Google Cloud v8.22.0, Mar 13 25

Google Cloud v8.22.0 published on Thursday, Mar 13, 2025 by Pulumi

gcp.chronicle.Rule

Explore with Pulumi AI

Google Cloud v8.22.0 published on Thursday, Mar 13, 2025 by Pulumi

pulumi/pulumi-gcp

Example Usage

Chronicle Rule Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const example = new gcp.chronicle.Rule("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    deletionPolicy: "DEFAULT",
    text: "rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n",
});

import pulumi
import pulumi_gcp as gcp

example = gcp.chronicle.Rule("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    deletion_policy="DEFAULT",
    text="rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := chronicle.NewRule(ctx, "example", &chronicle.RuleArgs{
			Location:       pulumi.String("us"),
			Instance:       pulumi.String("00000000-0000-0000-0000-000000000000"),
			DeletionPolicy: pulumi.String("DEFAULT"),
			Text:           pulumi.String("rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var example = new Gcp.Chronicle.Rule("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DeletionPolicy = "DEFAULT",
        Text = @"rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.Rule;
import com.pulumi.gcp.chronicle.RuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Rule("example", RuleArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .deletionPolicy("DEFAULT")
            .text("""
rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
            """)
            .build());

    }
}

resources:
  example:
    type: gcp:chronicle:Rule
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      deletionPolicy: DEFAULT
      text: |
        rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }

Chronicle Rule With Force Deletion

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const example = new gcp.chronicle.Rule("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    deletionPolicy: "FORCE",
    text: "rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n",
});

import pulumi
import pulumi_gcp as gcp

example = gcp.chronicle.Rule("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    deletion_policy="FORCE",
    text="rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := chronicle.NewRule(ctx, "example", &chronicle.RuleArgs{
			Location:       pulumi.String("us"),
			Instance:       pulumi.String("00000000-0000-0000-0000-000000000000"),
			DeletionPolicy: pulumi.String("FORCE"),
			Text:           pulumi.String("rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var example = new Gcp.Chronicle.Rule("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DeletionPolicy = "FORCE",
        Text = @"rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.Rule;
import com.pulumi.gcp.chronicle.RuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Rule("example", RuleArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .deletionPolicy("FORCE")
            .text("""
rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
            """)
            .build());

    }
}

resources:
  example:
    type: gcp:chronicle:Rule
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      deletionPolicy: FORCE
      text: |
        rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }

Chronicle Rule With Data Access Scope

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const dataAccessScopeTest = new gcp.chronicle.DataAccessScope("data_access_scope_test", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessScopeId: "scope-name",
    description: "scope-description",
    allowedDataAccessLabels: [{
        logType: "GCP_CLOUDAUDIT",
    }],
});
const example = new gcp.chronicle.Rule("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    scope: googleChronicleDataAccessScope.dataAccessScopeTest.name,
    text: "rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n",
});

import pulumi
import pulumi_gcp as gcp

data_access_scope_test = gcp.chronicle.DataAccessScope("data_access_scope_test",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_scope_id="scope-name",
    description="scope-description",
    allowed_data_access_labels=[{
        "log_type": "GCP_CLOUDAUDIT",
    }])
example = gcp.chronicle.Rule("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    scope=google_chronicle_data_access_scope["dataAccessScopeTest"]["name"],
    text="rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := chronicle.NewDataAccessScope(ctx, "data_access_scope_test", &chronicle.DataAccessScopeArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessScopeId: pulumi.String("scope-name"),
			Description:       pulumi.String("scope-description"),
			AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
				&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
					LogType: pulumi.String("GCP_CLOUDAUDIT"),
				},
			},
		})
		if err != nil {
			return err
		}
		_, err = chronicle.NewRule(ctx, "example", &chronicle.RuleArgs{
			Location: pulumi.String("us"),
			Instance: pulumi.String("00000000-0000-0000-0000-000000000000"),
			Scope:    pulumi.Any(googleChronicleDataAccessScope.DataAccessScopeTest.Name),
			Text:     pulumi.String("rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var dataAccessScopeTest = new Gcp.Chronicle.DataAccessScope("data_access_scope_test", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessScopeId = "scope-name",
        Description = "scope-description",
        AllowedDataAccessLabels = new[]
        {
            new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
            {
                LogType = "GCP_CLOUDAUDIT",
            },
        },
    });

