azure-native.securityinsights.ActivityCustomEntityQuery
Represents an Activity entity query. API Version: 2021-03-01-preview.
Example Usage
Creates or updates an Activity entity query.
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
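// Creates or updates a Sentinel Activity entity query for Host entities.
// Title/Content are shown on the entity timeline; the KQL in QueryDefinitions
// runs against the named workspace with the '{{...}}' placeholders filled in
// by Sentinel from the selected entity's fields.
return await Deployment.RunAsync(() =>
{
    // Verbatim string: no escape processing, so the KQL escaped backslash
    // ('\\', used to split DOMAIN\host computer names) reaches the service as written.
    var activityQuery = @"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', tostring(split(Computer, '.')[-2]),
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'),
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain)
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain)
or v_Host_AzureID =~ _ResourceId
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
| where EventID == 4726";

    var activityCustomEntityQuery = new AzureNative.SecurityInsights.ActivityCustomEntityQuery("activityCustomEntityQuery", new()
    {
        Content = "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
        Description = "Account deleted on host",
        Enabled = true,
        // The activity is offered only for entities matching every filter here,
        // i.e. Windows hosts.
        EntitiesFilter =
        {
            { "Host_OsFamily", new[] { "Windows" } },
        },
        // Fixed ID makes the deployment idempotent (create-or-update).
        EntityQueryId = "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
        InputEntityType = "Host",
        Kind = "Activity",
        // Namespace of the workspace resource provider. The upstream sample spells
        // this "Microsoft.OperationalIinsights", which is not a valid namespace.
        OperationalInsightsResourceProvider = "Microsoft.OperationalInsights",
        QueryDefinitions = new AzureNative.SecurityInsights.Inputs.ActivityEntityQueriesPropertiesQueryDefinitionsArgs
        {
            Query = activityQuery,
        },
        // Each inner set is one combination of Host fields sufficient to run the query.
        RequiredInputFieldsSets = new[]
        {
            new[] { "Host_HostName", "Host_NTDomain" },
            new[] { "Host_HostName", "Host_DnsDomain" },
            new[] { "Host_AzureID" },
            new[] { "Host_OMSAgentID" },
        },
        ResourceGroupName = "myRg",
        Title = "An account was deleted on this host",
        WorkspaceName = "myWorkspace",
    });
});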
package main
import (
securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
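// main creates or updates a Sentinel Activity entity query for Host entities.
// Title/Content are shown on the entity timeline; the KQL in QueryDefinitions
// runs against the named workspace with the '{{...}}' placeholders filled in
// by Sentinel from the selected entity's fields.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Raw string literal: no escape processing, so the KQL escaped backslash
		// ('\\', used to split DOMAIN\host computer names) reaches the service as written.
		const activityQuery = `let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', tostring(split(Computer, '.')[-2]),
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'),
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain)
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain)
or v_Host_AzureID =~ _ResourceId
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
| where EventID == 4726`

		_, err := securityinsights.NewActivityCustomEntityQuery(ctx, "activityCustomEntityQuery", &securityinsights.ActivityCustomEntityQueryArgs{
			Content:     pulumi.String("On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'"),
			Description: pulumi.String("Account deleted on host"),
			Enabled:     pulumi.Bool(true),
			// The activity is offered only for entities matching every filter here,
			// i.e. Windows hosts.
			EntitiesFilter: pulumi.StringArrayMap{
				"Host_OsFamily": pulumi.StringArray{pulumi.String("Windows")},
			},
			// Fixed ID makes the deployment idempotent (create-or-update).
			EntityQueryId:   pulumi.String("07da3cc8-c8ad-4710-a44e-334cdcb7882b"),
			InputEntityType: pulumi.String("Host"),
			Kind:            pulumi.String("Activity"),
			// Namespace of the workspace resource provider. The upstream sample spells
			// this "Microsoft.OperationalIinsights", which is not a valid namespace.
			OperationalInsightsResourceProvider: pulumi.String("Microsoft.OperationalInsights"),
			QueryDefinitions: &securityinsights.ActivityEntityQueriesPropertiesQueryDefinitionsArgs{
				Query: pulumi.String(activityQuery),
			},
			// Each inner set is one combination of Host fields sufficient to run the query.
			RequiredInputFieldsSets: pulumi.StringArrayArray{
				pulumi.StringArray{pulumi.String("Host_HostName"), pulumi.String("Host_NTDomain")},
				pulumi.StringArray{pulumi.String("Host_HostName"), pulumi.String("Host_DnsDomain")},
				pulumi.StringArray{pulumi.String("Host_AzureID")},
				pulumi.StringArray{pulumi.String("Host_OMSAgentID")},
			},
			ResourceGroupName: pulumi.String("myRg"),
			Title:             pulumi.String("An account was deleted on this host"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		})
		// err is nil on success, so returning it directly covers both cases.
		return err
	})
}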
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.azurenative.securityinsights.ActivityCustomEntityQuery;
import com.pulumi.azurenative.securityinsights.ActivityCustomEntityQueryArgs;
import com.pulumi.azurenative.securityinsights.inputs.ActivityEntityQueriesPropertiesQueryDefinitionsArgs;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
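/**
 * Creates or updates a Sentinel Activity entity query for Host entities.
 * Title/content are shown on the entity timeline; the KQL in the query
 * definitions runs against the named workspace with the '{{...}}'
 * placeholders filled in by Sentinel from the selected entity's fields.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Java text blocks still process escape sequences, so the KQL escaped
        // backslash '\\' (used to split DOMAIN\host computer names) must be written
        // as '\\\\' here; a single '\\' would reach the service as a lone backslash
        // that escapes the closing quote and breaks the query.
        String activityQuery = """
            let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
            SecurityEvent
            | where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
            // parsing for Host to handle variety of conventions coming from data
            | extend Host_HostName = case(
            Computer has '@', tostring(split(Computer, '@')[0]),
            Computer has '\\\\', tostring(split(Computer, '\\\\')[1]),
            Computer has '.', tostring(split(Computer, '.')[0]),
            Computer
            )
            | extend Host_NTDomain = case(
            Computer has '\\\\', tostring(split(Computer, '\\\\')[0]),
            Computer has '.', tostring(split(Computer, '.')[-2]),
            Computer
            )
            | extend Host_DnsDomain = case(
            Computer has '\\\\', tostring(split(Computer, '\\\\')[0]),
            Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'),
            Computer
            )
            | where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain)
            or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain)
            or v_Host_AzureID =~ _ResourceId
            or v_Host_OMSAgentID == SourceComputerId
            | project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
            | extend AddedBy = SubjectUserName
            // Future support for Activities
            | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
            };
            GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
            | where EventID == 4726""";

        var activityCustomEntityQuery = new ActivityCustomEntityQuery("activityCustomEntityQuery", ActivityCustomEntityQueryArgs.builder()
            .content("On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'")
            .description("Account deleted on host")
            .enabled(true)
            // entitiesFilter is Map<String, List<String>>: the activity is offered only
            // for entities matching every filter here, i.e. Windows hosts.
            .entitiesFilter(Map.of("Host_OsFamily", List.of("Windows")))
            // Fixed ID makes the deployment idempotent (create-or-update).
            .entityQueryId("07da3cc8-c8ad-4710-a44e-334cdcb7882b")
            .inputEntityType("Host")
            .kind("Activity")
            // Namespace of the workspace resource provider. The upstream sample spells
            // this "Microsoft.OperationalIinsights", which is not a valid namespace.
            .operationalInsightsResourceProvider("Microsoft.OperationalInsights")
            // Typed args object rather than a raw Map, matching the other SDKs.
            .queryDefinitions(ActivityEntityQueriesPropertiesQueryDefinitionsArgs.builder()
                .query(activityQuery)
                .build())
            // List<List<String>>: each inner set is one combination of Host fields
            // sufficient to run the query. The flat varargs form in the upstream
            // sample collapsed the four sets into one.
            .requiredInputFieldsSets(List.of(
                List.of("Host_HostName", "Host_NTDomain"),
                List.of("Host_HostName", "Host_DnsDomain"),
                List.of("Host_AzureID"),
                List.of("Host_OMSAgentID")))
            .resourceGroupName("myRg")
            .title("An account was deleted on this host")
            .workspaceName("myWorkspace")
            .build());
    }
}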
import pulumi
import pulumi_azure_native as azure_native
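# KQL for the activity. A raw string is required: in a plain triple-quoted
# string Python collapses '\\' to a single backslash, which in KQL escapes the
# closing quote and breaks the Computer-name parsing below.
ACTIVITY_QUERY = r"""let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', tostring(split(Computer, '.')[-2]),
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'),
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain)
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain)
or v_Host_AzureID =~ _ResourceId
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
| where EventID == 4726"""

# Creates or updates a Sentinel Activity entity query for Host entities.
# title/content are shown on the entity timeline; the KQL runs against the
# named workspace with the '{{...}}' placeholders filled in by Sentinel from
# the selected entity's fields.
activity_custom_entity_query = azure_native.securityinsights.ActivityCustomEntityQuery(
    "activityCustomEntityQuery",
    content="On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
    description="Account deleted on host",
    enabled=True,
    # The activity is offered only for entities matching every filter here,
    # i.e. Windows hosts.
    entities_filter={"Host_OsFamily": ["Windows"]},
    # Fixed ID makes the deployment idempotent (create-or-update).
    entity_query_id="07da3cc8-c8ad-4710-a44e-334cdcb7882b",
    input_entity_type="Host",
    kind="Activity",
    # Namespace of the workspace resource provider. The upstream sample spells
    # this "Microsoft.OperationalIinsights", which is not a valid namespace.
    operational_insights_resource_provider="Microsoft.OperationalInsights",
    query_definitions=azure_native.securityinsights.ActivityEntityQueriesPropertiesQueryDefinitionsArgs(
        query=ACTIVITY_QUERY,
    ),
    # Each inner set is one combination of Host fields sufficient to run the query.
    required_input_fields_sets=[
        ["Host_HostName", "Host_NTDomain"],
        ["Host_HostName", "Host_DnsDomain"],
        ["Host_AzureID"],
        ["Host_OMSAgentID"],
    ],
    resource_group_name="myRg",
    title="An account was deleted on this host",
    workspace_name="myWorkspace",
)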
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
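// KQL for the activity. Template literals process escapes, so "\\\\" in source
// becomes "\\" at runtime — the KQL escape for the single backslash used to
// split DOMAIN\host computer names.
const activityQuery = `let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\\\', tostring(split(Computer, '\\\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\\\', tostring(split(Computer, '\\\\')[0]),
Computer has '.', tostring(split(Computer, '.')[-2]),
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\\\', tostring(split(Computer, '\\\\')[0]),
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'),
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain)
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain)
or v_Host_AzureID =~ _ResourceId
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
| where EventID == 4726`;

// Creates or updates a Sentinel Activity entity query for Host entities.
// title/content are shown on the entity timeline; the KQL runs against the
// named workspace with the '{{...}}' placeholders filled in by Sentinel from
// the selected entity's fields.
const activityCustomEntityQuery = new azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQuery", {
    content: "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
    description: "Account deleted on host",
    enabled: true,
    // The activity is offered only for entities matching every filter here,
    // i.e. Windows hosts.
    entitiesFilter: {
        Host_OsFamily: ["Windows"],
    },
    // Fixed ID makes the deployment idempotent (create-or-update).
    entityQueryId: "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
    inputEntityType: "Host",
    kind: "Activity",
    // Namespace of the workspace resource provider. The upstream sample spells
    // this "Microsoft.OperationalIinsights", which is not a valid namespace.
    operationalInsightsResourceProvider: "Microsoft.OperationalInsights",
    queryDefinitions: {
        query: activityQuery,
    },
    // Each inner set is one combination of Host fields sufficient to run the query.
    requiredInputFieldsSets: [
        ["Host_HostName", "Host_NTDomain"],
        ["Host_HostName", "Host_DnsDomain"],
        ["Host_AzureID"],
        ["Host_OMSAgentID"],
    ],
    resourceGroupName: "myRg",
    title: "An account was deleted on this host",
    workspaceName: "myWorkspace",
});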
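# Creates or updates a Sentinel Activity entity query for Host entities.
# title/content are shown on the entity timeline; the KQL runs against the
# named workspace with the {{...}} placeholders filled in by Sentinel from
# the selected entity's fields.
resources:
  activityCustomEntityQuery:
    type: azure-native:securityinsights:ActivityCustomEntityQuery
    properties:
      content: On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'
      description: Account deleted on host
      enabled: true
      # The activity is offered only for entities matching every filter here,
      # i.e. Windows hosts.
      entitiesFilter:
        Host_OsFamily:
          - Windows
      # Fixed ID makes the deployment idempotent (create-or-update).
      entityQueryId: 07da3cc8-c8ad-4710-a44e-334cdcb7882b
      inputEntityType: Host
      kind: Activity
      # Namespace of the workspace resource provider. The upstream sample spells
      # this "Microsoft.OperationalIinsights", which is not a valid namespace.
      operationalInsightsResourceProvider: Microsoft.OperationalInsights
      queryDefinitions:
        # Literal block scalar: no escape processing, so the KQL escaped backslash
        # ('\\', used to split DOMAIN\host computer names) is passed as written.
        query: |-
          let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
          SecurityEvent
          | where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
          // parsing for Host to handle variety of conventions coming from data
          | extend Host_HostName = case(
          Computer has '@', tostring(split(Computer, '@')[0]),
          Computer has '\\', tostring(split(Computer, '\\')[1]),
          Computer has '.', tostring(split(Computer, '.')[0]),
          Computer
          )
          | extend Host_NTDomain = case(
          Computer has '\\', tostring(split(Computer, '\\')[0]),
          Computer has '.', tostring(split(Computer, '.')[-2]),
          Computer
          )
          | extend Host_DnsDomain = case(
          Computer has '\\', tostring(split(Computer, '\\')[0]),
          Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'),
          Computer
          )
          | where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain)
          or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain)
          or v_Host_AzureID =~ _ResourceId
          or v_Host_OMSAgentID == SourceComputerId
          | project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
          | extend AddedBy = SubjectUserName
          // Future support for Activities
          | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
          };
          GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
          | where EventID == 4726
      # Each inner set is one combination of Host fields sufficient to run the query.
      requiredInputFieldsSets:
        - - Host_HostName
          - Host_NTDomain
        - - Host_HostName
          - Host_DnsDomain
        - - Host_AzureID
        - - Host_OMSAgentID
      resourceGroupName: myRg
      title: An account was deleted on this host
      workspaceName: myWorkspace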
Create ActivityCustomEntityQuery Resource
new ActivityCustomEntityQuery(name: string, args: ActivityCustomEntityQueryArgs, opts?: CustomResourceOptions);
@overload
def ActivityCustomEntityQuery(resource_name: str,
opts: Optional[ResourceOptions] = None,
content: Optional[str] = None,
description: Optional[str] = None,
enabled: Optional[bool] = None,
entities_filter: Optional[Mapping[str, Sequence[str]]] = None,
entity_query_id: Optional[str] = None,
input_entity_type: Optional[Union[str, EntityType]] = None,
operational_insights_resource_provider: Optional[str] = None,
query_definitions: Optional[ActivityEntityQueriesPropertiesQueryDefinitionsArgs] = None,
required_input_fields_sets: Optional[Sequence[Sequence[str]]] = None,
resource_group_name: Optional[str] = None,
template_name: Optional[str] = None,
title: Optional[str] = None,
workspace_name: Optional[str] = None)
@overload
def ActivityCustomEntityQuery(resource_name: str,
args: ActivityCustomEntityQueryArgs,
opts: Optional[ResourceOptions] = None)
func NewActivityCustomEntityQuery(ctx *Context, name string, args ActivityCustomEntityQueryArgs, opts ...ResourceOption) (*ActivityCustomEntityQuery, error)
public ActivityCustomEntityQuery(string name, ActivityCustomEntityQueryArgs args, CustomResourceOptions? opts = null)
public ActivityCustomEntityQuery(String name, ActivityCustomEntityQueryArgs args)
public ActivityCustomEntityQuery(String name, ActivityCustomEntityQueryArgs args, CustomResourceOptions options)
type: azure-native:securityinsights:ActivityCustomEntityQuery
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ActivityCustomEntityQueryArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ActivityCustomEntityQueryArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ActivityCustomEntityQueryArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ActivityCustomEntityQueryArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ActivityCustomEntityQueryArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
ActivityCustomEntityQuery Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The ActivityCustomEntityQuery resource accepts the following input properties:
- OperationalInsightsResourceProvider string
The namespace of the workspaces resource provider - Microsoft.OperationalInsights.
- ResourceGroupName string
The name of the resource group. The name is case insensitive.
- WorkspaceName string
The name of the workspace.
- Content string
The entity query content to display in timeline
- Description string
The entity query description
- Enabled bool
Determines whether this activity is enabled or disabled.
- EntitiesFilter Dictionary<string, ImmutableArray<string>>
The query is applied only to entities matching all filters.
- EntityQueryId string
Entity query ID.
- InputEntityType string | Pulumi.AzureNative.SecurityInsights.EntityType
The type of the query's source entity.
- QueryDefinitions Pulumi.AzureNative.SecurityInsights.Inputs.ActivityEntityQueriesPropertiesQueryDefinitionsArgs
The Activity query definitions.
- RequiredInputFieldsSets List<ImmutableArray<string>>
List of the fields of the source entity that are required to run the query.
- TemplateName string
The template id this activity was created from.
- Title string
The entity query title
- Operational
Insights stringResource Provider The namespace of workspaces resource provider- Microsoft.OperationalInsights.
- Resource
Group stringName The name of the resource group. The name is case insensitive.
- Workspace
Name string The name of the workspace.
- Content string
The entity query content to display in timeline
- Description string
The entity query description
- Enabled bool
Determines whether this activity is enabled or disabled.
- Entities
Filter map[string][]string The query applied only to entities matching to all filters
- Entity
Query stringId entity query ID
- Input
Entity string | EntityType Type The type of the query's source entity
- Query
Definitions ActivityEntity Queries Properties Query Definitions Args The Activity query definitions
- Required
Input [][]stringFields Sets List of the fields of the source entity that are required to run the query
- Template
Name string The template id this activity was created from
- Title string
The entity query title
- operational
Insights StringResource Provider The namespace of workspaces resource provider- Microsoft.OperationalInsights.
- resource
Group StringName The name of the resource group. The name is case insensitive.
- workspace
Name String The name of the workspace.
- content String
The entity query content to display in timeline
- description String
The entity query description
- enabled Boolean
Determines whether this activity is enabled or disabled.
- entities
Filter Map<String,List<String>> The query applied only to entities matching to all filters
- entity
Query StringId entity query ID
- input
Entity String | EntityType Type The type of the query's source entity
- query
Definitions ActivityEntity Queries Properties Query Definitions Args The Activity query definitions
- required
Input List<List<String>>Fields Sets List of the fields of the source entity that are required to run the query
- template
Name String The template id this activity was created from
- title String
The entity query title
- operational
Insights stringResource Provider The namespace of workspaces resource provider- Microsoft.OperationalInsights.
- resource
Group stringName The name of the resource group. The name is case insensitive.
- workspace
Name string The name of the workspace.
- content string
The entity query content to display in timeline
- description string
The entity query description
- enabled boolean
Determines whether this activity is enabled or disabled.
- entities
Filter {[key: string]: string[]} The query applied only to entities matching to all filters
- entity
Query stringId entity query ID
- input
Entity string | EntityType Type The type of the query's source entity
- query
Definitions ActivityEntity Queries Properties Query Definitions Args The Activity query definitions
- required
Input string[][]Fields Sets List of the fields of the source entity that are required to run the query
- template
Name string The template id this activity was created from
- title string
The entity query title
- operational_
insights_ strresource_ provider The namespace of workspaces resource provider- Microsoft.OperationalInsights.
- resource_
group_ strname The name of the resource group. The name is case insensitive.
- workspace_
name str The name of the workspace.
- content str
The entity query content to display in timeline
- description str
The entity query description
- enabled bool
Determines whether this activity is enabled or disabled.
- entities_
filter Mapping[str, Sequence[str]] The query applied only to entities matching to all filters
- entity_
query_ strid entity query ID
- input_
entity_ str | Entitytype Type The type of the query's source entity
- query_
definitions ActivityEntity Queries Properties Query Definitions Args The Activity query definitions
- required_
input_ Sequence[Sequence[str]]fields_ sets List of the fields of the source entity that are required to run the query
- template_
name str The template id this activity was created from
- title str
The entity query title
- operational
Insights StringResource Provider The namespace of workspaces resource provider- Microsoft.OperationalInsights.
- resource
Group StringName The name of the resource group. The name is case insensitive.
- workspace
Name String The name of the workspace.
- content String
The entity query content to display in timeline
- description String
The entity query description
- enabled Boolean
Determines whether this activity is enabled or disabled.
- entities
Filter Map<List<String>> The query applied only to entities matching to all filters
- entity
Query StringId entity query ID
- inputEntityType String | "Account" | "Host" | "File" | "AzureResource" | "CloudApplication" | "DNS" | "FileHash" | "IP" | "Malware" | "Process" | "RegistryKey" | "RegistryValue" | "SecurityGroup" | "URL" | "IoTDevice" | "SecurityAlert" | "HuntingBookmark" | "MailCluster" | "MailMessage" | "Mailbox" | "SubmissionMail"
The type of the query's source entity.
- query
Definitions Property Map The Activity query definitions
- required
Input List<List<String>>Fields Sets List of the fields of the source entity that are required to run the query
- template
Name String The template id this activity was created from
- title String
The entity query title
Outputs
All input properties are implicitly available as output properties. Additionally, the ActivityCustomEntityQuery resource produces the following output properties:
- CreatedTimeUtc string
The time the activity was created.
- Id string
The provider-assigned unique ID for this managed resource.
- LastModifiedTimeUtc string
The last time the activity was updated.
- Name string
Azure resource name
- SystemData Pulumi.AzureNative.SecurityInsights.Outputs.SystemDataResponse
Azure Resource Manager metadata containing createdBy and modifiedBy information.
- Type string
Azure resource type
- Etag string
Etag of the azure resource
- Created
Time stringUtc The time the activity was created
- Id string
The provider-assigned unique ID for this managed resource.
- Last
Modified stringTime Utc The last time the activity was updated
- Name string
Azure resource name
- System
Data SystemData Response Azure Resource Manager metadata containing createdBy and modifiedBy information.
- Type string
Azure resource type
- Etag string
Etag of the azure resource
- created
Time StringUtc The time the activity was created
- id String
The provider-assigned unique ID for this managed resource.
- last
Modified StringTime Utc The last time the activity was updated
- name String
Azure resource name
- system
Data SystemData Response Azure Resource Manager metadata containing createdBy and modifiedBy information.
- type String
Azure resource type
- etag String
Etag of the azure resource
- created
Time stringUtc The time the activity was created
- id string
The provider-assigned unique ID for this managed resource.
- last
Modified stringTime Utc The last time the activity was updated
- name string
Azure resource name
- system
Data SystemData Response Azure Resource Manager metadata containing createdBy and modifiedBy information.
- type string
Azure resource type
- etag string
Etag of the azure resource
- created_
time_ strutc The time the activity was created
- id str
The provider-assigned unique ID for this managed resource.
- last_
modified_ strtime_ utc The last time the activity was updated
- name str
Azure resource name
- system_
data SystemData Response Azure Resource Manager metadata containing createdBy and modifiedBy information.
- type str
Azure resource type
- etag str
Etag of the azure resource
- created
Time StringUtc The time the activity was created
- id String
The provider-assigned unique ID for this managed resource.
- last
Modified StringTime Utc The last time the activity was updated
- name String
Azure resource name
- system
Data Property Map Azure Resource Manager metadata containing createdBy and modifiedBy information.
- type String
Azure resource type
- etag String
Etag of the azure resource
Supporting Types
ActivityEntityQueriesPropertiesQueryDefinitions
- Query string
The Activity query to run on a given entity
- Query string
The Activity query to run on a given entity
- query String
The Activity query to run on a given entity
- query string
The Activity query to run on a given entity
- query str
The Activity query to run on a given entity
- query String
The Activity query to run on a given entity
ActivityEntityQueriesPropertiesResponseQueryDefinitions
- Query string
The Activity query to run on a given entity
- Query string
The Activity query to run on a given entity
- query String
The Activity query to run on a given entity
- query string
The Activity query to run on a given entity
- query str
The Activity query to run on a given entity
- query String
The Activity query to run on a given entity
EntityType
- Account
- Account
Entity represents account in the system.
- Host
- Host
Entity represents host in the system.
- File
- File
Entity represents file in the system.
- Azure
Resource - AzureResource
Entity represents azure resource in the system.
- Cloud
Application - CloudApplication
Entity represents cloud application in the system.
- DNS
- DNS
Entity represents dns in the system.
- File
Hash - FileHash
Entity represents file hash in the system.
- IP
- IP
Entity represents ip in the system.
- Malware
- Malware
Entity represents malware in the system.
- Process
- Process
Entity represents process in the system.
- Registry
Key - RegistryKey
Entity represents registry key in the system.
- Registry
Value - RegistryValue
Entity represents registry value in the system.
- Security
Group - SecurityGroup
Entity represents security group in the system.
- URL
- URL
Entity represents url in the system.
- Io
TDevice - IoTDevice
Entity represents IoT device in the system.
- Security
Alert - SecurityAlert
Entity represents security alert in the system.
- Hunting
Bookmark - HuntingBookmark
Entity represents HuntingBookmark in the system.
- Mail
Cluster - MailCluster
Entity represents mail cluster in the system.
- Mail
Message - MailMessage
Entity represents mail message in the system.
- Mailbox
- Mailbox
Entity represents mailbox in the system.
- Submission
Mail - SubmissionMail
Entity represents submission mail in the system.
- Entity
Type Account - Account
Entity represents account in the system.
- Entity
Type Host - Host
Entity represents host in the system.
- Entity
Type File - File
Entity represents file in the system.
- Entity
Type Azure Resource - AzureResource
Entity represents azure resource in the system.
- Entity
Type Cloud Application - CloudApplication
Entity represents cloud application in the system.
- Entity
Type DNS - DNS
Entity represents dns in the system.
- Entity
Type File Hash - FileHash
Entity represents file hash in the system.
- Entity
Type IP - IP
Entity represents ip in the system.
- Entity
Type Malware - Malware
Entity represents malware in the system.
- Entity
Type Process - Process
Entity represents process in the system.
- Entity
Type Registry Key - RegistryKey
Entity represents registry key in the system.
- Entity
Type Registry Value - RegistryValue
Entity represents registry value in the system.
- Entity
Type Security Group - SecurityGroup
Entity represents security group in the system.
- Entity
Type URL - URL
Entity represents url in the system.
- Entity
Type Io TDevice - IoTDevice
Entity represents IoT device in the system.
- Entity
Type Security Alert - SecurityAlert
Entity represents security alert in the system.
- Entity
Type Hunting Bookmark - HuntingBookmark
Entity represents HuntingBookmark in the system.
- Entity
Type Mail Cluster - MailCluster
Entity represents mail cluster in the system.
- Entity
Type Mail Message - MailMessage
Entity represents mail message in the system.
- Entity
Type Mailbox - Mailbox
Entity represents mailbox in the system.
- Entity
Type Submission Mail - SubmissionMail
Entity represents submission mail in the system.
- Account
- Account
Entity represents account in the system.
- Host
- Host
Entity represents host in the system.
- File
- File
Entity represents file in the system.
- Azure
Resource - AzureResource
Entity represents azure resource in the system.
- Cloud
Application - CloudApplication
Entity represents cloud application in the system.
- DNS
- DNS
Entity represents dns in the system.
- File
Hash - FileHash
Entity represents file hash in the system.
- IP
- IP
Entity represents ip in the system.
- Malware
- Malware
Entity represents malware in the system.
- Process
- Process
Entity represents process in the system.
- Registry
Key - RegistryKey
Entity represents registry key in the system.
- Registry
Value - RegistryValue
Entity represents registry value in the system.
- Security
Group - SecurityGroup
Entity represents security group in the system.
- URL
- URL
Entity represents url in the system.
- Io
TDevice - IoTDevice
Entity represents IoT device in the system.
- Security
Alert - SecurityAlert
Entity represents security alert in the system.
- Hunting
Bookmark - HuntingBookmark
Entity represents HuntingBookmark in the system.
- Mail
Cluster - MailCluster
Entity represents mail cluster in the system.
- Mail
Message - MailMessage
Entity represents mail message in the system.
- Mailbox
- Mailbox
Entity represents mailbox in the system.
- Submission
Mail - SubmissionMail
Entity represents submission mail in the system.
- Account
- Account
Entity represents account in the system.
- Host
- Host
Entity represents host in the system.
- File
- File
Entity represents file in the system.
- Azure
Resource - AzureResource
Entity represents azure resource in the system.
- Cloud
Application - CloudApplication
Entity represents cloud application in the system.
- DNS
- DNS
Entity represents dns in the system.
- File
Hash - FileHash
Entity represents file hash in the system.
- IP
- IP
Entity represents ip in the system.
- Malware
- Malware
Entity represents malware in the system.
- Process
- Process
Entity represents process in the system.
- Registry
Key - RegistryKey
Entity represents registry key in the system.
- Registry
Value - RegistryValue
Entity represents registry value in the system.
- Security
Group - SecurityGroup
Entity represents security group in the system.
- URL
- URL
Entity represents url in the system.
- Io
TDevice - IoTDevice
Entity represents IoT device in the system.
- Security
Alert - SecurityAlert
Entity represents security alert in the system.
- Hunting
Bookmark - HuntingBookmark
Entity represents HuntingBookmark in the system.
- Mail
Cluster - MailCluster
Entity represents mail cluster in the system.
- Mail
Message - MailMessage
Entity represents mail message in the system.
- Mailbox
- Mailbox
Entity represents mailbox in the system.
- Submission
Mail - SubmissionMail
Entity represents submission mail in the system.
- ACCOUNT
- Account
Entity represents account in the system.
- HOST
- Host
Entity represents host in the system.
- FILE
- File
Entity represents file in the system.
- AZURE_RESOURCE
- AzureResource
Entity represents azure resource in the system.
- CLOUD_APPLICATION
- CloudApplication
Entity represents cloud application in the system.
- DNS
- DNS
Entity represents dns in the system.
- FILE_HASH
- FileHash
Entity represents file hash in the system.
- IP
- IP
Entity represents ip in the system.
- MALWARE
- Malware
Entity represents malware in the system.
- PROCESS
- Process
Entity represents process in the system.
- REGISTRY_KEY
- RegistryKey
Entity represents registry key in the system.
- REGISTRY_VALUE
- RegistryValue
Entity represents registry value in the system.
- SECURITY_GROUP
- SecurityGroup
Entity represents security group in the system.
- URL
- URL
Entity represents url in the system.
- IO_T_DEVICE
- IoTDevice
Entity represents IoT device in the system.
- SECURITY_ALERT
- SecurityAlert
Entity represents security alert in the system.
- HUNTING_BOOKMARK
- HuntingBookmark
Entity represents HuntingBookmark in the system.
- MAIL_CLUSTER
- MailCluster
Entity represents mail cluster in the system.
- MAIL_MESSAGE
- MailMessage
Entity represents mail message in the system.
- MAILBOX
- Mailbox
Entity represents mailbox in the system.
- SUBMISSION_MAIL
- SubmissionMail
Entity represents submission mail in the system.
- "Account"
- Account
Entity represents account in the system.
- "Host"
- Host
Entity represents host in the system.
- "File"
- File
Entity represents file in the system.
- "Azure
Resource" - AzureResource
Entity represents azure resource in the system.
- "Cloud
Application" - CloudApplication
Entity represents cloud application in the system.
- "DNS"
- DNS
Entity represents dns in the system.
- "File
Hash" - FileHash
Entity represents file hash in the system.
- "IP"
- IP
Entity represents ip in the system.
- "Malware"
- Malware
Entity represents malware in the system.
- "Process"
- Process
Entity represents process in the system.
- "Registry
Key" - RegistryKey
Entity represents registry key in the system.
- "Registry
Value" - RegistryValue
Entity represents registry value in the system.
- "Security
Group" - SecurityGroup
Entity represents security group in the system.
- "URL"
- URL
Entity represents url in the system.
- "Io
TDevice" - IoTDevice
Entity represents IoT device in the system.
- "Security
Alert" - SecurityAlert
Entity represents security alert in the system.
- "Hunting
Bookmark" - HuntingBookmark
Entity represents HuntingBookmark in the system.
- "Mail
Cluster" - MailCluster
Entity represents mail cluster in the system.
- "Mail
Message" - MailMessage
Entity represents mail message in the system.
- "Mailbox"
- Mailbox
Entity represents mailbox in the system.
- "Submission
Mail" - SubmissionMail
Entity represents submission mail in the system.
SystemDataResponse
- CreatedAt string The timestamp of resource creation (UTC).
- CreatedBy string The identity that created the resource.
- CreatedByType string The type of identity that created the resource.
- LastModifiedAt string The timestamp of resource last modification (UTC).
- LastModifiedBy string The identity that last modified the resource.
- LastModifiedByType string The type of identity that last modified the resource.
- CreatedAt string The timestamp of resource creation (UTC).
- CreatedBy string The identity that created the resource.
- CreatedByType string The type of identity that created the resource.
- LastModifiedAt string The timestamp of resource last modification (UTC).
- LastModifiedBy string The identity that last modified the resource.
- LastModifiedByType string The type of identity that last modified the resource.
- createdAt String The timestamp of resource creation (UTC).
- createdBy String The identity that created the resource.
- createdByType String The type of identity that created the resource.
- lastModifiedAt String The timestamp of resource last modification (UTC).
- lastModifiedBy String The identity that last modified the resource.
- lastModifiedByType String The type of identity that last modified the resource.
- createdAt string The timestamp of resource creation (UTC).
- createdBy string The identity that created the resource.
- createdByType string The type of identity that created the resource.
- lastModifiedAt string The timestamp of resource last modification (UTC).
- lastModifiedBy string The identity that last modified the resource.
- lastModifiedByType string The type of identity that last modified the resource.
- created_at str The timestamp of resource creation (UTC).
- created_by str The identity that created the resource.
- created_by_type str The type of identity that created the resource.
- last_modified_at str The timestamp of resource last modification (UTC).
- last_modified_by str The identity that last modified the resource.
- last_modified_by_type str The type of identity that last modified the resource.
- createdAt String The timestamp of resource creation (UTC).
- createdBy String The identity that created the resource.
- createdByType String The type of identity that created the resource.
- lastModifiedAt String The timestamp of resource last modification (UTC).
- lastModifiedBy String The identity that last modified the resource.
- lastModifiedByType String The type of identity that last modified the resource.
Import
An existing resource can be imported using its type token, name, and identifier, e.g.
$ pulumi import azure-native:securityinsights:ActivityCustomEntityQuery 07da3cc8-c8ad-4710-a44e-334cdcb7882b /subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b
Package Details
- Repository
- Azure Native pulumi/pulumi-azure-native
- License
- Apache-2.0