1. Packages
  2. Azure Classic
  3. API Docs
  4. sentinel
  5. AuthomationRule

We recommend using Azure Native.

Azure Classic v5.81.0 published on Monday, Jun 24, 2024 by Pulumi

azure.sentinel.AuthomationRule

Explore with Pulumi AI

azure logo

We recommend using Azure Native.

Azure Classic v5.81.0 published on Monday, Jun 24, 2024 by Pulumi
    Deprecated: azure.sentinel.AuthomationRule has been deprecated in favor of azure.sentinel.AutomationRule

    Manages a Sentinel Automation Rule.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
    const example = new azure.core.ResourceGroup("example", {
        name: "example-rg",
        location: "west europe",
    });
    const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("example", {
        name: "example-workspace",
        location: example.location,
        resourceGroupName: example.name,
        sku: "PerGB2018",
    });
    const exampleLogAnalyticsWorkspaceOnboarding = new azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", {workspaceId: exampleAnalyticsWorkspace.id});
    const exampleAutomationRule = new azure.sentinel.AutomationRule("example", {
        name: "56094f72-ac3f-40e7-a0c0-47bd95f70336",
        logAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.workspaceId,
        displayName: "automation_rule1",
        order: 1,
        actionIncidents: [{
            order: 1,
            status: "Active",
        }],
    });
    
    import pulumi
    import pulumi_azure as azure
    
    example = azure.core.ResourceGroup("example",
        name="example-rg",
        location="west europe")
    example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("example",
        name="example-workspace",
        location=example.location,
        resource_group_name=example.name,
        sku="PerGB2018")
    example_log_analytics_workspace_onboarding = azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", workspace_id=example_analytics_workspace.id)
    example_automation_rule = azure.sentinel.AutomationRule("example",
        name="56094f72-ac3f-40e7-a0c0-47bd95f70336",
        log_analytics_workspace_id=example_log_analytics_workspace_onboarding.workspace_id,
        display_name="automation_rule1",
        order=1,
        action_incidents=[azure.sentinel.AutomationRuleActionIncidentArgs(
            order=1,
            status="Active",
        )])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/operationalinsights"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/sentinel"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example-rg"),
    			Location: pulumi.String("west europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleAnalyticsWorkspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "example", &operationalinsights.AnalyticsWorkspaceArgs{
    			Name:              pulumi.String("example-workspace"),
    			Location:          example.Location,
    			ResourceGroupName: example.Name,
    			Sku:               pulumi.String("PerGB2018"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleLogAnalyticsWorkspaceOnboarding, err := sentinel.NewLogAnalyticsWorkspaceOnboarding(ctx, "example", &sentinel.LogAnalyticsWorkspaceOnboardingArgs{
    			WorkspaceId: exampleAnalyticsWorkspace.ID(),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = sentinel.NewAutomationRule(ctx, "example", &sentinel.AutomationRuleArgs{
    			Name:                    pulumi.String("56094f72-ac3f-40e7-a0c0-47bd95f70336"),
    			LogAnalyticsWorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
    			DisplayName:             pulumi.String("automation_rule1"),
    			Order:                   pulumi.Int(1),
    			ActionIncidents: sentinel.AutomationRuleActionIncidentArray{
    				&sentinel.AutomationRuleActionIncidentArgs{
    					Order:  pulumi.Int(1),
    					Status: pulumi.String("Active"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example-rg",
            Location = "west europe",
        });
    
        var exampleAnalyticsWorkspace = new Azure.OperationalInsights.AnalyticsWorkspace("example", new()
        {
            Name = "example-workspace",
            Location = example.Location,
            ResourceGroupName = example.Name,
            Sku = "PerGB2018",
        });
    
        var exampleLogAnalyticsWorkspaceOnboarding = new Azure.Sentinel.LogAnalyticsWorkspaceOnboarding("example", new()
        {
            WorkspaceId = exampleAnalyticsWorkspace.Id,
        });
    
