Azure v6.21.0, Mar 7 25

We recommend using Azure Native.

Azure v6.21.0 published on Friday, Mar 7, 2025 by Pulumi

pulumi/pulumi-azure

azure.sentinel.AlertRuleNrt

Explore with Pulumi AI

We recommend using Azure Native.

Azure v6.21.0 published on Friday, Mar 7, 2025 by Pulumi

pulumi/pulumi-azure

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const example = new azure.core.ResourceGroup("example", {
    name: "example-resources",
    location: "West Europe",
});
const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("example", {
    name: "example-workspace",
    location: example.location,
    resourceGroupName: example.name,
    sku: "pergb2018",
});
const exampleLogAnalyticsWorkspaceOnboarding = new azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", {workspaceId: exampleAnalyticsWorkspace.id});
const exampleAlertRuleNrt = new azure.sentinel.AlertRuleNrt("example", {
    name: "example",
    logAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.workspaceId,
    displayName: "example",
    severity: "High",
    query: `AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
`,
});

import pulumi
import pulumi_azure as azure

example = azure.core.ResourceGroup("example",
    name="example-resources",
    location="West Europe")
example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("example",
    name="example-workspace",
    location=example.location,
    resource_group_name=example.name,
    sku="pergb2018")
example_log_analytics_workspace_onboarding = azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", workspace_id=example_analytics_workspace.id)
example_alert_rule_nrt = azure.sentinel.AlertRuleNrt("example",
    name="example",
    log_analytics_workspace_id=example_log_analytics_workspace_onboarding.workspace_id,
    display_name="example",
    severity="High",
    query="""AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
""")

package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/operationalinsights"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/sentinel"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example-resources"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}
		exampleAnalyticsWorkspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "example", &operationalinsights.AnalyticsWorkspaceArgs{
			Name:              pulumi.String("example-workspace"),
			Location:          example.Location,
			ResourceGroupName: example.Name,
			Sku:               pulumi.String("pergb2018"),
		})
		if err != nil {
			return err
		}
		exampleLogAnalyticsWorkspaceOnboarding, err := sentinel.NewLogAnalyticsWorkspaceOnboarding(ctx, "example", &sentinel.LogAnalyticsWorkspaceOnboardingArgs{
			WorkspaceId: exampleAnalyticsWorkspace.ID(),
		})
		if err != nil {
			return err
		}
		_, err = sentinel.NewAlertRuleNrt(ctx, "example", &sentinel.AlertRuleNrtArgs{
			Name:                    pulumi.String("example"),
			LogAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
			DisplayName:             pulumi.String("example"),
			Severity:                pulumi.String("High"),
			Query:                   pulumi.String("AzureActivity |\n  where OperationName == \"Create or Update Virtual Machine\" or OperationName ==\"Create Deployment\" |\n  where ActivityStatus == \"Succeeded\" |\n  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller\n"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() => 
{
    var example = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example-resources",
        Location = "West Europe",
    });

    var exampleAnalyticsWorkspace = new Azure.OperationalInsights.AnalyticsWorkspace("example", new()
    {
        Name = "example-workspace",
        Location = example.Location,
        ResourceGroupName = example.Name,
        Sku = "pergb2018",
    });

    var exampleLogAnalyticsWorkspaceOnboarding = new Azure.Sentinel.LogAnalyticsWorkspaceOnboarding("example", new()
    {
        WorkspaceId = exampleAnalyticsWorkspace.Id,
    });

    var exampleAlertRuleNrt = new Azure.Sentinel.AlertRuleNrt("example", new()
    {
        Name = "example",
        LogAnalyticsWorkspaceId = exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
        DisplayName = "example",
        Severity = "High",
        Query = @"AzureActivity |
  where OperationName == ""Create or Update Virtual Machine"" or OperationName ==""Create Deployment"" |
  where ActivityStatus == ""Succeeded"" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboarding;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboardingArgs;
import com.pulumi.azure.sentinel.AlertRuleNrt;
import com.pulumi.azure.sentinel.AlertRuleNrtArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example-resources")
            .location("West Europe")
            .build());

        var exampleAnalyticsWorkspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()
            .name("example-workspace")
            .location(example.location())
            .resourceGroupName(example.name())
            .sku("pergb2018")
            .build());

        var exampleLogAnalyticsWorkspaceOnboarding = new LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", LogAnalyticsWorkspaceOnboardingArgs.builder()
            .workspaceId(exampleAnalyticsWorkspace.id())
            .build());

        var exampleAlertRuleNrt = new AlertRuleNrt("exampleAlertRuleNrt", AlertRuleNrtArgs.builder()
            .name("example")
            .logAnalyticsWorkspaceId(exampleLogAnalyticsWorkspaceOnboarding.workspaceId())
            .displayName("example")
            .severity("High")
            .query("""
AzureActivity |
  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
  where ActivityStatus == "Succeeded" |
  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
            """)
            .build());

    }
}

resources:
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example-resources
      location: West Europe
  exampleAnalyticsWorkspace:
    type: azure:operationalinsights:AnalyticsWorkspace
    name: example
    properties:
      name: example-workspace
      location: ${example.location}
      resourceGroupName: ${example.name}
      sku: pergb2018
  exampleLogAnalyticsWorkspaceOnboarding:
    type: azure:sentinel:LogAnalyticsWorkspaceOnboarding
    name: example
    properties:
      workspaceId: ${exampleAnalyticsWorkspace.id}
  exampleAlertRuleNrt:
    type: azure:sentinel:AlertRuleNrt
    name: example
    properties:
      name: example
      logAnalyticsWorkspaceId: ${exampleLogAnalyticsWorkspaceOnboarding.workspaceId}
      displayName: example
      severity: High
      query: |
        AzureActivity |
          where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
          where ActivityStatus == "Succeeded" |
          make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller

Create AlertRuleNrt Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new AlertRuleNrt(name: string, args: AlertRuleNrtArgs, opts?: CustomResourceOptions);

@overload
def AlertRuleNrt(resource_name: str,
                 args: AlertRuleNrtArgs,
                 opts: Optional[ResourceOptions] = None)

@overload
def AlertRuleNrt(resource_name: str,
                 opts: Optional[ResourceOptions] = None,
                 query: Optional[str] = None,
                 display_name: Optional[str] = None,
                 event_grouping: Optional[AlertRuleNrtEventGroupingArgs] = None,
                 severity: Optional[str] = None,
                 log_analytics_workspace_id: Optional[str] = None,
                 techniques: Optional[Sequence[str]] = None,
                 alert_details_overrides: Optional[Sequence[AlertRuleNrtAlertDetailsOverrideArgs]] = None,
                 entity_mappings: Optional[Sequence[AlertRuleNrtEntityMappingArgs]] = None,
                 alert_rule_template_version: Optional[str] = None,
                 alert_rule_template_guid: Optional[str] = None,
                 name: Optional[str] = None,
                 description: Optional[str] = None,
                 enabled: Optional[bool] = None,
                 sentinel_entity_mappings: Optional[Sequence[AlertRuleNrtSentinelEntityMappingArgs]] = None,
                 custom_details: Optional[Mapping[str, str]] = None,
                 suppression_duration: Optional[str] = None,
                 suppression_enabled: Optional[bool] = None,
                 tactics: Optional[Sequence[str]] = None,
                 incident: Optional[AlertRuleNrtIncidentArgs] = None)

func NewAlertRuleNrt(ctx *Context, name string, args AlertRuleNrtArgs, opts ...ResourceOption) (*AlertRuleNrt, error)

public AlertRuleNrt(string name, AlertRuleNrtArgs args, CustomResourceOptions? opts = null)

public AlertRuleNrt(String name, AlertRuleNrtArgs args)
public AlertRuleNrt(String name, AlertRuleNrtArgs args, CustomResourceOptions options)

type: azure:sentinel:AlertRuleNrt
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args AlertRuleNrtArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args AlertRuleNrtArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AlertRuleNrtArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AlertRuleNrtArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args AlertRuleNrtArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var alertRuleNrtResource = new Azure.Sentinel.AlertRuleNrt("alertRuleNrtResource", new()
{
    Query = "string",
    DisplayName = "string",
    EventGrouping = new Azure.Sentinel.Inputs.AlertRuleNrtEventGroupingArgs
    {
        AggregationMethod = "string",
    },
    Severity = "string",
    LogAnalyticsWorkspaceId = "string",
    Techniques = new[]
    {
        "string",
    },
    AlertDetailsOverrides = new[]
    {
        new Azure.Sentinel.Inputs.AlertRuleNrtAlertDetailsOverrideArgs
        {
            DescriptionFormat = "string",
            DisplayNameFormat = "string",
            DynamicProperties = new[]
            {
                new Azure.Sentinel.Inputs.AlertRuleNrtAlertDetailsOverrideDynamicPropertyArgs
                {
                    Name = "string",
                    Value = "string",
                },
            },
            SeverityColumnName = "string",
            TacticsColumnName = "string",
        },
    },
    EntityMappings = new[]
    {
        new Azure.Sentinel.Inputs.AlertRuleNrtEntityMappingArgs
        {
            EntityType = "string",
            FieldMappings = new[]
            {
                new Azure.Sentinel.Inputs.AlertRuleNrtEntityMappingFieldMappingArgs
                {
                    ColumnName = "string",
                    Identifier = "string",
                },
            },
        },
    },
    AlertRuleTemplateVersion = "string",
    AlertRuleTemplateGuid = "string",
    Name = "string",
    Description = "string",
    Enabled = false,
    SentinelEntityMappings = new[]
    {
        new Azure.Sentinel.Inputs.AlertRuleNrtSentinelEntityMappingArgs
        {
            ColumnName = "string",
        },
    },
    CustomDetails = 
    {
        { "string", "string" },
    },
    SuppressionDuration = "string",
    SuppressionEnabled = false,
    Tactics = new[]
    {
        "string",
    },
    Incident = new Azure.Sentinel.Inputs.AlertRuleNrtIncidentArgs
    {
        CreateIncidentEnabled = false,
        Grouping = new Azure.Sentinel.Inputs.AlertRuleNrtIncidentGroupingArgs
        {
            ByAlertDetails = new[]
            {
                "string",
            },
            ByCustomDetails = new[]
            {
                "string",
            },
            ByEntities = new[]
            {
                "string",
            },
            Enabled = false,
            EntityMatchingMethod = "string",
            LookbackDuration = "string",
            ReopenClosedIncidents = false,
        },
    },
});

