azure-native.securityinsights.ActivityCustomEntityQuery

Explore with Pulumi AI

Represents Activity entity query. API Version: 2021-03-01-preview.

Example Usage

Creates or updates an Activity entity query.

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var activityCustomEntityQuery = new AzureNative.SecurityInsights.ActivityCustomEntityQuery("activityCustomEntityQuery", new()
    {
        Content = "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
        Description = "Account deleted on host",
        Enabled = true,
        EntitiesFilter = 
        {
            { "Host_OsFamily", new[]
            {
                "Windows",
            } },
        },
        EntityQueryId = "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
        InputEntityType = "Host",
        Kind = "Activity",
        OperationalInsightsResourceProvider = "Microsoft.OperationalIinsights",
        QueryDefinitions = new AzureNative.SecurityInsights.Inputs.ActivityEntityQueriesPropertiesQueryDefinitionsArgs
        {
            Query = @"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', tostring(split(Computer, '.')[-2]), 
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
or v_Host_AzureID =~ _ResourceId 
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
 
| where EventID == 4726 ",
        },
        RequiredInputFieldsSets = new[]
        {
            new[]
            {
                "Host_HostName",
                "Host_NTDomain",
            },
            new[]
            {
                "Host_HostName",
                "Host_DnsDomain",
            },
            new[]
            {
                "Host_AzureID",
            },
            new[]
            {
                "Host_OMSAgentID",
            },
        },
        ResourceGroupName = "myRg",
        Title = "An account was deleted on this host",
        WorkspaceName = "myWorkspace",
    });

});
package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securityinsights.NewActivityCustomEntityQuery(ctx, "activityCustomEntityQuery", &securityinsights.ActivityCustomEntityQueryArgs{
			Content:     pulumi.String("On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'"),
			Description: pulumi.String("Account deleted on host"),
			Enabled:     pulumi.Bool(true),
			EntitiesFilter: pulumi.StringArrayMap{
				"Host_OsFamily": pulumi.StringArray{
					pulumi.String("Windows"),
				},
			},
			EntityQueryId:                       pulumi.String("07da3cc8-c8ad-4710-a44e-334cdcb7882b"),
			InputEntityType:                     pulumi.String("Host"),
			Kind:                                pulumi.String("Activity"),
			OperationalInsightsResourceProvider: pulumi.String("Microsoft.OperationalIinsights"),
			QueryDefinitions: &securityinsights.ActivityEntityQueriesPropertiesQueryDefinitionsArgs{
				Query: pulumi.String("let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 "),
			},
			RequiredInputFieldsSets: pulumi.StringArrayArray{
				pulumi.StringArray{
					pulumi.String("Host_HostName"),
					pulumi.String("Host_NTDomain"),
				},
				pulumi.StringArray{
					pulumi.String("Host_HostName"),
					pulumi.String("Host_DnsDomain"),
				},
				pulumi.StringArray{
					pulumi.String("Host_AzureID"),
				},
				pulumi.StringArray{
					pulumi.String("Host_OMSAgentID"),
				},
			},
			ResourceGroupName: pulumi.String("myRg"),
			Title:             pulumi.String("An account was deleted on this host"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.ActivityCustomEntityQuery;
import com.pulumi.azurenative.securityinsights.ActivityCustomEntityQueryArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var activityCustomEntityQuery = new ActivityCustomEntityQuery("activityCustomEntityQuery", ActivityCustomEntityQueryArgs.builder()        
            .content("On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'")
            .description("Account deleted on host")
            .enabled(true)
            .entitiesFilter(Map.of("Host_OsFamily", "Windows"))
            .entityQueryId("07da3cc8-c8ad-4710-a44e-334cdcb7882b")
            .inputEntityType("Host")
            .kind("Activity")
            .operationalInsightsResourceProvider("Microsoft.OperationalIinsights")
            .queryDefinitions(Map.of("query", """
let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', tostring(split(Computer, '.')[-2]), 
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
or v_Host_AzureID =~ _ResourceId 
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
 
| where EventID == 4726             """))
            .requiredInputFieldsSets(            
                                
                    "Host_HostName",
                    "Host_NTDomain",
                                
                    "Host_HostName",
                    "Host_DnsDomain",
                "Host_AzureID",
                "Host_OMSAgentID")
            .resourceGroupName("myRg")
            .title("An account was deleted on this host")
            .workspaceName("myWorkspace")
            .build());

