Datadog v4.28.1, Jun 24 24

Datadog v4.28.1 published on Monday, Jun 24, 2024 by Pulumi

datadog.SecurityMonitoringRule

Explore with Pulumi AI

Datadog v4.28.1 published on Monday, Jun 24, 2024 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as datadog from "@pulumi/datadog";

const myrule = new datadog.SecurityMonitoringRule("myrule", {
    name: "My rule",
    message: "The rule has triggered.",
    enabled: true,
    queries: [
        {
            name: "errors",
            query: "status:error",
            aggregation: "count",
            groupByFields: ["host"],
        },
        {
            name: "warnings",
            query: "status:warning",
            aggregation: "count",
            groupByFields: ["host"],
        },
    ],
    cases: [{
        status: "high",
        condition: "errors > 3 && warnings > 10",
        notifications: ["@user"],
    }],
    options: {
        evaluationWindow: 300,
        keepAlive: 600,
        maxSignalDuration: 900,
    },
    tags: ["type:dos"],
});

import pulumi
import pulumi_datadog as datadog

myrule = datadog.SecurityMonitoringRule("myrule",
    name="My rule",
    message="The rule has triggered.",
    enabled=True,
    queries=[
        datadog.SecurityMonitoringRuleQueryArgs(
            name="errors",
            query="status:error",
            aggregation="count",
            group_by_fields=["host"],
        ),
        datadog.SecurityMonitoringRuleQueryArgs(
            name="warnings",
            query="status:warning",
            aggregation="count",
            group_by_fields=["host"],
        ),
    ],
    cases=[datadog.SecurityMonitoringRuleCaseArgs(
        status="high",
        condition="errors > 3 && warnings > 10",
        notifications=["@user"],
    )],
    options=datadog.SecurityMonitoringRuleOptionsArgs(
        evaluation_window=300,
        keep_alive=600,
        max_signal_duration=900,
    ),
    tags=["type:dos"])

package main

import (
	"github.com/pulumi/pulumi-datadog/sdk/v4/go/datadog"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := datadog.NewSecurityMonitoringRule(ctx, "myrule", &datadog.SecurityMonitoringRuleArgs{
			Name:    pulumi.String("My rule"),
			Message: pulumi.String("The rule has triggered."),
			Enabled: pulumi.Bool(true),
			Queries: datadog.SecurityMonitoringRuleQueryArray{
				&datadog.SecurityMonitoringRuleQueryArgs{
					Name:        pulumi.String("errors"),
					Query:       pulumi.String("status:error"),
					Aggregation: pulumi.String("count"),
					GroupByFields: pulumi.StringArray{
						pulumi.String("host"),
					},
				},
				&datadog.SecurityMonitoringRuleQueryArgs{
					Name:        pulumi.String("warnings"),
					Query:       pulumi.String("status:warning"),
					Aggregation: pulumi.String("count"),
					GroupByFields: pulumi.StringArray{
						pulumi.String("host"),
					},
				},
			},
			Cases: datadog.SecurityMonitoringRuleCaseArray{
				&datadog.SecurityMonitoringRuleCaseArgs{
					Status:    pulumi.String("high"),
					Condition: pulumi.String("errors > 3 && warnings > 10"),
					Notifications: pulumi.StringArray{
						pulumi.String("@user"),
					},
				},
			},
			Options: &datadog.SecurityMonitoringRuleOptionsArgs{
				EvaluationWindow:  pulumi.Int(300),
				KeepAlive:         pulumi.Int(600),
				MaxSignalDuration: pulumi.Int(900),
			},
			Tags: pulumi.StringArray{
				pulumi.String("type:dos"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Datadog = Pulumi.Datadog;

return await Deployment.RunAsync(() => 
{
    var myrule = new Datadog.SecurityMonitoringRule("myrule", new()
    {
        Name = "My rule",
        Message = "The rule has triggered.",
        Enabled = true,
        Queries = new[]
        {
            new Datadog.Inputs.SecurityMonitoringRuleQueryArgs
            {
                Name = "errors",
                Query = "status:error",
                Aggregation = "count",
                GroupByFields = new[]
                {
                    "host",
                },
            },
            new Datadog.Inputs.SecurityMonitoringRuleQueryArgs
            {
                Name = "warnings",
                Query = "status:warning",
                Aggregation = "count",
                GroupByFields = new[]
                {
                    "host",
                },
            },
        },
        Cases = new[]
        {
            new Datadog.Inputs.SecurityMonitoringRuleCaseArgs
            {
                Status = "high",
                Condition = "errors > 3 && warnings > 10",
                Notifications = new[]
                {
                    "@user",
                },
            },
        },
        Options = new Datadog.Inputs.SecurityMonitoringRuleOptionsArgs
        {
            EvaluationWindow = 300,
            KeepAlive = 600,
            MaxSignalDuration = 900,
        },
        Tags = new[]
        {
            "type:dos",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.datadog.SecurityMonitoringRule;
import com.pulumi.datadog.SecurityMonitoringRuleArgs;
import com.pulumi.datadog.inputs.SecurityMonitoringRuleQueryArgs;
import com.pulumi.datadog.inputs.SecurityMonitoringRuleCaseArgs;
import com.pulumi.datadog.inputs.SecurityMonitoringRuleOptionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var myrule = new SecurityMonitoringRule("myrule", SecurityMonitoringRuleArgs.builder()
            .name("My rule")
            .message("The rule has triggered.")
            .enabled(true)
            .queries(            
                SecurityMonitoringRuleQueryArgs.builder()
                    .name("errors")
                    .query("status:error")
                    .aggregation("count")
                    .groupByFields("host")
                    .build(),
                SecurityMonitoringRuleQueryArgs.builder()
                    .name("warnings")
                    .query("status:warning")
                    .aggregation("count")
                    .groupByFields("host")
                    .build())
            .cases(SecurityMonitoringRuleCaseArgs.builder()
                .status("high")
                .condition("errors > 3 && warnings > 10")
                .notifications("@user")
                .build())
            .options(SecurityMonitoringRuleOptionsArgs.builder()
                .evaluationWindow(300)
                .keepAlive(600)
                .maxSignalDuration(900)
                .build())
            .tags("type:dos")
            .build());

    }
}

resources:
  myrule:
    type: datadog:SecurityMonitoringRule
    properties:
      name: My rule
      message: The rule has triggered.
      enabled: true
      queries:
        - name: errors
          query: status:error
          aggregation: count
          groupByFields:
            - host
        - name: warnings
          query: status:warning
          aggregation: count
          groupByFields:
            - host
      cases:
        - status: high
          condition: errors > 3 && warnings > 10
          notifications:
            - '@user'
      options:
        evaluationWindow: 300
        keepAlive: 600
        maxSignalDuration: 900
      tags:
        - type:dos

Create SecurityMonitoringRule Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SecurityMonitoringRule(name: string, args: SecurityMonitoringRuleArgs, opts?: CustomResourceOptions);

@overload
def SecurityMonitoringRule(resource_name: str,
                           args: SecurityMonitoringRuleArgs,
                           opts: Optional[ResourceOptions] = None)

