Azure Integration with JupiterOne - AskJ1 Community
<main> <article class="userContent"> <h2 data-id="azure-jupiterone-integration-benefits">Azure + JupiterOne Integration Benefits</h2> <ul><li>Visualize Azure cloud resources in the JupiterOne graph.</li> <li>Map Azure users to employees in your JupiterOne account.</li> <li><p>Monitor visibility and governance of your Azure cloud environment by<br> leveraging hundreds of out of the box queries.</p></li> <li><p>Monitor compliance against the Azure CIS Benchmarks framework and other<br> security benchmarks using the JupiterOne compliance app.</p></li> <li><p>Monitor Azure vulnerabilities and findings from multiple services within the<br> alerts app.</p></li> <li><p>Monitor changes to your Azure cloud resources using multiple JupiterOne alert<br> rule packs specific to Azure.</p></li> </ul><h2 data-id="how-it-works">How it Works</h2> <ul><li><p>JupiterOne periodically fetches users and cloud resources from Azure to update<br> the graph.</p></li> <li><p>Write JupiterOne queries to review and monitor updates to the graph, or<br> leverage existing queries.</p></li> <li><p>Configure alerts to take action when the JupiterOne graph changes, or leverage<br> existing alerts.</p></li> </ul><h2 data-id="requirements">Requirements</h2> <ul><li><p>JupiterOne requires the API credentials for the Azure endpoint, specifically<br> the Directory (tenant) id, the Application (client) id, and the Application<br> (client) secret with the correct permissions assigned.</p></li> <li><p>You must have permission in JupiterOne to install new integrations.</p></li> </ul><h2 data-id="support">Support</h2> <p>If you need help with this integration, please contact<br><a rel="nofollow" href="https://support.jupiterone.io">JupiterOne Support</a>.</p> <h2 data-id="integration-walkthrough">Integration Walkthrough</h2> <p>Customers authorize access by creating a Service Principal (App Registration)<br> and providing the credentials to JupiterOne.</p> <p>The integration is triggered by an event 
containing the information for a<br> specific integration instance. Users configure the integration by providing API<br> credentials obtained through the Azure portal.</p> <p>Azure Active Directory is authenticated and accessed through the <a rel="nofollow" href="https://docs.microsoft.com/en-us/graph/auth-v2-service">Microsoft<br> Graph API</a>. Azure Resource Manager is authenticated and accessed through<br><a rel="nofollow" href="https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-api-authentication">Resource Manager APIs</a>.</p> <h3 data-id="in-azure">In Azure</h3> <p>To create the App Registration:</p> <ol><li>Go to your Azure portal</li> <li>Navigate to <strong>App registrations</strong></li> <li>Create a new App registration, using the <strong>Name</strong> "JupiterOne", selecting<br><strong>Accounts in this organizational directory only</strong>, with <strong>no</strong> "Redirect<br> URI"</li> <li>Navigate to the <strong>Overview</strong> page of the new app</li> <li>Copy the <strong>Application (client) ID</strong></li> <li>Copy the <strong>Directory (tenant) ID</strong></li> <li>Navigate to the <strong>Certificates & secrets</strong> section</li> <li>Create a new client secret</li> <li>Copy the generated secret <strong>Value</strong> (you only get one chance!)</li> </ol><h4 data-id="api-permissions-azure-active-directory">API Permissions (Azure Active Directory)</h4> <p>Grant permission to read Microsoft Graph information:</p> <ol><li>Navigate to <strong>API permissions</strong>, choose <strong>Microsoft Graph</strong>, then<br><strong>Application Permissions</strong></li> <li><p>Grant the following permissions to the application:</p> <p><strong>Required</strong></p></li> </ol><ul><li><p><code class="code codeInline" spellcheck="false" tabindex="0">Directory.Read.All</code></p> <p><strong>Optional</strong></p></li> </ul><table><thead><tr><th>Permission</th> <th>Endpoint(s)</th> </tr></thead><tbody><tr><td><code class="code 
codeInline" spellcheck="false" tabindex="0">Policy.Read.All</code></td> <td><a rel="nofollow" href="https://docs.microsoft.com/en-us/graph/api/identitysecuritydefaultsenforcementpolicy-get?view=graph-rest-1.0&tabs=http">/policies/identitySecurityDefaultsEnforcementPolicy</a></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">Reports.Read.All</code></td> <td><a rel="nofollow" href="https://docs.microsoft.com/en-us/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&tabs=http">/beta/reports/credentialUserRegistrationDetails</a></td> </tr></tbody></table><ol><li>Grant admin consent for this directory for the permissions above</li> </ol><h4 data-id="iam-roles-azure-management-groups-subscriptions">IAM Roles (Azure Management Groups / Subscriptions)</h4> <p>Please note that minimally <a rel="nofollow" href="https://docs.microsoft.com/en-us/graph/api/organization-get"><code class="code codeInline" spellcheck="false" tabindex="0">User.Read</code> is required</a> even when AD ingestion<br> is disabled. 
