Threat Intelligence Indicator
Manages a Sentinel Threat Intelligence Indicator.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
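// Resource group and Log Analytics workspace that back the Sentinel instance.
const example = new azure.core.ResourceGroup("example", {
    name: "example-rg",
    location: "east us",
});
const exampleAnalyticsWorkspace = new azure.operationalinsights.AnalyticsWorkspace("example", {
    name: "example-law",
    location: example.location,
    resourceGroupName: example.name,
    sku: "PerGB2018",
    retentionInDays: 30,
});
// Onboarding enables Sentinel on the workspace; the indicator below reads its
// workspaceId from this resource, so it is created only after onboarding.
const exampleLogAnalyticsWorkspaceOnboarding = new azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", {workspaceId: exampleAnalyticsWorkspace.id});
const exampleThreatIntelligenceIndicator = new azure.sentinel.ThreatIntelligenceIndicator("example", {
    workspaceId: exampleLogAnalyticsWorkspaceOnboarding.workspaceId,
    // The pattern must match the declared patternType: a bare host name for
    // "domain-name" (a full URL such as "http://example.com" belongs to "url").
    patternType: "domain-name",
    pattern: "example.com",
    source: "Microsoft Sentinel",
    validateFromUtc: "2022-12-14T16:00:00Z",
    // No validateUntilUtc is set, so nothing in this example expires the indicator;
    // NOTE(review): set one in real deployments so stale indicators age out.
    displayName: "example-indicator",
});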
import pulumi
import pulumi_azure as azure
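# Resource group and Log Analytics workspace that back the Sentinel instance.
example = azure.core.ResourceGroup("example",
    name="example-rg",
    location="east us")
example_analytics_workspace = azure.operationalinsights.AnalyticsWorkspace("example",
    name="example-law",
    location=example.location,
    resource_group_name=example.name,
    sku="PerGB2018",
    retention_in_days=30)
# Onboarding enables Sentinel on the workspace; the indicator below reads its
# workspace_id from this resource, so it is created only after onboarding.
example_log_analytics_workspace_onboarding = azure.sentinel.LogAnalyticsWorkspaceOnboarding("example", workspace_id=example_analytics_workspace.id)
example_threat_intelligence_indicator = azure.sentinel.ThreatIntelligenceIndicator("example",
    workspace_id=example_log_analytics_workspace_onboarding.workspace_id,
    # The pattern must match the declared pattern_type: a bare host name for
    # "domain-name" (a full URL such as "http://example.com" belongs to "url").
    pattern_type="domain-name",
    pattern="example.com",
    source="Microsoft Sentinel",
    validate_from_utc="2022-12-14T16:00:00Z",
    # No validate_until_utc is set, so nothing in this example expires the indicator;
    # NOTE(review): set one in real deployments so stale indicators age out.
    display_name="example-indicator")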
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
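return await Deployment.RunAsync(() =>
{
    // Resource group and Log Analytics workspace that back the Sentinel instance.
    var example = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example-rg",
        Location = "east us",
    });

    var exampleAnalyticsWorkspace = new Azure.OperationalInsights.AnalyticsWorkspace("example", new()
    {
        Name = "example-law",
        Location = example.Location,
        ResourceGroupName = example.Name,
        Sku = "PerGB2018",
        RetentionInDays = 30,
    });

    // Onboarding enables Sentinel on the workspace; the indicator below reads its
    // WorkspaceId from this resource, so it is created only after onboarding.
    var exampleLogAnalyticsWorkspaceOnboarding = new Azure.Sentinel.LogAnalyticsWorkspaceOnboarding("example", new()
    {
        WorkspaceId = exampleAnalyticsWorkspace.Id,
    });

    var exampleThreatIntelligenceIndicator = new Azure.Sentinel.ThreatIntelligenceIndicator("example", new()
    {
        WorkspaceId = exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
        // The pattern must match the declared PatternType: a bare host name for
        // "domain-name" (a full URL such as "http://example.com" belongs to "url").
        PatternType = "domain-name",
        Pattern = "example.com",
        Source = "Microsoft Sentinel",
        ValidateFromUtc = "2022-12-14T16:00:00Z",
        // No ValidateUntilUtc is set, so nothing in this example expires the indicator;
        // NOTE(review): set one in real deployments so stale indicators age out.
        DisplayName = "example-indicator",
    });
});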
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/operationalinsights"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/sentinel"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
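// main declares a resource group, a Log Analytics workspace, Sentinel
// onboarding for that workspace and a single threat intelligence indicator.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource group and Log Analytics workspace that back the Sentinel instance.
		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example-rg"),
			Location: pulumi.String("east us"),
		})
		if err != nil {
			return err
		}
		exampleAnalyticsWorkspace, err := operationalinsights.NewAnalyticsWorkspace(ctx, "example", &operationalinsights.AnalyticsWorkspaceArgs{
			Name:              pulumi.String("example-law"),
			Location:          example.Location,
			ResourceGroupName: example.Name,
			Sku:               pulumi.String("PerGB2018"),
			RetentionInDays:   pulumi.Int(30),
		})
		if err != nil {
			return err
		}
		// Onboarding enables Sentinel on the workspace; the indicator below reads its
		// WorkspaceId from this resource, so it is created only after onboarding.
		exampleLogAnalyticsWorkspaceOnboarding, err := sentinel.NewLogAnalyticsWorkspaceOnboarding(ctx, "example", &sentinel.LogAnalyticsWorkspaceOnboardingArgs{
			WorkspaceId: exampleAnalyticsWorkspace.ID(),
		})
		if err != nil {
			return err
		}
		_, err = sentinel.NewThreatIntelligenceIndicator(ctx, "example", &sentinel.ThreatIntelligenceIndicatorArgs{
			WorkspaceId: exampleLogAnalyticsWorkspaceOnboarding.WorkspaceId,
			// The pattern must match the declared PatternType: a bare host name for
			// "domain-name" (a full URL such as "http://example.com" belongs to "url").
			PatternType: pulumi.String("domain-name"),
			Pattern:     pulumi.String("example.com"),
			Source:      pulumi.String("Microsoft Sentinel"),
			ValidateFromUtc: pulumi.String("2022-12-14T16:00:00Z"),
			// No ValidateUntilUtc is set, so nothing in this example expires the indicator;
			// NOTE(review): set one in real deployments so stale indicators age out.
			DisplayName: pulumi.String("example-indicator"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}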
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspace;
import com.pulumi.azure.operationalinsights.AnalyticsWorkspaceArgs;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboarding;
import com.pulumi.azure.sentinel.LogAnalyticsWorkspaceOnboardingArgs;
import com.pulumi.azure.sentinel.ThreatIntelligenceIndicator;
import com.pulumi.azure.sentinel.ThreatIntelligenceIndicatorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
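public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a resource group, a Log Analytics workspace, Sentinel onboarding
     * for that workspace and a single threat intelligence indicator.
     */
    public static void stack(Context ctx) {
        // Resource group and Log Analytics workspace that back the Sentinel instance.
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example-rg")
            .location("east us")
            .build());

        var exampleAnalyticsWorkspace = new AnalyticsWorkspace("exampleAnalyticsWorkspace", AnalyticsWorkspaceArgs.builder()
            .name("example-law")
            .location(example.location())
            .resourceGroupName(example.name())
            .sku("PerGB2018")
            .retentionInDays(30)
            .build());

        // Onboarding enables Sentinel on the workspace; the indicator below reads its
        // workspaceId from this resource, so it is created only after onboarding.
        var exampleLogAnalyticsWorkspaceOnboarding = new LogAnalyticsWorkspaceOnboarding("exampleLogAnalyticsWorkspaceOnboarding", LogAnalyticsWorkspaceOnboardingArgs.builder()
            .workspaceId(exampleAnalyticsWorkspace.id())
            .build());

        var exampleThreatIntelligenceIndicator = new ThreatIntelligenceIndicator("exampleThreatIntelligenceIndicator", ThreatIntelligenceIndicatorArgs.builder()
            .workspaceId(exampleLogAnalyticsWorkspaceOnboarding.workspaceId())
            // The pattern must match the declared patternType: a bare host name for
            // "domain-name" (a full URL such as "http://example.com" belongs to "url").
            .patternType("domain-name")
            .pattern("example.com")
            .source("Microsoft Sentinel")
            .validateFromUtc("2022-12-14T16:00:00Z")
            // No validateUntilUtc is set, so nothing in this example expires the indicator;
            // NOTE(review): set one in real deployments so stale indicators age out.
            .displayName("example-indicator")
            .build());
    }
}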
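resources:
  # Resource group and Log Analytics workspace that back the Sentinel instance.
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example-rg
      location: east us
  exampleAnalyticsWorkspace:
    type: azure:operationalinsights:AnalyticsWorkspace
    name: example
    properties:
      name: example-law
      location: ${example.location}
      resourceGroupName: ${example.name}
      sku: PerGB2018
      retentionInDays: 30
  # Onboarding enables Sentinel on the workspace; the indicator below reads its
  # workspaceId from this resource, so it is created only after onboarding.
  exampleLogAnalyticsWorkspaceOnboarding:
    type: azure:sentinel:LogAnalyticsWorkspaceOnboarding
    name: example
    properties:
      workspaceId: ${exampleAnalyticsWorkspace.id}
  exampleThreatIntelligenceIndicator:
    type: azure:sentinel:ThreatIntelligenceIndicator
    name: example
    properties:
      workspaceId: ${exampleLogAnalyticsWorkspaceOnboarding.workspaceId}
      # The pattern must match the declared patternType: a bare host name for
      # domain-name (a full URL such as http://example.com belongs to url).
      patternType: domain-name
      pattern: example.com
      source: Microsoft Sentinel
      validateFromUtc: 2022-12-14T16:00:00Z
      # No validateUntilUtc is set, so nothing in this example expires the indicator;
      # NOTE(review): set one in real deployments so stale indicators age out.
      displayName: example-indicator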
Import
Sentinel Threat Intelligence Indicators can be imported using the resource `id`, e.g.
$ pulumi import azure:sentinel/threatIntelligenceIndicator:ThreatIntelligenceIndicator example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourcegroup1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/indicator1
Properties
The confidence level of the Threat Intelligence Indicator.
The description of the Threat Intelligence Indicator.
The display name of the Threat Intelligence Indicator.
The external ID of the Threat Intelligence Indicator.
The external last-updated time of the Threat Intelligence Indicator, in UTC.
One or more `external_reference` blocks as defined below.
One or more `granular_marking` blocks as defined below.
A list of indicator types of this Threat Intelligence Indicator.
One or more `kill_chain_phase` blocks as defined below.
The last updated time of the Threat Intelligence Indicator in UTC.
Specifies a list of Threat Intelligence marking references.
A `parsed_pattern` block as defined below.
The type of pattern used by the Threat Intelligence Indicator. Possible values are `domain-name`, `file`, `ipv4-addr`, `ipv6-addr` and `url`. The `pattern` value must be of the kind the type names (for example a bare host name for `domain-name`, a full URL for `url`).
The version of a Threat Intelligence entity.
Specifies a list of threat types of this Threat Intelligence Indicator.
The start of the validity period of the Threat Intelligence Indicator, in RFC3339 format.
The end of the validity period of the Threat Intelligence Indicator, in RFC3339 format.
The ID of the Log Analytics Workspace. Changing this forces a new Sentinel Threat Intelligence Indicator to be created.