    }
}
import pulumi
import pulumi_azure_native as azure_native

activity_custom_entity_query = azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQuery",
    content="On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
    description="Account deleted on host",
    enabled=True,
    entities_filter={
        "Host_OsFamily": ["Windows"],
    },
    entity_query_id="07da3cc8-c8ad-4710-a44e-334cdcb7882b",
    input_entity_type="Host",
    kind="Activity",
    operational_insights_resource_provider="Microsoft.OperationalIinsights",
    query_definitions=azure_native.securityinsights.ActivityEntityQueriesPropertiesQueryDefinitionsArgs(
        query="""let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', tostring(split(Computer, '.')[-2]), 
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
or v_Host_AzureID =~ _ResourceId 
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
 
| where EventID == 4726 """,
    ),
    required_input_fields_sets=[
        [
            "Host_HostName",
            "Host_NTDomain",
        ],
        [
            "Host_HostName",
            "Host_DnsDomain",
        ],
        ["Host_AzureID"],
        ["Host_OMSAgentID"],
    ],
    resource_group_name="myRg",
    title="An account was deleted on this host",
    workspace_name="myWorkspace")
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const activityCustomEntityQuery = new azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQuery", {
    content: "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
    description: "Account deleted on host",
    enabled: true,
    entitiesFilter: {
        Host_OsFamily: ["Windows"],
    },
    entityQueryId: "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
    inputEntityType: "Host",
    kind: "Activity",
    operationalInsightsResourceProvider: "Microsoft.OperationalIinsights",
    queryDefinitions: {
        query: `let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\\\', tostring(split(Computer, '\\\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\\\', tostring(split(Computer, '\\\\')[0]), 
Computer has '.', tostring(split(Computer, '.')[-2]), 
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\\\', tostring(split(Computer, '\\\\')[0]), 
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
or v_Host_AzureID =~ _ResourceId 
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
 
| where EventID == 4726 `,
    },
    requiredInputFieldsSets: [
        [
            "Host_HostName",
            "Host_NTDomain",
        ],
        [
            "Host_HostName",
            "Host_DnsDomain",
        ],
        ["Host_AzureID"],
        ["Host_OMSAgentID"],
    ],
    resourceGroupName: "myRg",
    title: "An account was deleted on this host",
    workspaceName: "myWorkspace",
});
resources:
  activityCustomEntityQuery:
    type: azure-native:securityinsights:ActivityCustomEntityQuery
    properties:
      content: On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'
      description: Account deleted on host
      enabled: true
      entitiesFilter:
        Host_OsFamily:
          - Windows
      entityQueryId: 07da3cc8-c8ad-4710-a44e-334cdcb7882b
      inputEntityType: Host
      kind: Activity
      operationalInsightsResourceProvider: Microsoft.OperationalIinsights
      queryDefinitions:
        query: "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 "
      requiredInputFieldsSets:
        - - Host_HostName
          - Host_NTDomain
        - - Host_HostName
          - Host_DnsDomain
        - - Host_AzureID
        - - Host_OMSAgentID
      resourceGroupName: myRg
      title: An account was deleted on this host
      workspaceName: myWorkspace