@overload
def SecurityMonitoringRule(resource_name: str,
                           opts: Optional[ResourceOptions] = None,
                           message: Optional[str] = None,
                           name: Optional[str] = None,
                           cases: Optional[Sequence[SecurityMonitoringRuleCaseArgs]] = None,
                           enabled: Optional[bool] = None,
                           filters: Optional[Sequence[SecurityMonitoringRuleFilterArgs]] = None,
                           has_extended_title: Optional[bool] = None,
                           options: Optional[SecurityMonitoringRuleOptionsArgs] = None,
                           queries: Optional[Sequence[SecurityMonitoringRuleQueryArgs]] = None,
                           signal_queries: Optional[Sequence[SecurityMonitoringRuleSignalQueryArgs]] = None,
                           tags: Optional[Sequence[str]] = None,
                           third_party_cases: Optional[Sequence[SecurityMonitoringRuleThirdPartyCaseArgs]] = None,
                           type: Optional[str] = None)

func NewSecurityMonitoringRule(ctx *Context, name string, args SecurityMonitoringRuleArgs, opts ...ResourceOption) (*SecurityMonitoringRule, error)

public SecurityMonitoringRule(string name, SecurityMonitoringRuleArgs args, CustomResourceOptions? opts = null)

public SecurityMonitoringRule(String name, SecurityMonitoringRuleArgs args)
public SecurityMonitoringRule(String name, SecurityMonitoringRuleArgs args, CustomResourceOptions options)

type: datadog:SecurityMonitoringRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SecurityMonitoringRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SecurityMonitoringRuleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecurityMonitoringRuleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecurityMonitoringRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SecurityMonitoringRuleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var securityMonitoringRuleResource = new Datadog.SecurityMonitoringRule("securityMonitoringRuleResource", new()
{
    Message = "string",
    Name = "string",
    Cases = new[]
    {
        new Datadog.Inputs.SecurityMonitoringRuleCaseArgs
        {
            Status = "string",
            Condition = "string",
            Name = "string",
            Notifications = new[]
            {
                "string",
            },
        },
    },
    Enabled = false,
    Filters = new[]
    {
        new Datadog.Inputs.SecurityMonitoringRuleFilterArgs
        {
            Action = "string",
            Query = "string",
        },
    },
    HasExtendedTitle = false,
    Options = new Datadog.Inputs.SecurityMonitoringRuleOptionsArgs
    {
        DecreaseCriticalityBasedOnEnv = false,
        DetectionMethod = "string",
        EvaluationWindow = 0,
        ImpossibleTravelOptions = new Datadog.Inputs.SecurityMonitoringRuleOptionsImpossibleTravelOptionsArgs
        {
            BaselineUserLocations = false,
        },
        KeepAlive = 0,
        MaxSignalDuration = 0,
        NewValueOptions = new Datadog.Inputs.SecurityMonitoringRuleOptionsNewValueOptionsArgs
        {
            ForgetAfter = 0,
            LearningDuration = 0,
            LearningMethod = "string",
            LearningThreshold = 0,
        },
        ThirdPartyRuleOptions = new Datadog.Inputs.SecurityMonitoringRuleOptionsThirdPartyRuleOptionsArgs
        {
            DefaultStatus = "string",
            RootQueries = new[]
            {
                new Datadog.Inputs.SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQueryArgs
                {
                    Query = "string",
                    GroupByFields = new[]
                    {
                        "string",
                    },
                },
            },
            DefaultNotifications = new[]
            {
                "string",
            },
            SignalTitleTemplate = "string",
        },
    },
    Queries = new[]
    {
        new Datadog.Inputs.SecurityMonitoringRuleQueryArgs
        {
            Query = "string",
            Aggregation = "string",
            DistinctFields = new[]
            {
                "string",
            },
            GroupByFields = new[]
            {
                "string",
            },
            Metrics = new[]
            {
                "string",
            },
            Name = "string",
        },
    },
    SignalQueries = new[]
    {
        new Datadog.Inputs.SecurityMonitoringRuleSignalQueryArgs
        {
            RuleId = "string",
            Aggregation = "string",
            CorrelatedByFields = new[]
            {
                "string",
            },
            CorrelatedQueryIndex = "string",
            DefaultRuleId = "string",
            Name = "string",
        },
    },
    Tags = new[]
    {
        "string",
    },
    ThirdPartyCases = new[]
    {
        new Datadog.Inputs.SecurityMonitoringRuleThirdPartyCaseArgs
        {
            Status = "string",
            Name = "string",
            Notifications = new[]
            {
                "string",
            },
            Query = "string",
        },
    },
    Type = "string",
});

example, err := datadog.NewSecurityMonitoringRule(ctx, "securityMonitoringRuleResource", &datadog.SecurityMonitoringRuleArgs{
	Message: pulumi.String("string"),
	Name:    pulumi.String("string"),
	Cases: datadog.SecurityMonitoringRuleCaseArray{
		&datadog.SecurityMonitoringRuleCaseArgs{
			Status:    pulumi.String("string"),
			Condition: pulumi.String("string"),
			Name:      pulumi.String("string"),
			Notifications: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	Enabled: pulumi.Bool(false),
	Filters: datadog.SecurityMonitoringRuleFilterArray{
		&datadog.SecurityMonitoringRuleFilterArgs{
			Action: pulumi.String("string"),
			Query:  pulumi.String("string"),
		},
	},
	HasExtendedTitle: pulumi.Bool(false),
	Options: &datadog.SecurityMonitoringRuleOptionsArgs{
		DecreaseCriticalityBasedOnEnv: pulumi.Bool(false),
		DetectionMethod:               pulumi.String("string"),
		EvaluationWindow:              pulumi.Int(0),
		ImpossibleTravelOptions: &datadog.SecurityMonitoringRuleOptionsImpossibleTravelOptionsArgs{
			BaselineUserLocations: pulumi.Bool(false),
		},
		KeepAlive:         pulumi.Int(0),
		MaxSignalDuration: pulumi.Int(0),
		NewValueOptions: &datadog.SecurityMonitoringRuleOptionsNewValueOptionsArgs{
			ForgetAfter:       pulumi.Int(0),
			LearningDuration:  pulumi.Int(0),
			LearningMethod:    pulumi.String("string"),
			LearningThreshold: pulumi.Int(0),
		},
		ThirdPartyRuleOptions: &datadog.SecurityMonitoringRuleOptionsThirdPartyRuleOptionsArgs{
			DefaultStatus: pulumi.String("string"),
			RootQueries: datadog.SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQueryArray{
				&datadog.SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQueryArgs{
					Query: pulumi.String("string"),
					GroupByFields: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
			DefaultNotifications: pulumi.StringArray{
				pulumi.String("string"),
			},
			SignalTitleTemplate: pulumi.String("string"),
		},
	},
	Queries: datadog.SecurityMonitoringRuleQueryArray{
		&datadog.SecurityMonitoringRuleQueryArgs{
			Query:       pulumi.String("string"),
			Aggregation: pulumi.String("string"),
			DistinctFields: pulumi.StringArray{
				pulumi.String("string"),
			},
			GroupByFields: pulumi.StringArray{
				pulumi.String("string"),
			},
			Metrics: pulumi.StringArray{
				pulumi.String("string"),
			},
			Name: pulumi.String("string"),
		},
	},
	SignalQueries: datadog.SecurityMonitoringRuleSignalQueryArray{
		&datadog.SecurityMonitoringRuleSignalQueryArgs{
			RuleId:      pulumi.String("string"),
			Aggregation: pulumi.String("string"),
			CorrelatedByFields: pulumi.StringArray{
				pulumi.String("string"),
			},
			CorrelatedQueryIndex: pulumi.String("string"),
			DefaultRuleId:        pulumi.String("string"),
			Name:                 pulumi.String("string"),
		},
	},
	Tags: pulumi.StringArray{
		pulumi.String("string"),
	},
	ThirdPartyCases: datadog.SecurityMonitoringRuleThirdPartyCaseArray{
		&datadog.SecurityMonitoringRuleThirdPartyCaseArgs{
			Status: pulumi.String("string"),
			Name:   pulumi.String("string"),
			Notifications: pulumi.StringArray{
				pulumi.String("string"),
			},
			Query: pulumi.String("string"),
		},
	},
	Type: pulumi.String("string"),
})