example, err := sentinel.NewAlertRuleNrt(ctx, "alertRuleNrtResource", &sentinel.AlertRuleNrtArgs{
	Query:       pulumi.String("string"),
	DisplayName: pulumi.String("string"),
	EventGrouping: &sentinel.AlertRuleNrtEventGroupingArgs{
		AggregationMethod: pulumi.String("string"),
	},
	Severity:                pulumi.String("string"),
	LogAnalyticsWorkspaceId: pulumi.String("string"),
	Techniques: pulumi.StringArray{
		pulumi.String("string"),
	},
	AlertDetailsOverrides: sentinel.AlertRuleNrtAlertDetailsOverrideArray{
		&sentinel.AlertRuleNrtAlertDetailsOverrideArgs{
			DescriptionFormat: pulumi.String("string"),
			DisplayNameFormat: pulumi.String("string"),
			DynamicProperties: sentinel.AlertRuleNrtAlertDetailsOverrideDynamicPropertyArray{
				&sentinel.AlertRuleNrtAlertDetailsOverrideDynamicPropertyArgs{
					Name:  pulumi.String("string"),
					Value: pulumi.String("string"),
				},
			},
			SeverityColumnName: pulumi.String("string"),
			TacticsColumnName:  pulumi.String("string"),
		},
	},
	EntityMappings: sentinel.AlertRuleNrtEntityMappingArray{
		&sentinel.AlertRuleNrtEntityMappingArgs{
			EntityType: pulumi.String("string"),
			FieldMappings: sentinel.AlertRuleNrtEntityMappingFieldMappingArray{
				&sentinel.AlertRuleNrtEntityMappingFieldMappingArgs{
					ColumnName: pulumi.String("string"),
					Identifier: pulumi.String("string"),
				},
			},
		},
	},
	AlertRuleTemplateVersion: pulumi.String("string"),
	AlertRuleTemplateGuid:    pulumi.String("string"),
	Name:                     pulumi.String("string"),
	Description:              pulumi.String("string"),
	Enabled:                  pulumi.Bool(false),
	SentinelEntityMappings: sentinel.AlertRuleNrtSentinelEntityMappingArray{
		&sentinel.AlertRuleNrtSentinelEntityMappingArgs{
			ColumnName: pulumi.String("string"),
		},
	},
	CustomDetails: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	SuppressionDuration: pulumi.String("string"),
	SuppressionEnabled:  pulumi.Bool(false),
	Tactics: pulumi.StringArray{
		pulumi.String("string"),
	},
	Incident: &sentinel.AlertRuleNrtIncidentArgs{
		CreateIncidentEnabled: pulumi.Bool(false),
		Grouping: &sentinel.AlertRuleNrtIncidentGroupingArgs{
			ByAlertDetails: pulumi.StringArray{
				pulumi.String("string"),
			},
			ByCustomDetails: pulumi.StringArray{
				pulumi.String("string"),
			},
			ByEntities: pulumi.StringArray{
				pulumi.String("string"),
			},
			Enabled:               pulumi.Bool(false),
			EntityMatchingMethod:  pulumi.String("string"),
			LookbackDuration:      pulumi.String("string"),
			ReopenClosedIncidents: pulumi.Bool(false),
		},
	},
})

var alertRuleNrtResource = new AlertRuleNrt("alertRuleNrtResource", AlertRuleNrtArgs.builder()
    .query("string")
    .displayName("string")
    .eventGrouping(AlertRuleNrtEventGroupingArgs.builder()
        .aggregationMethod("string")
        .build())
    .severity("string")
    .logAnalyticsWorkspaceId("string")
    .techniques("string")
    .alertDetailsOverrides(AlertRuleNrtAlertDetailsOverrideArgs.builder()
        .descriptionFormat("string")
        .displayNameFormat("string")
        .dynamicProperties(AlertRuleNrtAlertDetailsOverrideDynamicPropertyArgs.builder()
            .name("string")
            .value("string")
            .build())
        .severityColumnName("string")
        .tacticsColumnName("string")
        .build())
    .entityMappings(AlertRuleNrtEntityMappingArgs.builder()
        .entityType("string")
        .fieldMappings(AlertRuleNrtEntityMappingFieldMappingArgs.builder()
            .columnName("string")
            .identifier("string")
            .build())
        .build())
    .alertRuleTemplateVersion("string")
    .alertRuleTemplateGuid("string")
    .name("string")
    .description("string")
    .enabled(false)
    .sentinelEntityMappings(AlertRuleNrtSentinelEntityMappingArgs.builder()
        .columnName("string")
        .build())
    .customDetails(Map.of("string", "string"))
    .suppressionDuration("string")
    .suppressionEnabled(false)
    .tactics("string")
    .incident(AlertRuleNrtIncidentArgs.builder()
        .createIncidentEnabled(false)
        .grouping(AlertRuleNrtIncidentGroupingArgs.builder()
            .byAlertDetails("string")
            .byCustomDetails("string")
            .byEntities("string")
            .enabled(false)
            .entityMatchingMethod("string")
            .lookbackDuration("string")
            .reopenClosedIncidents(false)
            .build())
        .build())
    .build());

alert_rule_nrt_resource = azure.sentinel.AlertRuleNrt("alertRuleNrtResource",
    query="string",
    display_name="string",
    event_grouping={
        "aggregation_method": "string",
    },
    severity="string",
    log_analytics_workspace_id="string",
    techniques=["string"],
    alert_details_overrides=[{
        "description_format": "string",
        "display_name_format": "string",
        "dynamic_properties": [{
            "name": "string",
            "value": "string",
        }],
        "severity_column_name": "string",
        "tactics_column_name": "string",
    }],
    entity_mappings=[{
        "entity_type": "string",
        "field_mappings": [{
            "column_name": "string",
            "identifier": "string",
        }],
    }],
    alert_rule_template_version="string",
    alert_rule_template_guid="string",
    name="string",
    description="string",
    enabled=False,
    sentinel_entity_mappings=[{
        "column_name": "string",
    }],
    custom_details={
        "string": "string",
    },
    suppression_duration="string",
    suppression_enabled=False,
    tactics=["string"],
    incident={
        "create_incident_enabled": False,
        "grouping": {
            "by_alert_details": ["string"],
            "by_custom_details": ["string"],
            "by_entities": ["string"],
            "enabled": False,
            "entity_matching_method": "string",
            "lookback_duration": "string",
            "reopen_closed_incidents": False,
        },
    })