Create ActivityCustomEntityQuery Resource

new ActivityCustomEntityQuery(name: string, args: ActivityCustomEntityQueryArgs, opts?: CustomResourceOptions);
@overload
def ActivityCustomEntityQuery(resource_name: str,
                              opts: Optional[ResourceOptions] = None,
                              content: Optional[str] = None,
                              description: Optional[str] = None,
                              enabled: Optional[bool] = None,
                              entities_filter: Optional[Mapping[str, Sequence[str]]] = None,
                              entity_query_id: Optional[str] = None,
                              input_entity_type: Optional[Union[str, EntityType]] = None,
                              operational_insights_resource_provider: Optional[str] = None,
                              query_definitions: Optional[ActivityEntityQueriesPropertiesQueryDefinitionsArgs] = None,
                              required_input_fields_sets: Optional[Sequence[Sequence[str]]] = None,
                              resource_group_name: Optional[str] = None,
                              template_name: Optional[str] = None,
                              title: Optional[str] = None,
                              workspace_name: Optional[str] = None)
@overload
def ActivityCustomEntityQuery(resource_name: str,
                              args: ActivityCustomEntityQueryArgs,
                              opts: Optional[ResourceOptions] = None)
func NewActivityCustomEntityQuery(ctx *Context, name string, args ActivityCustomEntityQueryArgs, opts ...ResourceOption) (*ActivityCustomEntityQuery, error)
public ActivityCustomEntityQuery(string name, ActivityCustomEntityQueryArgs args, CustomResourceOptions? opts = null)
public ActivityCustomEntityQuery(String name, ActivityCustomEntityQueryArgs args)
public ActivityCustomEntityQuery(String name, ActivityCustomEntityQueryArgs args, CustomResourceOptions options)
type: azure-native:securityinsights:ActivityCustomEntityQuery
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args ActivityCustomEntityQueryArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args ActivityCustomEntityQueryArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args ActivityCustomEntityQueryArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args ActivityCustomEntityQueryArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args ActivityCustomEntityQueryArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

ActivityCustomEntityQuery Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The ActivityCustomEntityQuery resource accepts the following input properties:

OperationalInsightsResourceProvider string

The namespace of workspaces resource provider- Microsoft.OperationalInsights.

ResourceGroupName string

The name of the resource group. The name is case insensitive.

WorkspaceName string

The name of the workspace.

Content string

The entity query content to display in timeline

Description string

The entity query description

Enabled bool

Determines whether this activity is enabled or disabled.

EntitiesFilter Dictionary<string, ImmutableArray<string>>

The query applied only to entities matching to all filters

EntityQueryId string

entity query ID

InputEntityType string | Pulumi.AzureNative.SecurityInsights.EntityType

The type of the query's source entity

QueryDefinitions Pulumi.AzureNative.SecurityInsights.Inputs.ActivityEntityQueriesPropertiesQueryDefinitionsArgs

The Activity query definitions

RequiredInputFieldsSets List<ImmutableArray<string>>

List of the fields of the source entity that are required to run the query

TemplateName string

The template id this activity was created from

Title string

The entity query title

OperationalInsightsResourceProvider string

The namespace of workspaces resource provider- Microsoft.OperationalInsights.

ResourceGroupName string

The name of the resource group. The name is case insensitive.

WorkspaceName string

The name of the workspace.

Content string

The entity query content to display in timeline

Description string

The entity query description

Enabled bool

Determines whether this activity is enabled or disabled.

EntitiesFilter map[string][]string

The query applied only to entities matching to all filters

EntityQueryId string

entity query ID

InputEntityType string | EntityType

The type of the query's source entity

QueryDefinitions ActivityEntityQueriesPropertiesQueryDefinitionsArgs

The Activity query definitions

RequiredInputFieldsSets [][]string

List of the fields of the source entity that are required to run the query

TemplateName string

The template id this activity was created from

Title string

The entity query title

operationalInsightsResourceProvider String

The namespace of workspaces resource provider- Microsoft.OperationalInsights.

resourceGroupName String

The name of the resource group. The name is case insensitive.

workspaceName String

The name of the workspace.

content String

The entity query content to display in timeline

description String

The entity query description

enabled Boolean

Determines whether this activity is enabled or disabled.

entitiesFilter Map<String,List<String>>

The query applied only to entities matching to all filters

entityQueryId String

entity query ID

inputEntityType String | EntityType

The type of the query's source entity

queryDefinitions ActivityEntityQueriesPropertiesQueryDefinitionsArgs

The Activity query definitions

requiredInputFieldsSets List<List<String>>

List of the fields of the source entity that are required to run the query

templateName String

The template id this activity was created from

title String

The entity query title

operationalInsightsResourceProvider string

The namespace of workspaces resource provider- Microsoft.OperationalInsights.

