Docs
PackagesWe recommend using Azure Native.
Azure Classic v5.81.0 published on Monday, Jun 24, 2024 by Pulumi
azure.sentinel.AuthomationRule
Explore with Pulumi AI
Deprecated: azure.sentinel.AuthomationRule has been deprecated in favor of azure.sentinel.AutomationRule
Manages a Sentinel Automation Rule.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const example = new azure.core.ResourceGroup("example", {
name: "example-rg",
location: "west europe",
});
const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("example", {
name: "example-workspace",
location: example.location,
resourceGroupName: example.name,
sku: "PerGB2018",
});
const exampleLogAnalyticsWorkspaceOnboarding = new azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", {workspaceId: exampleAnalyticsWorkspace.id});
const exampleAutomationRule = new azure.sentinel.AutomationRule("example", {
name: "56094f72-ac3f-40e7-a0c0-47bd95f70336",
logAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.workspaceId,
displayName: "automation_rule1",
order: 1,
actionIncidents: [{
order: 1,
status: "Active",
}],
});
import pulumi
import pulumi_azure as azure
example = azure.core.ResourceGroup("example",
name="example-rg",
location="west europe")
example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("example",
name="example-workspace",
location=example.location,
resource_group_name=example.name,
sku="PerGB2018")
example_log_analytics_workspace_onboarding = azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", workspace_id=example_analytics_workspace.id)
example_automation_rule = azure.sentinel.AutomationRule("example",
name="56094f72-ac3f-40e7-a0c0-47bd95f70336",
log_analytics_workspace_id=example_log_analytics_workspace_onboarding.workspace_id,
display_name="automation_rule1",
order=1,
action_incidents=[azure.sentinel.AutomationRuleActionIncidentArgs(
order=1,
status="Active",
)])
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/operationalinsights"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/sentinel"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
Name: pulumi.String("example-rg"),
Location: pulumi.String("west europe"),
})
if err != nil {
return err
}
exampleAnalyticsWorkspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "example", &operationalinsights.AnalyticsWorkspaceArgs{
Name: pulumi.String("example-workspace"),
Location: example.Location,
ResourceGroupName: example.Name,
Sku: pulumi.String("PerGB2018"),
})
if err != nil {
return err
}
exampleLogAnalyticsWorkspaceOnboarding, err := sentinel.NewLogAnalyticsWorkspaceOnboarding(ctx, "example", &sentinel.LogAnalyticsWorkspaceOnboardingArgs{
WorkspaceId: exampleAnalyticsWorkspace.ID(),
})
if err != nil {
return err
}
_, err = sentinel.NewAutomationRule(ctx, "example", &sentinel.AutomationRuleArgs{
Name: pulumi.String("56094f72-ac3f-40e7-a0c0-47bd95f70336"),
LogAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
DisplayName: pulumi.String("automation_rule1"),
Order: pulumi.Int(1),
ActionIncidents: sentinel.AutomationRuleActionIncidentArray{
&sentinel.AutomationRuleActionIncidentArgs{
Order: pulumi.Int(1),
Status: pulumi.String("Active"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var example = new Azure.Core.ResourceGroup("example", new()
{
Name = "example-rg",
Location = "west europe",
});
var exampleAnalyticsWorkspace = new Azure.OperationalInsights.AnalyticsWorkspace("example", new()
{
Name = "example-workspace",
Location = example.Location,
ResourceGroupName = example.Name,
Sku = "PerGB2018",
});
var exampleLogAnalyticsWorkspaceOnboarding = new Azure.Sentinel.LogAnalyticsWorkspaceOnboarding("example", new()
{
WorkspaceId = exampleAnalyticsWorkspace.Id,
});
var exampleAutomationRule = new Azure.Sentinel.AutomationRule("example", new()
{
Name = "56094f72-ac3f-40e7-a0c0-47bd95f70336",
LogAnalyticsWorkspaceId = exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
DisplayName = "automation_rule1",
Order = 1,
ActionIncidents = new[]
{
new Azure.Sentinel.Inputs.AutomationRuleActionIncidentArgs
{
Order = 1,
Status = "Active",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboarding;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboardingArgs;
import com.pulumi.azure.sentinel.AutomationRule;
import com.pulumi.azure.sentinel.AutomationRuleArgs;
import com.pulumi.azure.sentinel.inputs.AutomationRuleActionIncidentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new ResourceGroup("example", ResourceGroupArgs.builder()
.name("example-rg")
.location("west europe")
.build());
var exampleAnalyticsWorkspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()
.name("example-workspace")
.location(example.location())
.resourceGroupName(example.name())
.sku("PerGB2018")
.build());
var exampleLogAnalyticsWorkspaceOnboarding = new LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", LogAnalyticsWorkspaceOnboardingArgs.builder()
.workspaceId(exampleAnalyticsWorkspace.id())
.build());
var exampleAutomationRule = new AutomationRule("exampleAutomationRule", AutomationRuleArgs.builder()
.name("56094f72-ac3f-40e7-a0c0-47bd95f70336")
.logAnalyticsWorkspaceId(exampleLogAnalyticsWorkspaceOnboarding.workspaceId())
.displayName("automation_rule1")
.order(1)
.actionIncidents(AutomationRuleActionIncidentArgs.builder()
.order(1)
.status("Active")
.build())
.build());
}
}
resources:
example:
type: azure:core:ResourceGroup
properties:
name: example-rg