const alertRuleNrtResource = new azure.sentinel.AlertRuleNrt("alertRuleNrtResource", {
    query: "string",
    displayName: "string",
    eventGrouping: {
        aggregationMethod: "string",
    },
    severity: "string",
    logAnalyticsWorkspaceId: "string",
    techniques: ["string"],
    alertDetailsOverrides: [{
        descriptionFormat: "string",
        displayNameFormat: "string",
        dynamicProperties: [{
            name: "string",
            value: "string",
        }],
        severityColumnName: "string",
        tacticsColumnName: "string",
    }],
    entityMappings: [{
        entityType: "string",
        fieldMappings: [{
            columnName: "string",
            identifier: "string",
        }],
    }],
    alertRuleTemplateVersion: "string",
    alertRuleTemplateGuid: "string",
    name: "string",
    description: "string",
    enabled: false,
    sentinelEntityMappings: [{
        columnName: "string",
    }],
    customDetails: {
        string: "string",
    },
    suppressionDuration: "string",
    suppressionEnabled: false,
    tactics: ["string"],
    incident: {
        createIncidentEnabled: false,
        grouping: {
            byAlertDetails: ["string"],
            byCustomDetails: ["string"],
            byEntities: ["string"],
            enabled: false,
            entityMatchingMethod: "string",
            lookbackDuration: "string",
            reopenClosedIncidents: false,
        },
    },
});

type: azure:sentinel:AlertRuleNrt
properties:
    alertDetailsOverrides:
        - descriptionFormat: string
          displayNameFormat: string
          dynamicProperties:
            - name: string
              value: string
          severityColumnName: string
          tacticsColumnName: string
    alertRuleTemplateGuid: string
    alertRuleTemplateVersion: string
    customDetails:
        string: string
    description: string
    displayName: string
    enabled: false
    entityMappings:
        - entityType: string
          fieldMappings:
            - columnName: string
              identifier: string
    eventGrouping:
        aggregationMethod: string
    incident:
        createIncidentEnabled: false
        grouping:
            byAlertDetails:
                - string
            byCustomDetails:
                - string
            byEntities:
                - string
            enabled: false
            entityMatchingMethod: string
            lookbackDuration: string
            reopenClosedIncidents: false
    logAnalyticsWorkspaceId: string
    name: string
    query: string
    sentinelEntityMappings:
        - columnName: string
    severity: string
    suppressionDuration: string
    suppressionEnabled: false
    tactics:
        - string
    techniques:
        - string

AlertRuleNrt Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The AlertRuleNrt resource accepts the following input properties:

DisplayName string: The friendly name of this Sentinel NRT Alert Rule.
EventGrouping AlertRuleNrtEventGrouping: A event_grouping block as defined below.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
Query string: The query of this Sentinel NRT Alert Rule.
Severity string: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
AlertDetailsOverrides List<AlertRuleNrtAlertDetailsOverride>: An alert_details_override block as defined below.
AlertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
AlertRuleTemplateVersion string: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
CustomDetails Dictionary<string, string>: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
Description string: The description of this Sentinel NRT Alert Rule.
Enabled bool: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
EntityMappings List<AlertRuleNrtEntityMapping>: A list of entity_mapping blocks as defined below.
Incident AlertRuleNrtIncident: A incident block as defined below.
Name string: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
SentinelEntityMappings List<AlertRuleNrtSentinelEntityMapping>: A list of sentinel_entity_mapping blocks as defined below.
NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics List<string>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
Techniques List<string>: A list of techniques of attacks by which to classify the rule.

DisplayName string: The friendly name of this Sentinel NRT Alert Rule.
EventGrouping AlertRuleNrtEventGroupingArgs: A event_grouping block as defined below.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
Query string: The query of this Sentinel NRT Alert Rule.
Severity string: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
AlertDetailsOverrides []AlertRuleNrtAlertDetailsOverrideArgs: An alert_details_override block as defined below.
AlertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
AlertRuleTemplateVersion string: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
CustomDetails map[string]string: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
Description string: The description of this Sentinel NRT Alert Rule.
Enabled bool: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
EntityMappings []AlertRuleNrtEntityMappingArgs: A list of entity_mapping blocks as defined below.
Incident AlertRuleNrtIncidentArgs: A incident block as defined below.
Name string: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
SentinelEntityMappings []AlertRuleNrtSentinelEntityMappingArgs: A list of sentinel_entity_mapping blocks as defined below.
NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics []string: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
Techniques []string: A list of techniques of attacks by which to classify the rule.

displayName String: The friendly name of this Sentinel NRT Alert Rule.
eventGrouping AlertRuleNrtEventGrouping: A event_grouping block as defined below.
logAnalyticsWorkspaceId String: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
query String: The query of this Sentinel NRT Alert Rule.
severity String: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
alertDetailsOverrides List<AlertRuleNrtAlertDetailsOverride>: An alert_details_override block as defined below.
alertRuleTemplateGuid String: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alertRuleTemplateVersion String: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
customDetails Map<String,String>: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description String: The description of this Sentinel NRT Alert Rule.
enabled Boolean: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entityMappings List<AlertRuleNrtEntityMapping>: A list of entity_mapping blocks as defined below.
incident AlertRuleNrtIncident: A incident block as defined below.
name String: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
sentinelEntityMappings List<AlertRuleNrtSentinelEntityMapping>: A list of sentinel_entity_mapping blocks as defined below.
NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.
suppressionDuration String: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled Boolean: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics List<String>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
techniques List<String>: A list of techniques of attacks by which to classify the rule.