resourceGroupName string

The name of the resource group. The name is case insensitive.

workspaceName string

The name of the workspace.

content string

The entity query content to display in timeline

description string

The entity query description

enabled boolean

Determines whether this activity is enabled or disabled.

entitiesFilter {[key: string]: string[]}

The query applied only to entities matching to all filters

entityQueryId string

entity query ID

inputEntityType string | EntityType

The type of the query's source entity

queryDefinitions ActivityEntityQueriesPropertiesQueryDefinitionsArgs

The Activity query definitions

requiredInputFieldsSets string[][]

List of the fields of the source entity that are required to run the query

templateName string

The template id this activity was created from

title string

The entity query title

operational_insights_resource_provider str

The namespace of workspaces resource provider- Microsoft.OperationalInsights.

resource_group_name str

The name of the resource group. The name is case insensitive.

workspace_name str

The name of the workspace.

content str

The entity query content to display in timeline

description str

The entity query description

enabled bool

Determines whether this activity is enabled or disabled.

entities_filter Mapping[str, Sequence[str]]

The query applied only to entities matching to all filters

entity_query_id str

entity query ID

input_entity_type str | EntityType

The type of the query's source entity

query_definitions ActivityEntityQueriesPropertiesQueryDefinitionsArgs

The Activity query definitions

required_input_fields_sets Sequence[Sequence[str]]

List of the fields of the source entity that are required to run the query

template_name str

The template id this activity was created from

title str

The entity query title

operationalInsightsResourceProvider String

The namespace of workspaces resource provider- Microsoft.OperationalInsights.

resourceGroupName String

The name of the resource group. The name is case insensitive.

workspaceName String

The name of the workspace.

content String

The entity query content to display in timeline

description String

The entity query description

enabled Boolean

Determines whether this activity is enabled or disabled.

entitiesFilter Map<List<String>>

The query applied only to entities matching to all filters

entityQueryId String

entity query ID

inputEntityType String | "Account" | "Host" | "File" | "AzureResource" | "CloudApplication" | "DNS" | "FileHash" | "IP" | "Malware" | "Process" | "RegistryKey" | "RegistryValue" | "SecurityGroup" | "URL" | "IoTDevice" | "SecurityAlert" | "HuntingBookmark" | "MailCluster" | "MailMessage" | "Mailbox" | "SubmissionMail"

The type of the query's source entity

queryDefinitions Property Map

The Activity query definitions

requiredInputFieldsSets List<List<String>>

List of the fields of the source entity that are required to run the query

templateName String

The template id this activity was created from

title String

The entity query title

Outputs

All input properties are implicitly available as output properties. Additionally, the ActivityCustomEntityQuery resource produces the following output properties:

CreatedTimeUtc string

The time the activity was created

Id string

The provider-assigned unique ID for this managed resource.

LastModifiedTimeUtc string

The last time the activity was updated

Name string

Azure resource name

SystemData Pulumi.AzureNative.SecurityInsights.Outputs.SystemDataResponse

Azure Resource Manager metadata containing createdBy and modifiedBy information.

Type string

Azure resource type

Etag string

Etag of the azure resource

CreatedTimeUtc string

The time the activity was created

Id string

The provider-assigned unique ID for this managed resource.

LastModifiedTimeUtc string

The last time the activity was updated

Name string

Azure resource name

SystemData SystemDataResponse

Azure Resource Manager metadata containing createdBy and modifiedBy information.