location: west europe
exampleAnalyticsWorkspace:
type: azure:operationalinsights:AnalyticsWorkspace
name: example
properties:
name: example-workspace
location: ${example.location}
resourceGroupName: ${example.name}
sku: PerGB2018
exampleLogAnalyticsWorkspaceOnboarding:
type: azure:sentinel:LogAnalyticsWorkspaceOnboarding
name: example
properties:
workspaceId: ${exampleAnalyticsWorkspace.id}
exampleAutomationRule:
type: azure:sentinel:AutomationRule
name: example
properties:
name: 56094f72-ac3f-40e7-a0c0-47bd95f70336
logAnalyticsWorkspaceId: ${exampleLogAnalyticsWorkspaceOnboarding.workspaceId}
displayName: automation_rule1
order: 1
actionIncidents:
- order: 1
status: Active
Create AuthomationRule Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AuthomationRule(name: string, args: AuthomationRuleArgs, opts?: CustomResourceOptions);@overload
def AuthomationRule(resource_name: str,
args: AuthomationRuleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def AuthomationRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
action_incidents: Optional[Sequence[AuthomationRuleActionIncidentArgs]] = None,
action_playbooks: Optional[Sequence[AuthomationRuleActionPlaybookArgs]] = None,
condition_json: Optional[str] = None,
conditions: Optional[Sequence[AuthomationRuleConditionArgs]] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
expiration: Optional[str] = None,
log_analytics_workspace_id: Optional[str] = None,
name: Optional[str] = None,
order: Optional[int] = None,
triggers_on: Optional[str] = None,
triggers_when: Optional[str] = None)func NewAuthomationRule(ctx *Context, name string, args AuthomationRuleArgs, opts ...ResourceOption) (*AuthomationRule, error)public AuthomationRule(string name, AuthomationRuleArgs args, CustomResourceOptions? opts = null)
public AuthomationRule(String name, AuthomationRuleArgs args)
public AuthomationRule(String name, AuthomationRuleArgs args, CustomResourceOptions options)
type: azure:sentinel:AuthomationRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AuthomationRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AuthomationRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AuthomationRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AuthomationRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AuthomationRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
AuthomationRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The AuthomationRule resource accepts the following input properties:
- Display
Name string - The display name which should be used for this Sentinel Automation Rule.
- Log
Analytics stringWorkspace Id - The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
- Order int
- The order of this Sentinel Automation Rule. Possible values varies between
1and1000. - Action
Incidents List<AuthomationRule Action Incident> - One or more
action_incidentblocks as defined below. - Action
Playbooks List<AuthomationRule Action Playbook> One or more
action_playbookblocks as defined below.Note: Either one
action_incidentblock oraction_playbookblock has to be specified.- Condition
Json string - A JSON array of one or more condition JSON objects as is defined here.
- Conditions
List<Authomation
Rule Condition> One or more
conditionblocks as defined below.Note:
conditiononly supports thePropertycondition type. Please usecondition_jsonif you want other condition types.- Enabled bool
- Whether this Sentinel Automation Rule is enabled? Defaults to
true. - Expiration string
- The time in RFC3339 format of kind
UTCthat determines when this Automation Rule should expire and be disabled. - Name string
- The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
- Triggers
On string - Specifies what triggers this automation rule. Possible values are
AlertsandIncidents. Defaults toIncidents. - Triggers
When string - Specifies when will this automation rule be triggered. Possible values are
CreatedandUpdated. Defaults toCreated.
- Display
Name string - The display name which should be used for this Sentinel Automation Rule.
- Log
Analytics stringWorkspace Id - The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
- Order int
- The order of this Sentinel Automation Rule. Possible values varies between
1and1000. - Action
Incidents []AuthomationRule Action Incident Args - One or more
action_incidentblocks as defined below. - Action
Playbooks []AuthomationRule Action Playbook Args One or more
action_playbookblocks as defined below.Note: Either one
action_incidentblock oraction_playbookblock has to be specified.- Condition
Json string - A JSON array of one or more condition JSON objects as is defined here.
- Conditions
[]Authomation
Rule Condition Args One or more
conditionblocks as defined below.Note:
conditiononly supports thePropertycondition type. Please usecondition_jsonif you want other condition types.- Enabled bool
- Whether this Sentinel Automation Rule is enabled? Defaults to
true. - Expiration string
- The time in RFC3339 format of kind
UTCthat determines when this Automation Rule should expire and be disabled. - Name string
- The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
- Triggers
On string - Specifies what triggers this automation rule. Possible values are
AlertsandIncidents. Defaults toIncidents. - Triggers
When string - Specifies when will this automation rule be triggered. Possible values are
CreatedandUpdated. Defaults toCreated.