displayName string: The friendly name of this Sentinel NRT Alert Rule.
eventGrouping AlertRuleNrtEventGrouping: A event_grouping block as defined below.
logAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
query string: The query of this Sentinel NRT Alert Rule.
severity string: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
alertDetailsOverrides AlertRuleNrtAlertDetailsOverride[]: An alert_details_override block as defined below.
alertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alertRuleTemplateVersion string: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
customDetails {[key: string]: string}: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description string: The description of this Sentinel NRT Alert Rule.
enabled boolean: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entityMappings AlertRuleNrtEntityMapping[]: A list of entity_mapping blocks as defined below.
incident AlertRuleNrtIncident: A incident block as defined below.
name string: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
sentinelEntityMappings AlertRuleNrtSentinelEntityMapping[]: A list of sentinel_entity_mapping blocks as defined below.
NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.
suppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled boolean: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics string[]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
techniques string[]: A list of techniques of attacks by which to classify the rule.

display_name str: The friendly name of this Sentinel NRT Alert Rule.
event_grouping AlertRuleNrtEventGroupingArgs: A event_grouping block as defined below.
log_analytics_workspace_id str: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
query str: The query of this Sentinel NRT Alert Rule.
severity str: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
alert_details_overrides Sequence[AlertRuleNrtAlertDetailsOverrideArgs]: An alert_details_override block as defined below.
alert_rule_template_guid str: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alert_rule_template_version str: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
custom_details Mapping[str, str]: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description str: The description of this Sentinel NRT Alert Rule.
enabled bool: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entity_mappings Sequence[AlertRuleNrtEntityMappingArgs]: A list of entity_mapping blocks as defined below.
incident AlertRuleNrtIncidentArgs: A incident block as defined below.
name str: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
sentinel_entity_mappings Sequence[AlertRuleNrtSentinelEntityMappingArgs]: A list of sentinel_entity_mapping blocks as defined below.
NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.
suppression_duration str: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppression_enabled bool: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics Sequence[str]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
techniques Sequence[str]: A list of techniques of attacks by which to classify the rule.

displayName String: The friendly name of this Sentinel NRT Alert Rule.
eventGrouping Property Map: A event_grouping block as defined below.
logAnalyticsWorkspaceId String: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
query String: The query of this Sentinel NRT Alert Rule.
severity String: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
alertDetailsOverrides List<Property Map>: An alert_details_override block as defined below.
alertRuleTemplateGuid String: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alertRuleTemplateVersion String: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
customDetails Map<String>: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description String: The description of this Sentinel NRT Alert Rule.
enabled Boolean: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entityMappings List<Property Map>: A list of entity_mapping blocks as defined below.
incident Property Map: A incident block as defined below.
name String: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
sentinelEntityMappings List<Property Map>: A list of sentinel_entity_mapping blocks as defined below.
NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.
suppressionDuration String: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled Boolean: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics List<String>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
techniques List<String>: A list of techniques of attacks by which to classify the rule.

Outputs

All input properties are implicitly available as output properties. Additionally, the AlertRuleNrt resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing AlertRuleNrt Resource

Get an existing AlertRuleNrt resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AlertRuleNrtState, opts?: CustomResourceOptions): AlertRuleNrt

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        alert_details_overrides: Optional[Sequence[AlertRuleNrtAlertDetailsOverrideArgs]] = None,
        alert_rule_template_guid: Optional[str] = None,
        alert_rule_template_version: Optional[str] = None,
        custom_details: Optional[Mapping[str, str]] = None,
        description: Optional[str] = None,
        display_name: Optional[str] = None,
        enabled: Optional[bool] = None,
        entity_mappings: Optional[Sequence[AlertRuleNrtEntityMappingArgs]] = None,
        event_grouping: Optional[AlertRuleNrtEventGroupingArgs] = None,
        incident: Optional[AlertRuleNrtIncidentArgs] = None,
        log_analytics_workspace_id: Optional[str] = None,
        name: Optional[str] = None,
        query: Optional[str] = None,
        sentinel_entity_mappings: Optional[Sequence[AlertRuleNrtSentinelEntityMappingArgs]] = None,
        severity: Optional[str] = None,
        suppression_duration: Optional[str] = None,
        suppression_enabled: Optional[bool] = None,
        tactics: Optional[Sequence[str]] = None,
        techniques: Optional[Sequence[str]] = None) -> AlertRuleNrt

func GetAlertRuleNrt(ctx *Context, name string, id IDInput, state *AlertRuleNrtState, opts ...ResourceOption) (*AlertRuleNrt, error)

public static AlertRuleNrt Get(string name, Input<string> id, AlertRuleNrtState? state, CustomResourceOptions? opts = null)

public static AlertRuleNrt get(String name, Output<String> id, AlertRuleNrtState state, CustomResourceOptions options)

resources:  _:    type: azure:sentinel:AlertRuleNrt    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AlertDetailsOverrides List<AlertRuleNrtAlertDetailsOverride>: An alert_details_override block as defined below.
AlertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
AlertRuleTemplateVersion string: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
CustomDetails Dictionary<string, string>: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
Description string: The description of this Sentinel NRT Alert Rule.
DisplayName string: The friendly name of this Sentinel NRT Alert Rule.
Enabled bool: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
EntityMappings List<AlertRuleNrtEntityMapping>: A list of entity_mapping blocks as defined below.
EventGrouping AlertRuleNrtEventGrouping: A event_grouping block as defined below.
Incident AlertRuleNrtIncident: A incident block as defined below.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
Name string: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
Query string: The query of this Sentinel NRT Alert Rule.
SentinelEntityMappings List<AlertRuleNrtSentinelEntityMapping>: A list of sentinel_entity_mapping blocks as defined below.
NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.
Severity string: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics List<string>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
Techniques List<string>: A list of techniques of attacks by which to classify the rule.