The integration will request Organization information to maintain<br> the <code class="code codeInline" spellcheck="false" tabindex="0">Account</code> entity.</p> <p>Grant the <code class="code codeInline" spellcheck="false" tabindex="0">Reader</code> RBAC subscription role to read Azure Resource Manager<br> information:</p> <ol><li><p>Navigate to the correct scope for your integration.</p> <p><em>If configuring a single Azure Subscription:</em></p></li> </ol><ul><li><p>Navigate to <strong>Subscriptions</strong>, choose the subscription from which you want<br> to ingest resources.</p> <p><em>If configuring all subscriptions for a tenant (using the<br><code class="code codeInline" spellcheck="false" tabindex="0">Configure Subscription Instances</code> flag in JupiterOne):</em></p></li> <li><p>Navigate to <strong>Management Groups</strong>, then to the<br><a rel="nofollow" href="https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#root-management-group-for-each-directory">Tenant Root Group</a>.</p></li> </ul><ol><li>Navigate to <strong>Access control (IAM)</strong>, then <strong>Add role assignment</strong></li> <li>Select <strong>Role</strong> "Reader", <strong>Assign access to</strong> "Azure AD user, group, or<br> service principal", and select the App "JupiterOne"</li> <li>Create a custom role called "JupiterOne Reader" with the following<br> permissions: <ul><li><code class="code codeInline" spellcheck="false" tabindex="0">Microsoft.PolicyInsights/policyStates/queryResults/action</code></li> </ul></li> <li>(Optional) If you'd like the integration to be able to fetch auth settings for<br> all Web Apps, add the following permissions to the same custom role: <ul><li><code class="code codeInline" spellcheck="false" tabindex="0">Microsoft.Web/sites/config/list/Action</code></li> </ul></li> <li>Select <strong>Role</strong> "JupiterOne Reader", <strong>Assign access to</strong> "Azure AD user,<br> group, or service principal", and select the app 
"JupiterOne"</li> <li><em>If configuring all subscriptions for a tenant (using the<br><code class="code codeInline" spellcheck="false" tabindex="0">Configure Subscription Instances</code> flag in JupiterOne):</em></li> </ol><ul><li>Also assign the "Management Group Reader" role to the App "JupiterOne"</li> </ul><h3 data-id="key-vault-access-policy">Key Vault Access Policy</h3> <p>Please note that listing Key Vault keys and secrets (<code class="code codeInline" spellcheck="false" tabindex="0">rm-keyvault-keys</code> and<br><code class="code codeInline" spellcheck="false" tabindex="0">rm-keyvault-secrets</code> steps) requires JupiterOne users to grant the following<br> permissions to the JupiterOne security principal <em>for each Key Vault in their<br> account</em>:</p> <ul><li><p>Key Permissions</p> <ul><li>Key Management Operations</li> <li>List</li> </ul></li> <li><p>Secret Permissions</p> <ul><li>Secret Management Operations</li> <li>List</li> </ul></li> </ul><p>The steps necessary for that are outlined on this page:<br><a rel="nofollow" href="https://go.microsoft.com/fwlink/?linkid=2125287">Assign a Key Vault access policy</a>.</p> <h3 data-id="in-jupiterone">In JupiterOne</h3> <ol><li>From the configuration <strong>Gear Icon</strong>, select <strong>Integrations</strong>.</li> <li>Scroll to the <strong>Azure</strong> integration tile and click it.</li> <li>Click the <strong>Add Configuration</strong> button and configure the following settings:</li> </ol><ul><li><p>Enter the <strong>Account Name</strong> by which you'd like to identify this Azure account<br> in JupiterOne. 