- display
Name String - The display name which should be used for this Sentinel Automation Rule.
- log
Analytics StringWorkspace Id - The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
- order Integer
- The order of this Sentinel Automation Rule. Possible values varies between
1and1000. - action
Incidents List<AuthomationRule Action Incident> - One or more
action_incidentblocks as defined below. - action
Playbooks List<AuthomationRule Action Playbook> One or more
action_playbookblocks as defined below.Note: Either one
action_incidentblock oraction_playbookblock has to be specified.- condition
Json String - A JSON array of one or more condition JSON objects as is defined here.
- conditions
List<Authomation
Rule Condition> One or more
conditionblocks as defined below.Note:
conditiononly supports thePropertycondition type. Please usecondition_jsonif you want other condition types.- enabled Boolean
- Whether this Sentinel Automation Rule is enabled? Defaults to
true. - expiration String
- The time in RFC3339 format of kind
UTCthat determines when this Automation Rule should expire and be disabled. - name String
- The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
- triggers
On String - Specifies what triggers this automation rule. Possible values are
AlertsandIncidents. Defaults toIncidents. - triggers
When String - Specifies when will this automation rule be triggered. Possible values are
CreatedandUpdated. Defaults toCreated.
- display
Name string - The display name which should be used for this Sentinel Automation Rule.
- log
Analytics stringWorkspace Id - The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
- order number
- The order of this Sentinel Automation Rule. Possible values varies between
1and1000. - action
Incidents AuthomationRule Action Incident[] - One or more
action_incidentblocks as defined below. - action
Playbooks AuthomationRule Action Playbook[] One or more
action_playbookblocks as defined below.Note: Either one
action_incidentblock oraction_playbookblock has to be specified.- condition
Json string - A JSON array of one or more condition JSON objects as is defined here.
- conditions
Authomation
Rule Condition[] One or more
conditionblocks as defined below.Note:
conditiononly supports thePropertycondition type. Please usecondition_jsonif you want other condition types.- enabled boolean
- Whether this Sentinel Automation Rule is enabled? Defaults to
true. - expiration string
- The time in RFC3339 format of kind
UTCthat determines when this Automation Rule should expire and be disabled. - name string
- The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
- triggers
On string - Specifies what triggers this automation rule. Possible values are
AlertsandIncidents. Defaults toIncidents. - triggers
When string - Specifies when will this automation rule be triggered. Possible values are
CreatedandUpdated. Defaults toCreated.
- display_
name str - The display name which should be used for this Sentinel Automation Rule.
- log_
analytics_ strworkspace_ id - The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
- order int
- The order of this Sentinel Automation Rule. Possible values varies between
1and1000. - action_
incidents Sequence[AuthomationRule Action Incident Args] - One or more
action_incidentblocks as defined below. - action_
playbooks Sequence[AuthomationRule Action Playbook Args] One or more
action_playbookblocks as defined below.Note: Either one
action_incidentblock oraction_playbookblock has to be specified.- condition_
json str - A JSON array of one or more condition JSON objects as is defined here.
- conditions
Sequence[Authomation
Rule Condition Args] One or more
conditionblocks as defined below.Note:
conditiononly supports thePropertycondition type. Please usecondition_jsonif you want other condition types.- enabled bool
- Whether this Sentinel Automation Rule is enabled? Defaults to
true. - expiration str
- The time in RFC3339 format of kind
UTCthat determines when this Automation Rule should expire and be disabled. - name str
- The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
- triggers_
on str - Specifies what triggers this automation rule. Possible values are
AlertsandIncidents. Defaults toIncidents. - triggers_
when str - Specifies when will this automation rule be triggered. Possible values are
CreatedandUpdated. Defaults toCreated.
- display
Name String - The display name which should be used for this Sentinel Automation Rule.
- log
Analytics StringWorkspace Id - The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
- order Number
- The order of this Sentinel Automation Rule. Possible values varies between
1and1000. - action
Incidents List<Property Map> - One or more
action_incidentblocks as defined below. - action
Playbooks List<Property Map> One or more
action_playbookblocks as defined below.Note: Either one
action_incidentblock oraction_playbookblock has to be specified.- condition
Json String - A JSON array of one or more condition JSON objects as is defined here.
- conditions List<Property Map>
One or more
conditionblocks as defined below.Note:
conditiononly supports thePropertycondition type. Please usecondition_jsonif you want other condition types.- enabled Boolean
- Whether this Sentinel Automation Rule is enabled? Defaults to
true. - expiration String
- The time in RFC3339 format of kind
UTCthat determines when this Automation Rule should expire and be disabled. - name String
- The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
- triggers
On String - Specifies what triggers this automation rule. Possible values are
AlertsandIncidents. Defaults toIncidents. - triggers
When String - Specifies when will this automation rule be triggered. Possible values are
CreatedandUpdated. Defaults toCreated.