    var example = new Gcp.Chronicle.Rule("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        Scope = googleChronicleDataAccessScope.DataAccessScopeTest.Name,
        Text = @"rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelArgs;
import com.pulumi.gcp.chronicle.Rule;
import com.pulumi.gcp.chronicle.RuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var dataAccessScopeTest = new DataAccessScope("dataAccessScopeTest", DataAccessScopeArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessScopeId("scope-name")
            .description("scope-description")
            .allowedDataAccessLabels(DataAccessScopeAllowedDataAccessLabelArgs.builder()
                .logType("GCP_CLOUDAUDIT")
                .build())
            .build());

        var example = new Rule("example", RuleArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .scope(googleChronicleDataAccessScope.dataAccessScopeTest().name())
            .text("""
rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
            """)
            .build());

    }
}

resources:
  dataAccessScopeTest:
    type: gcp:chronicle:DataAccessScope
    name: data_access_scope_test
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessScopeId: scope-name
      description: scope-description
      allowedDataAccessLabels:
        - logType: GCP_CLOUDAUDIT
  example:
    type: gcp:chronicle:Rule
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      scope: ${googleChronicleDataAccessScope.dataAccessScopeTest.name}
      text: |
        rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }

Create Rule Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Rule(name: string, args: RuleArgs, opts?: CustomResourceOptions);

@overload
def Rule(resource_name: str,
         args: RuleArgs,
         opts: Optional[ResourceOptions] = None)

@overload
def Rule(resource_name: str,
         opts: Optional[ResourceOptions] = None,
         instance: Optional[str] = None,
         location: Optional[str] = None,
         deletion_policy: Optional[str] = None,
         etag: Optional[str] = None,
         project: Optional[str] = None,
         rule_id: Optional[str] = None,
         scope: Optional[str] = None,
         text: Optional[str] = None)

func NewRule(ctx *Context, name string, args RuleArgs, opts ...ResourceOption) (*Rule, error)

public Rule(string name, RuleArgs args, CustomResourceOptions? opts = null)

public Rule(String name, RuleArgs args)
public Rule(String name, RuleArgs args, CustomResourceOptions options)

type: gcp:chronicle:Rule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args RuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args RuleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args RuleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args RuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args RuleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var ruleResource = new Gcp.Chronicle.Rule("ruleResource", new()
{
    Instance = "string",
    Location = "string",
    DeletionPolicy = "string",
    Etag = "string",
    Project = "string",
    RuleId = "string",
    Scope = "string",
    Text = "string",
});

example, err := chronicle.NewRule(ctx, "ruleResource", &chronicle.RuleArgs{
	Instance:       pulumi.String("string"),
	Location:       pulumi.String("string"),
	DeletionPolicy: pulumi.String("string"),
	Etag:           pulumi.String("string"),
	Project:        pulumi.String("string"),
	RuleId:         pulumi.String("string"),
	Scope:          pulumi.String("string"),
	Text:           pulumi.String("string"),
})

var ruleResource = new Rule("ruleResource", RuleArgs.builder()
    .instance("string")
    .location("string")
    .deletionPolicy("string")
    .etag("string")
    .project("string")
    .ruleId("string")
    .scope("string")
    .text("string")
    .build());

rule_resource = gcp.chronicle.Rule("ruleResource",
    instance="string",
    location="string",
    deletion_policy="string",
    etag="string",
    project="string",
    rule_id="string",
    scope="string",
    text="string")

const ruleResource = new gcp.chronicle.Rule("ruleResource", {
    instance: "string",
    location: "string",
    deletionPolicy: "string",
    etag: "string",
    project: "string",
    ruleId: "string",
    scope: "string",
    text: "string",
});

type: gcp:chronicle:Rule
properties:
    deletionPolicy: string
    etag: string
    instance: string
    location: string
    project: string
    ruleId: string
    scope: string
    text: string

Rule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Rule resource accepts the following input properties:

Instance string: The unique identifier for the Chronicle instance, which is the same as the customer ID.
Location string: The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
DeletionPolicy string: Policy to determine if the rule should be deleted forcefully. If deletion_policy = "FORCE", any retrohunts and any detections associated with the rule will also be deleted. If deletion_policy = "DEFAULT", the call will only succeed if the rule has no associated retrohunts, including completed retrohunts, and no associated detections. Regardless of this field's value, the rule deployment associated with this rule will also be deleted. Possible values: DEFAULT, FORCE
Etag string: The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.
Project string: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
RuleId string: Rule Id is the ID of the Rule.
Scope string: Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
Text string: The YARA-L content of the rule. Populated in FULL view.