var securityMonitoringRuleResource = new SecurityMonitoringRule("securityMonitoringRuleResource", SecurityMonitoringRuleArgs.builder()
    .message("string")
    .name("string")
    .cases(SecurityMonitoringRuleCaseArgs.builder()
        .status("string")
        .condition("string")
        .name("string")
        .notifications("string")
        .build())
    .enabled(false)
    .filters(SecurityMonitoringRuleFilterArgs.builder()
        .action("string")
        .query("string")
        .build())
    .hasExtendedTitle(false)
    .options(SecurityMonitoringRuleOptionsArgs.builder()
        .decreaseCriticalityBasedOnEnv(false)
        .detectionMethod("string")
        .evaluationWindow(0)
        .impossibleTravelOptions(SecurityMonitoringRuleOptionsImpossibleTravelOptionsArgs.builder()
            .baselineUserLocations(false)
            .build())
        .keepAlive(0)
        .maxSignalDuration(0)
        .newValueOptions(SecurityMonitoringRuleOptionsNewValueOptionsArgs.builder()
            .forgetAfter(0)
            .learningDuration(0)
            .learningMethod("string")
            .learningThreshold(0)
            .build())
        .thirdPartyRuleOptions(SecurityMonitoringRuleOptionsThirdPartyRuleOptionsArgs.builder()
            .defaultStatus("string")
            .rootQueries(SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQueryArgs.builder()
                .query("string")
                .groupByFields("string")
                .build())
            .defaultNotifications("string")
            .signalTitleTemplate("string")
            .build())
        .build())
    .queries(SecurityMonitoringRuleQueryArgs.builder()
        .query("string")
        .aggregation("string")
        .distinctFields("string")
        .groupByFields("string")
        .metrics("string")
        .name("string")
        .build())
    .signalQueries(SecurityMonitoringRuleSignalQueryArgs.builder()
        .ruleId("string")
        .aggregation("string")
        .correlatedByFields("string")
        .correlatedQueryIndex("string")
        .defaultRuleId("string")
        .name("string")
        .build())
    .tags("string")
    .thirdPartyCases(SecurityMonitoringRuleThirdPartyCaseArgs.builder()
        .status("string")
        .name("string")
        .notifications("string")
        .query("string")
        .build())
    .type("string")
    .build());

security_monitoring_rule_resource = datadog.SecurityMonitoringRule("securityMonitoringRuleResource",
    message="string",
    name="string",
    cases=[datadog.SecurityMonitoringRuleCaseArgs(
        status="string",
        condition="string",
        name="string",
        notifications=["string"],
    )],
    enabled=False,
    filters=[datadog.SecurityMonitoringRuleFilterArgs(
        action="string",
        query="string",
    )],
    has_extended_title=False,
    options=datadog.SecurityMonitoringRuleOptionsArgs(
        decrease_criticality_based_on_env=False,
        detection_method="string",
        evaluation_window=0,
        impossible_travel_options=datadog.SecurityMonitoringRuleOptionsImpossibleTravelOptionsArgs(
            baseline_user_locations=False,
        ),
        keep_alive=0,
        max_signal_duration=0,
        new_value_options=datadog.SecurityMonitoringRuleOptionsNewValueOptionsArgs(
            forget_after=0,
            learning_duration=0,
            learning_method="string",
            learning_threshold=0,
        ),
        third_party_rule_options=datadog.SecurityMonitoringRuleOptionsThirdPartyRuleOptionsArgs(
            default_status="string",
            root_queries=[datadog.SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQueryArgs(
                query="string",
                group_by_fields=["string"],
            )],
            default_notifications=["string"],
            signal_title_template="string",
        ),
    ),
    queries=[datadog.SecurityMonitoringRuleQueryArgs(
        query="string",
        aggregation="string",
        distinct_fields=["string"],
        group_by_fields=["string"],
        metrics=["string"],
        name="string",
    )],
    signal_queries=[datadog.SecurityMonitoringRuleSignalQueryArgs(
        rule_id="string",
        aggregation="string",
        correlated_by_fields=["string"],
        correlated_query_index="string",
        default_rule_id="string",
        name="string",
    )],
    tags=["string"],
    third_party_cases=[datadog.SecurityMonitoringRuleThirdPartyCaseArgs(
        status="string",
        name="string",
        notifications=["string"],
        query="string",
    )],
    type="string")

const securityMonitoringRuleResource = new datadog.SecurityMonitoringRule("securityMonitoringRuleResource", {
    message: "string",
    name: "string",
    cases: [{
        status: "string",
        condition: "string",
        name: "string",
        notifications: ["string"],
    }],
    enabled: false,
    filters: [{
        action: "string",
        query: "string",
    }],
    hasExtendedTitle: false,
    options: {
        decreaseCriticalityBasedOnEnv: false,
        detectionMethod: "string",
        evaluationWindow: 0,
        impossibleTravelOptions: {
            baselineUserLocations: false,
        },
        keepAlive: 0,
        maxSignalDuration: 0,
        newValueOptions: {
            forgetAfter: 0,
            learningDuration: 0,
            learningMethod: "string",
            learningThreshold: 0,
        },
        thirdPartyRuleOptions: {
            defaultStatus: "string",
            rootQueries: [{
                query: "string",
                groupByFields: ["string"],
            }],
            defaultNotifications: ["string"],
            signalTitleTemplate: "string",
        },
    },
    queries: [{
        query: "string",
        aggregation: "string",
        distinctFields: ["string"],
        groupByFields: ["string"],
        metrics: ["string"],
        name: "string",
    }],
    signalQueries: [{
        ruleId: "string",
        aggregation: "string",
        correlatedByFields: ["string"],
        correlatedQueryIndex: "string",
        defaultRuleId: "string",
        name: "string",
    }],
    tags: ["string"],
    thirdPartyCases: [{
        status: "string",
        name: "string",
        notifications: ["string"],
        query: "string",
    }],
    type: "string",
});