        var exampleAutomationRule = new Azure.Sentinel.AutomationRule("example", new()
        {
            Name = "56094f72-ac3f-40e7-a0c0-47bd95f70336",
            LogAnalyticsWorkspaceId = exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
            DisplayName = "automation_rule1",
            Order = 1,
            ActionIncidents = new[]
            {
                new Azure.Sentinel.Inputs.AutomationRuleActionIncidentArgs
                {
                    Order = 1,
                    Status = "Active",
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
    import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
    import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboarding;
    import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboardingArgs;
    import com.pulumi.azure.sentinel.AutomationRule;
    import com.pulumi.azure.sentinel.AutomationRuleArgs;
    import com.pulumi.azure.sentinel.inputs.AutomationRuleActionIncidentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example-rg")
                .location("west europe")
                .build());
    
            var exampleAnalyticsWorkspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()
                .name("example-workspace")
                .location(example.location())
                .resourceGroupName(example.name())
                .sku("PerGB2018")
                .build());
    
            var exampleLogAnalyticsWorkspaceOnboarding = new LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", LogAnalyticsWorkspaceOnboardingArgs.builder()
                .workspaceId(exampleAnalyticsWorkspace.id())
                .build());
    
            var exampleAutomationRule = new AutomationRule("exampleAutomationRule", AutomationRuleArgs.builder()
                .name("56094f72-ac3f-40e7-a0c0-47bd95f70336")
                .logAnalyticsWorkspaceId(exampleLogAnalyticsWorkspaceOnboarding.workspaceId())
                .displayName("automation_rule1")
                .order(1)
                .actionIncidents(AutomationRuleActionIncidentArgs.builder()
                    .order(1)
                    .status("Active")
                    .build())
                .build());
    
        }
    }
    
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example-rg
          location: west europe
      exampleAnalyticsWorkspace:
        type: azure:operationalinsights:AnalyticsWorkspace
        name: example
        properties:
          name: example-workspace
          location: ${example.location}
          resourceGroupName: ${example.name}
          sku: PerGB2018
      exampleLogAnalyticsWorkspaceOnboarding:
        type: azure:sentinel:LogAnalyticsWorkspaceOnboarding
        name: example
        properties:
          workspaceId: ${exampleAnalyticsWorkspace.id}
      exampleAutomationRule:
        type: azure:sentinel:AutomationRule
        name: example
        properties:
          name: 56094f72-ac3f-40e7-a0c0-47bd95f70336
          logAnalyticsWorkspaceId: ${exampleLogAnalyticsWorkspaceOnboarding.workspaceId}
          displayName: automation_rule1
          order: 1
          actionIncidents:
            - order: 1
              status: Active
    

    Create AuthomationRule Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new AuthomationRule(name: string, args: AuthomationRuleArgs, opts?: CustomResourceOptions);
    @overload
    def AuthomationRule(resource_name: str,
                        args: AuthomationRuleArgs,
                        opts: Optional[ResourceOptions] = None)
    
    @overload
    def AuthomationRule(resource_name: str,
                        opts: Optional[ResourceOptions] = None,
                        action_incidents: Optional[Sequence[AuthomationRuleActionIncidentArgs]] = None,
                        action_playbooks: Optional[Sequence[AuthomationRuleActionPlaybookArgs]] = None,
                        condition_json: Optional[str] = None,
                        conditions: Optional[Sequence[AuthomationRuleConditionArgs]] = None,
                        display_name: Optional[str] = None,
                        enabled: Optional[bool] = None,
                        expiration: Optional[str] = None,
                        log_analytics_workspace_id: Optional[str] = None,
                        name: Optional[str] = None,
                        order: Optional[int] = None,
                        triggers_on: Optional[str] = None,
                        triggers_when: Optional[str] = None)
    func NewAuthomationRule(ctx *Context, name string, args AuthomationRuleArgs, opts ...ResourceOption) (*AuthomationRule, error)
    public AuthomationRule(string name, AuthomationRuleArgs args, CustomResourceOptions? opts = null)
    public AuthomationRule(String name, AuthomationRuleArgs args)
    public AuthomationRule(String name, AuthomationRuleArgs args, CustomResourceOptions options)
    
    type: azure:sentinel:AuthomationRule
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args AuthomationRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args AuthomationRuleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AuthomationRuleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args AuthomationRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args AuthomationRuleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    AuthomationRule Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The AuthomationRule resource accepts the following input properties:

    DisplayName string
    The display name which should be used for this Sentinel Automation Rule.
    LogAnalyticsWorkspaceId string
    The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
    Order int
    The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.
    ActionIncidents List<AuthomationRuleActionIncident>
    One or more action_incident blocks as defined below.
    ActionPlaybooks List<AuthomationRuleActionPlaybook>

    One or more action_playbook blocks as defined below.