Outputs
All input properties are implicitly available as output properties. Additionally, the AuthomationRule resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing AuthomationRule Resource
Get an existing AuthomationRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AuthomationRuleState, opts?: CustomResourceOptions): AuthomationRule@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
action_incidents: Optional[Sequence[AuthomationRuleActionIncidentArgs]] = None,
action_playbooks: Optional[Sequence[AuthomationRuleActionPlaybookArgs]] = None,
condition_json: Optional[str] = None,
conditions: Optional[Sequence[AuthomationRuleConditionArgs]] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
expiration: Optional[str] = None,
log_analytics_workspace_id: Optional[str] = None,
name: Optional[str] = None,
order: Optional[int] = None,
triggers_on: Optional[str] = None,
triggers_when: Optional[str] = None) -> AuthomationRulefunc GetAuthomationRule(ctx *Context, name string, id IDInput, state *AuthomationRuleState, opts ...ResourceOption) (*AuthomationRule, error)public static AuthomationRule Get(string name, Input<string> id, AuthomationRuleState? state, CustomResourceOptions? opts = null)public static AuthomationRule get(String name, Output<String> id, AuthomationRuleState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Action
Incidents List<AuthomationRule Action Incident> - One or more
action_incidentblocks as defined below. - Action
Playbooks List<AuthomationRule Action Playbook> One or more
action_playbookblocks as defined below.Note: Either one
action_incidentblock oraction_playbookblock has to be specified.- Condition
Json string - A JSON array of one or more condition JSON objects as is defined here.
- Conditions
List<Authomation
Rule Condition> One or more
conditionblocks as defined below.Note:
conditiononly supports thePropertycondition type. Please usecondition_jsonif you want other condition types.- Display
Name string - The display name which should be used for this Sentinel Automation Rule.
- Enabled bool
- Whether this Sentinel Automation Rule is enabled? Defaults to
true. - Expiration string
- The time in RFC3339 format of kind
UTCthat determines when this Automation Rule should expire and be disabled. - Log
Analytics stringWorkspace Id - The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
- Name string
- The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
- Order int
- The order of this Sentinel Automation Rule. Possible values varies between
1and1000. - Triggers
On string - Specifies what triggers this automation rule. Possible values are
AlertsandIncidents. Defaults toIncidents. - Triggers
When string - Specifies when will this automation rule be triggered. Possible values are
CreatedandUpdated. Defaults toCreated.
- Action
Incidents []AuthomationRule Action Incident Args - One or more
action_incidentblocks as defined below. - Action
Playbooks []AuthomationRule Action Playbook Args One or more
action_playbookblocks as defined below.Note: Either one
action_incidentblock oraction_playbookblock has to be specified.- Condition
Json string - A JSON array of one or more condition JSON objects as is defined here.
- Conditions
[]Authomation
Rule Condition Args One or more
conditionblocks as defined below.Note:
conditiononly supports thePropertycondition type. Please usecondition_jsonif you want other condition types.- Display
Name string - The display name which should be used for this Sentinel Automation Rule.
- Enabled bool
- Whether this Sentinel Automation Rule is enabled? Defaults to
true. - Expiration string
- The time in RFC3339 format of kind
UTCthat determines when this Automation Rule should expire and be disabled. - Log
Analytics stringWorkspace Id - The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
- Name string
- The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
- Order int
- The order of this Sentinel Automation Rule. Possible values varies between
1and1000. - Triggers
On string - Specifies what triggers this automation rule. Possible values are
AlertsandIncidents. Defaults toIncidents. - Triggers
When string - Specifies when will this automation rule be triggered. Possible values are
CreatedandUpdated. Defaults toCreated.
- action
Incidents List<AuthomationRule Action Incident> - One or more
action_incidentblocks as defined below. - action
Playbooks List<AuthomationRule Action Playbook> One or more
action_playbookblocks as defined below.Note: Either one
action_incidentblock oraction_playbookblock has to be specified.- condition
Json String - A JSON array of one or more condition JSON objects as is defined here.
- conditions
List<Authomation
Rule Condition> One or more
conditionblocks as defined below.Note:
conditiononly supports thePropertycondition type. Please usecondition_jsonif you want other condition types.- display
Name String - The display name which should be used for this Sentinel Automation Rule.
- enabled Boolean
- Whether this Sentinel Automation Rule is enabled? Defaults to
true. - expiration String
- The time in RFC3339 format of kind
UTCthat determines when this Automation Rule should expire and be disabled. - log
Analytics StringWorkspace Id - The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
- name String
- The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
- order Integer
- The order of this Sentinel Automation Rule. Possible values varies between
1and1000. - triggers
On String - Specifies what triggers this automation rule. Possible values are
AlertsandIncidents. Defaults toIncidents. - triggers
When String - Specifies when will this automation rule be triggered. Possible values are
CreatedandUpdated. Defaults toCreated.
- action
Incidents AuthomationRule Action Incident[] - One or more
action_incidentblocks as defined below. - action
Playbooks AuthomationRule Action Playbook[] One or more
action_playbookblocks as defined below.Note: Either one
action_incidentblock oraction_playbookblock has to be specified.- condition
Json string - A JSON array of one or more condition JSON objects as is defined here.