type: datadog:SecurityMonitoringRule
properties:
    cases:
        - condition: string
          name: string
          notifications:
            - string
          status: string
    enabled: false
    filters:
        - action: string
          query: string
    hasExtendedTitle: false
    message: string
    name: string
    options:
        decreaseCriticalityBasedOnEnv: false
        detectionMethod: string
        evaluationWindow: 0
        impossibleTravelOptions:
            baselineUserLocations: false
        keepAlive: 0
        maxSignalDuration: 0
        newValueOptions:
            forgetAfter: 0
            learningDuration: 0
            learningMethod: string
            learningThreshold: 0
        thirdPartyRuleOptions:
            defaultNotifications:
                - string
            defaultStatus: string
            rootQueries:
                - groupByFields:
                    - string
                  query: string
            signalTitleTemplate: string
    queries:
        - aggregation: string
          distinctFields:
            - string
          groupByFields:
            - string
          metrics:
            - string
          name: string
          query: string
    signalQueries:
        - aggregation: string
          correlatedByFields:
            - string
          correlatedQueryIndex: string
          defaultRuleId: string
          name: string
          ruleId: string
    tags:
        - string
    thirdPartyCases:
        - name: string
          notifications:
            - string
          query: string
          status: string
    type: string

SecurityMonitoringRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The SecurityMonitoringRule resource accepts the following input properties:

Message string: Message for generated signals.
Name string: The name of the rule.
Cases List<SecurityMonitoringRuleCase>: Cases for generating signals.
Enabled bool: Whether the rule is enabled. Defaults to true.
Filters List<SecurityMonitoringRuleFilter>: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
HasExtendedTitle bool: Whether the notifications include the triggering group-by values in their title. Defaults to false.
Options SecurityMonitoringRuleOptions: Options on rules.
Queries List<SecurityMonitoringRuleQuery>: Queries for selecting logs which are part of the rule.
SignalQueries List<SecurityMonitoringRuleSignalQuery>: Queries for selecting logs which are part of the rule.
Tags List<string>: Tags for generated signals.
ThirdPartyCases List<SecurityMonitoringRuleThirdPartyCase>: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
Type string: The rule type. Valid values are application_security, log_detection, workload_security, signal_correlation. Defaults to "log_detection".

Message string: Message for generated signals.
Name string: The name of the rule.
Cases []SecurityMonitoringRuleCaseArgs: Cases for generating signals.
Enabled bool: Whether the rule is enabled. Defaults to true.
Filters []SecurityMonitoringRuleFilterArgs: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
HasExtendedTitle bool: Whether the notifications include the triggering group-by values in their title. Defaults to false.
Options SecurityMonitoringRuleOptionsArgs: Options on rules.
Queries []SecurityMonitoringRuleQueryArgs: Queries for selecting logs which are part of the rule.
SignalQueries []SecurityMonitoringRuleSignalQueryArgs: Queries for selecting logs which are part of the rule.
Tags []string: Tags for generated signals.
ThirdPartyCases []SecurityMonitoringRuleThirdPartyCaseArgs: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
Type string: The rule type. Valid values are application_security, log_detection, workload_security, signal_correlation. Defaults to "log_detection".

message String: Message for generated signals.
name String: The name of the rule.
cases List<SecurityMonitoringRuleCase>: Cases for generating signals.
enabled Boolean: Whether the rule is enabled. Defaults to true.
filters List<SecurityMonitoringRuleFilter>: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
hasExtendedTitle Boolean: Whether the notifications include the triggering group-by values in their title. Defaults to false.
options SecurityMonitoringRuleOptions: Options on rules.
queries List<SecurityMonitoringRuleQuery>: Queries for selecting logs which are part of the rule.
signalQueries List<SecurityMonitoringRuleSignalQuery>: Queries for selecting logs which are part of the rule.
tags List<String>: Tags for generated signals.
thirdPartyCases List<SecurityMonitoringRuleThirdPartyCase>: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
type String: The rule type. Valid values are application_security, log_detection, workload_security, signal_correlation. Defaults to "log_detection".

message string: Message for generated signals.
name string: The name of the rule.
cases SecurityMonitoringRuleCase[]: Cases for generating signals.
enabled boolean: Whether the rule is enabled. Defaults to true.
filters SecurityMonitoringRuleFilter[]: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
hasExtendedTitle boolean: Whether the notifications include the triggering group-by values in their title. Defaults to false.
options SecurityMonitoringRuleOptions: Options on rules.
queries SecurityMonitoringRuleQuery[]: Queries for selecting logs which are part of the rule.
signalQueries SecurityMonitoringRuleSignalQuery[]: Queries for selecting logs which are part of the rule.
tags string[]: Tags for generated signals.
thirdPartyCases SecurityMonitoringRuleThirdPartyCase[]: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
type string: The rule type. Valid values are application_security, log_detection, workload_security, signal_correlation. Defaults to "log_detection".

message str: Message for generated signals.
name str: The name of the rule.
cases Sequence[SecurityMonitoringRuleCaseArgs]: Cases for generating signals.
enabled bool: Whether the rule is enabled. Defaults to true.
filters Sequence[SecurityMonitoringRuleFilterArgs]: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
has_extended_title bool: Whether the notifications include the triggering group-by values in their title. Defaults to false.
options SecurityMonitoringRuleOptionsArgs: Options on rules.
queries Sequence[SecurityMonitoringRuleQueryArgs]: Queries for selecting logs which are part of the rule.
signal_queries Sequence[SecurityMonitoringRuleSignalQueryArgs]: Queries for selecting logs which are part of the rule.
tags Sequence[str]: Tags for generated signals.
third_party_cases Sequence[SecurityMonitoringRuleThirdPartyCaseArgs]: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
type str: The rule type. Valid values are application_security, log_detection, workload_security, signal_correlation. Defaults to "log_detection".

message String: Message for generated signals.
name String: The name of the rule.
cases List<Property Map>: Cases for generating signals.
enabled Boolean: Whether the rule is enabled. Defaults to true.
filters List<Property Map>: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
hasExtendedTitle Boolean: Whether the notifications include the triggering group-by values in their title. Defaults to false.
options Property Map: Options on rules.
queries List<Property Map>: Queries for selecting logs which are part of the rule.
signalQueries List<Property Map>: Queries for selecting logs which are part of the rule.
tags List<String>: Tags for generated signals.
thirdPartyCases List<Property Map>: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
type String: The rule type. Valid values are application_security, log_detection, workload_security, signal_correlation. Defaults to "log_detection".