Ingested entities will have this value stored in<br><code class="code codeInline" spellcheck="false" tabindex="0">tag.AccountName</code> when <strong>Tag with Account Name</strong> is checked.</p></li> <li><p>Enter a <strong>Description</strong> that will further assist your team when identifying<br> the integration instance.</p></li> <li><p>Select a <strong>Polling Interval</strong> that you feel is sufficient for your monitoring<br> needs. You may leave this as <code class="code codeInline" spellcheck="false" tabindex="0">DISABLED</code> and manually execute the integration.</p></li> <li><p>Enter the <strong>Directory (tenant) ID</strong> of the Active Directory to target in Azure<br> API requests.</p></li> <li><p>Enter the <strong>Application (client) ID</strong> created for JupiterOne, used to<br> authenticate with Azure.</p></li> <li><p>Enter the <strong>Application (client) Secret</strong> associated with the application ID,<br> used to authenticate with Azure.</p></li> <li><p>Select the option <strong>Ingest Active Directory</strong> to ingest Directory information.<br> This should only be enabled in one integration instance per Directory.</p></li> </ul><ol start="4"><li>Click <strong>Create Configuration</strong> once all values are provided.</li> </ol><h3 data-id="troubleshooting">Troubleshooting</h3> <h4 data-id="authentication-errors">Authentication Errors</h4> <p>If the Azure integration does not complete, and you encounter a message like<br><code class="code codeInline" spellcheck="false" tabindex="0">[validation_failure] Error occurred while validating integration configuration</code><br> in your job log, check the following common configuration errors:</p> <ul><li><p><strong>Verify the Application (client) ID and Application (client) Secret:</strong> Make<br> sure that you've verified the proper value for client ID and client secret.<br> The client secret has both a <strong>Value</strong> property and a <strong>Secret ID</strong> property.<br> The 
<strong>Secret ID</strong> is unused - make sure you haven't accidentally used the<br><strong>Secret ID</strong> as the <strong>Client ID</strong>.</p></li> <li><p><strong>Verify that you've enabled the proper API permissions:</strong> Make sure the<br> required API permissions (described above) are enabled for the application.</p></li> <li><p><strong>Verify that the API permissions have been granted as "Application" and not<br> "Delegated":</strong> The integration requires API Permissions of type<br><strong>Application</strong>. Permissions of type <strong>Delegated</strong> will cause issues in your<br> integration.</p></li> <li><p><strong>Verify that your permissions have been "Grant(ed) admin consent for<br> Directory":</strong> If you have added API Permissions to the application, but have<br> not granted Admin Consent, the permissions are not yet active.</p></li> </ul><p><br></p> <h2 data-id="data-model">Data Model</h2> <h3 data-id="entities">Entities</h3> <p>The following entities are created:</p> <table><thead><tr><th>Resources</th> <th>Entity <code class="code codeInline" spellcheck="false" tabindex="0">_type</code></th> <th>Entity <code class="code codeInline" spellcheck="false" tabindex="0">_class</code></th> </tr></thead><tbody><tr><td>[AD] Account</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_account</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Account</code></td> </tr><tr><td>[AD] Group</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_user_group</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">UserGroup</code></td> </tr><tr><td>[AD] Group Member</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_group_member</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">User</code></td> </tr><tr><td>[AD] Service Principal</td> <td><code class="code codeInline" spellcheck="false" 
tabindex="0">azure_service_principal</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Service</code></td> </tr><tr><td>[AD] User</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_user</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">User</code></td> </tr><tr><td>[RM] API Management API</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_api_management_api</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">ApplicationEndpoint</code></td> </tr><tr><td>[RM] API Management Service</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_api_management_service</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Gateway</code></td> </tr><tr><td>[RM] Advisor Recommendation</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_advisor_recommendation</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Finding</code></td> </tr><tr><td>[RM] App Service Plan</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_app_service_plan</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Configuration</code></td> </tr><tr><td>[RM] Azure Kubernetes Cluster</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_kubernetes_cluster</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Cluster</code></td> </tr><tr><td>[RM] Azure Managed Disk</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_managed_disk</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code>, <code class="code codeInline" spellcheck="false" tabindex="0">Disk</code></td> </tr><tr><td>[RM] Batch Account</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_batch_account</code></td> <td><code class="code codeInline" 
spellcheck="false" tabindex="0">Service</code></td> </tr><tr><td>[RM] Batch Application</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_batch_application</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Process</code></td> </tr><tr><td>[RM] Batch Certificate</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_batch_certificate</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Certificate</code></td> </tr><tr><td>[RM] Batch Pool</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_batch_pool</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Cluster</code></td> </tr><tr><td>[RM] CDN Endpoint</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_cdn_endpoint</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Gateway</code></td> </tr><tr><td>[RM] CDN Profile</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_cdn_profile</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Service</code></td> </tr><tr><td>[RM] Classic Admin</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_classic_admin_group</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">UserGroup</code></td> </tr><tr><td>[RM] Container</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_container</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Container</code></td> </tr><tr><td>[RM] Container Group</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_container_group</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Group</code></td> </tr><tr><td>[RM] Container Registry</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_container_registry</code></td> <td><code class="code 