- conditions
Authomation
Rule Condition[] One or more
conditionblocks as defined below.Note:
conditiononly supports thePropertycondition type. Please usecondition_jsonif you want other condition types.- display
Name string - The display name which should be used for this Sentinel Automation Rule.
- enabled boolean
- Whether this Sentinel Automation Rule is enabled? Defaults to
true. - expiration string
- The time in RFC3339 format of kind
UTCthat determines when this Automation Rule should expire and be disabled. - log
Analytics stringWorkspace Id - The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
- name string
- The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
- order number
- The order of this Sentinel Automation Rule. Possible values varies between
1and1000. - triggers
On string - Specifies what triggers this automation rule. Possible values are
AlertsandIncidents. Defaults toIncidents. - triggers
When string - Specifies when will this automation rule be triggered. Possible values are
CreatedandUpdated. Defaults toCreated.
- action_
incidents Sequence[AuthomationRule Action Incident Args] - One or more
action_incidentblocks as defined below. - action_
playbooks Sequence[AuthomationRule Action Playbook Args] One or more
action_playbookblocks as defined below.Note: Either one
action_incidentblock oraction_playbookblock has to be specified.- condition_
json str - A JSON array of one or more condition JSON objects as is defined here.
- conditions
Sequence[Authomation
Rule Condition Args] One or more
conditionblocks as defined below.Note:
conditiononly supports thePropertycondition type. Please usecondition_jsonif you want other condition types.- display_
name str - The display name which should be used for this Sentinel Automation Rule.
- enabled bool
- Whether this Sentinel Automation Rule is enabled? Defaults to
true. - expiration str
- The time in RFC3339 format of kind
UTCthat determines when this Automation Rule should expire and be disabled. - log_
analytics_ strworkspace_ id - The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
- name str
- The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
- order int
- The order of this Sentinel Automation Rule. Possible values varies between
1and1000. - triggers_
on str - Specifies what triggers this automation rule. Possible values are
AlertsandIncidents. Defaults toIncidents. - triggers_
when str - Specifies when will this automation rule be triggered. Possible values are
CreatedandUpdated. Defaults toCreated.
- action
Incidents List<Property Map> - One or more
action_incidentblocks as defined below. - action
Playbooks List<Property Map> One or more
action_playbookblocks as defined below.Note: Either one
action_incidentblock oraction_playbookblock has to be specified.- condition
Json String - A JSON array of one or more condition JSON objects as is defined here.
- conditions List<Property Map>
One or more
conditionblocks as defined below.Note:
conditiononly supports thePropertycondition type. Please usecondition_jsonif you want other condition types.- display
Name String - The display name which should be used for this Sentinel Automation Rule.
- enabled Boolean
- Whether this Sentinel Automation Rule is enabled? Defaults to
true. - expiration String
- The time in RFC3339 format of kind
UTCthat determines when this Automation Rule should expire and be disabled. - log
Analytics StringWorkspace Id - The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
- name String
- The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
- order Number
- The order of this Sentinel Automation Rule. Possible values varies between
1and1000. - triggers
On String - Specifies what triggers this automation rule. Possible values are
AlertsandIncidents. Defaults toIncidents. - triggers
When String - Specifies when will this automation rule be triggered. Possible values are
CreatedandUpdated. Defaults toCreated.
Supporting Types
AuthomationRuleActionIncident, AuthomationRuleActionIncidentArgs
- Order int
- The execution order of this action.
- Classification string
The classification of the incident, when closing it. Possible values are:
BenignPositive_SuspiciousButExpected,FalsePositive_InaccurateData,FalsePositive_IncorrectAlertLogic,TruePositive_SuspiciousActivityandUndetermined.Note: The
classificationis required whenstatusisClosed.- Classification
Comment string The comment why the incident is to be closed.
Note: The
classification_commentis allowed to set only whenstatusisClosed.- Labels List<string>
- Specifies a list of labels to add to the incident.
- Owner
Id string - The object ID of the entity this incident is assigned to.
- Severity string
The severity to add to the incident. Possible values are
High,Informational,LowandMedium.Note:: At least one of
status,labels,owner_idandseverityhas to be set.- Status string
- The status to set to the incident. Possible values are:
Active,Closed,New.
- Order int
- The execution order of this action.
- Classification string
The classification of the incident, when closing it. Possible values are:
BenignPositive_SuspiciousButExpected,FalsePositive_InaccurateData,FalsePositive_IncorrectAlertLogic,TruePositive_SuspiciousActivityandUndetermined.Note: The
classificationis required whenstatusisClosed.- Classification
Comment string The comment why the incident is to be closed.
Note: The
classification_commentis allowed to set only whenstatusisClosed.- Labels []string
- Specifies a list of labels to add to the incident.
- Owner
Id string - The object ID of the entity this incident is assigned to.