Outputs

All input properties are implicitly available as output properties. Additionally, the SecurityMonitoringRule resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing SecurityMonitoringRule Resource

Get an existing SecurityMonitoringRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecurityMonitoringRuleState, opts?: CustomResourceOptions): SecurityMonitoringRule

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        cases: Optional[Sequence[SecurityMonitoringRuleCaseArgs]] = None,
        enabled: Optional[bool] = None,
        filters: Optional[Sequence[SecurityMonitoringRuleFilterArgs]] = None,
        has_extended_title: Optional[bool] = None,
        message: Optional[str] = None,
        name: Optional[str] = None,
        options: Optional[SecurityMonitoringRuleOptionsArgs] = None,
        queries: Optional[Sequence[SecurityMonitoringRuleQueryArgs]] = None,
        signal_queries: Optional[Sequence[SecurityMonitoringRuleSignalQueryArgs]] = None,
        tags: Optional[Sequence[str]] = None,
        third_party_cases: Optional[Sequence[SecurityMonitoringRuleThirdPartyCaseArgs]] = None,
        type: Optional[str] = None) -> SecurityMonitoringRule

func GetSecurityMonitoringRule(ctx *Context, name string, id IDInput, state *SecurityMonitoringRuleState, opts ...ResourceOption) (*SecurityMonitoringRule, error)

public static SecurityMonitoringRule Get(string name, Input<string> id, SecurityMonitoringRuleState? state, CustomResourceOptions? opts = null)

public static SecurityMonitoringRule get(String name, Output<String> id, SecurityMonitoringRuleState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Cases List<SecurityMonitoringRuleCase>: Cases for generating signals.
Enabled bool: Whether the rule is enabled. Defaults to true.
Filters List<SecurityMonitoringRuleFilter>: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
HasExtendedTitle bool: Whether the notifications include the triggering group-by values in their title. Defaults to false.
Message string: Message for generated signals.
Name string: The name of the rule.
Options SecurityMonitoringRuleOptions: Options on rules.
Queries List<SecurityMonitoringRuleQuery>: Queries for selecting logs which are part of the rule.
SignalQueries List<SecurityMonitoringRuleSignalQuery>: Queries for selecting logs which are part of the rule.
Tags List<string>: Tags for generated signals.
ThirdPartyCases List<SecurityMonitoringRuleThirdPartyCase>: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
Type string: The rule type. Valid values are application_security, log_detection, workload_security, signal_correlation. Defaults to "log_detection".

Cases []SecurityMonitoringRuleCaseArgs: Cases for generating signals.
Enabled bool: Whether the rule is enabled. Defaults to true.
Filters []SecurityMonitoringRuleFilterArgs: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
HasExtendedTitle bool: Whether the notifications include the triggering group-by values in their title. Defaults to false.
Message string: Message for generated signals.
Name string: The name of the rule.
Options SecurityMonitoringRuleOptionsArgs: Options on rules.
Queries []SecurityMonitoringRuleQueryArgs: Queries for selecting logs which are part of the rule.
SignalQueries []SecurityMonitoringRuleSignalQueryArgs: Queries for selecting logs which are part of the rule.
Tags []string: Tags for generated signals.
ThirdPartyCases []SecurityMonitoringRuleThirdPartyCaseArgs: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
Type string: The rule type. Valid values are application_security, log_detection, workload_security, signal_correlation. Defaults to "log_detection".

cases List<SecurityMonitoringRuleCase>: Cases for generating signals.
enabled Boolean: Whether the rule is enabled. Defaults to true.
filters List<SecurityMonitoringRuleFilter>: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
hasExtendedTitle Boolean: Whether the notifications include the triggering group-by values in their title. Defaults to false.
message String: Message for generated signals.
name String: The name of the rule.
options SecurityMonitoringRuleOptions: Options on rules.
queries List<SecurityMonitoringRuleQuery>: Queries for selecting logs which are part of the rule.
signalQueries List<SecurityMonitoringRuleSignalQuery>: Queries for selecting logs which are part of the rule.
tags List<String>: Tags for generated signals.
thirdPartyCases List<SecurityMonitoringRuleThirdPartyCase>: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
type String: The rule type. Valid values are application_security, log_detection, workload_security, signal_correlation. Defaults to "log_detection".

cases SecurityMonitoringRuleCase[]: Cases for generating signals.
enabled boolean: Whether the rule is enabled. Defaults to true.
filters SecurityMonitoringRuleFilter[]: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
hasExtendedTitle boolean: Whether the notifications include the triggering group-by values in their title. Defaults to false.
message string: Message for generated signals.
name string: The name of the rule.
options SecurityMonitoringRuleOptions: Options on rules.
queries SecurityMonitoringRuleQuery[]: Queries for selecting logs which are part of the rule.
signalQueries SecurityMonitoringRuleSignalQuery[]: Queries for selecting logs which are part of the rule.
tags string[]: Tags for generated signals.
thirdPartyCases SecurityMonitoringRuleThirdPartyCase[]: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
type string: The rule type. Valid values are application_security, log_detection, workload_security, signal_correlation. Defaults to "log_detection".

cases Sequence[SecurityMonitoringRuleCaseArgs]: Cases for generating signals.
enabled bool: Whether the rule is enabled. Defaults to true.
filters Sequence[SecurityMonitoringRuleFilterArgs]: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
has_extended_title bool: Whether the notifications include the triggering group-by values in their title. Defaults to false.
message str: Message for generated signals.
name str: The name of the rule.
options SecurityMonitoringRuleOptionsArgs: Options on rules.
queries Sequence[SecurityMonitoringRuleQueryArgs]: Queries for selecting logs which are part of the rule.
signal_queries Sequence[SecurityMonitoringRuleSignalQueryArgs]: Queries for selecting logs which are part of the rule.
tags Sequence[str]: Tags for generated signals.
third_party_cases Sequence[SecurityMonitoringRuleThirdPartyCaseArgs]: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
type str: The rule type. Valid values are application_security, log_detection, workload_security, signal_correlation. Defaults to "log_detection".

cases List<Property Map>: Cases for generating signals.
enabled Boolean: Whether the rule is enabled. Defaults to true.
filters List<Property Map>: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
hasExtendedTitle Boolean: Whether the notifications include the triggering group-by values in their title. Defaults to false.
message String: Message for generated signals.
name String: The name of the rule.
options Property Map: Options on rules.
queries List<Property Map>: Queries for selecting logs which are part of the rule.
signalQueries List<Property Map>: Queries for selecting logs which are part of the rule.
tags List<String>: Tags for generated signals.
thirdPartyCases List<Property Map>: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
type String: The rule type. Valid values are application_security, log_detection, workload_security, signal_correlation. Defaults to "log_detection".

Supporting Types

SecurityMonitoringRuleCase, SecurityMonitoringRuleCaseArgs

Status string: Severity of the Security Signal. Valid values are info, low, medium, high, critical.
Condition string: A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
Name string: Name of the case.
Notifications List<string>: Notification targets for each rule case.

Status string: Severity of the Security Signal. Valid values are info, low, medium, high, critical.
Condition string: A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
Name string: Name of the case.
Notifications []string: Notification targets for each rule case.

status String: Severity of the Security Signal. Valid values are info, low, medium, high, critical.
condition String: A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
name String: Name of the case.
notifications List<String>: Notification targets for each rule case.

status string: Severity of the Security Signal. Valid values are info, low, medium, high, critical.
condition string: A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
name string: Name of the case.
notifications string[]: Notification targets for each rule case.

status str: Severity of the Security Signal. Valid values are info, low, medium, high, critical.
condition str: A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
name str: Name of the case.
notifications Sequence[str]: Notification targets for each rule case.

status String: Severity of the Security Signal. Valid values are info, low, medium, high, critical.
condition String: A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
name String: Name of the case.
notifications List<String>: Notification targets for each rule case.