Instance string: The unique identifier for the Chronicle instance, which is the same as the customer ID.
Location string: The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
DeletionPolicy string: Policy to determine if the rule should be deleted forcefully. If deletion_policy = "FORCE", any retrohunts and any detections associated with the rule will also be deleted. If deletion_policy = "DEFAULT", the call will only succeed if the rule has no associated retrohunts, including completed retrohunts, and no associated detections. Regardless of this field's value, the rule deployment associated with this rule will also be deleted. Possible values: DEFAULT, FORCE
Etag string: The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.
Project string: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
RuleId string: Rule Id is the ID of the Rule.
Scope string: Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
Text string: The YARA-L content of the rule. Populated in FULL view.

instance String: The unique identifier for the Chronicle instance, which is the same as the customer ID.
location String: The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
deletionPolicy String: Policy to determine if the rule should be deleted forcefully. If deletion_policy = "FORCE", any retrohunts and any detections associated with the rule will also be deleted. If deletion_policy = "DEFAULT", the call will only succeed if the rule has no associated retrohunts, including completed retrohunts, and no associated detections. Regardless of this field's value, the rule deployment associated with this rule will also be deleted. Possible values: DEFAULT, FORCE
etag String: The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.
project String: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
ruleId String: Rule Id is the ID of the Rule.
scope String: Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
text String: The YARA-L content of the rule. Populated in FULL view.

instance string: The unique identifier for the Chronicle instance, which is the same as the customer ID.
location string: The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
deletionPolicy string: Policy to determine if the rule should be deleted forcefully. If deletion_policy = "FORCE", any retrohunts and any detections associated with the rule will also be deleted. If deletion_policy = "DEFAULT", the call will only succeed if the rule has no associated retrohunts, including completed retrohunts, and no associated detections. Regardless of this field's value, the rule deployment associated with this rule will also be deleted. Possible values: DEFAULT, FORCE
etag string: The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.
project string: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
ruleId string: Rule Id is the ID of the Rule.
scope string: Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
text string: The YARA-L content of the rule. Populated in FULL view.

instance str: The unique identifier for the Chronicle instance, which is the same as the customer ID.
location str: The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
deletion_policy str: Policy to determine if the rule should be deleted forcefully. If deletion_policy = "FORCE", any retrohunts and any detections associated with the rule will also be deleted. If deletion_policy = "DEFAULT", the call will only succeed if the rule has no associated retrohunts, including completed retrohunts, and no associated detections. Regardless of this field's value, the rule deployment associated with this rule will also be deleted. Possible values: DEFAULT, FORCE
etag str: The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.
project str: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
rule_id str: Rule Id is the ID of the Rule.
scope str: Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
text str: The YARA-L content of the rule. Populated in FULL view.

instance String: The unique identifier for the Chronicle instance, which is the same as the customer ID.
location String: The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
deletionPolicy String: Policy to determine if the rule should be deleted forcefully. If deletion_policy = "FORCE", any retrohunts and any detections associated with the rule will also be deleted. If deletion_policy = "DEFAULT", the call will only succeed if the rule has no associated retrohunts, including completed retrohunts, and no associated detections. Regardless of this field's value, the rule deployment associated with this rule will also be deleted. Possible values: DEFAULT, FORCE
etag String: The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.
project String: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
ruleId String: Rule Id is the ID of the Rule.
scope String: Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
text String: The YARA-L content of the rule. Populated in FULL view.

Outputs

All input properties are implicitly available as output properties. Additionally, the Rule resource produces the following output properties:

AllowedRunFrequencies List<string>: Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.
Author string: Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.
CompilationDiagnostics List<RuleCompilationDiagnostic>: Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. Structure is documented below.
CompilationState string: Output only. The current compilation state of the rule. Populated in FULL view. Possible values: COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED
CreateTime string: Output only. The timestamp of when the rule was created. Populated in FULL view.
DataTables List<string>: Output only. Resource names of the data tables used in this rule.
DisplayName string: The display name of the severity level. Extracted from the meta section of the rule text.
Id string: The provider-assigned unique ID for this managed resource.
Metadata Dictionary<string, string>: Output only. Additional metadata specified in the meta section of text. Populated in FULL view.
Name string: Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
NearRealTimeLiveRuleEligible bool: Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.
ReferenceLists List<string>: Output only. Resource names of the reference lists used in this rule. Populated in FULL view.
RevisionCreateTime string: Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.
RevisionId string: Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.
Severities List<RuleSeverity>: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
Type string: Possible values: RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT

AllowedRunFrequencies []string: Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.
Author string: Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.
CompilationDiagnostics []RuleCompilationDiagnostic: Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. Structure is documented below.
CompilationState string: Output only. The current compilation state of the rule. Populated in FULL view. Possible values: COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED
CreateTime string: Output only. The timestamp of when the rule was created. Populated in FULL view.
DataTables []string: Output only. Resource names of the data tables used in this rule.
DisplayName string: The display name of the severity level. Extracted from the meta section of the rule text.
Id string: The provider-assigned unique ID for this managed resource.
Metadata map[string]string: Output only. Additional metadata specified in the meta section of text. Populated in FULL view.
Name string: Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
NearRealTimeLiveRuleEligible bool: Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.
ReferenceLists []string: Output only. Resource names of the reference lists used in this rule. Populated in FULL view.
RevisionCreateTime string: Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.
RevisionId string: Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.
Severities []RuleSeverity: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
Type string: Possible values: RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT

allowedRunFrequencies List<String>: Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.
author String: Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.
compilationDiagnostics List<RuleCompilationDiagnostic>: Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. Structure is documented below.
compilationState String: Output only. The current compilation state of the rule. Populated in FULL view. Possible values: COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED
createTime String: Output only. The timestamp of when the rule was created. Populated in FULL view.
dataTables List<String>: Output only. Resource names of the data tables used in this rule.
displayName String: The display name of the severity level. Extracted from the meta section of the rule text.
id String: The provider-assigned unique ID for this managed resource.
metadata Map<String,String>: Output only. Additional metadata specified in the meta section of text. Populated in FULL view.
name String: Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
nearRealTimeLiveRuleEligible Boolean: Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.
referenceLists List<String>: Output only. Resource names of the reference lists used in this rule. Populated in FULL view.
revisionCreateTime String: Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.
revisionId String: Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.
severities List<RuleSeverity>: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
type String: Possible values: RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT

allowedRunFrequencies string[]: Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.
author string: Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.
compilationDiagnostics RuleCompilationDiagnostic[]: Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. Structure is documented below.
compilationState string: Output only. The current compilation state of the rule. Populated in FULL view. Possible values: COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED
createTime string: Output only. The timestamp of when the rule was created. Populated in FULL view.
dataTables string[]: Output only. Resource names of the data tables used in this rule.
displayName string: The display name of the severity level. Extracted from the meta section of the rule text.
id string: The provider-assigned unique ID for this managed resource.
metadata {[key: string]: string}: Output only. Additional metadata specified in the meta section of text. Populated in FULL view.
name string: Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
nearRealTimeLiveRuleEligible boolean: Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.
referenceLists string[]: Output only. Resource names of the reference lists used in this rule. Populated in FULL view.
revisionCreateTime string: Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.
revisionId string: Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.
severities RuleSeverity[]: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
type string: Possible values: RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT

allowed_run_frequencies Sequence[str]: Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.
author str: Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.
compilation_diagnostics Sequence[RuleCompilationDiagnostic]: Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. Structure is documented below.
compilation_state str: Output only. The current compilation state of the rule. Populated in FULL view. Possible values: COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED
create_time str: Output only. The timestamp of when the rule was created. Populated in FULL view.
data_tables Sequence[str]: Output only. Resource names of the data tables used in this rule.
display_name str: The display name of the severity level. Extracted from the meta section of the rule text.
id str: The provider-assigned unique ID for this managed resource.
metadata Mapping[str, str]: Output only. Additional metadata specified in the meta section of text. Populated in FULL view.
name str: Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
near_real_time_live_rule_eligible bool: Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.
reference_lists Sequence[str]: Output only. Resource names of the reference lists used in this rule. Populated in FULL view.
revision_create_time str: Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.
revision_id str: Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.
severities Sequence[RuleSeverity]: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
type str: Possible values: RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT

allowedRunFrequencies List<String>: Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.
author String: Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.
compilationDiagnostics List<Property Map>: Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. Structure is documented below.
compilationState String: Output only. The current compilation state of the rule. Populated in FULL view. Possible values: COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED
createTime String: Output only. The timestamp of when the rule was created. Populated in FULL view.
dataTables List<String>: Output only. Resource names of the data tables used in this rule.
displayName String: The display name of the severity level. Extracted from the meta section of the rule text.
id String: The provider-assigned unique ID for this managed resource.
metadata Map<String>: Output only. Additional metadata specified in the meta section of text. Populated in FULL view.
name String: Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
nearRealTimeLiveRuleEligible Boolean: Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.
referenceLists List<String>: Output only. Resource names of the reference lists used in this rule. Populated in FULL view.
revisionCreateTime String: Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.
revisionId String: Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.
severities List<Property Map>: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
type String: Possible values: RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT

Look up Existing Rule Resource

Get an existing Rule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: RuleState, opts?: CustomResourceOptions): Rule

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        allowed_run_frequencies: Optional[Sequence[str]] = None,
        author: Optional[str] = None,
        compilation_diagnostics: Optional[Sequence[RuleCompilationDiagnosticArgs]] = None,
        compilation_state: Optional[str] = None,
        create_time: Optional[str] = None,
        data_tables: Optional[Sequence[str]] = None,
        deletion_policy: Optional[str] = None,
        display_name: Optional[str] = None,
        etag: Optional[str] = None,
        instance: Optional[str] = None,
        location: Optional[str] = None,
        metadata: Optional[Mapping[str, str]] = None,
        name: Optional[str] = None,
        near_real_time_live_rule_eligible: Optional[bool] = None,
        project: Optional[str] = None,
        reference_lists: Optional[Sequence[str]] = None,
        revision_create_time: Optional[str] = None,
        revision_id: Optional[str] = None,
        rule_id: Optional[str] = None,
        scope: Optional[str] = None,
        severities: Optional[Sequence[RuleSeverityArgs]] = None,
        text: Optional[str] = None,
        type: Optional[str] = None) -> Rule

func GetRule(ctx *Context, name string, id IDInput, state *RuleState, opts ...ResourceOption) (*Rule, error)

public static Rule Get(string name, Input<string> id, RuleState? state, CustomResourceOptions? opts = null)

public static Rule get(String name, Output<String> id, RuleState state, CustomResourceOptions options)

resources:  _:    type: gcp:chronicle:Rule    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AllowedRunFrequencies List<string>: Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.
Author string: Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.
CompilationDiagnostics List<RuleCompilationDiagnostic>: Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. Structure is documented below.
CompilationState string: Output only. The current compilation state of the rule. Populated in FULL view. Possible values: COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED
CreateTime string: Output only. The timestamp of when the rule was created. Populated in FULL view.
DataTables List<string>: Output only. Resource names of the data tables used in this rule.
DeletionPolicy string: Policy to determine if the rule should be deleted forcefully. If deletion_policy = "FORCE", any retrohunts and any detections associated with the rule will also be deleted. If deletion_policy = "DEFAULT", the call will only succeed if the rule has no associated retrohunts, including completed retrohunts, and no associated detections. Regardless of this field's value, the rule deployment associated with this rule will also be deleted. Possible values: DEFAULT, FORCE
DisplayName string: The display name of the severity level. Extracted from the meta section of the rule text.
Etag string: The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.
Instance string: The unique identifier for the Chronicle instance, which is the same as the customer ID.
Location string: The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
Metadata Dictionary<string, string>: Output only. Additional metadata specified in the meta section of text. Populated in FULL view.
Name string: Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
NearRealTimeLiveRuleEligible bool: Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.
Project string: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
ReferenceLists List<string>: Output only. Resource names of the reference lists used in this rule. Populated in FULL view.
RevisionCreateTime string: Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.
RevisionId string: Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.
RuleId string: Rule Id is the ID of the Rule.
Scope string: Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
Severities List<RuleSeverity>: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
Text string: The YARA-L content of the rule. Populated in FULL view.
Type string: Possible values: RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT

AllowedRunFrequencies []string: Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.
Author string: Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.
CompilationDiagnostics []RuleCompilationDiagnosticArgs: Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. Structure is documented below.
CompilationState string: Output only. The current compilation state of the rule. Populated in FULL view. Possible values: COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED
CreateTime string: Output only. The timestamp of when the rule was created. Populated in FULL view.
DataTables []string: Output only. Resource names of the data tables used in this rule.
DeletionPolicy string: Policy to determine if the rule should be deleted forcefully. If deletion_policy = "FORCE", any retrohunts and any detections associated with the rule will also be deleted. If deletion_policy = "DEFAULT", the call will only succeed if the rule has no associated retrohunts, including completed retrohunts, and no associated detections. Regardless of this field's value, the rule deployment associated with this rule will also be deleted. Possible values: DEFAULT, FORCE
DisplayName string: The display name of the severity level. Extracted from the meta section of the rule text.
Etag string: The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.
Instance string: The unique identifier for the Chronicle instance, which is the same as the customer ID.
Location string: The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
Metadata map[string]string: Output only. Additional metadata specified in the meta section of text. Populated in FULL view.
Name string: Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
NearRealTimeLiveRuleEligible bool: Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.
Project string: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
ReferenceLists []string: Output only. Resource names of the reference lists used in this rule. Populated in FULL view.
RevisionCreateTime string: Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.
RevisionId string: Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.
RuleId string: Rule Id is the ID of the Rule.
Scope string: Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
Severities []RuleSeverityArgs: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
Text string: The YARA-L content of the rule. Populated in FULL view.
Type string: Possible values: RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT

allowedRunFrequencies List<String>: Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.
author String: Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.
compilationDiagnostics List<RuleCompilationDiagnostic>: Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. Structure is documented below.
compilationState String: Output only. The current compilation state of the rule. Populated in FULL view. Possible values: COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED
createTime String: Output only. The timestamp of when the rule was created. Populated in FULL view.
dataTables List<String>: Output only. Resource names of the data tables used in this rule.
deletionPolicy String: Policy to determine if the rule should be deleted forcefully. If deletion_policy = "FORCE", any retrohunts and any detections associated with the rule will also be deleted. If deletion_policy = "DEFAULT", the call will only succeed if the rule has no associated retrohunts, including completed retrohunts, and no associated detections. Regardless of this field's value, the rule deployment associated with this rule will also be deleted. Possible values: DEFAULT, FORCE
displayName String: The display name of the severity level. Extracted from the meta section of the rule text.
etag String: The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.
instance String: The unique identifier for the Chronicle instance, which is the same as the customer ID.
location String: The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
metadata Map<String,String>: Output only. Additional metadata specified in the meta section of text. Populated in FULL view.
name String: Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
nearRealTimeLiveRuleEligible Boolean: Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.
project String: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
referenceLists List<String>: Output only. Resource names of the reference lists used in this rule. Populated in FULL view.
revisionCreateTime String: Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.
revisionId String: Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.
ruleId String: Rule Id is the ID of the Rule.
scope String: Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
severities List<RuleSeverity>: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
text String: The YARA-L content of the rule. Populated in FULL view.
type String: Possible values: RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT

allowedRunFrequencies string[]: Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.
author string: Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.
compilationDiagnostics RuleCompilationDiagnostic[]: Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. Structure is documented below.
compilationState string: Output only. The current compilation state of the rule. Populated in FULL view. Possible values: COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED
createTime string: Output only. The timestamp of when the rule was created. Populated in FULL view.
dataTables string[]: Output only. Resource names of the data tables used in this rule.
deletionPolicy string: Policy to determine if the rule should be deleted forcefully. If deletion_policy = "FORCE", any retrohunts and any detections associated with the rule will also be deleted. If deletion_policy = "DEFAULT", the call will only succeed if the rule has no associated retrohunts, including completed retrohunts, and no associated detections. Regardless of this field's value, the rule deployment associated with this rule will also be deleted. Possible values: DEFAULT, FORCE
displayName string: The display name of the severity level. Extracted from the meta section of the rule text.
etag string: The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.
instance string: The unique identifier for the Chronicle instance, which is the same as the customer ID.
location string: The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
metadata {[key: string]: string}: Output only. Additional metadata specified in the meta section of text. Populated in FULL view.
name string: Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
nearRealTimeLiveRuleEligible boolean: Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.
project string: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
referenceLists string[]: Output only. Resource names of the reference lists used in this rule. Populated in FULL view.
revisionCreateTime string: Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.
revisionId string: Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.
ruleId string: Rule Id is the ID of the Rule.
scope string: Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
severities RuleSeverity[]: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
text string: The YARA-L content of the rule. Populated in FULL view.
type string: Possible values: RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT

allowed_run_frequencies Sequence[str]: Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.
author str: Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.
compilation_diagnostics Sequence[RuleCompilationDiagnosticArgs]: Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. Structure is documented below.
compilation_state str: Output only. The current compilation state of the rule. Populated in FULL view. Possible values: COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED
create_time str: Output only. The timestamp of when the rule was created. Populated in FULL view.
data_tables Sequence[str]: Output only. Resource names of the data tables used in this rule.
deletion_policy str: Policy to determine if the rule should be deleted forcefully. If deletion_policy = "FORCE", any retrohunts and any detections associated with the rule will also be deleted. If deletion_policy = "DEFAULT", the call will only succeed if the rule has no associated retrohunts, including completed retrohunts, and no associated detections. Regardless of this field's value, the rule deployment associated with this rule will also be deleted. Possible values: DEFAULT, FORCE
display_name str: The display name of the severity level. Extracted from the meta section of the rule text.
etag str: The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.
instance str: The unique identifier for the Chronicle instance, which is the same as the customer ID.
location str: The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
metadata Mapping[str, str]: Output only. Additional metadata specified in the meta section of text. Populated in FULL view.
name str: Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
near_real_time_live_rule_eligible bool: Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.
project str: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
reference_lists Sequence[str]: Output only. Resource names of the reference lists used in this rule. Populated in FULL view.
revision_create_time str: Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.
revision_id str: Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.
rule_id str: Rule Id is the ID of the Rule.
scope str: Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
severities Sequence[RuleSeverityArgs]: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
text str: The YARA-L content of the rule. Populated in FULL view.
type str: Possible values: RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT

allowedRunFrequencies List<String>: Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.
author String: Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.
compilationDiagnostics List<Property Map>: Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. Structure is documented below.
compilationState String: Output only. The current compilation state of the rule. Populated in FULL view. Possible values: COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED
createTime String: Output only. The timestamp of when the rule was created. Populated in FULL view.
dataTables List<String>: Output only. Resource names of the data tables used in this rule.
deletionPolicy String: Policy to determine if the rule should be deleted forcefully. If deletion_policy = "FORCE", any retrohunts and any detections associated with the rule will also be deleted. If deletion_policy = "DEFAULT", the call will only succeed if the rule has no associated retrohunts, including completed retrohunts, and no associated detections. Regardless of this field's value, the rule deployment associated with this rule will also be deleted. Possible values: DEFAULT, FORCE
displayName String: The display name of the severity level. Extracted from the meta section of the rule text.
etag String: The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.
instance String: The unique identifier for the Chronicle instance, which is the same as the customer ID.
location String: The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
metadata Map<String>: Output only. Additional metadata specified in the meta section of text. Populated in FULL view.
name String: Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
nearRealTimeLiveRuleEligible Boolean: Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.
project String: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
referenceLists List<String>: Output only. Resource names of the reference lists used in this rule. Populated in FULL view.
revisionCreateTime String: Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.
revisionId String: Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.
ruleId String: Rule Id is the ID of the Rule.
scope String: Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
severities List<Property Map>: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
text String: The YARA-L content of the rule. Populated in FULL view.
type String: Possible values: RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT

Supporting Types

RuleCompilationDiagnostic, RuleCompilationDiagnosticArgs

Message string: (Output) Output only. The diagnostic message.
Position RuleCompilationDiagnosticPosition: CompilationPosition represents the location of a compilation diagnostic in rule text. Structure is documented below.
Severity string: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
Uri string: (Output) Output only. Link to documentation that describes a diagnostic in more detail.

Message string: (Output) Output only. The diagnostic message.
Position RuleCompilationDiagnosticPosition: CompilationPosition represents the location of a compilation diagnostic in rule text. Structure is documented below.
Severity string: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
Uri string: (Output) Output only. Link to documentation that describes a diagnostic in more detail.

message String: (Output) Output only. The diagnostic message.
position RuleCompilationDiagnosticPosition: CompilationPosition represents the location of a compilation diagnostic in rule text. Structure is documented below.
severity String: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
uri String: (Output) Output only. Link to documentation that describes a diagnostic in more detail.

message string: (Output) Output only. The diagnostic message.
position RuleCompilationDiagnosticPosition: CompilationPosition represents the location of a compilation diagnostic in rule text. Structure is documented below.
severity string: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
uri string: (Output) Output only. Link to documentation that describes a diagnostic in more detail.

message str: (Output) Output only. The diagnostic message.
position RuleCompilationDiagnosticPosition: CompilationPosition represents the location of a compilation diagnostic in rule text. Structure is documented below.
severity str: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
uri str: (Output) Output only. Link to documentation that describes a diagnostic in more detail.

message String: (Output) Output only. The diagnostic message.
position Property Map: CompilationPosition represents the location of a compilation diagnostic in rule text. Structure is documented below.
severity String: (Output) Output only. The severity of a rule's compilation diagnostic. Possible values: SEVERITY_UNSPECIFIED WARNING ERROR
uri String: (Output) Output only. Link to documentation that describes a diagnostic in more detail.

