
azurermSentinelMetadata

Manages a Sentinel Metadata.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as azurerm from "./.gen/providers/azurerm";

// The converter emitted snake_case keys (resource_group_name, ...), but the CDKTF
// bindings use camelCase, so the property names below are corrected and the
// statements are wrapped in a stack so that `this` refers to a construct.
export class SentinelMetadataStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    new azurerm.provider.AzurermProvider(this, "azurerm", {
      features: [{}],
    });
    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
      this,
      "example",
      {
        location: "West Europe",
        name: "example-resources",
      }
    );
    const azurermLogAnalyticsWorkspaceExample =
      new azurerm.logAnalyticsWorkspace.LogAnalyticsWorkspace(this, "example_2", {
        location: azurermResourceGroupExample.location,
        name: "example-workspace",
        resourceGroupName: azurermResourceGroupExample.name,
        sku: "pergb2018",
      });
    /*This allows the Terraform resource name to match the original name. You can
    remove this call (and the matching calls below) if you don't need them to match.*/
    azurermLogAnalyticsWorkspaceExample.overrideLogicalId("example");
    // The SecurityInsights solution enables Microsoft Sentinel on the workspace.
    // `plan` is a single nested block in the CDKTF bindings, so it is an object, not a list.
    const azurermLogAnalyticsSolutionExample =
      new azurerm.logAnalyticsSolution.LogAnalyticsSolution(this, "example_3", {
        location: azurermResourceGroupExample.location,
        plan: {
          product: "OMSGallery/SecurityInsights",
          publisher: "Microsoft",
        },
        resourceGroupName: azurermResourceGroupExample.name,
        solutionName: "SecurityInsights",
        workspaceName: azurermLogAnalyticsWorkspaceExample.name,
        workspaceResourceId: azurermLogAnalyticsWorkspaceExample.id,
      });
    azurermLogAnalyticsSolutionExample.overrideLogicalId("example");
    // The NRT analytics rule is the content item that the metadata will describe.
    const azurermSentinelAlertRuleNrtExample =
      new azurerm.sentinelAlertRuleNrt.SentinelAlertRuleNrt(this, "example_4", {
        displayName: "example",
        logAnalyticsWorkspaceId:
          azurermLogAnalyticsSolutionExample.workspaceResourceId,
        name: "example",
        query:
          'AzureActivity |\n  where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |\n  where ActivityStatus == "Succeeded" |\n  make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller\n',
        severity: "High",
      });
    azurermSentinelAlertRuleNrtExample.overrideLogicalId("example");
    // contentId identifies the rule; parentId is the rule's resource ID.
    const azurermSentinelMetadataExample =
      new azurerm.sentinelMetadata.SentinelMetadata(this, "example_5", {
        contentId: azurermSentinelAlertRuleNrtExample.name,
        kind: "AnalyticsRule",
        name: "exampl",
        parentId: azurermSentinelAlertRuleNrtExample.id,
        workspaceId: azurermLogAnalyticsSolutionExample.workspaceResourceId,
      });
    azurermSentinelMetadataExample.overrideLogicalId("example");
  }
}

Arguments Reference

The following arguments are supported:

  • contentId - (Required) The ID of the content. Used to identify dependencies and content from solutions or the community.

  • kind - (Required) The kind of content the metadata is for. Possible values are analyticsRule, analyticsRuleTemplate, automationRule, azureFunction, dataConnector, dataType, huntingQuery, investigationQuery, logicAppsCustomConnector, parser, playbook, playbookTemplate, solution, watchlist, watchlistTemplate, workbook and workbookTemplate.

  • name - (Required) The name which should be used for this Sentinel Metadata. Changing this forces a new Sentinel Metadata to be created.

  • parentId - (Required) The ID of the parent resource of the content item that the metadata belongs to.

  • workspaceId - (Required) The ID of the Log Analytics Workspace. Changing this forces a new Sentinel Metadata to be created.


  • author - (Optional) An author block as defined below.

  • category - (Optional) A category block as defined below.

  • contentSchemaVersion - (Optional) Schema version of the content. Can be used to distinguish between flows based on the schema version.

  • customVersion - (Optional) The Custom version of the content.

  • dependency - (Optional) A JSON-formatted dependency block as defined below, describing which other content items this content item requires in order to work.

  • firstPublishDate - (Optional) The first publish date of the solution content item.

  • iconId - (Optional) The ID of the icon; this ID can be fetched from the solution template.

  • lastPublishDate - (Optional) The last publish date of the solution content item.

  • previewImage - (Optional) Specifies a list of preview image file names. These will be taken from solution artifacts.

  • previewImageDark - (Optional) Specifies a list of preview image file names used for dark theme. These will be taken from solution artifacts.

  • providers - (Optional) Specifies a list of providers for the solution content item.

  • source - (Optional) A source block as defined below.

  • support - (Optional) A support block as defined below.

  • threatAnalysisTactics - (Optional) Specifies a list of tactics the resource covers.

  • threatAnalysisTechniques - (Optional) Specifies a list of techniques the resource covers.

  • version - (Optional) Version of the content.


An author block supports the following:

  • name - (Optional) The name of the author, company or person.

  • email - (Optional) The email address of the author contact.

  • link - (Optional) The link to the author/vendor page.


A category block supports the following:

  • domains - (Optional) Specifies a list of domains for the solution content item.

  • verticals - (Optional) Specifies a list of industry verticals for the solution content item.


A dependency block supports the following:

  • contentId - (Optional) ID of the content item that is depended on.

  • kind - (Optional) Type of the content item that is depended on.

  • version - (Optional) Version of the content item that is depended on.

  • operator - (Optional) Operator used to combine the list of dependencies in the criteria array.

  • criteria - (Optional) Specifies a list of dependencies that must be fulfilled, according to the operator.
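The dependency block is a nested JSON document rather than a set of Terraform arguments, so its shape is easiest to see built up in code. The following is an added example, not code from the provider or its documentation: it assembles a dependency tree (a leaf with contentId/kind/version, or a group with operator and criteria), validates it, and serialises it to the string you would pass as `dependency` on SentinelMetadata. The operator values "AND"/"OR", the kind strings and the content IDs are assumptions and placeholders.

```typescript
// Added example (not provider code): build and validate the JSON string that
// the `dependency` argument takes. A leaf names one required content item
// (contentId/kind/version); a group combines nested criteria with an operator.
// The "AND"/"OR" operator values and the kind strings are assumptions.
type DependencyLeaf = { contentId: string; kind: string; version?: string };
type DependencyGroup = { operator: "AND" | "OR"; criteria: Dependency[] };
type Dependency = DependencyLeaf | DependencyGroup;
const isGroup = (d: Dependency): d is DependencyGroup => "criteria" in d;
// Walk the tree: a group needs a known operator and at least one criterion,
// a leaf must say which content item it depends on. Returns all problems found.
function validateDependency(d: Dependency, path = "dependency"): string[] {
  const errors: string[] = [];
  if (isGroup(d)) {
    if (!["AND", "OR"].includes(d.operator)) {
      errors.push(`${path}: operator must be AND or OR`);
    }
    if (d.criteria.length === 0) {
      errors.push(`${path}: criteria must not be empty`);
    }
    d.criteria.forEach((c, i) =>
      errors.push(...validateDependency(c, `${path}.criteria[${i}]`))
    );
  } else {
    if (!d.contentId) errors.push(`${path}: contentId is required`);
    if (!d.kind) errors.push(`${path}: kind is required`);
  }
  return errors;
}
// Serialise to the string passed as `dependency:` on SentinelMetadata, and
// refuse to emit a malformed block rather than let the API reject it later.
function dependencyJson(d: Dependency): string {
  const errors = validateDependency(d);
  if (errors.length > 0) throw new Error(errors.join("; "));
  return JSON.stringify(d);
}
// Constructed sample: the rule needs a data connector AND one of two parsers (placeholder IDs).
const sampleDependency: Dependency = {
  operator: "AND",
  criteria: [
    { contentId: "connector-placeholder", kind: "DataConnector", version: "1.0.0" },
    {
      operator: "OR",
      criteria: [
        { contentId: "parser-a-placeholder", kind: "Parser" },
        { contentId: "parser-b-placeholder", kind: "Parser" },
      ],
    },
  ],
};
```

Pass `dependencyJson(sampleDependency)` as the `dependency` property of the SentinelMetadata resource; the validation throws before synthesis if a group has no criteria or a leaf lacks its contentId or kind.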


A source block supports the following:

  • name - (Optional) The name of the content source, repo name, solution name, Log Analytics Workspace name, etc.

  • kind - (Required) The kind of the content source. Possible values are localWorkspace, community, solution and sourceRepository.

  • id - (Optional) The ID of the content source, e.g. the solution ID or the Log Analytics Workspace name.


A support block supports the following:

  • tier - (Required) The type of support for the content item. Possible values are microsoft, partner and community.

  • email - (Optional) The email address of the support contact.

  • link - (Optional) The link for support help.

  • name - (Optional) The name of the support contact.

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Sentinel Metadata.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Sentinel Metadata.
  • read - (Defaults to 5 minutes) Used when retrieving the Sentinel Metadata.
  • update - (Defaults to 30 minutes) Used when updating the Sentinel Metadata.
  • delete - (Defaults to 30 minutes) Used when deleting the Sentinel Metadata.

Import

Sentinel Metadata can be imported using the resourceId, e.g.

terraform import azurerm_sentinel_metadata.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourcegroup1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/metadata/metadata1