SecurityMonitoringRuleFilter, SecurityMonitoringRuleFilterArgs

Action string: The type of filtering action. Valid values are require, suppress.
Query string: Query for selecting logs to apply the filtering action.

Action string: The type of filtering action. Valid values are require, suppress.
Query string: Query for selecting logs to apply the filtering action.

action String: The type of filtering action. Valid values are require, suppress.
query String: Query for selecting logs to apply the filtering action.

action string: The type of filtering action. Valid values are require, suppress.
query string: Query for selecting logs to apply the filtering action.

action str: The type of filtering action. Valid values are require, suppress.
query str: Query for selecting logs to apply the filtering action.

action String: The type of filtering action. Valid values are require, suppress.
query String: Query for selecting logs to apply the filtering action.

SecurityMonitoringRuleOptions, SecurityMonitoringRuleOptionsArgs

DecreaseCriticalityBasedOnEnv bool: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection. Defaults to false.
DetectionMethod string: The detection method. Valid values are threshold, new_value, anomaly_detection, impossible_travel, hardcoded, third_party. Defaults to "threshold".
EvaluationWindow int: A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200.
ImpossibleTravelOptions SecurityMonitoringRuleOptionsImpossibleTravelOptions: Options for rules using the impossible travel detection method.
KeepAlive int: Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600.
MaxSignalDuration int: A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600, 43200, 86400.
NewValueOptions SecurityMonitoringRuleOptionsNewValueOptions: New value rules specific options.
ThirdPartyRuleOptions SecurityMonitoringRuleOptionsThirdPartyRuleOptions: Options for rules using the third-party detection method.

DecreaseCriticalityBasedOnEnv bool: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection. Defaults to false.
DetectionMethod string: The detection method. Valid values are threshold, new_value, anomaly_detection, impossible_travel, hardcoded, third_party. Defaults to "threshold".
EvaluationWindow int: A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200.
ImpossibleTravelOptions SecurityMonitoringRuleOptionsImpossibleTravelOptions: Options for rules using the impossible travel detection method.
KeepAlive int: Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600.
MaxSignalDuration int: A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600, 43200, 86400.
NewValueOptions SecurityMonitoringRuleOptionsNewValueOptions: New value rules specific options.
ThirdPartyRuleOptions SecurityMonitoringRuleOptionsThirdPartyRuleOptions: Options for rules using the third-party detection method.

decreaseCriticalityBasedOnEnv Boolean: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection. Defaults to false.
detectionMethod String: The detection method. Valid values are threshold, new_value, anomaly_detection, impossible_travel, hardcoded, third_party. Defaults to "threshold".
evaluationWindow Integer: A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200.
impossibleTravelOptions SecurityMonitoringRuleOptionsImpossibleTravelOptions: Options for rules using the impossible travel detection method.
keepAlive Integer: Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600.
maxSignalDuration Integer: A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600, 43200, 86400.
newValueOptions SecurityMonitoringRuleOptionsNewValueOptions: New value rules specific options.
thirdPartyRuleOptions SecurityMonitoringRuleOptionsThirdPartyRuleOptions: Options for rules using the third-party detection method.

decreaseCriticalityBasedOnEnv boolean: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection. Defaults to false.
detectionMethod string: The detection method. Valid values are threshold, new_value, anomaly_detection, impossible_travel, hardcoded, third_party. Defaults to "threshold".
evaluationWindow number: A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200.
impossibleTravelOptions SecurityMonitoringRuleOptionsImpossibleTravelOptions: Options for rules using the impossible travel detection method.
keepAlive number: Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600.
maxSignalDuration number: A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600, 43200, 86400.
newValueOptions SecurityMonitoringRuleOptionsNewValueOptions: New value rules specific options.
thirdPartyRuleOptions SecurityMonitoringRuleOptionsThirdPartyRuleOptions: Options for rules using the third-party detection method.

decrease_criticality_based_on_env bool: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection. Defaults to false.
detection_method str: The detection method. Valid values are threshold, new_value, anomaly_detection, impossible_travel, hardcoded, third_party. Defaults to "threshold".
evaluation_window int: A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200.
impossible_travel_options SecurityMonitoringRuleOptionsImpossibleTravelOptions: Options for rules using the impossible travel detection method.
keep_alive int: Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600.
max_signal_duration int: A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600, 43200, 86400.
new_value_options SecurityMonitoringRuleOptionsNewValueOptions: New value rules specific options.
third_party_rule_options SecurityMonitoringRuleOptionsThirdPartyRuleOptions: Options for rules using the third-party detection method.

decreaseCriticalityBasedOnEnv Boolean: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection. Defaults to false.
detectionMethod String: The detection method. Valid values are threshold, new_value, anomaly_detection, impossible_travel, hardcoded, third_party. Defaults to "threshold".
evaluationWindow Number: A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200.
impossibleTravelOptions Property Map: Options for rules using the impossible travel detection method.
keepAlive Number: Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600.
maxSignalDuration Number: A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600, 43200, 86400.
newValueOptions Property Map: New value rules specific options.
thirdPartyRuleOptions Property Map: Options for rules using the third-party detection method.

SecurityMonitoringRuleOptionsImpossibleTravelOptions, SecurityMonitoringRuleOptionsImpossibleTravelOptionsArgs

BaselineUserLocations bool: If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access. Defaults to false.

BaselineUserLocations bool: If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access. Defaults to false.

baselineUserLocations Boolean: If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access. Defaults to false.

baselineUserLocations boolean: If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access. Defaults to false.

baseline_user_locations bool: If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access. Defaults to false.

baselineUserLocations Boolean: If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access. Defaults to false.

SecurityMonitoringRuleOptionsNewValueOptions, SecurityMonitoringRuleOptionsNewValueOptionsArgs

ForgetAfter int: The duration in days after which a learned value is forgotten. Valid values are 1, 2, 7, 14, 21, 28.
LearningDuration int: The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Valid values are 0, 1, 7. Defaults to 1.
LearningMethod string: The learning method used to determine when signals should be generated for values that weren't learned. Valid values are duration, threshold. Defaults to "duration".
LearningThreshold int: A number of occurrences after which signals are generated for values that weren't learned. Valid values are 0, 1. Defaults to 0.