AlertDetailsOverrides []AlertRuleNrtAlertDetailsOverrideArgs: An alert_details_override block as defined below.
AlertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
AlertRuleTemplateVersion string: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
CustomDetails map[string]string: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
Description string: The description of this Sentinel NRT Alert Rule.
DisplayName string: The friendly name of this Sentinel NRT Alert Rule.
Enabled bool: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
EntityMappings []AlertRuleNrtEntityMappingArgs: A list of entity_mapping blocks as defined below.
EventGrouping AlertRuleNrtEventGroupingArgs: A event_grouping block as defined below.
Incident AlertRuleNrtIncidentArgs: A incident block as defined below.
LogAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
Name string: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
Query string: The query of this Sentinel NRT Alert Rule.
SentinelEntityMappings []AlertRuleNrtSentinelEntityMappingArgs: A list of sentinel_entity_mapping blocks as defined below.
NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.
Severity string: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
SuppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
SuppressionEnabled bool: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
Tactics []string: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
Techniques []string: A list of techniques of attacks by which to classify the rule.

alertDetailsOverrides List<AlertRuleNrtAlertDetailsOverride>: An alert_details_override block as defined below.
alertRuleTemplateGuid String: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alertRuleTemplateVersion String: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
customDetails Map<String,String>: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description String: The description of this Sentinel NRT Alert Rule.
displayName String: The friendly name of this Sentinel NRT Alert Rule.
enabled Boolean: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entityMappings List<AlertRuleNrtEntityMapping>: A list of entity_mapping blocks as defined below.
eventGrouping AlertRuleNrtEventGrouping: A event_grouping block as defined below.
incident AlertRuleNrtIncident: A incident block as defined below.
logAnalyticsWorkspaceId String: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
name String: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
query String: The query of this Sentinel NRT Alert Rule.
sentinelEntityMappings List<AlertRuleNrtSentinelEntityMapping>: A list of sentinel_entity_mapping blocks as defined below.
NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.
severity String: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
suppressionDuration String: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled Boolean: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics List<String>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
techniques List<String>: A list of techniques of attacks by which to classify the rule.

alertDetailsOverrides AlertRuleNrtAlertDetailsOverride[]: An alert_details_override block as defined below.
alertRuleTemplateGuid string: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alertRuleTemplateVersion string: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
customDetails {[key: string]: string}: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description string: The description of this Sentinel NRT Alert Rule.
displayName string: The friendly name of this Sentinel NRT Alert Rule.
enabled boolean: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entityMappings AlertRuleNrtEntityMapping[]: A list of entity_mapping blocks as defined below.
eventGrouping AlertRuleNrtEventGrouping: A event_grouping block as defined below.
incident AlertRuleNrtIncident: A incident block as defined below.
logAnalyticsWorkspaceId string: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
name string: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
query string: The query of this Sentinel NRT Alert Rule.
sentinelEntityMappings AlertRuleNrtSentinelEntityMapping[]: A list of sentinel_entity_mapping blocks as defined below.
NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.
severity string: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
suppressionDuration string: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled boolean: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics string[]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
techniques string[]: A list of techniques of attacks by which to classify the rule.

alert_details_overrides Sequence[AlertRuleNrtAlertDetailsOverrideArgs]: An alert_details_override block as defined below.
alert_rule_template_guid str: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alert_rule_template_version str: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
custom_details Mapping[str, str]: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description str: The description of this Sentinel NRT Alert Rule.
display_name str: The friendly name of this Sentinel NRT Alert Rule.
enabled bool: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entity_mappings Sequence[AlertRuleNrtEntityMappingArgs]: A list of entity_mapping blocks as defined below.
event_grouping AlertRuleNrtEventGroupingArgs: A event_grouping block as defined below.
incident AlertRuleNrtIncidentArgs: A incident block as defined below.
log_analytics_workspace_id str: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
name str: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
query str: The query of this Sentinel NRT Alert Rule.
sentinel_entity_mappings Sequence[AlertRuleNrtSentinelEntityMappingArgs]: A list of sentinel_entity_mapping blocks as defined below.
NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.
severity str: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
suppression_duration str: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppression_enabled bool: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics Sequence[str]: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
techniques Sequence[str]: A list of techniques of attacks by which to classify the rule.

alertDetailsOverrides List<Property Map>: An alert_details_override block as defined below.
alertRuleTemplateGuid String: The GUID of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
alertRuleTemplateVersion String: The version of the alert rule template which is used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
customDetails Map<String>: A map of string key-value pairs of columns to be attached to this Sentinel NRT Alert Rule. The key will appear as the field name in alerts and the value is the event parameter you wish to surface in the alerts.
description String: The description of this Sentinel NRT Alert Rule.
displayName String: The friendly name of this Sentinel NRT Alert Rule.
enabled Boolean: Should the Sentinel NRT Alert Rule be enabled? Defaults to true.
entityMappings List<Property Map>: A list of entity_mapping blocks as defined below.
eventGrouping Property Map: A event_grouping block as defined below.
incident Property Map: A incident block as defined below.
logAnalyticsWorkspaceId String: The ID of the Log Analytics Workspace this Sentinel NRT Alert Rule belongs to. Changing this forces a new Sentinel NRT Alert Rule to be created.
name String: The name which should be used for this Sentinel NRT Alert Rule. Changing this forces a new Sentinel NRT Alert Rule to be created.
query String: The query of this Sentinel NRT Alert Rule.
sentinelEntityMappings List<Property Map>: A list of sentinel_entity_mapping blocks as defined below.
NOTE: entity_mapping and sentinel_entity_mapping together can't exceed 5.
severity String: The alert severity of this Sentinel NRT Alert Rule. Possible values are High, Medium, Low and Informational.
suppressionDuration String: If suppression_enabled is true, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to PT5H.
suppressionEnabled Boolean: Should the Sentinel NRT Alert Rulea stop running query after alert is generated? Defaults to false.
tactics List<String>: A list of categories of attacks by which to classify the rule. Possible values are Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction, InitialAccess, LateralMovement, Persistence, PreAttack, PrivilegeEscalation, Reconnaissance and ResourceDevelopment.
techniques List<String>: A list of techniques of attacks by which to classify the rule.