- Severity string
The severity to add to the incident. Possible values are
High,Informational,LowandMedium.Note:: At least one of
status,labels,owner_idandseverityhas to be set.- Status string
- The status to set to the incident. Possible values are:
Active,Closed,New.
- order Integer
- The execution order of this action.
- classification String
The classification of the incident, when closing it. Possible values are:
BenignPositive_SuspiciousButExpected,FalsePositive_InaccurateData,FalsePositive_IncorrectAlertLogic,TruePositive_SuspiciousActivityandUndetermined.Note: The
classificationis required whenstatusisClosed.- classification
Comment String The comment why the incident is to be closed.
Note: The
classification_commentis allowed to set only whenstatusisClosed.- labels List<String>
- Specifies a list of labels to add to the incident.
- owner
Id String - The object ID of the entity this incident is assigned to.
- severity String
The severity to add to the incident. Possible values are
High,Informational,LowandMedium.Note:: At least one of
status,labels,owner_idandseverityhas to be set.- status String
- The status to set to the incident. Possible values are:
Active,Closed,New.
- order number
- The execution order of this action.
- classification string
The classification of the incident, when closing it. Possible values are:
BenignPositive_SuspiciousButExpected,FalsePositive_InaccurateData,FalsePositive_IncorrectAlertLogic,TruePositive_SuspiciousActivityandUndetermined.Note: The
classificationis required whenstatusisClosed.- classification
Comment string The comment why the incident is to be closed.
Note: The
classification_commentis allowed to set only whenstatusisClosed.- labels string[]
- Specifies a list of labels to add to the incident.
- owner
Id string - The object ID of the entity this incident is assigned to.
- severity string
The severity to add to the incident. Possible values are
High,Informational,LowandMedium.Note:: At least one of
status,labels,owner_idandseverityhas to be set.- status string
- The status to set to the incident. Possible values are:
Active,Closed,New.
- order int
- The execution order of this action.
- classification str
The classification of the incident, when closing it. Possible values are:
BenignPositive_SuspiciousButExpected,FalsePositive_InaccurateData,FalsePositive_IncorrectAlertLogic,TruePositive_SuspiciousActivityandUndetermined.Note: The
classificationis required whenstatusisClosed.- classification_
comment str The comment why the incident is to be closed.
Note: The
classification_commentis allowed to set only whenstatusisClosed.- labels Sequence[str]
- Specifies a list of labels to add to the incident.
- owner_
id str - The object ID of the entity this incident is assigned to.
- severity str
The severity to add to the incident. Possible values are
High,Informational,LowandMedium.Note:: At least one of
status,labels,owner_idandseverityhas to be set.- status str
- The status to set to the incident. Possible values are:
Active,Closed,New.
- order Number
- The execution order of this action.
- classification String
The classification of the incident, when closing it. Possible values are:
BenignPositive_SuspiciousButExpected,FalsePositive_InaccurateData,FalsePositive_IncorrectAlertLogic,TruePositive_SuspiciousActivityandUndetermined.Note: The
classificationis required whenstatusisClosed.- classification
Comment String The comment why the incident is to be closed.
Note: The
classification_commentis allowed to set only whenstatusisClosed.- labels List<String>
- Specifies a list of labels to add to the incident.
- owner
Id String - The object ID of the entity this incident is assigned to.
- severity String
The severity to add to the incident. Possible values are
High,Informational,LowandMedium.Note:: At least one of
status,labels,owner_idandseverityhas to be set.- status String
- The status to set to the incident. Possible values are:
Active,Closed,New.
AuthomationRuleActionPlaybook, AuthomationRuleActionPlaybookArgs
- Logic
App stringId - The ID of the Logic App that defines the playbook's logic.
- Order int
- The execution order of this action.
- Tenant
Id string - The ID of the Tenant that owns the playbook.
- Logic
App stringId - The ID of the Logic App that defines the playbook's logic.
- Order int
- The execution order of this action.
- Tenant
Id string - The ID of the Tenant that owns the playbook.
- logic
App StringId - The ID of the Logic App that defines the playbook's logic.
- order Integer
- The execution order of this action.
- tenant
Id String - The ID of the Tenant that owns the playbook.
- logic
App stringId - The ID of the Logic App that defines the playbook's logic.
- order number
- The execution order of this action.
- tenant
Id string - The ID of the Tenant that owns the playbook.
- logic_
app_ strid - The ID of the Logic App that defines the playbook's logic.
- order int
- The execution order of this action.
- tenant_
id str - The ID of the Tenant that owns the playbook.
- logic
App StringId - The ID of the Logic App that defines the playbook's logic.
- order Number
- The execution order of this action.
- tenant
Id String - The ID of the Tenant that owns the playbook.