codeInline" spellcheck="false" tabindex="0">DataStore</code></td> </tr><tr><td>[RM] Container Registry Webhook</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_container_registry_webhook</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">ApplicationEndpoint</code></td> </tr><tr><td>[RM] Container Volume</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_container_volume</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Disk</code></td> </tr><tr><td>[RM] Cosmos DB Account</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_cosmosdb_account</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Account</code>, <code class="code codeInline" spellcheck="false" tabindex="0">Service</code></td> </tr><tr><td>[RM] Cosmos DB Database</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_cosmosdb_sql_database</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Database</code>, <code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code></td> </tr><tr><td>[RM] DNS Record Set</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_dns_record_set</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">DomainRecord</code></td> </tr><tr><td>[RM] DNS Zone</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_dns_zone</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">DomainZone</code></td> </tr><tr><td>[RM] Event Grid Domain</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_event_grid_domain</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Service</code></td> </tr><tr><td>[RM] Event Grid Domain Topic</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_event_grid_domain_topic</code></td> 
<td><code class="code codeInline" spellcheck="false" tabindex="0">Queue</code></td> </tr><tr><td>[RM] Event Grid Topic</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_event_grid_topic</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Queue</code></td> </tr><tr><td>[RM] Event Grid Topic Subscription</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_event_grid_topic_subscription</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Subscription</code></td> </tr><tr><td>[RM] Function App</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_function_app</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Function</code></td> </tr><tr><td>[RM] Gallery</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_gallery</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Repository</code></td> </tr><tr><td>[RM] Image</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_image</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Image</code></td> </tr><tr><td>[RM] Key Vault</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_keyvault_service</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Service</code></td> </tr><tr><td>[RM] Key Vault Key</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_keyvault_key</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Key</code></td> </tr><tr><td>[RM] Key Vault Secret</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_keyvault_secret</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Secret</code></td> </tr><tr><td>[RM] Load Balancer</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_lb</code></td> <td><code 
class="code codeInline" spellcheck="false" tabindex="0">Gateway</code></td> </tr><tr><td>[RM] Location</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_location</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Site</code></td> </tr><tr><td>[RM] Management Group</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_management_group</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Group</code></td> </tr><tr><td>[RM] MariaDB Database</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_mariadb_database</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Database</code>, <code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code></td> </tr><tr><td>[RM] MariaDB Server</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_mariadb_server</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Database</code>, <code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code>, <code class="code codeInline" spellcheck="false" tabindex="0">Host</code></td> </tr><tr><td>[RM] Monitor Activity Log Alert</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_monitor_activity_log_alert</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Rule</code></td> </tr><tr><td>[RM] Monitor Diagnostic Settings Resource</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_diagnostic_setting</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Configuration</code></td> </tr><tr><td>[RM] Monitor Log Profile</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_monitor_log_profile</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Configuration</code></td> </tr><tr><td>[RM] MySQL Database</td> <td><code class="code 
codeInline" spellcheck="false" tabindex="0">azure_mysql_database</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Database</code>, <code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code></td> </tr><tr><td>[RM] MySQL Server</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_mysql_server</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Database</code>, <code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code>, <code class="code codeInline" spellcheck="false" tabindex="0">Host</code></td> </tr><tr><td>[RM] Network Firewall</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_network_firewall</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Firewall</code></td> </tr><tr><td>[RM] Network Interface</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_nic</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">NetworkInterface</code></td> </tr><tr><td>[RM] Network Watcher</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_network_watcher</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Resource</code></td> </tr><tr><td>[RM] Policy Assignment</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_assignment</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">ControlPolicy</code></td> </tr><tr><td>[RM] Policy Definition</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_definition</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Rule</code></td> </tr><tr><td>[RM] Policy Set Definition</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_set_definition</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Ruleset</code></td> 