ForgetAfter int: The duration in days after which a learned value is forgotten. Valid values are 1, 2, 7, 14, 21, 28.
LearningDuration int: The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Valid values are 0, 1, 7. Defaults to 1.
LearningMethod string: The learning method used to determine when signals should be generated for values that weren't learned. Valid values are duration, threshold. Defaults to "duration".
LearningThreshold int: A number of occurrences after which signals are generated for values that weren't learned. Valid values are 0, 1. Defaults to 0.

forgetAfter Integer: The duration in days after which a learned value is forgotten. Valid values are 1, 2, 7, 14, 21, 28.
learningDuration Integer: The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Valid values are 0, 1, 7. Defaults to 1.
learningMethod String: The learning method used to determine when signals should be generated for values that weren't learned. Valid values are duration, threshold. Defaults to "duration".
learningThreshold Integer: A number of occurrences after which signals are generated for values that weren't learned. Valid values are 0, 1. Defaults to 0.

forgetAfter number: The duration in days after which a learned value is forgotten. Valid values are 1, 2, 7, 14, 21, 28.
learningDuration number: The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Valid values are 0, 1, 7. Defaults to 1.
learningMethod string: The learning method used to determine when signals should be generated for values that weren't learned. Valid values are duration, threshold. Defaults to "duration".
learningThreshold number: A number of occurrences after which signals are generated for values that weren't learned. Valid values are 0, 1. Defaults to 0.

forget_after int: The duration in days after which a learned value is forgotten. Valid values are 1, 2, 7, 14, 21, 28.
learning_duration int: The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Valid values are 0, 1, 7. Defaults to 1.
learning_method str: The learning method used to determine when signals should be generated for values that weren't learned. Valid values are duration, threshold. Defaults to "duration".
learning_threshold int: A number of occurrences after which signals are generated for values that weren't learned. Valid values are 0, 1. Defaults to 0.

forgetAfter Number: The duration in days after which a learned value is forgotten. Valid values are 1, 2, 7, 14, 21, 28.
learningDuration Number: The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Valid values are 0, 1, 7. Defaults to 1.
learningMethod String: The learning method used to determine when signals should be generated for values that weren't learned. Valid values are duration, threshold. Defaults to "duration".
learningThreshold Number: A number of occurrences after which signals are generated for values that weren't learned. Valid values are 0, 1. Defaults to 0.

SecurityMonitoringRuleOptionsThirdPartyRuleOptions, SecurityMonitoringRuleOptionsThirdPartyRuleOptionsArgs

DefaultStatus string: Severity of the default rule case, when none of the third-party cases match. Valid values are info, low, medium, high, critical.
RootQueries List<SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQuery>: Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
DefaultNotifications List<string>: Notification targets for the default rule case, when none of the third-party cases match.
SignalTitleTemplate string: A template for the signal title; if omitted, the title is generated based on the case name.

DefaultStatus string: Severity of the default rule case, when none of the third-party cases match. Valid values are info, low, medium, high, critical.
RootQueries []SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQuery: Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
DefaultNotifications []string: Notification targets for the default rule case, when none of the third-party cases match.
SignalTitleTemplate string: A template for the signal title; if omitted, the title is generated based on the case name.

defaultStatus String: Severity of the default rule case, when none of the third-party cases match. Valid values are info, low, medium, high, critical.
rootQueries List<SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQuery>: Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
defaultNotifications List<String>: Notification targets for the default rule case, when none of the third-party cases match.
signalTitleTemplate String: A template for the signal title; if omitted, the title is generated based on the case name.

defaultStatus string: Severity of the default rule case, when none of the third-party cases match. Valid values are info, low, medium, high, critical.
rootQueries SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQuery[]: Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
defaultNotifications string[]: Notification targets for the default rule case, when none of the third-party cases match.
signalTitleTemplate string: A template for the signal title; if omitted, the title is generated based on the case name.

default_status str: Severity of the default rule case, when none of the third-party cases match. Valid values are info, low, medium, high, critical.
root_queries Sequence[SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQuery]: Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
default_notifications Sequence[str]: Notification targets for the default rule case, when none of the third-party cases match.
signal_title_template str: A template for the signal title; if omitted, the title is generated based on the case name.

defaultStatus String: Severity of the default rule case, when none of the third-party cases match. Valid values are info, low, medium, high, critical.
rootQueries List<Property Map>: Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
defaultNotifications List<String>: Notification targets for the default rule case, when none of the third-party cases match.
signalTitleTemplate String: A template for the signal title; if omitted, the title is generated based on the case name.

SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQuery, SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQueryArgs

Query string: Query to filter logs.
GroupByFields List<string>: Fields to group by. If empty, each log triggers a signal.

Query string: Query to filter logs.
GroupByFields []string: Fields to group by. If empty, each log triggers a signal.

query String: Query to filter logs.
groupByFields List<String>: Fields to group by. If empty, each log triggers a signal.

query string: Query to filter logs.
groupByFields string[]: Fields to group by. If empty, each log triggers a signal.

query str: Query to filter logs.
group_by_fields Sequence[str]: Fields to group by. If empty, each log triggers a signal.

query String: Query to filter logs.
groupByFields List<String>: Fields to group by. If empty, each log triggers a signal.

SecurityMonitoringRuleQuery, SecurityMonitoringRuleQueryArgs

Query string: Query to run on logs.
AgentRules List<SecurityMonitoringRuleQueryAgentRule>: Deprecated. It won't be applied anymore. Deprecated. agent_rule has been deprecated in favor of new Agent Rule resource.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
Aggregation string: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "count".
DistinctFields List<string>: Field for which the cardinality is measured. Sent as an array.
GroupByFields List<string>: Fields to group by.
Metric string: The target field to aggregate over when using the sum, max, or geo_data aggregations. Deprecated. Configure metrics instead. This attribute will be removed in the next major version of the provider.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
Metrics List<string>: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
Name string: Name of the query. Not compatible with new_value aggregations.

Query string: Query to run on logs.
AgentRules []SecurityMonitoringRuleQueryAgentRule: Deprecated. It won't be applied anymore. Deprecated. agent_rule has been deprecated in favor of new Agent Rule resource.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
Aggregation string: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "count".
DistinctFields []string: Field for which the cardinality is measured. Sent as an array.
GroupByFields []string: Fields to group by.
Metric string: The target field to aggregate over when using the sum, max, or geo_data aggregations. Deprecated. Configure metrics instead. This attribute will be removed in the next major version of the provider.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
Metrics []string: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
Name string: Name of the query. Not compatible with new_value aggregations.

query String: Query to run on logs.
agentRules List<SecurityMonitoringRuleQueryAgentRule>: Deprecated. It won't be applied anymore. Deprecated. agent_rule has been deprecated in favor of new Agent Rule resource.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
aggregation String: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "count".
distinctFields List<String>: Field for which the cardinality is measured. Sent as an array.
groupByFields List<String>: Fields to group by.
metric String: The target field to aggregate over when using the sum, max, or geo_data aggregations. Deprecated. Configure metrics instead. This attribute will be removed in the next major version of the provider.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
metrics List<String>: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
name String: Name of the query. Not compatible with new_value aggregations.

query string: Query to run on logs.
agentRules SecurityMonitoringRuleQueryAgentRule[]: Deprecated. It won't be applied anymore. Deprecated. agent_rule has been deprecated in favor of new Agent Rule resource.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
aggregation string: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "count".
distinctFields string[]: Field for which the cardinality is measured. Sent as an array.
groupByFields string[]: Fields to group by.
metric string: The target field to aggregate over when using the sum, max, or geo_data aggregations. Deprecated. Configure metrics instead. This attribute will be removed in the next major version of the provider.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
metrics string[]: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
name string: Name of the query. Not compatible with new_value aggregations.

query str: Query to run on logs.
agent_rules Sequence[SecurityMonitoringRuleQueryAgentRule]: Deprecated. It won't be applied anymore. Deprecated. agent_rule has been deprecated in favor of new Agent Rule resource.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
aggregation str: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "count".
distinct_fields Sequence[str]: Field for which the cardinality is measured. Sent as an array.
group_by_fields Sequence[str]: Fields to group by.
metric str: The target field to aggregate over when using the sum, max, or geo_data aggregations. Deprecated. Configure metrics instead. This attribute will be removed in the next major version of the provider.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
metrics Sequence[str]: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
name str: Name of the query. Not compatible with new_value aggregations.

query String: Query to run on logs.
agentRules List<Property Map>: Deprecated. It won't be applied anymore. Deprecated. agent_rule has been deprecated in favor of new Agent Rule resource.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
aggregation String: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "count".
distinctFields List<String>: Field for which the cardinality is measured. Sent as an array.
groupByFields List<String>: Fields to group by.
metric String: The target field to aggregate over when using the sum, max, or geo_data aggregations. Deprecated. Configure metrics instead. This attribute will be removed in the next major version of the provider.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
metrics List<String>: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
name String: Name of the query. Not compatible with new_value aggregations.