Supporting Types

AlertRuleNrtAlertDetailsOverride, AlertRuleNrtAlertDetailsOverrideArgs

DescriptionFormat string: The format containing columns name(s) to override the description of this Sentinel Alert Rule.
DisplayNameFormat string: The format containing columns name(s) to override the name of this Sentinel Alert Rule.
DynamicProperties List<AlertRuleNrtAlertDetailsOverrideDynamicProperty>: A list of dynamic_property blocks as defined below.
SeverityColumnName string: The column name to take the alert severity from.
TacticsColumnName string: The column name to take the alert tactics from.

DescriptionFormat string: The format containing columns name(s) to override the description of this Sentinel Alert Rule.
DisplayNameFormat string: The format containing columns name(s) to override the name of this Sentinel Alert Rule.
DynamicProperties []AlertRuleNrtAlertDetailsOverrideDynamicProperty: A list of dynamic_property blocks as defined below.
SeverityColumnName string: The column name to take the alert severity from.
TacticsColumnName string: The column name to take the alert tactics from.

descriptionFormat String: The format containing columns name(s) to override the description of this Sentinel Alert Rule.
displayNameFormat String: The format containing columns name(s) to override the name of this Sentinel Alert Rule.
dynamicProperties List<AlertRuleNrtAlertDetailsOverrideDynamicProperty>: A list of dynamic_property blocks as defined below.
severityColumnName String: The column name to take the alert severity from.
tacticsColumnName String: The column name to take the alert tactics from.

descriptionFormat string: The format containing columns name(s) to override the description of this Sentinel Alert Rule.
displayNameFormat string: The format containing columns name(s) to override the name of this Sentinel Alert Rule.
dynamicProperties AlertRuleNrtAlertDetailsOverrideDynamicProperty[]: A list of dynamic_property blocks as defined below.
severityColumnName string: The column name to take the alert severity from.
tacticsColumnName string: The column name to take the alert tactics from.

description_format str: The format containing columns name(s) to override the description of this Sentinel Alert Rule.
display_name_format str: The format containing columns name(s) to override the name of this Sentinel Alert Rule.
dynamic_properties Sequence[AlertRuleNrtAlertDetailsOverrideDynamicProperty]: A list of dynamic_property blocks as defined below.
severity_column_name str: The column name to take the alert severity from.
tactics_column_name str: The column name to take the alert tactics from.

descriptionFormat String: The format containing columns name(s) to override the description of this Sentinel Alert Rule.
displayNameFormat String: The format containing columns name(s) to override the name of this Sentinel Alert Rule.
dynamicProperties List<Property Map>: A list of dynamic_property blocks as defined below.
severityColumnName String: The column name to take the alert severity from.
tacticsColumnName String: The column name to take the alert tactics from.

AlertRuleNrtAlertDetailsOverrideDynamicProperty, AlertRuleNrtAlertDetailsOverrideDynamicPropertyArgs

Name string: The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
Value string: The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

Name string: The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
Value string: The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

name String: The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
value String: The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

name string: The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
value string: The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

name str: The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
value str: The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

name String: The name of the dynamic property. Possible Values are AlertLink, ConfidenceLevel, ConfidenceScore, ExtendedLinks, ProductComponentName, ProductName, ProviderName, RemediationSteps and Techniques.
value String: The value of the dynamic property. Pssible Values are Caller, dcount_ResourceId and EventSubmissionTimestamp.

AlertRuleNrtEntityMapping, AlertRuleNrtEntityMappingArgs

EntityType string: The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
FieldMappings List<AlertRuleNrtEntityMappingFieldMapping>: A list of field_mapping blocks as defined below.

EntityType string: The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
FieldMappings []AlertRuleNrtEntityMappingFieldMapping: A list of field_mapping blocks as defined below.

entityType String: The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
fieldMappings List<AlertRuleNrtEntityMappingFieldMapping>: A list of field_mapping blocks as defined below.

entityType string: The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
fieldMappings AlertRuleNrtEntityMappingFieldMapping[]: A list of field_mapping blocks as defined below.

entity_type str: The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
field_mappings Sequence[AlertRuleNrtEntityMappingFieldMapping]: A list of field_mapping blocks as defined below.

entityType String: The type of the entity. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
fieldMappings List<Property Map>: A list of field_mapping blocks as defined below.

AlertRuleNrtEntityMappingFieldMapping, AlertRuleNrtEntityMappingFieldMappingArgs

ColumnName string: The column name to be mapped to the identifier.
Identifier string: The identifier of the entity.

ColumnName string: The column name to be mapped to the identifier.
Identifier string: The identifier of the entity.

columnName String: The column name to be mapped to the identifier.
identifier String: The identifier of the entity.

columnName string: The column name to be mapped to the identifier.
identifier string: The identifier of the entity.

column_name str: The column name to be mapped to the identifier.
identifier str: The identifier of the entity.

columnName String: The column name to be mapped to the identifier.
identifier String: The identifier of the entity.