</tr><tr><td>[RM] Policy State</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_state</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Review</code></td> </tr><tr><td>[RM] PostgreSQL Database</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_postgresql_database</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Database</code>, <code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code></td> </tr><tr><td>[RM] PostgreSQL Server</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_postgresql_server</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Database</code>, <code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code>, <code class="code codeInline" spellcheck="false" tabindex="0">Host</code></td> </tr><tr><td>[RM] PostgreSQL Server Firewall Rule</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_postgresql_server_firewall_rule</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Firewall</code></td> </tr><tr><td>[RM] Private DNS Record Set</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_private_dns_record_set</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">DomainRecord</code></td> </tr><tr><td>[RM] Private DNS Zone</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_private_dns_zone</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">DomainZone</code></td> </tr><tr><td>[RM] Private Endpoint</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_private_endpoint</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">NetworkEndpoint</code></td> </tr><tr><td>[RM] Public IP Address</td> <td><code class="code codeInline" spellcheck="false" 
tabindex="0">azure_public_ip</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">IpAddress</code></td> </tr><tr><td>[RM] Redis Cache</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_redis_cache</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Database</code>, <code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code>, <code class="code codeInline" spellcheck="false" tabindex="0">Cluster</code></td> </tr><tr><td>[RM] Redis Firewall Rule</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_firewall_rule</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Firewall</code></td> </tr><tr><td>[RM] Resource Group</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Group</code></td> </tr><tr><td>[RM] Resource Lock</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_lock</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Rule</code></td> </tr><tr><td>[RM] Role Assignment</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_assignment</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">AccessPolicy</code></td> </tr><tr><td>[RM] Role Definition</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_definition</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">AccessRole</code></td> </tr><tr><td>[RM] SQL Database</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_sql_database</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Database</code>, <code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code></td> </tr><tr><td>[RM] SQL Server</td> <td><code class="code codeInline" 
spellcheck="false" tabindex="0">azure_sql_server</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Database</code>, <code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code>, <code class="code codeInline" spellcheck="false" tabindex="0">Host</code></td> </tr><tr><td>[RM] SQL Server Active Directory Admin</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_sql_server_active_directory_admin</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">AccessRole</code></td> </tr><tr><td>[RM] SQL Server Firewall Rule</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_sql_server_firewall_rule</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Firewall</code></td> </tr><tr><td>[RM] Security Assessment</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_assessment</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Assessment</code></td> </tr><tr><td>[RM] Security Center Auto Provisioning Setting</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_center_auto_provisioning_setting</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Configuration</code></td> </tr><tr><td>[RM] Security Center Setting</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_center_setting</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Configuration</code></td> </tr><tr><td>[RM] Security Center Subscription Pricing</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_center_subscription_pricing</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Configuration</code></td> </tr><tr><td>[RM] Security Contact</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_center_contact</code></td> 
<td><code class="code codeInline" spellcheck="false" tabindex="0">Resource</code></td> </tr><tr><td>[RM] Security Group</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_group</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Firewall</code></td> </tr><tr><td>[RM] Security Group Flow Logs</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_group_flow_logs</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Logs</code></td> </tr><tr><td>[RM] Service Bus Namespace</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_service_bus_namespace</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Service</code></td> </tr><tr><td>[RM] Service Bus Queue</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_service_bus_queue</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Queue</code></td> </tr><tr><td>[RM] Service Bus Subscription</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_service_bus_subscription</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Subscription</code></td> </tr><tr><td>[RM] Service Bus Topic</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_service_bus_topic</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Queue</code></td> </tr><tr><td>[RM] Shared Image</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_shared_image</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Image</code></td> </tr><tr><td>[RM] Shared Image Version</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_shared_image_version</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Image</code></td> </tr><tr><td>[RM] Storage Account</td> <td><code 
class="code codeInline" spellcheck="false" tabindex="0">azure_storage_account</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Service</code></td> </tr><tr><td>[RM] Storage Container</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_container</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code></td> </tr><tr><td>[RM] Storage File Share</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_file_share</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code></td> </tr><tr><td>[RM] Storage Queue</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_queue</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Queue</code></td> </tr><tr><td>[RM] Storage Table</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_table</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code>, <code class="code codeInline" spellcheck="false" tabindex="0">Database</code></td> </tr><tr><td>[RM] Subnet</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subnet</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Network</code></td> </tr><tr><td>[RM] Subscription</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subscription</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Account</code></td> </tr><tr><td>[RM] Virtual Machine</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vm</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Host</code></td> </tr><tr><td>[RM] Virtual Machine Extension</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vm_extension</code></td> <td><code class="code codeInline" spellcheck="false" 
