This page documents the language specification for the azure package. If you're looking for help working with the inputs, outputs, or functions of azure resources in a Pulumi program, please see the resource documentation for examples and API reference.

sentinel

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-azure repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-azurerm repo.

class pulumi_azure.sentinel.AlertRuleMsSecurityIncident(resource_name, opts=None, description=None, display_name=None, enabled=None, log_analytics_workspace_id=None, name=None, product_filter=None, severity_filters=None, text_whitelists=None, __props__=None, __name__=None, __opts__=None)

Manages a Sentinel MS Security Incident Alert Rule.

import pulumi
import pulumi_azure as azure

example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    sku="pergb2018")
example_alert_rule_ms_security_incident = azure.sentinel.AlertRuleMsSecurityIncident("exampleAlertRuleMsSecurityIncident",
    log_analytics_workspace_id=example_analytics_workspace.id,
    product_filter="Microsoft Cloud App Security",
    display_name="example rule",
    severity_filters=["High"])

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • description (pulumi.Input[str]) – The description of this Sentinel MS Security Incident Alert Rule.

  • display_name (pulumi.Input[str]) – The friendly name of this Sentinel MS Security Incident Alert Rule.

  • enabled (pulumi.Input[bool]) – Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to true.

  • log_analytics_workspace_id (pulumi.Input[str]) – The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.

  • name (pulumi.Input[str]) – The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.

  • product_filter (pulumi.Input[str]) – The Microsoft Security Service from which the alert will be generated. Possible values are Azure Active Directory Identity Protection, Azure Advanced Threat Protection, Azure Security Center, Azure Security Center for IoT and Microsoft Cloud App Security.

  • severity_filters (pulumi.Input[list]) – Only create incidents from alerts whose severity level is contained in this list. Possible values are High, Medium, Low and Informational.

  • text_whitelists (pulumi.Input[list]) – Only create incidents from alerts whose name contains text in this list. No filtering is applied if this field is absent.

description: pulumi.Output[str] = None

The description of this Sentinel MS Security Incident Alert Rule.

display_name: pulumi.Output[str] = None

The friendly name of this Sentinel MS Security Incident Alert Rule.

enabled: pulumi.Output[bool] = None

Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to true.

log_analytics_workspace_id: pulumi.Output[str] = None

The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.

name: pulumi.Output[str] = None

The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.

product_filter: pulumi.Output[str] = None

The Microsoft Security Service from which the alert will be generated. Possible values are Azure Active Directory Identity Protection, Azure Advanced Threat Protection, Azure Security Center, Azure Security Center for IoT and Microsoft Cloud App Security.

severity_filters: pulumi.Output[list] = None

Only create incidents from alerts whose severity level is contained in this list. Possible values are High, Medium, Low and Informational.

text_whitelists: pulumi.Output[list] = None

Only create incidents from alerts whose name contains text in this list. No filtering is applied if this field is absent.

static get(resource_name, id, opts=None, description=None, display_name=None, enabled=None, log_analytics_workspace_id=None, name=None, product_filter=None, severity_filters=None, text_whitelists=None)

Get an existing AlertRuleMsSecurityIncident resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • description (pulumi.Input[str]) – The description of this Sentinel MS Security Incident Alert Rule.

  • display_name (pulumi.Input[str]) – The friendly name of this Sentinel MS Security Incident Alert Rule.

  • enabled (pulumi.Input[bool]) – Should this Sentinel MS Security Incident Alert Rule be enabled? Defaults to true.

  • log_analytics_workspace_id (pulumi.Input[str]) – The ID of the Log Analytics Workspace this Sentinel MS Security Incident Alert Rule belongs to. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.

  • name (pulumi.Input[str]) – The name which should be used for this Sentinel MS Security Incident Alert Rule. Changing this forces a new Sentinel MS Security Incident Alert Rule to be created.

  • product_filter (pulumi.Input[str]) – The Microsoft Security Service from which the alert will be generated. Possible values are Azure Active Directory Identity Protection, Azure Advanced Threat Protection, Azure Security Center, Azure Security Center for IoT and Microsoft Cloud App Security.

  • severity_filters (pulumi.Input[list]) – Only create incidents from alerts whose severity level is contained in this list. Possible values are High, Medium, Low and Informational.

  • text_whitelists (pulumi.Input[list]) – Only create incidents from alerts whose name contains text in this list. No filtering is applied if this field is absent.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azure.sentinel.AlertRuleScheduled(resource_name, opts=None, description=None, display_name=None, enabled=None, log_analytics_workspace_id=None, name=None, query=None, query_frequency=None, query_period=None, severity=None, suppression_duration=None, suppression_enabled=None, tactics=None, trigger_operator=None, trigger_threshold=None, __props__=None, __name__=None, __opts__=None)

Manages a Sentinel Scheduled Alert Rule.

import pulumi
import pulumi_azure as azure

example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("exampleAnalyticsWorkspace",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    sku="pergb2018")
example_alert_rule_scheduled = azure.sentinel.AlertRuleScheduled("exampleAlertRuleScheduled",
    log_analytics_workspace_id=example_analytics_workspace.id,
    display_name="example",
    severity="High",
    query="""AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
""")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • description (pulumi.Input[str]) – The description of this Sentinel Scheduled Alert Rule.

  • display_name (pulumi.Input[str]) – The friendly name of this Sentinel Scheduled Alert Rule.

  • enabled (pulumi.Input[bool]) – Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.

  • log_analytics_workspace_id (pulumi.Input[str]) – The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

  • name (pulumi.Input[str]) – The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

  • query (pulumi.Input[str]) – The query of this Sentinel Scheduled Alert Rule.

  • query_frequency (pulumi.Input[str]) – The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.

  • query_period (pulumi.Input[str]) – The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.

  • severity (pulumi.Input[str]) – The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.

  • suppression_duration (pulumi.Input[str]) – If suppression_enabled is true, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to PT5H.

  • suppression_enabled (pulumi.Input[bool]) – Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to false.

  • tactics (pulumi.Input[list]) – A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.

  • trigger_operator (pulumi.Input[str]) – The alert trigger operator which, combined with trigger_threshold, sets the alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.

  • trigger_threshold (pulumi.Input[float]) – The baseline number of query results which, combined with trigger_operator, sets the alert threshold of this Sentinel Scheduled Alert Rule.
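The values documented for AlertRuleMsSecurityIncident and AlertRuleScheduled above are plain strings to the provider, so a mistyped severity, tactic or schedule only surfaces when the deployment fails. The following added example (not pulumi_azure code; the check functions and their messages are my own) validates those arguments offline before they are passed to the resource, including the ISO 8601 timespans used by query_frequency and query_period:

```python
"""Offline pre-flight checks for the Sentinel alert rule arguments documented
above (an added example, not pulumi_azure code)."""
import re

SEVERITIES = {"High", "Medium", "Low", "Informational"}
PRODUCT_FILTERS = {"Azure Active Directory Identity Protection",
                   "Azure Advanced Threat Protection", "Azure Security Center",
                   "Azure Security Center for IoT", "Microsoft Cloud App Security"}
TRIGGER_OPERATORS = {"Equal", "GreaterThan", "LessThan", "NotEqual"}
TACTICS = {"Collection", "CommandAndControl", "CredentialAccess", "DefenseEvasion",
           "Discovery", "Execution", "Exfiltration", "Impact", "InitialAccess",
           "LateralMovement", "Persistence", "PrivilegeEscalation"}
# ISO 8601 timespan as used by query_frequency/query_period, e.g. PT5H or P1DT12H.
_TIMESPAN = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def timespan_seconds(value: str) -> int:
    """Convert an ISO 8601 timespan such as PT5H into a number of seconds."""
    m = _TIMESPAN.match(value)
    if not m or not any(m.groupdict().values()):
        raise ValueError(f"not an ISO 8601 timespan: {value!r}")
    d, h, mi, s = (int(m.group(k) or 0) for k in ("d", "h", "m", "s"))
    return ((d * 24 + h) * 60 + mi) * 60 + s


def check_ms_incident_rule(product_filter, severity_filters=()):
    """Problems with AlertRuleMsSecurityIncident arguments; [] means none found."""
    problems = []
    if product_filter not in PRODUCT_FILTERS:
        problems.append(f"product_filter {product_filter!r} is not a known service")
    problems += [f"severity_filters entry {s!r} unknown" for s in severity_filters
                 if s not in SEVERITIES]
    return problems


def check_scheduled_rule(query, severity, query_frequency="PT5H", query_period="PT5H",
                         trigger_operator=None, trigger_threshold=None, tactics=()):
    """Problems with AlertRuleScheduled arguments; [] means none found."""
    problems = []
    if not query.strip():
        problems.append("query is empty")
    if severity not in SEVERITIES:
        problems.append(f"severity {severity!r} not in {sorted(SEVERITIES)}")
    freq, period = timespan_seconds(query_frequency), timespan_seconds(query_period)
    # Coverage check (my assumption, not a documented rule): a lookback shorter
    # than the run interval leaves windows of log data that no run ever examines.
    if period < freq:
        problems.append(f"query_period {query_period} is shorter than query_frequency "
                        f"{query_frequency}: events between runs would never be seen")
    if trigger_operator is not None and trigger_operator not in TRIGGER_OPERATORS:
        problems.append(f"trigger_operator {trigger_operator!r} not in {sorted(TRIGGER_OPERATORS)}")
    if (trigger_operator is None) != (trigger_threshold is None):  # documented as a pair
        problems.append("trigger_operator and trigger_threshold must be given together")
    problems += [f"tactic {t!r} unknown" for t in tactics if t not in TACTICS]
    return problems
```

Call the check with the same keyword arguments you intend to pass to the resource and fail the program if the returned list is non-empty.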

description: pulumi.Output[str] = None

The description of this Sentinel Scheduled Alert Rule.

display_name: pulumi.Output[str] = None

The friendly name of this Sentinel Scheduled Alert Rule.

enabled: pulumi.Output[bool] = None

Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.

log_analytics_workspace_id: pulumi.Output[str] = None

The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

name: pulumi.Output[str] = None

The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

query: pulumi.Output[str] = None

The query of this Sentinel Scheduled Alert Rule.

query_frequency: pulumi.Output[str] = None

The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.

query_period: pulumi.Output[str] = None

The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.

severity: pulumi.Output[str] = None

The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.

suppression_duration: pulumi.Output[str] = None

If suppression_enabled is true, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to PT5H.

suppression_enabled: pulumi.Output[bool] = None

Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to false.

tactics: pulumi.Output[list] = None

A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.

trigger_operator: pulumi.Output[str] = None

The alert trigger operator which, combined with trigger_threshold, sets the alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.

trigger_threshold: pulumi.Output[float] = None

The baseline number of query results which, combined with trigger_operator, sets the alert threshold of this Sentinel Scheduled Alert Rule.

static get(resource_name, id, opts=None, description=None, display_name=None, enabled=None, log_analytics_workspace_id=None, name=None, query=None, query_frequency=None, query_period=None, severity=None, suppression_duration=None, suppression_enabled=None, tactics=None, trigger_operator=None, trigger_threshold=None)

Get an existing AlertRuleScheduled resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • description (pulumi.Input[str]) – The description of this Sentinel Scheduled Alert Rule.

  • display_name (pulumi.Input[str]) – The friendly name of this Sentinel Scheduled Alert Rule.

  • enabled (pulumi.Input[bool]) – Should the Sentinel Scheduled Alert Rule be enabled? Defaults to true.

  • log_analytics_workspace_id (pulumi.Input[str]) – The ID of the Log Analytics Workspace this Sentinel Scheduled Alert Rule belongs to. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

  • name (pulumi.Input[str]) – The name which should be used for this Sentinel Scheduled Alert Rule. Changing this forces a new Sentinel Scheduled Alert Rule to be created.

  • query (pulumi.Input[str]) – The query of this Sentinel Scheduled Alert Rule.

  • query_frequency (pulumi.Input[str]) – The ISO 8601 timespan duration between two consecutive queries. Defaults to PT5H.

  • query_period (pulumi.Input[str]) – The ISO 8601 timespan duration which determines the time period of the data covered by the query. For example, it can query the past 10 minutes of data, or the past 6 hours of data. Defaults to PT5H.

  • severity (pulumi.Input[str]) – The alert severity of this Sentinel Scheduled Alert Rule. Possible values are High, Medium, Low and Informational.

  • suppression_duration (pulumi.Input[str]) – If suppression_enabled is true, this is the ISO 8601 timespan duration which specifies the amount of time the query should stop running after an alert is generated. Defaults to PT5H.

  • suppression_enabled (pulumi.Input[bool]) – Should the Sentinel Scheduled Alert Rule stop running the query after an alert is generated? Defaults to false.

  • tactics (pulumi.Input[list]) – A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.

  • trigger_operator (pulumi.Input[str]) – The alert trigger operator which, combined with trigger_threshold, sets the alert threshold of this Sentinel Scheduled Alert Rule. Possible values are Equal, GreaterThan, LessThan, NotEqual.

  • trigger_threshold (pulumi.Input[float]) – The baseline number of query results which, combined with trigger_operator, sets the alert threshold of this Sentinel Scheduled Alert Rule.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azure.sentinel.AwaitableGetAlertRuleResult(id=None, log_analytics_workspace_id=None, name=None)
class pulumi_azure.sentinel.GetAlertRuleResult(id=None, log_analytics_workspace_id=None, name=None)

A collection of values returned by getAlertRule.

id = None

The provider-assigned unique ID for this managed resource.

pulumi_azure.sentinel.get_alert_rule(log_analytics_workspace_id=None, name=None, opts=None)

Use this data source to access information about an existing Sentinel Alert Rule.

import pulumi
import pulumi_azure as azure

example_analytics_workspace = azure.operationalinsights.get_analytics_workspace(name="example",
    resource_group_name="example-resources")
example_alert_rule = azure.sentinel.get_alert_rule(name="existing",
    log_analytics_workspace_id=example_analytics_workspace.id)
pulumi.export("id", example_alert_rule.id)

Parameters
  • log_analytics_workspace_id (str) – The ID of the Log Analytics Workspace this Sentinel Alert Rule belongs to.

  • name (str) – The name which should be used for this Sentinel Alert Rule.