MetadataArgs

/**
 * Arguments for a Sentinel Metadata resource: descriptive metadata (author, source,
 * support, threat-analysis coverage, dependencies, ...) attached to a piece of Sentinel
 * content such as an analytics rule.
 *
 * Every argument is optional and defaults to `null`; unset arguments are simply not sent.
 * [name] and [workspaceId] identify the resource, so changing either forces a new
 * Sentinel Metadata to be created.
 *
 * @property author An author block for the content item.
 * @property category A category block for the content item.
 * @property contentId ID of the content; used to identify dependencies and content from solutions or the community.
 * @property contentSchemaVersion Schema version of the content.
 * @property customVersion Custom version of the content.
 * @property dependency JSON-formatted dependency block describing which other content items this item requires.
 * @property firstPublishDate First publish date of the solution content item.
 * @property iconId ID of the icon; can be fetched from the solution template.
 * @property kind Kind of content the metadata is for (AnalyticsRule, AnalyticsRuleTemplate, AutomationRule,
 *   AzureFunction, DataConnector, DataType, HuntingQuery, InvestigationQuery, LogicAppsCustomConnector,
 *   Parser, Playbook, PlaybookTemplate, Solution, Watchlist, WatchlistTemplate, Workbook, WorkbookTemplate).
 * @property lastPublishDate Last publish date of the solution content item.
 * @property name Name of this Sentinel Metadata; changing it forces re-creation.
 * @property parentId Parent resource ID of the content item the metadata belongs to.
 * @property previewImages Preview image file names, taken from solution artifacts.
 * @property previewImagesDarks Preview image file names for the dark theme, taken from solution artifacts.
 * @property providers Providers for the solution content item.
 * @property source A source block for the content item.
 * @property support A support block for the content item.
 * @property threatAnalysisTactics Tactics the resource covers (Reconnaissance, ResourceDevelopment, InitialAccess,
 *   Execution, Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement,
 *   Collection, CommandAndControl, Exfiltration, Impact, ImpairProcessControl, InhibitResponseFunction).
 * @property threatAnalysisTechniques Techniques the resource covers.
 * @property version Version of the content.
 * @property workspaceId ID of the Log Analytics Workspace; changing it forces re-creation.
 */
data class MetadataArgs(
    val author: Output<MetadataAuthorArgs>? = null,
    val category: Output<MetadataCategoryArgs>? = null,
    val contentId: Output<String>? = null,
    val contentSchemaVersion: Output<String>? = null,
    val customVersion: Output<String>? = null,
    val dependency: Output<String>? = null,
    val firstPublishDate: Output<String>? = null,
    val iconId: Output<String>? = null,
    val kind: Output<String>? = null,
    val lastPublishDate: Output<String>? = null,
    val name: Output<String>? = null,
    val parentId: Output<String>? = null,
    val previewImages: Output<List<String>>? = null,
    val previewImagesDarks: Output<List<String>>? = null,
    val providers: Output<List<String>>? = null,
    val source: Output<MetadataSourceArgs>? = null,
    val support: Output<MetadataSupportArgs>? = null,
    val threatAnalysisTactics: Output<List<String>>? = null,
    val threatAnalysisTechniques: Output<List<String>>? = null,
    val version: Output<String>? = null,
    val workspaceId: Output<String>? = null,
) : ConvertibleToJava<MetadataArgs>

Manages a Sentinel Metadata.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
// Resource group that hosts the Log Analytics workspace and the Sentinel solution.
const resourceGroup = new azure.core.ResourceGroup("example", {
    name: "example-resources",
    location: "West Europe",
});

// Log Analytics workspace that Sentinel is enabled on.
const workspace = new azure.operationalinsights.AnalyticsWorkspace("example", {
    name: "example-workspace",
    location: resourceGroup.location,
    resourceGroupName: resourceGroup.name,
    sku: "pergb2018",
});

// The SecurityInsights solution turns Sentinel on for the workspace.
const sentinelSolution = new azure.operationalinsights.AnalyticsSolution("example", {
    solutionName: "SecurityInsights",
    location: resourceGroup.location,
    resourceGroupName: resourceGroup.name,
    workspaceResourceId: workspace.id,
    workspaceName: workspace.name,
    plan: {
        publisher: "Microsoft",
        product: "OMSGallery/SecurityInsights",
    },
});

// Near-real-time analytics rule. The KQL query builds a daily series, per caller, of
// distinct resources successfully created or deployed over the last 7 days.
const nrtRule = new azure.sentinel.AlertRuleNrt("example", {
    name: "example",
    logAnalyticsWorkspaceId: sentinelSolution.workspaceResourceId,
    displayName: "example",
    severity: "High",
    query: `AzureActivity |
where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
where ActivityStatus == "Succeeded" |
make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
`,
});

// Metadata record for the rule above; contentId and parentId bind it to that rule.
const ruleMetadata = new azure.sentinel.Metadata("example", {
    name: "exampl",
    workspaceId: sentinelSolution.workspaceResourceId,
    contentId: nrtRule.name,
    kind: "AnalyticsRule",
    parentId: nrtRule.id,
});
import pulumi
import pulumi_azure as azure
# Resource group that hosts the Log Analytics workspace and the Sentinel solution.
resource_group = azure.core.ResourceGroup(
    "example",
    name="example-resources",
    location="West Europe",
)

# Log Analytics workspace that Sentinel is enabled on.
workspace = azure.operationalinsights.AnalyticsWorkspace(
    "example",
    name="example-workspace",
    location=resource_group.location,
    resource_group_name=resource_group.name,
    sku="pergb2018",
)

# The SecurityInsights solution turns Sentinel on for the workspace.
sentinel_solution = azure.operationalinsights.AnalyticsSolution(
    "example",
    solution_name="SecurityInsights",
    location=resource_group.location,
    resource_group_name=resource_group.name,
    workspace_resource_id=workspace.id,
    workspace_name=workspace.name,
    plan={
        "publisher": "Microsoft",
        "product": "OMSGallery/SecurityInsights",
    },
)

# Near-real-time analytics rule. The KQL query builds a daily series, per caller, of
# distinct resources successfully created or deployed over the last 7 days.
nrt_rule = azure.sentinel.AlertRuleNrt(
    "example",
    name="example",
    log_analytics_workspace_id=sentinel_solution.workspace_resource_id,
    display_name="example",
    severity="High",
    query="""AzureActivity |
where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
where ActivityStatus == "Succeeded" |
make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
""",
)

# Metadata record for the rule above; content_id and parent_id bind it to that rule.
rule_metadata = azure.sentinel.Metadata(
    "example",
    name="exampl",
    workspace_id=sentinel_solution.workspace_resource_id,
    content_id=nrt_rule.name,
    kind="AnalyticsRule",
    parent_id=nrt_rule.id,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
    // Resource group that hosts the Log Analytics workspace and the Sentinel solution.
    var resourceGroup = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example-resources",
        Location = "West Europe",
    });

    // Log Analytics workspace that Sentinel is enabled on.
    var workspace = new Azure.OperationalInsights.AnalyticsWorkspace("example", new()
    {
        Name = "example-workspace",
        Location = resourceGroup.Location,
        ResourceGroupName = resourceGroup.Name,
        Sku = "pergb2018",
    });

    // The SecurityInsights solution turns Sentinel on for the workspace.
    var sentinelSolution = new Azure.OperationalInsights.AnalyticsSolution("example", new()
    {
        SolutionName = "SecurityInsights",
        Location = resourceGroup.Location,
        ResourceGroupName = resourceGroup.Name,
        WorkspaceResourceId = workspace.Id,
        WorkspaceName = workspace.Name,
        Plan = new Azure.OperationalInsights.Inputs.AnalyticsSolutionPlanArgs
        {
            Publisher = "Microsoft",
            Product = "OMSGallery/SecurityInsights",
        },
    });

    // Near-real-time analytics rule. The KQL query builds a daily series, per caller, of
    // distinct resources successfully created or deployed over the last 7 days.
    var nrtRule = new Azure.Sentinel.AlertRuleNrt("example", new()
    {
        Name = "example",
        LogAnalyticsWorkspaceId = sentinelSolution.WorkspaceResourceId,
        DisplayName = "example",
        Severity = "High",
        Query = @"AzureActivity |
where OperationName == ""Create or Update Virtual Machine"" or OperationName ==""Create Deployment"" |
where ActivityStatus == ""Succeeded"" |
make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
",
    });

    // Metadata record for the rule above; ContentId and ParentId bind it to that rule.
    var ruleMetadata = new Azure.Sentinel.Metadata("example", new()
    {
        Name = "exampl",
        WorkspaceId = sentinelSolution.WorkspaceResourceId,
        ContentId = nrtRule.Name,
        Kind = "AnalyticsRule",
        ParentId = nrtRule.Id,
    });
});
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/operationalinsights"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/sentinel"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main deploys a resource group, a Log Analytics workspace with the SecurityInsights
// solution, an NRT analytics rule, and a Metadata record bound to that rule.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource group that hosts the workspace and the Sentinel solution.
		resourceGroup, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example-resources"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}

		// Log Analytics workspace that Sentinel is enabled on.
		workspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "example", &operationalinsights.AnalyticsWorkspaceArgs{
			Name:              pulumi.String("example-workspace"),
			Location:          resourceGroup.Location,
			ResourceGroupName: resourceGroup.Name,
			Sku:               pulumi.String("pergb2018"),
		})
		if err != nil {
			return err
		}

		// The SecurityInsights solution turns Sentinel on for the workspace.
		sentinelSolution, err := operationalinsights.NewAnalyticsSolution(ctx, "example", &operationalinsights.AnalyticsSolutionArgs{
			SolutionName:        pulumi.String("SecurityInsights"),
			Location:            resourceGroup.Location,
			ResourceGroupName:   resourceGroup.Name,
			WorkspaceResourceId: workspace.ID(),
			WorkspaceName:       workspace.Name,
			Plan: &operationalinsights.AnalyticsSolutionPlanArgs{
				Publisher: pulumi.String("Microsoft"),
				Product:   pulumi.String("OMSGallery/SecurityInsights"),
			},
		})
		if err != nil {
			return err
		}

		// Near-real-time analytics rule. The KQL query builds a daily series, per caller,
		// of distinct resources successfully created or deployed over the last 7 days.
		nrtRule, err := sentinel.NewAlertRuleNrt(ctx, "example", &sentinel.AlertRuleNrtArgs{
			Name:                    pulumi.String("example"),
			LogAnalyticsWorkspaceId: sentinelSolution.WorkspaceResourceId,
			DisplayName:             pulumi.String("example"),
			Severity:                pulumi.String("High"),
			Query:                   pulumi.String("AzureActivity |\n where OperationName == \"Create or Update Virtual Machine\" or OperationName ==\"Create Deployment\" |\n where ActivityStatus == \"Succeeded\" |\n make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller\n"),
		})
		if err != nil {
			return err
		}

		// Metadata record for the rule above; ContentId and ParentId bind it to that rule.
		if _, err = sentinel.NewMetadata(ctx, "example", &sentinel.MetadataArgs{
			Name:        pulumi.String("exampl"),
			WorkspaceId: sentinelSolution.WorkspaceResourceId,
			ContentId:   nrtRule.Name,
			Kind:        pulumi.String("AnalyticsRule"),
			ParentId:    nrtRule.ID(),
		}); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
import com.pulumi.azure.operationalinsights.AnalyticsSolution;
import com.pulumi.azure.operationalinsights.AnalyticsSolutionArgs;
import com.pulumi.azure.operationalinsights.inputs.AnalyticsSolutionPlanArgs;
import com.pulumi.azure.sentinel.AlertRuleNrt;
import com.pulumi.azure.sentinel.AlertRuleNrtArgs;
import com.pulumi.azure.sentinel.Metadata;
import com.pulumi.azure.sentinel.MetadataArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Deploys a resource group, a Log Analytics workspace with the SecurityInsights
 * solution, an NRT analytics rule, and a Metadata record bound to that rule.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Stack body; {@code ctx} is supplied by the Pulumi runtime. */
    public static void stack(Context ctx) {
        // Resource group that hosts the workspace and the Sentinel solution.
        var resourceGroup = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example-resources")
                .location("West Europe")
                .build());

        // Log Analytics workspace that Sentinel is enabled on.
        var workspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()
                .name("example-workspace")
                .location(resourceGroup.location())
                .resourceGroupName(resourceGroup.name())
                .sku("pergb2018")
                .build());

        // The SecurityInsights solution turns Sentinel on for the workspace.
        var sentinelSolution = new AnalyticsSolution("exampleAnalyticsSolution", AnalyticsSolutionArgs.builder()
                .solutionName("SecurityInsights")
                .location(resourceGroup.location())
                .resourceGroupName(resourceGroup.name())
                .workspaceResourceId(workspace.id())
                .workspaceName(workspace.name())
                .plan(AnalyticsSolutionPlanArgs.builder()
                        .publisher("Microsoft")
                        .product("OMSGallery/SecurityInsights")
                        .build())
                .build());

        // Near-real-time analytics rule. The KQL query builds a daily series, per caller,
        // of distinct resources successfully created or deployed over the last 7 days.
        // The text block's common indentation is stripped, so the query is unchanged.
        var nrtRule = new AlertRuleNrt("exampleAlertRuleNrt", AlertRuleNrtArgs.builder()
                .name("example")
                .logAnalyticsWorkspaceId(sentinelSolution.workspaceResourceId())
                .displayName("example")
                .severity("High")
                .query("""
                AzureActivity |
                where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
                where ActivityStatus == "Succeeded" |
                make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
                """)
                .build());

        // Metadata record for the rule above; contentId and parentId bind it to that rule.
        var ruleMetadata = new Metadata("exampleMetadata", MetadataArgs.builder()
                .name("exampl")
                .workspaceId(sentinelSolution.workspaceResourceId())
                .contentId(nrtRule.name())
                .kind("AnalyticsRule")
                .parentId(nrtRule.id())
                .build());
    }
}
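# Nesting indentation was lost in the rendered listing, which makes the document invalid
# YAML (every key sat at column 0). Restored to the Pulumi YAML program structure.
resources:
  # Resource group that hosts the workspace and the Sentinel solution.
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example-resources
      location: West Europe
  # Log Analytics workspace that Sentinel is enabled on.
  exampleAnalyticsWorkspace:
    type: azure:operationalinsights:AnalyticsWorkspace
    name: example
    properties:
      name: example-workspace
      location: ${example.location}
      resourceGroupName: ${example.name}
      sku: pergb2018
  # The SecurityInsights solution turns Sentinel on for the workspace.
  exampleAnalyticsSolution:
    type: azure:operationalinsights:AnalyticsSolution
    name: example
    properties:
      solutionName: SecurityInsights
      location: ${example.location}
      resourceGroupName: ${example.name}
      workspaceResourceId: ${exampleAnalyticsWorkspace.id}
      workspaceName: ${exampleAnalyticsWorkspace.name}
      plan:
        publisher: Microsoft
        product: OMSGallery/SecurityInsights
  # Near-real-time analytics rule. The KQL query builds a daily series, per caller,
  # of distinct resources successfully created or deployed over the last 7 days.
  exampleAlertRuleNrt:
    type: azure:sentinel:AlertRuleNrt
    name: example
    properties:
      name: example
      logAnalyticsWorkspaceId: ${exampleAnalyticsSolution.workspaceResourceId}
      displayName: example
      severity: High
      query: |
        AzureActivity |
        where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
        where ActivityStatus == "Succeeded" |
        make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
  # Metadata record for the rule above; contentId and parentId bind it to that rule.
  exampleMetadata:
    type: azure:sentinel:Metadata
    name: example
    properties:
      name: exampl
      workspaceId: ${exampleAnalyticsSolution.workspaceResourceId}
      contentId: ${exampleAlertRuleNrt.name}
      kind: AnalyticsRule
      parentId: ${exampleAlertRuleNrt.id}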

Import

Sentinel Metadata can be imported using the resource id, e.g.

$ pulumi import azure:sentinel/metadata:Metadata example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourcegroup1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/metadata/metadata1

Constructors

constructor(author: Output<MetadataAuthorArgs>? = null, category: Output<MetadataCategoryArgs>? = null, contentId: Output<String>? = null, contentSchemaVersion: Output<String>? = null, customVersion: Output<String>? = null, dependency: Output<String>? = null, firstPublishDate: Output<String>? = null, iconId: Output<String>? = null, kind: Output<String>? = null, lastPublishDate: Output<String>? = null, name: Output<String>? = null, parentId: Output<String>? = null, previewImages: Output<List<String>>? = null, previewImagesDarks: Output<List<String>>? = null, providers: Output<List<String>>? = null, source: Output<MetadataSourceArgs>? = null, support: Output<MetadataSupportArgs>? = null, threatAnalysisTactics: Output<List<String>>? = null, threatAnalysisTechniques: Output<List<String>>? = null, version: Output<String>? = null, workspaceId: Output<String>? = null)

Properties

val author: Output<MetadataAuthorArgs>? = null

An author block as defined below.

val category: Output<MetadataCategoryArgs>? = null

A category block as defined below.

val contentId: Output<String>? = null

The ID of the content. Used to identify dependencies and content from solutions or the community.

val contentSchemaVersion: Output<String>? = null

Schema version of the content. Can be used to distinguish between flows based on the schema version.

val customVersion: Output<String>? = null

The custom version of the content.

val dependency: Output<String>? = null

A JSON-formatted dependency block as defined below. It describes which other content items this content item requires in order to work.

val firstPublishDate: Output<String>? = null

The first publish date of the solution content item.

val iconId: Output<String>? = null

The ID of the icon. This ID can be fetched from the solution template.

val kind: Output<String>? = null

The kind of content the metadata is for. Possible values are AnalyticsRule, AnalyticsRuleTemplate, AutomationRule, AzureFunction, DataConnector, DataType, HuntingQuery, InvestigationQuery, LogicAppsCustomConnector, Parser, Playbook, PlaybookTemplate, Solution, Watchlist, WatchlistTemplate, Workbook and WorkbookTemplate.

val lastPublishDate: Output<String>? = null

The last publish date of the solution content item.

val name: Output<String>? = null

The name which should be used for this Sentinel Metadata. Changing this forces a new Sentinel Metadata to be created.

val parentId: Output<String>? = null

The parent resource ID of the content item that the metadata belongs to.

val previewImages: Output<List<String>>? = null

Specifies a list of preview image file names. These will be taken from solution artifacts.

val previewImagesDarks: Output<List<String>>? = null

Specifies a list of preview image file names used for dark theme. These will be taken from solution artifacts.

val providers: Output<List<String>>? = null

Specifies a list of providers for the solution content item.

val source: Output<MetadataSourceArgs>? = null

A source block as defined below.

val support: Output<MetadataSupportArgs>? = null

A support block as defined below.

val threatAnalysisTactics: Output<List<String>>? = null

Specifies a list of tactics the resource covers. Possible values are Reconnaissance, ResourceDevelopment, InitialAccess, Execution, Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Collection, CommandAndControl, Exfiltration, Impact, ImpairProcessControl and InhibitResponseFunction.

val threatAnalysisTechniques: Output<List<String>>? = null

Specifies a list of techniques the resource covers.

val version: Output<String>? = null

Version of the content.

val workspaceId: Output<String>? = null

The ID of the Log Analytics Workspace. Changing this forces a new Sentinel Metadata to be created.

Functions

open override fun toJava(): MetadataArgs