Metadata - Create
Create a Metadata.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/metadata/{metadataName}?api-version=2025-03-01URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
metadata
|
path | True |
string pattern: ^\S+$ |
The Metadata name. |
|
resource
|
path | True |
string minLength: 1maxLength: 90 |
The name of the resource group. The name is case insensitive. |
|
subscription
|
path | True |
string (uuid) |
The ID of the target subscription. The value must be an UUID. |
|
workspace
|
path | True |
string minLength: 1maxLength: 90 pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$ |
The name of the workspace. |
|
api-version
|
query | True |
string minLength: 1 |
The API version to use for this operation. |
Request Body
| Name | Required | Type | Description |
|---|---|---|---|
| properties.kind | True |
string |
The kind of content the metadata is for. |
| properties.parentId | True |
string |
Full parent resource ID of the content item the metadata is for. This is the full resource ID including the scope (subscription and resource group) |
| etag |
string |
Etag of the azure resource |
|
| properties.author |
The creator of the content item. |
||
| properties.categories |
Categories for the solution content item |
||
| properties.contentId |
string |
Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Dynamic for user-created. This is the resource name |
|
| properties.contentSchemaVersion |
string |
Schema version of the content. Can be used to distinguish between different flow based on the schema version |
|
| properties.customVersion |
string |
The custom version of the content. A optional free text |
|
| properties.dependencies |
Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats. |
||
| properties.firstPublishDate |
string (date) |
first publish date solution content item |
|
| properties.icon |
string |
the icon identifier. this id can later be fetched from the solution template |
|
| properties.lastPublishDate |
string (date) |
last publish date for the solution content item |
|
| properties.previewImages |
string[] |
preview image file names. These will be taken from the solution artifacts |
|
| properties.previewImagesDark |
string[] |
preview image file names. These will be taken from the solution artifacts. used for dark theme support |
|
| properties.providers |
string[] |
Providers for the solution content item |
|
| properties.source |
Source of the content. This is where/how it was created. |
||
| properties.support |
Support information for the metadata - type, name, contact information |
||
| properties.threatAnalysisTactics |
string[] |
the tactics the resource covers |
|
| properties.threatAnalysisTechniques |
string[] |
the techniques the resource covers, these have to be aligned with the tactics being used |
|
| properties.version |
string |
Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM template best practices. Can also be any string, but then we cannot guarantee any version checks |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
OK, Operation successfully completed |
|
| 201 Created |
Created |
|
| Other Status Codes |
Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
| Create/update full metadata. |
| Create/update minimal metadata. |
Create/update full metadata.
Sample request
PUT https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName?api-version=2025-03-01
{
"properties": {
"contentId": "c00ee137-7475-47c8-9cce-ec6f0f1bedd0",
"version": "1.0.0.0",
"kind": "AnalyticsRule",
"parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName",
"source": {
"kind": "Solution",
"name": "Contoso Solution 1.0",
"sourceId": "b688a130-76f4-4a07-bf57-762222a3cadf"
},
"author": {
"name": "User Name",
"email": "email@microsoft.com"
},
"support": {
"name": "Microsoft",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/",
"tier": "Partner"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"operator": "OR",
"criteria": [
{
"contentId": "045d06d0-ee72-4794-aba4-cf5646e4c756",
"kind": "DataConnector",
"name": "Microsoft Defender for Endpoint"
},
{
"contentId": "dbfcb2cc-d782-40ef-8d94-fe7af58a6f2d",
"kind": "DataConnector"
},
{
"contentId": "de4dca9b-eb37-47d6-a56f-b8b06b261593",
"kind": "DataConnector",
"version": "2.0"
}
]
},
{
"kind": "Playbook",
"contentId": "31ee11cc-9989-4de8-b176-5e0ef5c4dbab",
"version": "1.0"
},
{
"kind": "Parser",
"contentId": "21ba424a-9438-4444-953a-7059539a7a1b"
}
]
},
"categories": {
"domains": [
"Application",
"Security – Insider Threat"
],
"verticals": [
"Healthcare"
]
},
"providers": [
"Amazon",
"Microsoft"
],
"firstPublishDate": "2021-05-18",
"lastPublishDate": "2021-05-18",
"previewImages": [
"firstImage.png",
"secondImage.jpeg"
],
"previewImagesDark": [
"firstImageDark.png",
"secondImageDark.jpeg"
],
"contentSchemaVersion": "2.0",
"customVersion": "1.0",
"threatAnalysisTactics": [
"reconnaissance",
"commandandcontrol"
],
"threatAnalysisTechniques": [
"T1548",
"T1548.001"
]