    Note: Either one action_incident block or action_playbook block has to be specified.

    ConditionJson string
    A JSON array of one or more condition JSON objects as is defined here.
    Conditions List<AuthomationRuleCondition>

    One or more condition blocks as defined below.

    Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

    Deprecated: This is deprecated in favor of condition_json

    Enabled bool
    Whether this Sentinel Automation Rule is enabled? Defaults to true.
    Expiration string
    The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.
    Name string
    The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
    TriggersOn string
    Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.
    TriggersWhen string
    Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.
    DisplayName string
    The display name which should be used for this Sentinel Automation Rule.
    LogAnalyticsWorkspaceId string
    The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
    Order int
    The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.
    ActionIncidents []AuthomationRuleActionIncidentArgs
    One or more action_incident blocks as defined below.
    ActionPlaybooks []AuthomationRuleActionPlaybookArgs

    One or more action_playbook blocks as defined below.

    Note: Either one action_incident block or action_playbook block has to be specified.

    ConditionJson string
    A JSON array of one or more condition JSON objects as is defined here.
    Conditions []AuthomationRuleConditionArgs

    One or more condition blocks as defined below.

    Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

    Deprecated: This is deprecated in favor of condition_json

    Enabled bool
    Whether this Sentinel Automation Rule is enabled? Defaults to true.
    Expiration string
    The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.
    Name string
    The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
    TriggersOn string
    Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.
    TriggersWhen string
    Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.
    displayName String
    The display name which should be used for this Sentinel Automation Rule.
    logAnalyticsWorkspaceId String
    The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
    order Integer
    The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.
    actionIncidents List<AuthomationRuleActionIncident>
    One or more action_incident blocks as defined below.
    actionPlaybooks List<AuthomationRuleActionPlaybook>

    One or more action_playbook blocks as defined below.

    Note: Either one action_incident block or action_playbook block has to be specified.

    conditionJson String
    A JSON array of one or more condition JSON objects as is defined here.
    conditions List<AuthomationRuleCondition>

    One or more condition blocks as defined below.

    Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

    Deprecated: This is deprecated in favor of condition_json

    enabled Boolean
    Whether this Sentinel Automation Rule is enabled? Defaults to true.
    expiration String
    The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.
    name String
    The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
    triggersOn String
    Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.
    triggersWhen String
    Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.
    displayName string
    The display name which should be used for this Sentinel Automation Rule.
    logAnalyticsWorkspaceId string
    The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
    order number
    The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.
    actionIncidents AuthomationRuleActionIncident[]
    One or more action_incident blocks as defined below.
    actionPlaybooks AuthomationRuleActionPlaybook[]

    One or more action_playbook blocks as defined below.

    Note: Either one action_incident block or action_playbook block has to be specified.

    conditionJson string
    A JSON array of one or more condition JSON objects as is defined here.
    conditions AuthomationRuleCondition[]

    One or more condition blocks as defined below.

    Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

    Deprecated: This is deprecated in favor of condition_json

    enabled boolean
    Whether this Sentinel Automation Rule is enabled? Defaults to true.
    expiration string
    The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.
    name string
    The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
    triggersOn string
    Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.
    triggersWhen string
    Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.
    display_name str
    The display name which should be used for this Sentinel Automation Rule.
    log_analytics_workspace_id str
    The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
    order int
    The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.
    action_incidents Sequence[AuthomationRuleActionIncidentArgs]
    One or more action_incident blocks as defined below.
    action_playbooks Sequence[AuthomationRuleActionPlaybookArgs]

    One or more action_playbook blocks as defined below.

    Note: Either one action_incident block or action_playbook block has to be specified.

    condition_json str
    A JSON array of one or more condition JSON objects as is defined here.
    conditions Sequence[AuthomationRuleConditionArgs]

    One or more condition blocks as defined below.

    Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

    Deprecated: This is deprecated in favor of condition_json

    enabled bool
    Whether this Sentinel Automation Rule is enabled? Defaults to true.
    expiration str
    The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.
    name str
    The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
    triggers_on str
    Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.
    triggers_when str
    Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.
    displayName String
    The display name which should be used for this Sentinel Automation Rule.
    logAnalyticsWorkspaceId String
    The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
    order Number
    The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.
    actionIncidents List<Property Map>
    One or more action_incident blocks as defined below.
    actionPlaybooks List<Property Map>

    One or more action_playbook blocks as defined below.

    Note: Either one action_incident block or action_playbook block has to be specified.

    conditionJson String
    A JSON array of one or more condition JSON objects as is defined here.
    conditions List<Property Map>

    One or more condition blocks as defined below.

    Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

    Deprecated: This is deprecated in favor of condition_json

    enabled Boolean
    Whether this Sentinel Automation Rule is enabled? Defaults to true.
    expiration String
    The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.
    name String
    The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
    triggersOn String
    Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.
    triggersWhen String
    Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the AuthomationRule resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing AuthomationRule Resource

    Get an existing AuthomationRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: AuthomationRuleState, opts?: CustomResourceOptions): AuthomationRule
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            action_incidents: Optional[Sequence[AuthomationRuleActionIncidentArgs]] = None,
            action_playbooks: Optional[Sequence[AuthomationRuleActionPlaybookArgs]] = None,
            condition_json: Optional[str] = None,
            conditions: Optional[Sequence[AuthomationRuleConditionArgs]] = None,
            display_name: Optional[str] = None,
            enabled: Optional[bool] = None,
            expiration: Optional[str] = None,
            log_analytics_workspace_id: Optional[str] = None,
            name: Optional[str] = None,
            order: Optional[int] = None,
            triggers_on: Optional[str] = None,
            triggers_when: Optional[str] = None) -> AuthomationRule
    func GetAuthomationRule(ctx *Context, name string, id IDInput, state *AuthomationRuleState, opts ...ResourceOption) (*AuthomationRule, error)
    public static AuthomationRule Get(string name, Input<string> id, AuthomationRuleState? state, CustomResourceOptions? opts = null)
    public static AuthomationRule get(String name, Output<String> id, AuthomationRuleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    ActionIncidents List<AuthomationRuleActionIncident>
    One or more action_incident blocks as defined below.
    ActionPlaybooks List<AuthomationRuleActionPlaybook>

    One or more action_playbook blocks as defined below.

    Note: Either one action_incident block or action_playbook block has to be specified.

    ConditionJson string
    A JSON array of one or more condition JSON objects as is defined here.
    Conditions List<AuthomationRuleCondition>

    One or more condition blocks as defined below.

    Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

    Deprecated: This is deprecated in favor of condition_json

    DisplayName string
    The display name which should be used for this Sentinel Automation Rule.
    Enabled bool
    Whether this Sentinel Automation Rule is enabled? Defaults to true.
    Expiration string
    The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.
    LogAnalyticsWorkspaceId string
    The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
    Name string
    The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
    Order int
    The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.
    TriggersOn string
    Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.
    TriggersWhen string
    Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.
    ActionIncidents []AuthomationRuleActionIncidentArgs
    One or more action_incident blocks as defined below.
    ActionPlaybooks []AuthomationRuleActionPlaybookArgs

    One or more action_playbook blocks as defined below.

    Note: Either one action_incident block or action_playbook block has to be specified.

    ConditionJson string
    A JSON array of one or more condition JSON objects as is defined here.
    Conditions []AuthomationRuleConditionArgs

    One or more condition blocks as defined below.

    Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

    Deprecated: This is deprecated in favor of condition_json

    DisplayName string
    The display name which should be used for this Sentinel Automation Rule.
    Enabled bool
    Whether this Sentinel Automation Rule is enabled? Defaults to true.
    Expiration string
    The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.
    LogAnalyticsWorkspaceId string
    The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
    Name string
    The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
    Order int
    The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.
    TriggersOn string
    Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.
    TriggersWhen string
    Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.
    actionIncidents List<AuthomationRuleActionIncident>
    One or more action_incident blocks as defined below.
    actionPlaybooks List<AuthomationRuleActionPlaybook>

    One or more action_playbook blocks as defined below.

    Note: Either one action_incident block or action_playbook block has to be specified.

    conditionJson String
    A JSON array of one or more condition JSON objects as is defined here.
    conditions List<AuthomationRuleCondition>

    One or more condition blocks as defined below.

    Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

    Deprecated: This is deprecated in favor of condition_json

    displayName String
    The display name which should be used for this Sentinel Automation Rule.
    enabled Boolean
    Whether this Sentinel Automation Rule is enabled? Defaults to true.
    expiration String
    The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.
    logAnalyticsWorkspaceId String
    The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
    name String
    The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
    order Integer
    The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.
    triggersOn String
    Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.
    triggersWhen String
    Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.
    actionIncidents AuthomationRuleActionIncident[]
    One or more action_incident blocks as defined below.
    actionPlaybooks AuthomationRuleActionPlaybook[]

    One or more action_playbook blocks as defined below.

    Note: Either one action_incident block or action_playbook block has to be specified.

    conditionJson string
    A JSON array of one or more condition JSON objects as is defined here.
    conditions AuthomationRuleCondition[]

    One or more condition blocks as defined below.

    Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

    Deprecated: This is deprecated in favor of condition_json

    displayName string
    The display name which should be used for this Sentinel Automation Rule.
    enabled boolean
    Whether this Sentinel Automation Rule is enabled? Defaults to true.
    expiration string
    The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.
    logAnalyticsWorkspaceId string
    The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
    name string
    The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
    order number
    The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.
    triggersOn string
    Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.
    triggersWhen string
    Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.
    action_incidents Sequence[AuthomationRuleActionIncidentArgs]
    One or more action_incident blocks as defined below.
    action_playbooks Sequence[AuthomationRuleActionPlaybookArgs]

    One or more action_playbook blocks as defined below.

    Note: Either one action_incident block or action_playbook block has to be specified.

    condition_json str
    A JSON array of one or more condition JSON objects as is defined here.
    conditions Sequence[AuthomationRuleConditionArgs]

    One or more condition blocks as defined below.

    Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

    Deprecated: This is deprecated in favor of condition_json

    display_name str
    The display name which should be used for this Sentinel Automation Rule.
    enabled bool
    Whether this Sentinel Automation Rule is enabled? Defaults to true.
    expiration str
    The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.
    log_analytics_workspace_id str
    The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
    name str
    The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
    order int
    The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.
    triggers_on str
    Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.
    triggers_when str
    Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.
    actionIncidents List<Property Map>
    One or more action_incident blocks as defined below.
    actionPlaybooks List<Property Map>

    One or more action_playbook blocks as defined below.

    Note: Either one action_incident block or action_playbook block has to be specified.

    conditionJson String
    A JSON array of one or more condition JSON objects as is defined here.
    conditions List<Property Map>

    One or more condition blocks as defined below.

    Note: condition only supports the Property condition type. Please use condition_json if you want other condition types.

    Deprecated: This is deprecated in favor of condition_json

    displayName String
    The display name which should be used for this Sentinel Automation Rule.
    enabled Boolean
    Whether this Sentinel Automation Rule is enabled? Defaults to true.
    expiration String
    The time in RFC3339 format of kind UTC that determines when this Automation Rule should expire and be disabled.
    logAnalyticsWorkspaceId String
    The ID of the Log Analytics Workspace where this Sentinel applies to. Changing this forces a new Sentinel Automation Rule to be created.
    name String
    The UUID which should be used for this Sentinel Automation Rule. Changing this forces a new Sentinel Automation Rule to be created.
    order Number
    The order of this Sentinel Automation Rule. Possible values varies between 1 and 1000.
    triggersOn String
    Specifies what triggers this automation rule. Possible values are Alerts and Incidents. Defaults to Incidents.
    triggersWhen String
    Specifies when will this automation rule be triggered. Possible values are Created and Updated. Defaults to Created.

    Supporting Types

    AuthomationRuleActionIncident, AuthomationRuleActionIncidentArgs

    Order int
    The execution order of this action.
    Classification string

    The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.

    Note: The classification is required when status is Closed.

    ClassificationComment string

    The comment why the incident is to be closed.

    Note: The classification_comment is allowed to set only when status is Closed.

    Labels List<string>
    Specifies a list of labels to add to the incident.
    OwnerId string
    The object ID of the entity this incident is assigned to.
    Severity string

    The severity to add to the incident. Possible values are High, Informational, Low and Medium.