AuthomationRuleCondition, AuthomationRuleConditionArgs
- Operator string
- The operator to use for evaluate the condition. Possible values include:
Equals,NotEquals,Contains,NotContains,StartsWith,NotStartsWith,EndsWith,NotEndsWith. - Property string
- The property to use for evaluate the condition. Possible values are
AccountAadTenantId,AccountAadUserId,AccountNTDomain,AccountName,AccountObjectGuid,AccountPUID,AccountSid,AccountUPNSuffix,AlertAnalyticRuleIds,AlertProductNames,AzureResourceResourceId,AzureResourceSubscriptionId,CloudApplicationAppId,CloudApplicationAppName,DNSDomainName,FileDirectory,FileHashValue,FileName,HostAzureID,HostNTDomain,HostName,HostNetBiosName,HostOSVersion,IPAddress,IncidentCustomDetailsKey,IncidentCustomDetailsValue,IncidentDescription,IncidentLabel,IncidentProviderName,IncidentRelatedAnalyticRuleIds,IncidentSeverity,IncidentStatus,IncidentTactics,IncidentTitle,IncidentUpdatedBySource,IoTDeviceId,IoTDeviceModel,IoTDeviceName,IoTDeviceOperatingSystem,IoTDeviceType,IoTDeviceVendor,MailMessageDeliveryAction,MailMessageDeliveryLocation,MailMessageP1Sender,MailMessageP2Sender,MailMessageRecipient,MailMessageSenderIP,MailMessageSubject,MailboxDisplayName,MailboxPrimaryAddress,MailboxUPN,MalwareCategory,MalwareName,ProcessCommandLine,ProcessId,RegistryKey,RegistryValueDataandUrl. - Values List<string>
- Specifies a list of values to use for evaluate the condition.
- Operator string
- The operator to use for evaluate the condition. Possible values include:
Equals,NotEquals,Contains,NotContains,StartsWith,NotStartsWith,EndsWith,NotEndsWith. - Property string
- The property to use for evaluate the condition. Possible values are
AccountAadTenantId,AccountAadUserId,AccountNTDomain,AccountName,AccountObjectGuid,AccountPUID,AccountSid,AccountUPNSuffix,AlertAnalyticRuleIds,AlertProductNames,AzureResourceResourceId,AzureResourceSubscriptionId,CloudApplicationAppId,CloudApplicationAppName,DNSDomainName,FileDirectory,FileHashValue,FileName,HostAzureID,HostNTDomain,HostName,HostNetBiosName,HostOSVersion,IPAddress,IncidentCustomDetailsKey,IncidentCustomDetailsValue,IncidentDescription,IncidentLabel,IncidentProviderName,IncidentRelatedAnalyticRuleIds,IncidentSeverity,IncidentStatus,IncidentTactics,IncidentTitle,IncidentUpdatedBySource,IoTDeviceId,IoTDeviceModel,IoTDeviceName,IoTDeviceOperatingSystem,IoTDeviceType,IoTDeviceVendor,MailMessageDeliveryAction,MailMessageDeliveryLocation,MailMessageP1Sender,MailMessageP2Sender,MailMessageRecipient,MailMessageSenderIP,MailMessageSubject,MailboxDisplayName,MailboxPrimaryAddress,MailboxUPN,MalwareCategory,MalwareName,ProcessCommandLine,ProcessId,RegistryKey,RegistryValueDataandUrl. - Values []string
- Specifies a list of values to use for evaluate the condition.
- operator String
- The operator to use for evaluate the condition. Possible values include:
Equals,NotEquals,Contains,NotContains,StartsWith,NotStartsWith,EndsWith,NotEndsWith. - property String
- The property to use for evaluate the condition. Possible values are
AccountAadTenantId,AccountAadUserId,AccountNTDomain,AccountName,AccountObjectGuid,AccountPUID,AccountSid,AccountUPNSuffix,AlertAnalyticRuleIds,AlertProductNames,AzureResourceResourceId,AzureResourceSubscriptionId,CloudApplicationAppId,CloudApplicationAppName,DNSDomainName,FileDirectory,FileHashValue,FileName,HostAzureID,HostNTDomain,HostName,HostNetBiosName,HostOSVersion,IPAddress,IncidentCustomDetailsKey,IncidentCustomDetailsValue,IncidentDescription,IncidentLabel,IncidentProviderName,IncidentRelatedAnalyticRuleIds,IncidentSeverity,IncidentStatus,IncidentTactics,IncidentTitle,IncidentUpdatedBySource,IoTDeviceId,IoTDeviceModel,IoTDeviceName,IoTDeviceOperatingSystem,IoTDeviceType,IoTDeviceVendor,MailMessageDeliveryAction,MailMessageDeliveryLocation,MailMessageP1Sender,MailMessageP2Sender,MailMessageRecipient,MailMessageSenderIP,MailMessageSubject,MailboxDisplayName,MailboxPrimaryAddress,MailboxUPN,MalwareCategory,MalwareName,ProcessCommandLine,ProcessId,RegistryKey,RegistryValueDataandUrl. - values List<String>
- Specifies a list of values to use for evaluate the condition.