}
}
Sample response
{
"id": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName",
"name": "metadataName",
"type": "Microsoft.SecurityInsights/metadata",
"properties": {
"contentId": "c00ee137-7475-47c8-9cce-ec6f0f1bedd0",
"version": "1.0.0.0",
"kind": "AnalyticsRule",
"parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName",
"source": {
"kind": "Solution",
"name": "Contoso Solution 1.0",
"sourceId": "b688a130-76f4-4a07-bf57-762222a3cadf"
},
"author": {
"name": "User Name",
"email": "email@microsoft.com"
},
"support": {
"name": "Microsoft",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/",
"tier": "Partner"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"operator": "OR",
"criteria": [
{
"contentId": "045d06d0-ee72-4794-aba4-cf5646e4c756",
"kind": "DataConnector"
},
{
"contentId": "dbfcb2cc-d782-40ef-8d94-fe7af58a6f2d",
"kind": "DataConnector"
},
{
"contentId": "de4dca9b-eb37-47d6-a56f-b8b06b261593",
"kind": "DataConnector",
"version": "2.0"
}
]
},
{
"kind": "Playbook",
"contentId": "31ee11cc-9989-4de8-b176-5e0ef5c4dbab",
"version": "1.0"
},
{
"kind": "Parser",
"contentId": "21ba424a-9438-4444-953a-7059539a7a1b"
}
]
},
"categories": {
"domains": [
"Application",
"Security – Insider Threat"
],
"verticals": [
"Healthcare"
]
},
"providers": [
"Amazon",
"Microsoft"
],
"firstPublishDate": "2021-05-18",
"lastPublishDate": "2021-05-18",
"previewImages": [
"firstImage.png",
"secondImage.jpeg"
],
"previewImagesDark": [
"firstImageDark.png",
"secondImageDark.jpeg"
],
"contentSchemaVersion": "2.0",
"customVersion": "1.0",
"threatAnalysisTactics": [
"reconnaissance",
"commandandcontrol"
],
"threatAnalysisTechniques": [
"T1548",
"T1548.001"
]
}
}{
"id": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName",
"name": "metadataName",
"type": "Microsoft.SecurityInsights/metadata",
"properties": {
"contentId": "c00ee137-7475-47c8-9cce-ec6f0f1bedd0",
"version": "1.0.0.0",
"kind": "AnalyticsRule",
"parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName",
"source": {
"kind": "Solution",
"name": "Contoso Solution 1.0",
"sourceId": "b688a130-76f4-4a07-bf57-762222a3cadf"
},
"author": {
"name": "User Name",
"email": "email@microsoft.com"
},
"support": {
"name": "Microsoft",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/",
"tier": "Partner"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"operator": "OR",
"criteria": [
{
"contentId": "045d06d0-ee72-4794-aba4-cf5646e4c756",
"kind": "DataConnector"
},
{
"contentId": "dbfcb2cc-d782-40ef-8d94-fe7af58a6f2d",
"kind": "DataConnector"
},
{
"contentId": "de4dca9b-eb37-47d6-a56f-b8b06b261593",
"kind": "DataConnector",
"version": "2.0"
}
]
},
{
"kind": "Playbook",
"contentId": "31ee11cc-9989-4de8-b176-5e0ef5c4dbab",
"version": "1.0"
},
{
"kind": "Parser",
"contentId": "21ba424a-9438-4444-953a-7059539a7a1b"
}
]
},
"categories": {
"domains": [
"Application",
"Security – Insider Threat"
],
"verticals": [
"Healthcare"
]
},
"providers": [
"Amazon",
"Microsoft"
],
"firstPublishDate": "2021-05-18",
"lastPublishDate": "2021-05-18",
"previewImages": [
"firstImage.png",
"secondImage.jpeg"
],
"previewImagesDark": [
"firstImageDark.png",
"secondImageDark.jpeg"
],
"contentSchemaVersion": "2.0",
"customVersion": "1.0",
"threatAnalysisTactics": [
"reconnaissance",
"commandandcontrol"
],
"threatAnalysisTechniques": [
"T1548",
"T1548.001"
]
}
}Create/update minimal metadata.
Sample request
PUT https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName?api-version=2025-03-01
{
"properties": {
"contentId": "c00ee137-7475-47c8-9cce-ec6f0f1bedd0",
"kind": "AnalyticsRule",
"parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName"
}
}
Sample response
{
"id": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName",
"name": "metadataName",
"type": "Microsoft.SecurityInsights/metadata",
"properties": {
"kind": "AnalyticsRule",
"parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName"
}
}{
"id": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName",
"name": "metadataName",
"type": "Microsoft.SecurityInsights/metadata",
"properties": {
"kind": "AnalyticsRule",
"parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName"
}
}Definitions
| Name | Description |
|---|---|
|
Cloud |
Error response structure. |
|
Cloud |
Error details. |
|
created |
The type of identity that created the resource. |
|
metadata |
Publisher or creator of the content item. |
|
metadata |
ies for the solution content item |
|
metadata |
Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex dependencies. |
|
Metadata |
Metadata resource definition. |
|
metadata |
The original source of the content item, where it comes from. |
|
metadata |
Support information for the content item. |
| operator |
Operator used for list of dependencies in criteria array. |
|
source |
Source type of the content |
|
support |
Type of support for content item |
|
system |
Metadata pertaining to creation and last modification of the resource. |
CloudError
Error response structure.