    Note:: At least one of status, labels, owner_id and severity has to be set.

    Status string
    The status to set to the incident. Possible values are: Active, Closed, New.
    Order int
    The execution order of this action.
    Classification string

    The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.

    Note: The classification is required when status is Closed.

    ClassificationComment string

    The comment why the incident is to be closed.

    Note: The classification_comment is allowed to set only when status is Closed.

    Labels []string
    Specifies a list of labels to add to the incident.
    OwnerId string
    The object ID of the entity this incident is assigned to.
    Severity string

    The severity to add to the incident. Possible values are High, Informational, Low and Medium.

    Note:: At least one of status, labels, owner_id and severity has to be set.

    Status string
    The status to set to the incident. Possible values are: Active, Closed, New.
    order Integer
    The execution order of this action.
    classification String

    The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.

    Note: The classification is required when status is Closed.

    classificationComment String

    The comment why the incident is to be closed.

    Note: The classification_comment is allowed to set only when status is Closed.

    labels List<String>
    Specifies a list of labels to add to the incident.
    ownerId String
    The object ID of the entity this incident is assigned to.
    severity String

    The severity to add to the incident. Possible values are High, Informational, Low and Medium.

    Note:: At least one of status, labels, owner_id and severity has to be set.

    status String
    The status to set to the incident. Possible values are: Active, Closed, New.
    order number
    The execution order of this action.
    classification string

    The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.

    Note: The classification is required when status is Closed.

    classificationComment string

    The comment why the incident is to be closed.

    Note: The classification_comment is allowed to set only when status is Closed.

    labels string[]
    Specifies a list of labels to add to the incident.
    ownerId string
    The object ID of the entity this incident is assigned to.
    severity string

    The severity to add to the incident. Possible values are High, Informational, Low and Medium.

    Note:: At least one of status, labels, owner_id and severity has to be set.

    status string
    The status to set to the incident. Possible values are: Active, Closed, New.
    order int
    The execution order of this action.
    classification str

    The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.

    Note: The classification is required when status is Closed.

    classification_comment str

    The comment why the incident is to be closed.

    Note: The classification_comment is allowed to set only when status is Closed.

    labels Sequence[str]
    Specifies a list of labels to add to the incident.
    owner_id str
    The object ID of the entity this incident is assigned to.
    severity str

    The severity to add to the incident. Possible values are High, Informational, Low and Medium.

    Note:: At least one of status, labels, owner_id and severity has to be set.

    status str
    The status to set to the incident. Possible values are: Active, Closed, New.
    order Number
    The execution order of this action.
    classification String

    The classification of the incident, when closing it. Possible values are: BenignPositive_SuspiciousButExpected, FalsePositive_InaccurateData, FalsePositive_IncorrectAlertLogic, TruePositive_SuspiciousActivity and Undetermined.

    Note: The classification is required when status is Closed.

    classificationComment String

    The comment why the incident is to be closed.

    Note: The classification_comment is allowed to set only when status is Closed.

    labels List<String>
    Specifies a list of labels to add to the incident.
    ownerId String
    The object ID of the entity this incident is assigned to.
    severity String

    The severity to add to the incident. Possible values are High, Informational, Low and Medium.

    Note:: At least one of status, labels, owner_id and severity has to be set.

    status String
    The status to set to the incident. Possible values are: Active, Closed, New.

    AuthomationRuleActionPlaybook, AuthomationRuleActionPlaybookArgs

    LogicAppId string
    The ID of the Logic App that defines the playbook's logic.
    Order int
    The execution order of this action.
    TenantId string
    The ID of the Tenant that owns the playbook.
    LogicAppId string
    The ID of the Logic App that defines the playbook's logic.
    Order int
    The execution order of this action.
    TenantId string
    The ID of the Tenant that owns the playbook.
    logicAppId String
    The ID of the Logic App that defines the playbook's logic.
    order Integer
    The execution order of this action.
    tenantId String
    The ID of the Tenant that owns the playbook.
    logicAppId string
    The ID of the Logic App that defines the playbook's logic.
    order number
    The execution order of this action.
    tenantId string
    The ID of the Tenant that owns the playbook.
    logic_app_id str
    The ID of the Logic App that defines the playbook's logic.
    order int
    The execution order of this action.
    tenant_id str
    The ID of the Tenant that owns the playbook.
    logicAppId String
    The ID of the Logic App that defines the playbook's logic.
    order Number
    The execution order of this action.
    tenantId String
    The ID of the Tenant that owns the playbook.