AlertRuleNrtEventGrouping, AlertRuleNrtEventGroupingArgs

AggregationMethod string: The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

AggregationMethod string: The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

aggregationMethod String: The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

aggregationMethod string: The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

aggregation_method str: The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

aggregationMethod String: The aggregation type of grouping the events. Possible values are AlertPerResult and SingleAlert.

AlertRuleNrtIncident, AlertRuleNrtIncidentArgs

CreateIncidentEnabled bool: Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
Grouping AlertRuleNrtIncidentGrouping: A grouping block as defined below.

CreateIncidentEnabled bool: Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
Grouping AlertRuleNrtIncidentGrouping: A grouping block as defined below.

createIncidentEnabled Boolean: Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
grouping AlertRuleNrtIncidentGrouping: A grouping block as defined below.

createIncidentEnabled boolean: Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
grouping AlertRuleNrtIncidentGrouping: A grouping block as defined below.

create_incident_enabled bool: Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
grouping AlertRuleNrtIncidentGrouping: A grouping block as defined below.

createIncidentEnabled Boolean: Whether to create an incident from alerts triggered by this Sentinel NRT Alert Rule?
grouping Property Map: A grouping block as defined below.

AlertRuleNrtIncidentGrouping, AlertRuleNrtIncidentGroupingArgs

ByAlertDetails List<string>: A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
ByCustomDetails List<string>: A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
ByEntities List<string>: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
Enabled bool: Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
EntityMatchingMethod string: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
LookbackDuration string: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
ReopenClosedIncidents bool: Whether to re-open closed matching incidents? Defaults to false.

ByAlertDetails []string: A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
ByCustomDetails []string: A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
ByEntities []string: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
Enabled bool: Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
EntityMatchingMethod string: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
LookbackDuration string: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
ReopenClosedIncidents bool: Whether to re-open closed matching incidents? Defaults to false.

byAlertDetails List<String>: A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
byCustomDetails List<String>: A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
byEntities List<String>: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
enabled Boolean: Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
entityMatchingMethod String: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
lookbackDuration String: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
reopenClosedIncidents Boolean: Whether to re-open closed matching incidents? Defaults to false.

byAlertDetails string[]: A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
byCustomDetails string[]: A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
byEntities string[]: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
enabled boolean: Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
entityMatchingMethod string: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
lookbackDuration string: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
reopenClosedIncidents boolean: Whether to re-open closed matching incidents? Defaults to false.

by_alert_details Sequence[str]: A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
by_custom_details Sequence[str]: A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
by_entities Sequence[str]: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
enabled bool: Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
entity_matching_method str: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
lookback_duration str: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
reopen_closed_incidents bool: Whether to re-open closed matching incidents? Defaults to false.

byAlertDetails List<String>: A list of alert details to group by, only when the entity_matching_method is Selected. Possible values are DisplayName and Severity.
byCustomDetails List<String>: A list of custom details keys to group by, only when the entity_matching_method is Selected. Only keys defined in the custom_details may be used.
byEntities List<String>: A list of entity types to group by, only when the entity_matching_method is Selected. Possible values are Account, AzureResource, CloudApplication, DNS, File, FileHash, Host, IP, Mailbox, MailCluster, MailMessage, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, SubmissionMail, URL.
enabled Boolean: Enable grouping incidents created from alerts triggered by this Sentinel NRT Alert Rule. Defaults to true.
entityMatchingMethod String: The method used to group incidents. Possible values are AnyAlert, Selected and AllEntities. Defaults to AnyAlert.
lookbackDuration String: Limit the group to alerts created within the lookback duration (in ISO 8601 duration format). Defaults to PT5M.
reopenClosedIncidents Boolean: Whether to re-open closed matching incidents? Defaults to false.

AlertRuleNrtSentinelEntityMapping, AlertRuleNrtSentinelEntityMappingArgs

ColumnName string: The column name to be mapped to the identifier.

ColumnName string: The column name to be mapped to the identifier.

columnName String: The column name to be mapped to the identifier.

columnName string: The column name to be mapped to the identifier.

column_name str: The column name to be mapped to the identifier.

columnName String: The column name to be mapped to the identifier.

Import

Sentinel NRT Alert Rules can be imported using the resource id, e.g.

$ pulumi import azure:sentinel/alertRuleNrt:AlertRuleNrt example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/alertRules/rule1

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Azure Classic pulumi/pulumi-azure
License: Apache-2.0
Notes: This Pulumi package is based on the azurerm Terraform Provider.

We recommend using Azure Native.

Azure v6.21.0 published on Friday, Mar 7, 2025 by Pulumi

pulumi/pulumi-azure

azure.sentinel.AlertRuleNrt

On this page

On this page

Example Usage

Create AlertRuleNrt Resource

Constructor syntax

Parameters

Constructor example

AlertRuleNrt Resource Properties

Inputs

Outputs

Look up Existing AlertRuleNrt Resource

Supporting Types

AlertRuleNrtAlertDetailsOverride, AlertRuleNrtAlertDetailsOverrideArgs

AlertRuleNrtAlertDetailsOverrideDynamicProperty, AlertRuleNrtAlertDetailsOverrideDynamicPropertyArgs

AlertRuleNrtEntityMapping, AlertRuleNrtEntityMappingArgs

AlertRuleNrtEntityMappingFieldMapping, AlertRuleNrtEntityMappingFieldMappingArgs

AlertRuleNrtEventGrouping, AlertRuleNrtEventGroupingArgs

AlertRuleNrtIncident, AlertRuleNrtIncidentArgs

AlertRuleNrtIncidentGrouping, AlertRuleNrtIncidentGroupingArgs

AlertRuleNrtSentinelEntityMapping, AlertRuleNrtSentinelEntityMappingArgs

Import

Package Details

On this page

On this page