Content Template Args
Template resource definition. Uses Azure REST API version 2024-09-01. In version 2.x of the Azure Native provider, it used API version 2023-06-01-preview. Other available API versions: 2023-04-01-preview, 2023-05-01-preview, 2023-06-01-preview, 2023-07-01-preview, 2023-08-01-preview, 2023-09-01-preview, 2023-10-01-preview, 2023-11-01, 2023-12-01-preview, 2024-01-01-preview, 2024-03-01, 2024-04-01-preview, 2024-10-01-preview, 2025-01-01-preview, 2025-03-01, 2025-04-01-preview. These can be accessed by generating a local SDK package using the CLI command `pulumi package add azure-native securityinsights [ApiVersion]`. See the version guide (../../../version-guide/#accessing-any-api-version-via-local-packages) for details.
Example Usage
Get a template.
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Registers one Microsoft Sentinel content template (ContentKind = AnalyticsRule) in
// workspace "myWorkspace" of resource group "myRg". The ARM payload handed to
// MainTemplate is assembled from named pieces so each part can be reviewed on its own.
return await Deployment.RunAsync(() =>
{
    // Settings of the scheduled rule template embedded in the payload.
    var scheduledRuleSettings = new Dictionary<string, object?>
    {
        ["description"] = "Creates an incident when a large number of Critical/High severity CrowdStrike Falcon sensor detections is triggered by a single user",
        ["displayName"] = "Critical or High Severity Detections by User",
        // Ships disabled. Presumably a rule created from this template does not run until
        // it is enabled - confirm, and track it so the detection gap is not forgotten.
        ["enabled"] = false,
        // The KQL is elided in this sample. With the trigger below, the "large number ...
        // by a single user" condition has to be expressed inside the query itself.
        ["query"] = "...",
        // Run interval and lookback window are both one hour, so consecutive runs do not
        // overlap; NOTE(review): check whether late-ingested events can fall between runs.
        ["queryFrequency"] = "PT1H",
        ["queryPeriod"] = "PT1H",
        ["severity"] = "High",
        ["status"] = "Available",
        // Suppression is switched off; the one-hour duration presumably has no effect
        // until suppressionEnabled is true.
        ["suppressionDuration"] = "PT1H",
        ["suppressionEnabled"] = false,
        // GreaterThan 0: any non-empty query result raises an alert.
        ["triggerOperator"] = "GreaterThan",
        ["triggerThreshold"] = 0,
    };

    // First ARM resource: the alert rule template itself (preview API version).
    var alertRuleTemplate = new Dictionary<string, object?>
    {
        ["apiVersion"] = "2022-04-01-preview",
        ["kind"] = "Scheduled",
        ["location"] = "[parameters('workspace-location')]",
        ["name"] = "8365ebfe-a381-45b7-ad08-7d818070e11f",
        ["properties"] = scheduledRuleSettings,
        ["type"] = "Microsoft.SecurityInsights/AlertRuleTemplates",
    };

    var metadataAuthor = new Dictionary<string, object?>
    {
        ["email"] = "support@microsoft.com",
        ["name"] = "Microsoft",
    };

    var metadataSource = new Dictionary<string, object?>
    {
        ["kind"] = "Solution",
        ["name"] = "str",
        ["sourceId"] = "str.azure-sentinel-solution-str",
    };

    var metadataSupport = new Dictionary<string, object?>
    {
        ["email"] = "support@microsoft.com",
        ["link"] = "https://support.microsoft.com/",
        ["name"] = "Microsoft Corporation",
        ["tier"] = "Microsoft",
    };

    // Second ARM resource: the metadata record that points back at the rule template.
    var ruleMetadata = new Dictionary<string, object?>
    {
        ["apiVersion"] = "2022-01-01-preview",
        // NOTE(review): kept verbatim from the sample. The GUID passed to resourceId() is
        // not quoted and a bracketed expression sits inside another one; verify that this
        // expression evaluates before deploying the payload.
        ["name"] = "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split([resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 8365ebfe-a381-45b7-ad08-7d818070e11f)],'/'))))]",
        ["properties"] = new Dictionary<string, object?>
        {
            ["author"] = metadataAuthor,
            // NOTE(review): differs from the ContentId set on the template below - confirm
            // which id downstream tooling is expected to correlate on.
            ["contentId"] = "4465ebde-b381-45f7-ad08-7d818070a11c",
            ["description"] = "CrowdStrike Falcon Endpoint Protection Analytics Rule 1",
            ["kind"] = "AnalyticsRule",
            ["parentId"] = "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 8365ebfe-a381-45b7-ad08-7d818070e11f)]",
            ["source"] = metadataSource,
            ["support"] = metadataSupport,
            ["version"] = "1.0.0",
        },
        ["type"] = "Microsoft.OperationalInsights/workspaces/providers/metadata",
    };

    // The payload is an ARM deployment template; review it like any other deployable code.
    var armPayload = new Dictionary<string, object?>
    {
        ["$schema"] = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        ["contentVersion"] = "1.0.1",
        ["resources"] = new[]
        {
            alertRuleTemplate,
            ruleMetadata,
        },
    };

    var templateAuthor = new AzureNative.SecurityInsights.Inputs.MetadataAuthorArgs
    {
        Email = "support@microsoft.com",
        Name = "Microsoft",
    };

    var templateSource = new AzureNative.SecurityInsights.Inputs.MetadataSourceArgs
    {
        Kind = AzureNative.SecurityInsights.SourceKind.Solution,
        Name = "str",
        SourceId = "str.azure-sentinel-solution-str",
    };

    var templateSupport = new AzureNative.SecurityInsights.Inputs.MetadataSupportArgs
    {
        Email = "support@microsoft.com",
        Link = "https://support.microsoft.com/",
        Name = "Microsoft Corporation",
        Tier = AzureNative.SecurityInsights.SupportTier.Microsoft,
    };

    // The "str" ids and the myRg/myWorkspace names look like sample placeholders.
    var registeredTemplate = new AzureNative.SecurityInsights.ContentTemplate("contentTemplate", new()
    {
        Author = templateAuthor,
        ContentId = "8365ebfe-a381-45b7-ad08-7d818070e11f",
        ContentKind = AzureNative.SecurityInsights.Kind.AnalyticsRule,
        ContentProductId = "str.azure-sentinel-solution-str-ar-cbfe4fndz66bi",
        // NOTE(review): the display name mentions a workbook while the kind is
        // AnalyticsRule; pick a name analysts can match to the rule.
        DisplayName = "API Protection workbook template",
        MainTemplate = armPayload,
        PackageId = "str.azure-sentinel-solution-str",
        PackageKind = AzureNative.SecurityInsights.PackageKind.Solution,
        PackageName = "str",
        PackageVersion = "1.0.0",
        ResourceGroupName = "myRg",
        Source = templateSource,
        Support = templateSupport,
        TemplateId = "str.azure-sentinel-solution-str",
        Version = "1.0.1",
        WorkspaceName = "myWorkspace",
    });
});
package main
import (
securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers one Microsoft Sentinel content template (kind AnalyticsRule) in
// workspace "myWorkspace" of resource group "myRg". The ARM payload passed as
// MainTemplate is built from named pieces so each part can be reviewed on its own.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Settings of the scheduled rule template embedded in the payload.
		ruleSettings := map[string]interface{}{
			"description": "Creates an incident when a large number of Critical/High severity CrowdStrike Falcon sensor detections is triggered by a single user",
			"displayName": "Critical or High Severity Detections by User",
			// Ships disabled. Presumably a rule created from this template does not run
			// until it is enabled - confirm, and track it so the gap is not forgotten.
			"enabled": false,
			// The KQL is elided in this sample. With the trigger below, the "large number
			// ... by a single user" condition has to be expressed inside the query itself.
			"query": "...",
			// Run interval and lookback window are both one hour, so runs do not overlap;
			// NOTE(review): check whether late-ingested events can fall between runs.
			"queryFrequency": "PT1H",
			"queryPeriod":    "PT1H",
			"severity":       "High",
			"status":         "Available",
			// Suppression is switched off; the one-hour duration presumably has no effect
			// until suppressionEnabled is true.
			"suppressionDuration": "PT1H",
			"suppressionEnabled":  false,
			// GreaterThan 0: any non-empty query result raises an alert.
			"triggerOperator":  "GreaterThan",
			"triggerThreshold": 0,
		}

		// First ARM resource: the alert rule template itself (preview API version).
		alertRuleTemplate := map[string]interface{}{
			"apiVersion": "2022-04-01-preview",
			"kind":       "Scheduled",
			"location":   "[parameters('workspace-location')]",
			"name":       "8365ebfe-a381-45b7-ad08-7d818070e11f",
			"properties": ruleSettings,
			"type":       "Microsoft.SecurityInsights/AlertRuleTemplates",
		}

		// Second ARM resource: the metadata record that points back at the rule template.
		ruleMetadata := map[string]interface{}{
			"apiVersion": "2022-01-01-preview",
			// NOTE(review): kept verbatim from the sample. The GUID passed to resourceId()
			// is not quoted and a bracketed expression sits inside another one; verify
			// that this expression evaluates before deploying the payload.
			"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split([resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 8365ebfe-a381-45b7-ad08-7d818070e11f)],'/'))))]",
			"properties": map[string]interface{}{
				"author": map[string]interface{}{
					"email": "support@microsoft.com",
					"name":  "Microsoft",
				},
				// NOTE(review): differs from the ContentId set on the template below -
				// confirm which id downstream tooling is expected to correlate on.
				"contentId":   "4465ebde-b381-45f7-ad08-7d818070a11c",
				"description": "CrowdStrike Falcon Endpoint Protection Analytics Rule 1",
				"kind":        "AnalyticsRule",
				"parentId":    "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 8365ebfe-a381-45b7-ad08-7d818070e11f)]",
				"source": map[string]interface{}{
					"kind":     "Solution",
					"name":     "str",
					"sourceId": "str.azure-sentinel-solution-str",
				},
				"support": map[string]interface{}{
					"email": "support@microsoft.com",
					"link":  "https://support.microsoft.com/",
					"name":  "Microsoft Corporation",
					"tier":  "Microsoft",
				},
				"version": "1.0.0",
			},
			"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
		}

		// The payload is an ARM deployment template; review it like any deployable code.
		armPayload := map[string]interface{}{
			"$schema":        "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
			"contentVersion": "1.0.1",
			"resources": []interface{}{
				alertRuleTemplate,
				ruleMetadata,
			},
		}

		// The "str" ids and the myRg/myWorkspace names look like sample placeholders.
		templateArgs := &securityinsights.ContentTemplateArgs{
			Author: &securityinsights.MetadataAuthorArgs{
				Email: pulumi.String("support@microsoft.com"),
				Name:  pulumi.String("Microsoft"),
			},
			ContentId:        pulumi.String("8365ebfe-a381-45b7-ad08-7d818070e11f"),
			ContentKind:      pulumi.String(securityinsights.KindAnalyticsRule),
			ContentProductId: pulumi.String("str.azure-sentinel-solution-str-ar-cbfe4fndz66bi"),
			// NOTE(review): the display name mentions a workbook while the kind is
			// AnalyticsRule; pick a name analysts can match to the rule.
			DisplayName:       pulumi.String("API Protection workbook template"),
			MainTemplate:      pulumi.Any(armPayload),
			PackageId:         pulumi.String("str.azure-sentinel-solution-str"),
			PackageKind:       pulumi.String(securityinsights.PackageKindSolution),
			PackageName:       pulumi.String("str"),
			PackageVersion:    pulumi.String("1.0.0"),
			ResourceGroupName: pulumi.String("myRg"),
			Source: &securityinsights.MetadataSourceArgs{
				Kind:     pulumi.String(securityinsights.SourceKindSolution),
				Name:     pulumi.String("str"),
				SourceId: pulumi.String("str.azure-sentinel-solution-str"),
			},
			Support: &securityinsights.MetadataSupportArgs{
				Email: pulumi.String("support@microsoft.com"),
				Link:  pulumi.String("https://support.microsoft.com/"),
				Name:  pulumi.String("Microsoft Corporation"),
				Tier:  pulumi.String(securityinsights.SupportTierMicrosoft),
			},
			TemplateId:    pulumi.String("str.azure-sentinel-solution-str"),
			Version:       pulumi.String("1.0.1"),
			WorkspaceName: pulumi.String("myWorkspace"),
		}

		// The resource handle is not used afterwards; only the registration error matters.
		_, err := securityinsights.NewContentTemplate(ctx, "contentTemplate", templateArgs)
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.ContentTemplate;
import com.pulumi.azurenative.securityinsights.ContentTemplateArgs;
import com.pulumi.azurenative.securityinsights.inputs.MetadataAuthorArgs;
import com.pulumi.azurenative.securityinsights.inputs.MetadataSourceArgs;
import com.pulumi.azurenative.securityinsights.inputs.MetadataSupportArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
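/**
 * Pulumi program that registers one Microsoft Sentinel content template
 * (contentKind "AnalyticsRule") in workspace "myWorkspace" of resource group "myRg".
 */
public class App {
    /** Program entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the ContentTemplate resource.
     *
     * The mainTemplate value is an ARM deployment template; review it like any other
     * deployable code. The "str" ids and the myRg/myWorkspace names look like sample
     * placeholders.
     *
     * @param ctx Pulumi context supplied by the runtime (not read by this method)
     */
    public static void stack(Context ctx) {
        var contentTemplate = new ContentTemplate("contentTemplate", ContentTemplateArgs.builder()
            .author(MetadataAuthorArgs.builder()
                .email("support@microsoft.com")
                .name("Microsoft")
                .build())
            .contentId("8365ebfe-a381-45b7-ad08-7d818070e11f")
            .contentKind("AnalyticsRule")
            .contentProductId("str.azure-sentinel-solution-str-ar-cbfe4fndz66bi")
            // NOTE(review): the display name mentions a workbook while the kind is
            // AnalyticsRule; pick a name analysts can match to the rule.
            .displayName("API Protection workbook template")
            .mainTemplate(Map.ofEntries(
                Map.entry("$schema", "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"),
                Map.entry("contentVersion", "1.0.1"),
                // "resources" is an ARM array, so both resource maps are wrapped in a List.
                // Map.entry accepts exactly one key and one value; passing the two maps as
                // separate arguments does not compile.
                Map.entry("resources", List.of(
                    // First ARM resource: the alert rule template itself (preview API version).
                    Map.ofEntries(
                        Map.entry("apiVersion", "2022-04-01-preview"),
                        Map.entry("kind", "Scheduled"),
                        Map.entry("location", "[parameters('workspace-location')]"),
                        Map.entry("name", "8365ebfe-a381-45b7-ad08-7d818070e11f"),
                        Map.entry("properties", Map.ofEntries(
                            Map.entry("description", "Creates an incident when a large number of Critical/High severity CrowdStrike Falcon sensor detections is triggered by a single user"),
                            Map.entry("displayName", "Critical or High Severity Detections by User"),
                            // Ships disabled. Presumably a rule created from this template does
                            // not run until it is enabled - confirm, and track the gap.
                            Map.entry("enabled", false),
                            // The KQL is elided in this sample. With the trigger below, the
                            // "large number ... by a single user" condition has to be expressed
                            // inside the query itself.
                            Map.entry("query", "..."),
                            // Run interval and lookback window are both one hour, so runs do not
                            // overlap; NOTE(review): check whether late-ingested events can fall
                            // between runs.
                            Map.entry("queryFrequency", "PT1H"),
                            Map.entry("queryPeriod", "PT1H"),
                            Map.entry("severity", "High"),
                            Map.entry("status", "Available"),
                            // Suppression is switched off; the one-hour duration presumably has
                            // no effect until suppressionEnabled is true.
                            Map.entry("suppressionDuration", "PT1H"),
                            Map.entry("suppressionEnabled", false),
                            // GreaterThan 0: any non-empty query result raises an alert.
                            Map.entry("triggerOperator", "GreaterThan"),
                            Map.entry("triggerThreshold", 0)
                        )),
                        Map.entry("type", "Microsoft.SecurityInsights/AlertRuleTemplates")
                    ),
                    // Second ARM resource: the metadata record pointing back at the rule template.
                    Map.ofEntries(
                        Map.entry("apiVersion", "2022-01-01-preview"),
                        // NOTE(review): kept verbatim from the sample. The GUID passed to
                        // resourceId() is not quoted and a bracketed expression sits inside
                        // another one; verify that this expression evaluates before deploying.
                        Map.entry("name", "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split([resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 8365ebfe-a381-45b7-ad08-7d818070e11f)],'/'))))]"),
                        Map.entry("properties", Map.ofEntries(
                            Map.entry("author", Map.ofEntries(
                                Map.entry("email", "support@microsoft.com"),
                                Map.entry("name", "Microsoft")
                            )),
                            // NOTE(review): differs from the contentId set on the template above -
                            // confirm which id downstream tooling is expected to correlate on.
                            Map.entry("contentId", "4465ebde-b381-45f7-ad08-7d818070a11c"),
                            Map.entry("description", "CrowdStrike Falcon Endpoint Protection Analytics Rule 1"),
                            Map.entry("kind", "AnalyticsRule"),
                            Map.entry("parentId", "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 8365ebfe-a381-45b7-ad08-7d818070e11f)]"),
                            Map.entry("source", Map.ofEntries(
                                Map.entry("kind", "Solution"),
                                Map.entry("name", "str"),
                                Map.entry("sourceId", "str.azure-sentinel-solution-str")
                            )),
                            Map.entry("support", Map.ofEntries(
                                Map.entry("email", "support@microsoft.com"),
                                Map.entry("link", "https://support.microsoft.com/"),
                                Map.entry("name", "Microsoft Corporation"),
                                Map.entry("tier", "Microsoft")
                            )),
                            Map.entry("version", "1.0.0")
                        )),
                        Map.entry("type", "Microsoft.OperationalInsights/workspaces/providers/metadata")
                    )
                ))
            ))
            .packageId("str.azure-sentinel-solution-str")
            .packageKind("Solution")
            .packageName("str")
            .packageVersion("1.0.0")
            .resourceGroupName("myRg")
            .source(MetadataSourceArgs.builder()
                .kind("Solution")
                .name("str")
                .sourceId("str.azure-sentinel-solution-str")
                .build())
            .support(MetadataSupportArgs.builder()
                .email("support@microsoft.com")
                .link("https://support.microsoft.com/")
                .name("Microsoft Corporation")
                .tier("Microsoft")
                .build())
            .templateId("str.azure-sentinel-solution-str")
            .version("1.0.1")
            .workspaceName("myWorkspace")
            .build());
    }
}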
Import
An existing resource can be imported using its type token, name, and identifier, e.g.
$ pulumi import azure-native:securityinsights:ContentTemplate azuresentinel.azure-sentinel-solution-ciscoumbrella /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/contentTemplates/{templateId}
Constructors
Properties
The creator of the content item.
Categories for the item
The kind of content the template is for.
Unique ID for the content. It should be generated based on the contentId of the package, contentId of the template, contentKind of the template and the contentVersion of the template
Schema version of the content. Can be used to distinguish between different flows based on the schema version
The custom version of the content. An optional free-text value
Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats.
The display name of the template
First publish date of the content item
Last publish date of the content item
The JSON of the ARM template to deploy active content. Expandable.
The packageKind of the package that contains this template
The name of the package that contains this template
Version of the package. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM metadata best practices. Can also be any string, but then we cannot guarantee any version checks
Preview image file names. These will be taken from the solution artifacts
Preview image file names, used for dark theme support. These will be taken from the solution artifacts
The name of the resource group. The name is case insensitive.
Source of the content. This is where/how it was created.
Support information for the template - type, name, contact information
Template ID
The tactics the resource covers
The techniques the resource covers. These have to be aligned with the tactics being used
The name of the workspace.