: pulumi.Output<string>;

The friendly name of this Sentinel Scheduled Alert Rule.

property enabled

public enabled: pulumi.Output<boolean | undefined>;

Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property logAnalyticsWorkspaceId

public logAnalyticsWorkspaceId: pulumi.Output<string>;

The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

property name

public name: pulumi.Output<string>;

The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

property query

public query: pulumi.Output<string>;

The query of this Sentinel Scheduled Alert Rule.

property queryFrequency

public queryFrequency: pulumi.Output<string | undefined>;

The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.

property queryPeriod

public queryPeriod: pulumi.Output<string | undefined>;

The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.

property severity

public severity: pulumi.Output<string>;

The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.

property suppressionDuration

public suppressionDuration: pulumi.Output<string | undefined>;

If suppressionEnabled is true, this is the ISO 8601 timespan duration specifying how long the query should stop running after an alert is generated. Defaults to PT5H.

property suppressionEnabled

public suppressionEnabled: pulumi.Output<boolean | undefined>;

Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to false.

property tactics

public tactics: pulumi.Output<string[] | undefined>;

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.

property triggerOperator

public triggerOperator: pulumi.Output<string | undefined>;

The alert trigger operator which, combined with triggerThreshold, sets the alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.

property triggerThreshold

public triggerThreshold: pulumi.Output<number | undefined>;

The baseline number of query results which, combined with triggerOperator, sets the alert threshold of this Sentinel Scheduled Alert Rule.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
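The scheduling and trigger properties above (queryFrequency, queryPeriod, triggerOperator, triggerThreshold, suppressionDuration, tactics) interact in ways that are easy to get wrong in a resource definition, so here is an added example, not Pulumi's or the azure provider's code, that models them locally: it parses the ISO 8601 durations the rule uses, evaluates the trigger operator against a result count, and lints a rule definition before `pulumi up`. The ScheduledRuleArgs shape mirrors this page's AlertRuleScheduledArgs; the PT5H defaults come from this page, while the GreaterThan / 0 trigger defaults and the sample rule are assumptions of this example. The coverage-gap check goes beyond the page: a queryPeriod shorter than queryFrequency means some data is never examined by any run.

```typescript
// Allowed values, as documented for AlertRuleScheduled.
const TRIGGER_OPERATORS = ["Equal", "GreaterThan", "LessThan", "NotEqual"] as const;
const RULE_SEVERITIES = ["High", "Medium", "Low", "Informational"] as const;
const TACTICS = ["Collection", "CommandAndControl", "CredentialAccess", "DefenseEvasion", "Discovery",
  "Execution", "Exfiltration", "Impact", "InitialAccess", "LateralMovement", "Persistence",
  "PrivilegeEscalation"] as const;

type TriggerOperator = (typeof TRIGGER_OPERATORS)[number];

// Mirrors AlertRuleScheduledArgs from this page (plain strings instead of pulumi.Input).
interface ScheduledRuleArgs {
  displayName: string;
  query: string;
  severity: string;
  queryFrequency?: string;      // ISO 8601 duration, defaults to PT5H
  queryPeriod?: string;         // ISO 8601 duration, defaults to PT5H
  triggerOperator?: string;
  triggerThreshold?: number;
  suppressionEnabled?: boolean;
  suppressionDuration?: string; // ISO 8601 duration, defaults to PT5H
  tactics?: string[];
}

// Parse the ISO 8601 duration subset these rules use (PT5H, PT10M, P1D, P1DT12H) into seconds.
function parseIsoDurationSeconds(d: string): number {
  const m = /^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$/.exec(d);
  if (!m || d === "P" || d === "PT") throw new Error(`unsupported ISO 8601 duration: ${d}`);
  const [, days, hours, mins, secs] = m;
  return +(days ?? 0) * 86400 + +(hours ?? 0) * 3600 + +(mins ?? 0) * 60 + +(secs ?? 0);
}

// Decide whether a run that returned `resultCount` rows fires an alert.
// The GreaterThan / 0 defaults are an assumption of this example.
function shouldTrigger(resultCount: number, operator: TriggerOperator = "GreaterThan", threshold = 0): boolean {
  switch (operator) {
    case "Equal": return resultCount === threshold;
    case "GreaterThan": return resultCount > threshold;
    case "LessThan": return resultCount < threshold;
    case "NotEqual": return resultCount !== threshold;
    default: throw new Error(`unknown triggerOperator: ${operator}`);
  }
}

// Returns the problems found; an empty list means the definition is consistent.
function lintScheduledRule(r: ScheduledRuleArgs): string[] {
  const problems: string[] = [];
  if (!RULE_SEVERITIES.includes(r.severity as any)) problems.push(`unknown severity: ${r.severity}`);
  if (r.triggerOperator !== undefined && !TRIGGER_OPERATORS.includes(r.triggerOperator as any))
    problems.push(`unknown triggerOperator: ${r.triggerOperator}`);
  for (const t of r.tactics ?? []) if (!TACTICS.includes(t as any)) problems.push(`unknown tactic: ${t}`);
  let freq = 0, period = 0;
  try { freq = parseIsoDurationSeconds(r.queryFrequency ?? "PT5H"); } catch (e) { problems.push(String(e)); }
  try { period = parseIsoDurationSeconds(r.queryPeriod ?? "PT5H"); } catch (e) { problems.push(String(e)); }
  // A lookback shorter than the run interval leaves windows of data that no run ever examines.
  if (freq && period && period < freq)
    problems.push(`queryPeriod ${r.queryPeriod} is shorter than queryFrequency ${r.queryFrequency}: coverage gaps`);
  if (r.suppressionEnabled) {
    try { parseIsoDurationSeconds(r.suppressionDuration ?? "PT5H"); } catch (e) { problems.push(String(e)); }
  }
  if (r.triggerThreshold !== undefined && (r.triggerThreshold < 0 || !Number.isInteger(r.triggerThreshold)))
    problems.push("triggerThreshold must be a non-negative integer");
  return problems;
}

// Constructed sample: the page's example rule, run hourly over the last day, firing above 5 matches.
const SAMPLE_RULE: ScheduledRuleArgs = {
  displayName: "example",
  severity: "High",
  query: 'AzureActivity | where OperationName == "Create or Update Virtual Machine" | where ActivityStatus == "Succeeded"',
  queryFrequency: "PT1H",
  queryPeriod: "P1D",
  triggerOperator: "GreaterThan",
  triggerThreshold: 5,
  tactics: ["Execution", "Impact"],
};

console.log(lintScheduledRule(SAMPLE_RULE), shouldTrigger(6, "GreaterThan", 5));
```

With suppressionEnabled set to true, the rule stops running for suppressionDuration after it fires, so a long suppression window on a rule that also has a short queryPeriod can leave an attacker's follow-on activity unexamined; the lint above flags the period/frequency mismatch but the suppression trade-off is a judgement call to make per rule.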

Functions

Function getAlertRule

getAlertRule(args: GetAlertRuleArgs, opts?: pulumi.InvokeOptions): Promise<GetAlertRuleResult>

Use this data source to access information about an existing Sentinel Alert Rule.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const exampleAnalyticsWorkspace = azure.operationalinsights.getAnalyticsWorkspace({
    name: "example",
    resourceGroupName: "example-resources",
});
const exampleAlertRule = exampleAnalyticsWorkspace.then(exampleAnalyticsWorkspace => azure.sentinel.getAlertRule({
    name: "existing",
    logAnalyticsWorkspaceId: exampleAnalyticsWorkspace.id,
}));
export const id = exampleAlertRule.then(exampleAlertRule => exampleAlertRule.id);

Others

interface AlertRuleMsSecurityIncidentArgs

interface AlertRuleMsSecurityIncidentArgs

The set of arguments for constructing an AlertRuleMsSecurityIncident resource.

property description

description?: pulumi.Input<string>;

The description of this Sentinel MS Security Incident Alert Rule.

property displayName

displayName: pulumi.Input<string>;

The friendly name of this Sentinel MS Security Incident Alert Rule.

property enabled

enabled?: pulumi.Input<boolean>;

Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to true.

property logAnalyticsWorkspaceId

logAnalyticsWorkspaceId: pulumi.Input<string>;

The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.

property name

name?: pulumi.Input<string>;

The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.

property productFilter

productFilter: pulumi.Input<string>;

The Microsoft Security Service from where the alert will be generated. Possible values are Azure Active Directory Identity Protection, Azure Advanced Threat Protection, Azure Security Center, Azure Security Center for IoT and Microsoft Cloud App Security.

property severityFilters

severityFilters: pulumi.Input<pulumi.Input<string>[]>;

Only create incidents from alerts whose severity level is in this list. Possible values are High, Medium, Low and Informational.

property textWhitelists

textWhitelists?: pulumi.Input<pulumi.Input<string>[]>;

Only create incidents from alerts whose name contains one of the strings in this list. No filtering is applied if this field is absent.

interface AlertRuleMsSecurityIncidentState

interface AlertRuleMsSecurityIncidentState

Input properties used for looking up and filtering AlertRuleMsSecurityIncident resources.

property description

description?: pulumi.Input<string>;

The description of this Sentinel MS Security Incident Alert Rule.

property displayName

displayName?: pulumi.Input<string>;

The friendly name of this Sentinel MS Security Incident Alert Rule.

property enabled

enabled?: pulumi.Input<boolean>;

Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to true.

property logAnalyticsWorkspaceId

logAnalyticsWorkspaceId?: pulumi.Input<string>;

The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.

property name

name?: pulumi.Input<string>;

The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.

property productFilter

productFilter?: pulumi.Input<string>;

The Microsoft Security Service from where the alert will be generated. Possible values are Azure Active Directory Identity Protection, Azure Advanced Threat Protection, Azure Security Center, Azure Security Center for IoT and Microsoft Cloud App Security.

property severityFilters

severityFilters?: pulumi.Input<pulumi.Input<string>[]>;

Only create incidents from alerts whose severity level is in this list. Possible values are High, Medium, Low and Informational.

property textWhitelists

textWhitelists?: pulumi.Input<pulumi.Input<string>[]>;

Only create incidents from alerts whose name contains one of the strings in this list. No filtering is applied if this field is absent.

interface AlertRuleScheduledArgs

interface AlertRuleScheduledArgs

The set of arguments for constructing an AlertRuleScheduled resource.

property description

description?: pulumi.Input<string>;

The description of this Sentinel Scheduled Alert Rule.

property displayName

displayName: pulumi.Input<string>;

The friendly name of this Sentinel Scheduled Alert Rule.

property enabled

enabled?: pulumi.Input<boolean>;

Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.

property logAnalyticsWorkspaceId

logAnalyticsWorkspaceId: pulumi.Input<string>;

The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

property name

name?: pulumi.Input<string>;

The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

property query

query: pulumi.Input<string>;

The query of this Sentinel Scheduled Alert Rule.

property queryFrequency

queryFrequency?: pulumi.Input<string>;

The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.

property queryPeriod

queryPeriod?: pulumi.Input<string>;

The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.

property severity

severity: pulumi.Input<string>;

The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.

property suppressionDuration

suppressionDuration?: pulumi.Input<string>;

If suppressionEnabled is true, this is the ISO 8601 timespan duration specifying how long the query should stop running after an alert is generated. Defaults to PT5H.

property suppressionEnabled

suppressionEnabled?: pulumi.Input<boolean>;

Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to false.

property tactics

tactics?: pulumi.Input<pulumi.Input<string>[]>;

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.

property triggerOperator

triggerOperator?: pulumi.Input<string>;

The alert trigger operator which, combined with triggerThreshold, sets the alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.

property triggerThreshold

triggerThreshold?: pulumi.Input<number>;

The baseline number of query results which, combined with triggerOperator, sets the alert threshold of this Sentinel Scheduled Alert Rule.

interface AlertRuleScheduledState

interface AlertRuleScheduledState

Input properties used for looking up and filtering AlertRuleScheduled resources.

property description

description?: pulumi.Input<string>;

The description of this Sentinel Scheduled Alert Rule.

property displayName

displayName?: pulumi.Input<string>;

The friendly name of this Sentinel Scheduled Alert Rule.

property enabled

enabled?: pulumi.Input<boolean>;

Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.

property logAnalyticsWorkspaceId

logAnalyticsWorkspaceId?: pulumi.Input<string>;

The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

property name

name?: pulumi.Input<string>;

The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

property query

query?: pulumi.Input<string>;

The query of this Sentinel Scheduled Alert Rule.

property queryFrequency

queryFrequency?: pulumi.Input<string>;

The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.

property queryPeriod

queryPeriod?: pulumi.Input<string>;

The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.

property severity

severity?: pulumi.Input<string>;

The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.

property suppressionDuration

suppressionDuration?: pulumi.Input<string>;

If suppressionEnabled is true, this is the ISO 8601 timespan duration specifying how long the query should stop running after an alert is generated. Defaults to PT5H.

property suppressionEnabled

suppressionEnabled?: pulumi.Input<boolean>;

Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to false.

property tactics

tactics?: pulumi.Input<pulumi.Input<string>[]>;

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.

property triggerOperator

triggerOperator?: pulumi.Input<string>;

The alert trigger operator which, combined with triggerThreshold, sets the alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.

property triggerThreshold

triggerThreshold?: pulumi.Input<number>;

The baseline number of query results which, combined with triggerOperator, sets the alert threshold of this Sentinel Scheduled Alert Rule.

interface GetAlertRuleArgs

interface GetAlertRuleArgs

A collection of arguments for invoking getAlertRule.

property logAnalyticsWorkspaceId

logAnalyticsWorkspaceId: string;

The ID of the Log Analytics Workspace this Sentinel Alert Rule belongs to.

property name

name: string;

The name which should be used for this Sentinel Alert Rule.

interface GetAlertRuleResult

interface GetAlertRuleResult

A collection of values returned by getAlertRule.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property logAnalyticsWorkspaceId

logAnalyticsWorkspaceId: string;

property name

name: string;