RuleCompilationDiagnosticPosition, RuleCompilationDiagnosticPositionArgs

EndColumn int: (Output) Output only. End column number, beginning at 1.
EndLine int: (Output) Output only. End line number, beginning at 1.
StartColumn int: (Output) Output only. Start column number, beginning at 1.
StartLine int: (Output) Output only. Start line number, beginning at 1.

EndColumn int: (Output) Output only. End column number, beginning at 1.
EndLine int: (Output) Output only. End line number, beginning at 1.
StartColumn int: (Output) Output only. Start column number, beginning at 1.
StartLine int: (Output) Output only. Start line number, beginning at 1.

endColumn Integer: (Output) Output only. End column number, beginning at 1.
endLine Integer: (Output) Output only. End line number, beginning at 1.
startColumn Integer: (Output) Output only. Start column number, beginning at 1.
startLine Integer: (Output) Output only. Start line number, beginning at 1.

endColumn number: (Output) Output only. End column number, beginning at 1.
endLine number: (Output) Output only. End line number, beginning at 1.
startColumn number: (Output) Output only. Start column number, beginning at 1.
startLine number: (Output) Output only. Start line number, beginning at 1.

end_column int: (Output) Output only. End column number, beginning at 1.
end_line int: (Output) Output only. End line number, beginning at 1.
start_column int: (Output) Output only. Start column number, beginning at 1.
start_line int: (Output) Output only. Start line number, beginning at 1.

endColumn Number: (Output) Output only. End column number, beginning at 1.
endLine Number: (Output) Output only. End line number, beginning at 1.
startColumn Number: (Output) Output only. Start column number, beginning at 1.
startLine Number: (Output) Output only. Start line number, beginning at 1.

RuleSeverity, RuleSeverityArgs

DisplayName string: The display name of the severity level. Extracted from the meta section of the rule text.

DisplayName string: The display name of the severity level. Extracted from the meta section of the rule text.

displayName String: The display name of the severity level. Extracted from the meta section of the rule text.

displayName string: The display name of the severity level. Extracted from the meta section of the rule text.

display_name str: The display name of the severity level. Extracted from the meta section of the rule text.

displayName String: The display name of the severity level. Extracted from the meta section of the rule text.

Import

Rule can be imported using any of these accepted formats:

projects/{{project}}/locations/{{location}}/instances/{{instance}}/rules/{{rule_id}}
{{project}}/{{location}}/{{instance}}/{{rule_id}}
{{location}}/{{instance}}/{{rule_id}}

When using the pulumi import command, Rule can be imported using one of the formats above. For example:

$ pulumi import gcp:chronicle/rule:Rule default projects/{{project}}/locations/{{location}}/instances/{{instance}}/rules/{{rule_id}}

$ pulumi import gcp:chronicle/rule:Rule default {{project}}/{{location}}/{{instance}}/{{rule_id}}

$ pulumi import gcp:chronicle/rule:Rule default {{location}}/{{instance}}/{{rule_id}}

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

Google Cloud v8.22.0 published on Thursday, Mar 13, 2025 by Pulumi

pulumi/pulumi-gcp

gcp.chronicle.Rule

On this page

On this page

Example Usage

Chronicle Rule Basic

Chronicle Rule With Force Deletion

Chronicle Rule With Data Access Scope

Create Rule Resource

Constructor syntax

Parameters

Constructor example

Rule Resource Properties

Inputs

Outputs

Look up Existing Rule Resource

Supporting Types

RuleCompilationDiagnostic, RuleCompilationDiagnosticArgs

RuleCompilationDiagnosticPosition, RuleCompilationDiagnosticPositionArgs

RuleSeverity, RuleSeverityArgs

Import

Package Details

On this page

On this page