tabindex="0">Application</code></td> </tr><tr><td>[RM] Virtual Network</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vnet</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Network</code></td> </tr><tr><td>[RM] Web App</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_web_app</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Application</code></td> </tr></tbody></table><h3 data-id="relationships">Relationships</h3> <p>The following relationships are created:</p> <table><thead><tr><th>Source Entity <code class="code codeInline" spellcheck="false" tabindex="0">_type</code></th> <th>Relationship <code class="code codeInline" spellcheck="false" tabindex="0">_class</code></th> <th>Target Entity <code class="code codeInline" spellcheck="false" tabindex="0">_type</code></th> </tr></thead><tbody><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_user_group</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_keyvault_service</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_management_group</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_user</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_api_management_service</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" 
spellcheck="false" tabindex="0">azure_api_management_api</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_assessment</code></td> <td><strong>IDENTIFIED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_advisor_recommendation</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_batch_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_batch_application</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_batch_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_batch_certificate</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_batch_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_batch_pool</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_cdn_profile</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_cdn_endpoint</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_classic_admin_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_user</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_container_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_container</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_container_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_container_volume</code></td> </tr><tr><td><code 
class="code codeInline" spellcheck="false" tabindex="0">azure_container_registry</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_container_registry_webhook</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_container</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_container_volume</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_container_volume</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_file_share</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_cosmosdb_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_cosmosdb_sql_database</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_diagnostic_setting</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_account</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_dns_zone</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_dns_record_set</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_event_grid_domain</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_event_grid_domain_topic</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_event_grid_domain_topic</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_event_grid_topic_subscription</code></td> </tr><tr><td><code class="code codeInline" 
spellcheck="false" tabindex="0">azure_event_grid_topic</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_event_grid_topic_subscription</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_function_app</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_app_service_plan</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_gallery</code></td> <td><strong>CONTAINS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_shared_image</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_user_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_user_group</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_user_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_group_member</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_user_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_user</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_keyvault_service</code></td> <td><strong>ALLOWS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">ANY_PRINCIPAL</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_keyvault_service</code></td> <td><strong>CONTAINS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_keyvault_key</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_keyvault_service</code></td> <td><strong>CONTAINS</strong></td> <td><code 
class="code codeInline" spellcheck="false" tabindex="0">azure_keyvault_secret</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_lb</code></td> <td><strong>CONNECTS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_nic</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_management_group</code></td> <td><strong>CONTAINS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_management_group</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_mariadb_server</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_mariadb_database</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_monitor_activity_log_alert</code></td> <td><strong>MONITORS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">ANY_SCOPE</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_monitor_log_profile</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_account</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_mysql_server</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_mysql_database</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_network_watcher</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_group_flow_logs</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_assignment</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" 