    AuthomationRuleCondition, AuthomationRuleConditionArgs

    Operator string
    The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.
    Property string
    The property to use for evaluate the condition. Possible values are AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AlertAnalyticRuleIds, AlertProductNames, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentCustomDetailsKey, IncidentCustomDetailsValue, IncidentDescription, IncidentLabel, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IncidentUpdatedBySource, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData and Url.
    Values List<string>
    Specifies a list of values to use for evaluate the condition.
    Operator string
    The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.
    Property string
    The property to use for evaluate the condition. Possible values are AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AlertAnalyticRuleIds, AlertProductNames, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentCustomDetailsKey, IncidentCustomDetailsValue, IncidentDescription, IncidentLabel, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IncidentUpdatedBySource, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData and Url.
    Values []string
    Specifies a list of values to use for evaluate the condition.
    operator String
    The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.
    property String
    The property to use for evaluate the condition. Possible values are AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AlertAnalyticRuleIds, AlertProductNames, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentCustomDetailsKey, IncidentCustomDetailsValue, IncidentDescription, IncidentLabel, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IncidentUpdatedBySource, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData and Url.
    values List<String>
    Specifies a list of values to use for evaluate the condition.
    operator string
    The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.
    property string
    The property to use for evaluate the condition. Possible values are AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AlertAnalyticRuleIds, AlertProductNames, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentCustomDetailsKey, IncidentCustomDetailsValue, IncidentDescription, IncidentLabel, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IncidentUpdatedBySource, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData and Url.
    values string[]
    Specifies a list of values to use for evaluate the condition.
    operator str
    The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.
    property str
    The property to use for evaluate the condition. Possible values are AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AlertAnalyticRuleIds, AlertProductNames, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentCustomDetailsKey, IncidentCustomDetailsValue, IncidentDescription, IncidentLabel, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IncidentUpdatedBySource, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData and Url.
    values Sequence[str]
    Specifies a list of values to use for evaluate the condition.
    operator String
    The operator to use for evaluate the condition. Possible values include: Equals, NotEquals, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith.
    property String
    The property to use for evaluate the condition. Possible values are AccountAadTenantId, AccountAadUserId, AccountNTDomain, AccountName, AccountObjectGuid, AccountPUID, AccountSid, AccountUPNSuffix, AlertAnalyticRuleIds, AlertProductNames, AzureResourceResourceId, AzureResourceSubscriptionId, CloudApplicationAppId, CloudApplicationAppName, DNSDomainName, FileDirectory, FileHashValue, FileName, HostAzureID, HostNTDomain, HostName, HostNetBiosName, HostOSVersion, IPAddress, IncidentCustomDetailsKey, IncidentCustomDetailsValue, IncidentDescription, IncidentLabel, IncidentProviderName, IncidentRelatedAnalyticRuleIds, IncidentSeverity, IncidentStatus, IncidentTactics, IncidentTitle, IncidentUpdatedBySource, IoTDeviceId, IoTDeviceModel, IoTDeviceName, IoTDeviceOperatingSystem, IoTDeviceType, IoTDeviceVendor, MailMessageDeliveryAction, MailMessageDeliveryLocation, MailMessageP1Sender, MailMessageP2Sender, MailMessageRecipient, MailMessageSenderIP, MailMessageSubject, MailboxDisplayName, MailboxPrimaryAddress, MailboxUPN, MalwareCategory, MalwareName, ProcessCommandLine, ProcessId, RegistryKey, RegistryValueData and Url.
    values List<String>
    Specifies a list of values to use for evaluate the condition.

    Import

    Sentinel Automation Rules can be imported using the resource id, e.g.

    $ pulumi import azure:sentinel/authomationRule:AuthomationRule example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/automationRules/rule1
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Azure Classic pulumi/pulumi-azure
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the azurerm Terraform Provider.
    azure logo

    We recommend using Azure Native.

    Azure Classic v5.81.0 published on Monday, Jun 24, 2024 by Pulumi