Type string

Azure resource type

Etag string

Etag of the azure resource

createdTimeUtc String

The time the activity was created

id String

The provider-assigned unique ID for this managed resource.

lastModifiedTimeUtc String

The last time the activity was updated

name String

Azure resource name

systemData SystemDataResponse

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type String

Azure resource type

etag String

Etag of the azure resource

createdTimeUtc string

The time the activity was created

id string

The provider-assigned unique ID for this managed resource.

lastModifiedTimeUtc string

The last time the activity was updated

name string

Azure resource name

systemData SystemDataResponse

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type string

Azure resource type

etag string

Etag of the azure resource

created_time_utc str

The time the activity was created

id str

The provider-assigned unique ID for this managed resource.

last_modified_time_utc str

The last time the activity was updated

name str

Azure resource name

system_data SystemDataResponse

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type str

Azure resource type

etag str

Etag of the azure resource

createdTimeUtc String

The time the activity was created

id String

The provider-assigned unique ID for this managed resource.

lastModifiedTimeUtc String

The last time the activity was updated

name String

Azure resource name

systemData Property Map

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type String

Azure resource type

etag String

Etag of the azure resource

Supporting Types

ActivityEntityQueriesPropertiesQueryDefinitions

Query string

The Activity query to run on a given entity

Query string

The Activity query to run on a given entity

query String

The Activity query to run on a given entity

query string

The Activity query to run on a given entity

query str

The Activity query to run on a given entity

query String

The Activity query to run on a given entity

ActivityEntityQueriesPropertiesResponseQueryDefinitions

Query string

The Activity query to run on a given entity

Query string

The Activity query to run on a given entity

query String

The Activity query to run on a given entity

query string

The Activity query to run on a given entity

query str

The Activity query to run on a given entity

query String

The Activity query to run on a given entity

EntityType

Account
Account

Entity represents account in the system.

Host
Host

Entity represents host in the system.

File
File

Entity represents file in the system.

AzureResource
AzureResource

Entity represents azure resource in the system.

CloudApplication
CloudApplication

Entity represents cloud application in the system.

DNS
DNS

Entity represents dns in the system.

FileHash
FileHash

Entity represents file hash in the system.

IP
IP

Entity represents ip in the system.

Malware
Malware

Entity represents malware in the system.

Process
Process

Entity represents process in the system.

RegistryKey
RegistryKey

Entity represents registry key in the system.

RegistryValue
RegistryValue

Entity represents registry value in the system.

SecurityGroup
SecurityGroup

Entity represents security group in the system.

URL
URL

Entity represents url in the system.

IoTDevice
IoTDevice

Entity represents IoT device in the system.

SecurityAlert
SecurityAlert

Entity represents security alert in the system.

HuntingBookmark
HuntingBookmark

Entity represents HuntingBookmark in the system.

MailCluster
MailCluster

Entity represents mail cluster in the system.

MailMessage
MailMessage

Entity represents mail message in the system.

Mailbox
Mailbox

Entity represents mailbox in the system.

SubmissionMail
SubmissionMail

Entity represents submission mail in the system.

EntityTypeAccount
Account

Entity represents account in the system.

EntityTypeHost
Host

Entity represents host in the system.

EntityTypeFile
File

Entity represents file in the system.

EntityTypeAzureResource
AzureResource

Entity represents azure resource in the system.

EntityTypeCloudApplication
CloudApplication

Entity represents cloud application in the system.

EntityTypeDNS
DNS

Entity represents dns in the system.

EntityTypeFileHash
FileHash

Entity represents file hash in the system.

EntityTypeIP
IP

Entity represents ip in the system.

EntityTypeMalware
Malware

Entity represents malware in the system.

EntityTypeProcess
Process

Entity represents process in the system.

EntityTypeRegistryKey
RegistryKey

Entity represents registry key in the system.

EntityTypeRegistryValue
RegistryValue

Entity represents registry value in the system.

EntityTypeSecurityGroup
SecurityGroup

Entity represents security group in the system.

EntityTypeURL
URL

Entity represents url in the system.

EntityTypeIoTDevice
IoTDevice

Entity represents IoT device in the system.

EntityTypeSecurityAlert
SecurityAlert

Entity represents security alert in the system.

EntityTypeHuntingBookmark
HuntingBookmark

Entity represents HuntingBookmark in the system.

EntityTypeMailCluster
MailCluster

Entity represents mail cluster in the system.

EntityTypeMailMessage
MailMessage

Entity represents mail message in the system.

EntityTypeMailbox
Mailbox

Entity represents mailbox in the system.

EntityTypeSubmissionMail
SubmissionMail

Entity represents submission mail in the system.