tabindex="0">azure_policy_state</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_assignment</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_definition</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_assignment</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_set_definition</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_definition</code></td> <td><strong>DEFINES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_state</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_set_definition</code></td> <td><strong>CONTAINS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_definition</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_postgresql_server</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_postgresql_database</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_postgresql_server</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_postgresql_server_firewall_rule</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_private_dns_zone</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_private_dns_record_set</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_private_endpoint</code></td> <td><strong>CONNECTS</strong></td> <td><code class="code codeInline" spellcheck="false" 
tabindex="0">ANY_RESOURCE</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_private_endpoint</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_nic</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_redis_cache</code></td> <td><strong>CONNECTS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_redis_cache</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_redis_cache</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_firewall_rule</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_api_management_service</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_app_service_plan</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_batch_account</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_cdn_profile</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_container_group</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" 
tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_container_registry</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_cosmosdb_account</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_dns_zone</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_event_grid_domain</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_event_grid_topic</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_function_app</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_gallery</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_image</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" 
spellcheck="false" tabindex="0">azure_keyvault_service</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_kubernetes_cluster</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_lb</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_managed_disk</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_mariadb_server</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_monitor_activity_log_alert</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_mysql_server</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_network_firewall</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_network_watcher</code></td> </tr><tr><td><code class="code 
codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_nic</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_postgresql_server</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_private_dns_zone</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_private_endpoint</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_public_ip</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_redis_cache</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_group</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_service_bus_namespace</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> 
<td><code class="code codeInline" spellcheck="false" tabindex="0">azure_sql_server</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_account</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vm</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vnet</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_web_app</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">ANY_SCOPE</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_diagnostic_setting</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">ANY_SCOPE</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_advisor_recommendation</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">ANY_SCOPE</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_assignment</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">ANY_RESOURCE</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_state</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" 
tabindex="0">azure_resource_lock</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">ANY_SCOPE</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_assignment</code></td> <td><strong>ALLOWS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">ANY_SCOPE</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_assignment</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_application</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_assignment</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_directory</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_assignment</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_directory_role_template</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_assignment</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_everyone</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_assignment</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_foreign_group</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_assignment</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_msi</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_assignment</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code 
codeInline" spellcheck="false" tabindex="0">azure_service_principal</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_assignment</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_unknown</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_assignment</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_unknown_principal_type</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_assignment</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_user</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_assignment</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_user_group</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_assignment</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_definition</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_group_flow_logs</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_account</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_group_flow_logs</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_group</code></td> <td><strong>PROTECTS</strong></td> <td><code class="code codeInline" spellcheck="false" 