SecurityMonitoringRuleQueryAgentRule, SecurityMonitoringRuleQueryAgentRuleArgs

AgentRuleId string: Deprecated. It won't be applied anymore.
Expression string: Deprecated. It won't be applied anymore.

AgentRuleId string: Deprecated. It won't be applied anymore.
Expression string: Deprecated. It won't be applied anymore.

agentRuleId String: Deprecated. It won't be applied anymore.
expression String: Deprecated. It won't be applied anymore.

agentRuleId string: Deprecated. It won't be applied anymore.
expression string: Deprecated. It won't be applied anymore.

agent_rule_id str: Deprecated. It won't be applied anymore.
expression str: Deprecated. It won't be applied anymore.

agentRuleId String: Deprecated. It won't be applied anymore.
expression String: Deprecated. It won't be applied anymore.

SecurityMonitoringRuleSignalQuery, SecurityMonitoringRuleSignalQueryArgs

RuleId string: Rule ID of the signal to correlate.
Aggregation string: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "event_count".
CorrelatedByFields List<string>: Fields to correlate by.
CorrelatedQueryIndex string: Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule. Defaults to "".
DefaultRuleId string: Default Rule ID of the signal to correlate. This value is READ-ONLY.
Name string: Name of the query. Not compatible with new_value aggregations.

RuleId string: Rule ID of the signal to correlate.
Aggregation string: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "event_count".
CorrelatedByFields []string: Fields to correlate by.
CorrelatedQueryIndex string: Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule. Defaults to "".
DefaultRuleId string: Default Rule ID of the signal to correlate. This value is READ-ONLY.
Name string: Name of the query. Not compatible with new_value aggregations.

ruleId String: Rule ID of the signal to correlate.
aggregation String: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "event_count".
correlatedByFields List<String>: Fields to correlate by.
correlatedQueryIndex String: Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule. Defaults to "".
defaultRuleId String: Default Rule ID of the signal to correlate. This value is READ-ONLY.
name String: Name of the query. Not compatible with new_value aggregations.

ruleId string: Rule ID of the signal to correlate.
aggregation string: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "event_count".
correlatedByFields string[]: Fields to correlate by.
correlatedQueryIndex string: Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule. Defaults to "".
defaultRuleId string: Default Rule ID of the signal to correlate. This value is READ-ONLY.
name string: Name of the query. Not compatible with new_value aggregations.

rule_id str: Rule ID of the signal to correlate.
aggregation str: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "event_count".
correlated_by_fields Sequence[str]: Fields to correlate by.
correlated_query_index str: Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule. Defaults to "".
default_rule_id str: Default Rule ID of the signal to correlate. This value is READ-ONLY.
name str: Name of the query. Not compatible with new_value aggregations.

ruleId String: Rule ID of the signal to correlate.
aggregation String: The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "event_count".
correlatedByFields List<String>: Fields to correlate by.
correlatedQueryIndex String: Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule. Defaults to "".
defaultRuleId String: Default Rule ID of the signal to correlate. This value is READ-ONLY.
name String: Name of the query. Not compatible with new_value aggregations.

SecurityMonitoringRuleThirdPartyCase, SecurityMonitoringRuleThirdPartyCaseArgs

Status string: Severity of the Security Signal. Valid values are info, low, medium, high, critical.
Name string: Name of the case.
Notifications List<string>: Notification targets for each rule case.
Query string: A query to associate a third-party event to this case.

Status string: Severity of the Security Signal. Valid values are info, low, medium, high, critical.
Name string: Name of the case.
Notifications []string: Notification targets for each rule case.
Query string: A query to associate a third-party event to this case.

status String: Severity of the Security Signal. Valid values are info, low, medium, high, critical.
name String: Name of the case.
notifications List<String>: Notification targets for each rule case.
query String: A query to associate a third-party event to this case.

status string: Severity of the Security Signal. Valid values are info, low, medium, high, critical.
name string: Name of the case.
notifications string[]: Notification targets for each rule case.
query string: A query to associate a third-party event to this case.

status str: Severity of the Security Signal. Valid values are info, low, medium, high, critical.
name str: Name of the case.
notifications Sequence[str]: Notification targets for each rule case.
query str: A query to associate a third-party event to this case.

status String: Severity of the Security Signal. Valid values are info, low, medium, high, critical.
name String: Name of the case.
notifications List<String>: Notification targets for each rule case.
query String: A query to associate a third-party event to this case.

Import

Security monitoring rules can be imported using ID, e.g.

$ pulumi import datadog:index/securityMonitoringRule:SecurityMonitoringRule my_rule m0o-hto-lkb

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Datadog pulumi/pulumi-datadog
License: Apache-2.0
Notes: This Pulumi package is based on the datadog Terraform Provider.

Datadog v4.28.1 published on Monday, Jun 24, 2024 by Pulumi

pulumi/pulumi-datadog

datadog.SecurityMonitoringRule

On this page

On this page

Example Usage

Create SecurityMonitoringRule Resource

Constructor syntax

Parameters

Constructor example

SecurityMonitoringRule Resource Properties

Inputs

Outputs

Look up Existing SecurityMonitoringRule Resource

Supporting Types

SecurityMonitoringRuleCase, SecurityMonitoringRuleCaseArgs

SecurityMonitoringRuleFilter, SecurityMonitoringRuleFilterArgs

SecurityMonitoringRuleOptions, SecurityMonitoringRuleOptionsArgs

SecurityMonitoringRuleOptionsImpossibleTravelOptions, SecurityMonitoringRuleOptionsImpossibleTravelOptionsArgs

SecurityMonitoringRuleOptionsNewValueOptions, SecurityMonitoringRuleOptionsNewValueOptionsArgs

SecurityMonitoringRuleOptionsThirdPartyRuleOptions, SecurityMonitoringRuleOptionsThirdPartyRuleOptionsArgs

SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQuery, SecurityMonitoringRuleOptionsThirdPartyRuleOptionsRootQueryArgs

SecurityMonitoringRuleQuery, SecurityMonitoringRuleQueryArgs

SecurityMonitoringRuleQueryAgentRule, SecurityMonitoringRuleQueryAgentRuleArgs

SecurityMonitoringRuleSignalQuery, SecurityMonitoringRuleSignalQueryArgs

SecurityMonitoringRuleThirdPartyCase, SecurityMonitoringRuleThirdPartyCaseArgs

Import

Package Details

On this page

On this page