| Name | Type | Description |
|---|---|---|
| error |
Error data |
CloudErrorBody
Error details.
| Name | Type | Description |
|---|---|---|
| code |
string |
An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
| message |
string |
A message describing the error, intended to be suitable for display in a user interface. |
createdByType
The type of identity that created the resource.
| Value | Description |
|---|---|
| Application | |
| Key | |
| ManagedIdentity | |
| User |
metadataAuthor
Publisher or creator of the content item.
| Name | Type | Description |
|---|---|---|
|
string |
Email of author contact |
|
| link |
string |
Link for author/vendor page |
| name |
string |
Name of the author. Company or person. |
metadataCategories
ies for the solution content item
| Name | Type | Description |
|---|---|---|
| domains |
string[] |
domain for the solution content item |
| verticals |
string[] |
Industry verticals for the solution content item |
metadataDependencies
Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex dependencies.
| Name | Type | Description |
|---|---|---|
| contentId |
string |
Id of the content item we depend on |
| criteria |
This is the list of dependencies we must fulfill, according to the AND/OR operator |
|
| kind |
string |
Type of the content item we depend on |
| name |
string |
Name of the content item |
| operator |
Operator used for list of dependencies in criteria array. |
|
| version |
string |
Version of the the content item we depend on. Can be blank, * or missing to indicate any version fulfills the dependency. If version does not match our defined numeric format then an exact match is required. |
MetadataModel
Metadata resource definition.
| Name | Type | Description |
|---|---|---|
| etag |
string |
Etag of the azure resource |
| id |
string (arm-id) |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
| name |
string |
The name of the resource |
| properties.author |
The creator of the content item. |
|
| properties.categories |
Categories for the solution content item |
|
| properties.contentId |
string |
Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Dynamic for user-created. This is the resource name |
| properties.contentSchemaVersion |
string |
Schema version of the content. Can be used to distinguish between different flow based on the schema version |
| properties.customVersion |
string |
The custom version of the content. A optional free text |
| properties.dependencies |
Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats. |
|
| properties.firstPublishDate |
string (date) |
first publish date solution content item |
| properties.icon |
string |
the icon identifier. this id can later be fetched from the solution template |
| properties.kind |
string |
The kind of content the metadata is for. |
| properties.lastPublishDate |
string (date) |
last publish date for the solution content item |
| properties.parentId |
string |
Full parent resource ID of the content item the metadata is for. This is the full resource ID including the scope (subscription and resource group) |
| properties.previewImages |
string[] |
preview image file names. These will be taken from the solution artifacts |
| properties.previewImagesDark |
string[] |
preview image file names. These will be taken from the solution artifacts. used for dark theme support |
| properties.providers |
string[] |
Providers for the solution content item |
| properties.source |
Source of the content. This is where/how it was created. |
|
| properties.support |
Support information for the metadata - type, name, contact information |
|
| properties.threatAnalysisTactics |
string[] |
the tactics the resource covers |
| properties.threatAnalysisTechniques |
string[] |
the techniques the resource covers, these have to be aligned with the tactics being used |
| properties.version |
string |
Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM template best practices. Can also be any string, but then we cannot guarantee any version checks |
| systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
| type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
metadataSource
The original source of the content item, where it comes from.
| Name | Type | Description |
|---|---|---|
| kind |
Source type of the content |
|
| name |
string |
Name of the content source. The repo name, solution name, LA workspace name etc. |
| sourceId |
string |
ID of the content source. The solution ID, workspace ID, etc |
metadataSupport
Support information for the content item.
| Name | Type | Description |
|---|---|---|
|
string |
Email of support contact |
|
| link |
string |
Link for support help, like to support page to open a ticket etc. |
| name |
string |
Name of the support contact. Company or person. |
| tier |
Type of support for content item |
operator
Operator used for list of dependencies in criteria array.
| Value | Description |
|---|---|
| AND | |
| OR |
sourceKind
Source type of the content
| Value | Description |
|---|---|
| Community | |
| LocalWorkspace | |
| Solution | |
| SourceRepository |
supportTier
Type of support for content item
| Value | Description |
|---|---|
| Community | |
| Microsoft | |
| Partner |
systemData
Metadata pertaining to creation and last modification of the resource.
| Name | Type | Description |
|---|---|---|
| createdAt |
string (date-time) |
The timestamp of resource creation (UTC). |
| createdBy |
string |
The identity that created the resource. |
| createdByType |
The type of identity that created the resource. |
|
| lastModifiedAt |
string (date-time) |
The timestamp of resource last modification (UTC) |
| lastModifiedBy |
string |
The identity that last modified the resource. |
| lastModifiedByType |
The type of identity that last modified the resource. |