tabindex="0">azure_nic</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_group</code></td> <td><strong>PROTECTS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subnet</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_group</code></td> <td><strong>ALLOWS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subnet</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_service_bus_namespace</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_service_bus_queue</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_service_bus_namespace</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_service_bus_topic</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_service_bus_topic</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_service_bus_subscription</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_shared_image</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_shared_image_version</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_sql_server</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_sql_server_active_directory_admin</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_sql_server</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_sql_database</code></td> </tr><tr><td><code class="code 
codeInline" spellcheck="false" tabindex="0">azure_sql_server</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_sql_server_firewall_rule</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_container</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_file_share</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_queue</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_table</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_account</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_keyvault_service</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subnet</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_private_endpoint</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subnet</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vm</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subscription</code></td> <td><strong>CONTAINS</strong></td> 
<td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_definition</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subscription</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_monitor_log_profile</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subscription</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_resource_group</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subscription</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_center_auto_provisioning_setting</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subscription</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_center_contact</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subscription</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_center_setting</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subscription</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_center_subscription_pricing</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subscription</code></td> <td><strong>PERFORMED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_security_assessment</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vm</code></td> <td><strong>GENERATED</strong></td> <td><code class="code codeInline" 
spellcheck="false" tabindex="0">azure_shared_image_version</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vm</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_image</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vm</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_managed_disk</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vm</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_service_principal</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vm</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_nic</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vm</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_public_ip</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vm</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_shared_image</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vm</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_shared_image_version</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vm</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_storage_account</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vnet</code></td> <td><strong>CONTAINS</strong></td> 
<td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subnet</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_web_app</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_app_service_plan</code></td> </tr></tbody></table><h3 data-id="mapped-relationships">Mapped Relationships</h3> <p>The following mapped relationships are created:</p> <table><thead><tr><th>Source Entity <code class="code codeInline" spellcheck="false" tabindex="0">_type</code></th> <th>Relationship <code class="code codeInline" spellcheck="false" tabindex="0">_class</code></th> <th>Target Entity <code class="code codeInline" spellcheck="false" tabindex="0">_type</code></th> <th>Direction</th> </tr></thead><tbody><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_network_watcher</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">*azure_location*</code></td> <td>REVERSE</td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_subscription</code></td> <td><strong>USES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">*azure_location*</code></td> <td>FORWARD</td> </tr></tbody></table><h2 data-id="diagnostic-settings">Diagnostic Settings</h2> <p>Azure Diagnostic Settings are supported on many Azure resources. 
A list of supported services and metrics can be found in the <a rel="nofollow" href="https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-supported">Azure documentation</a>.</p> <p>The JupiterOne graph-azure project currently ingests diagnostic settings for the following entities:</p> <ul><li>azure_api_management_service</li> <li>azure_batch_account</li> <li>azure_cdn_endpoint</li> <li>azure_cdn_profile</li> <li>azure_container_registry</li> <li>azure_event_grid_domain</li> <li>azure_event_grid_topic</li> <li><p>azure_keyvault_service</p> <ul><li>Log Categories: <ul><li>AuditEvent</li> </ul></li> </ul></li> <li><p>azure_lb</p></li> <li>azure_mariadb_server</li> <li>azure_mysql_server</li> <li>azure_network_firewall</li> <li>azure_postgresql_server</li> <li>azure_public_ip</li> <li>azure_security_group</li> <li>azure_sql_server</li> <li><p>azure_subscription</p> <ul><li>Log Categories: <ul><li>Administrative</li> <li>Alert</li> <li>Policy</li> <li>Security</li> </ul></li> </ul></li> <li><p>azure_vnet</p></li> </ul> </article> </main>