- operator string
- The operator to use for evaluate the condition. Possible values include:
Equals,NotEquals,Contains,NotContains,StartsWith,NotStartsWith,EndsWith,NotEndsWith. - property string
- The property to use for evaluate the condition. Possible values are
AccountAadTenantId,AccountAadUserId,AccountNTDomain,AccountName,AccountObjectGuid,AccountPUID,AccountSid,AccountUPNSuffix,AlertAnalyticRuleIds,AlertProductNames,AzureResourceResourceId,AzureResourceSubscriptionId,CloudApplicationAppId,CloudApplicationAppName,DNSDomainName,FileDirectory,FileHashValue,FileName,HostAzureID,HostNTDomain,HostName,HostNetBiosName,HostOSVersion,IPAddress,IncidentCustomDetailsKey,IncidentCustomDetailsValue,IncidentDescription,IncidentLabel,IncidentProviderName,IncidentRelatedAnalyticRuleIds,IncidentSeverity,IncidentStatus,IncidentTactics,IncidentTitle,IncidentUpdatedBySource,IoTDeviceId,IoTDeviceModel,IoTDeviceName,IoTDeviceOperatingSystem,IoTDeviceType,IoTDeviceVendor,MailMessageDeliveryAction,MailMessageDeliveryLocation,MailMessageP1Sender,MailMessageP2Sender,MailMessageRecipient,MailMessageSenderIP,MailMessageSubject,MailboxDisplayName,MailboxPrimaryAddress,MailboxUPN,MalwareCategory,MalwareName,ProcessCommandLine,ProcessId,RegistryKey,RegistryValueDataandUrl. - values string[]
- Specifies a list of values to use for evaluate the condition.
- operator str
- The operator to use for evaluate the condition. Possible values include:
Equals,NotEquals,Contains,NotContains,StartsWith,NotStartsWith,EndsWith,NotEndsWith. - property str
- The property to use for evaluate the condition. Possible values are
AccountAadTenantId,AccountAadUserId,AccountNTDomain,AccountName,AccountObjectGuid,AccountPUID,AccountSid,AccountUPNSuffix,AlertAnalyticRuleIds,AlertProductNames,AzureResourceResourceId,AzureResourceSubscriptionId,CloudApplicationAppId,CloudApplicationAppName,DNSDomainName,FileDirectory,FileHashValue,FileName,HostAzureID,HostNTDomain,HostName,HostNetBiosName,HostOSVersion,IPAddress,IncidentCustomDetailsKey,IncidentCustomDetailsValue,IncidentDescription,IncidentLabel,IncidentProviderName,IncidentRelatedAnalyticRuleIds,IncidentSeverity,IncidentStatus,IncidentTactics,IncidentTitle,IncidentUpdatedBySource,IoTDeviceId,IoTDeviceModel,IoTDeviceName,IoTDeviceOperatingSystem,IoTDeviceType,IoTDeviceVendor,MailMessageDeliveryAction,MailMessageDeliveryLocation,MailMessageP1Sender,MailMessageP2Sender,MailMessageRecipient,MailMessageSenderIP,MailMessageSubject,MailboxDisplayName,MailboxPrimaryAddress,MailboxUPN,MalwareCategory,MalwareName,ProcessCommandLine,ProcessId,RegistryKey,RegistryValueDataandUrl. - values Sequence[str]
- Specifies a list of values to use for evaluate the condition.
- operator String
- The operator to use for evaluate the condition. Possible values include:
Equals,NotEquals,Contains,NotContains,StartsWith,NotStartsWith,EndsWith,NotEndsWith. - property String
- The property to use for evaluate the condition. Possible values are
AccountAadTenantId,AccountAadUserId,AccountNTDomain,AccountName,AccountObjectGuid,AccountPUID,AccountSid,AccountUPNSuffix,AlertAnalyticRuleIds,AlertProductNames,AzureResourceResourceId,AzureResourceSubscriptionId,CloudApplicationAppId,CloudApplicationAppName,DNSDomainName,FileDirectory,FileHashValue,FileName,HostAzureID,HostNTDomain,HostName,HostNetBiosName,HostOSVersion,IPAddress,IncidentCustomDetailsKey,IncidentCustomDetailsValue,IncidentDescription,IncidentLabel,IncidentProviderName,IncidentRelatedAnalyticRuleIds,IncidentSeverity,IncidentStatus,IncidentTactics,IncidentTitle,IncidentUpdatedBySource,IoTDeviceId,IoTDeviceModel,IoTDeviceName,IoTDeviceOperatingSystem,IoTDeviceType,IoTDeviceVendor,MailMessageDeliveryAction,MailMessageDeliveryLocation,MailMessageP1Sender,MailMessageP2Sender,MailMessageRecipient,MailMessageSenderIP,MailMessageSubject,MailboxDisplayName,MailboxPrimaryAddress,MailboxUPN,MalwareCategory,MalwareName,ProcessCommandLine,ProcessId,RegistryKey,RegistryValueDataandUrl. - values List<String>
- Specifies a list of values to use for evaluate the condition.
Import
Sentinel Automation Rules can be imported using the resource id, e.g.
$ pulumi import azure:sentinel/authomationRule:AuthomationRule example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/automationRules/rule1
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Classic pulumi/pulumi-azure
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
azurermTerraform Provider.