Account
Account

Entity represents account in the system.

Host
Host

Entity represents host in the system.

File
File

Entity represents file in the system.

AzureResource
AzureResource

Entity represents azure resource in the system.

CloudApplication
CloudApplication

Entity represents cloud application in the system.

DNS
DNS

Entity represents dns in the system.

FileHash
FileHash

Entity represents file hash in the system.

IP
IP

Entity represents ip in the system.

Malware
Malware

Entity represents malware in the system.

Process
Process

Entity represents process in the system.

RegistryKey
RegistryKey

Entity represents registry key in the system.

RegistryValue
RegistryValue

Entity represents registry value in the system.

SecurityGroup
SecurityGroup

Entity represents security group in the system.

URL
URL

Entity represents url in the system.

IoTDevice
IoTDevice

Entity represents IoT device in the system.

SecurityAlert
SecurityAlert

Entity represents security alert in the system.

HuntingBookmark
HuntingBookmark

Entity represents HuntingBookmark in the system.

MailCluster
MailCluster

Entity represents mail cluster in the system.

MailMessage
MailMessage

Entity represents mail message in the system.

Mailbox
Mailbox

Entity represents mailbox in the system.

SubmissionMail
SubmissionMail

Entity represents submission mail in the system.

Account
Account

Entity represents account in the system.

Host
Host

Entity represents host in the system.

File
File

Entity represents file in the system.

AzureResource
AzureResource

Entity represents azure resource in the system.

CloudApplication
CloudApplication

Entity represents cloud application in the system.

DNS
DNS

Entity represents dns in the system.

FileHash
FileHash

Entity represents file hash in the system.

IP
IP

Entity represents ip in the system.

Malware
Malware

Entity represents malware in the system.

Process
Process

Entity represents process in the system.

RegistryKey
RegistryKey

Entity represents registry key in the system.

RegistryValue
RegistryValue

Entity represents registry value in the system.

SecurityGroup
SecurityGroup

Entity represents security group in the system.

URL
URL

Entity represents url in the system.

IoTDevice
IoTDevice

Entity represents IoT device in the system.

SecurityAlert
SecurityAlert

Entity represents security alert in the system.

HuntingBookmark
HuntingBookmark

Entity represents HuntingBookmark in the system.

MailCluster
MailCluster

Entity represents mail cluster in the system.

MailMessage
MailMessage

Entity represents mail message in the system.

Mailbox
Mailbox

Entity represents mailbox in the system.

SubmissionMail
SubmissionMail

Entity represents submission mail in the system.

ACCOUNT
Account

Entity represents account in the system.

HOST
Host

Entity represents host in the system.

FILE
File

Entity represents file in the system.

AZURE_RESOURCE
AzureResource

Entity represents azure resource in the system.

CLOUD_APPLICATION
CloudApplication

Entity represents cloud application in the system.

DNS
DNS

Entity represents dns in the system.

FILE_HASH
FileHash

Entity represents file hash in the system.

IP
IP

Entity represents ip in the system.

MALWARE
Malware

Entity represents malware in the system.

PROCESS
Process

Entity represents process in the system.

REGISTRY_KEY
RegistryKey

Entity represents registry key in the system.

REGISTRY_VALUE
RegistryValue

Entity represents registry value in the system.

SECURITY_GROUP
SecurityGroup

Entity represents security group in the system.

URL
URL

Entity represents url in the system.

IO_T_DEVICE
IoTDevice

Entity represents IoT device in the system.

SECURITY_ALERT
SecurityAlert

Entity represents security alert in the system.

HUNTING_BOOKMARK
HuntingBookmark

Entity represents HuntingBookmark in the system.

MAIL_CLUSTER
MailCluster

Entity represents mail cluster in the system.

MAIL_MESSAGE
MailMessage

Entity represents mail message in the system.

MAILBOX
Mailbox

Entity represents mailbox in the system.

SUBMISSION_MAIL
SubmissionMail

Entity represents submission mail in the system.

"Account"
Account

Entity represents account in the system.

"Host"
Host

Entity represents host in the system.

"File"
File

Entity represents file in the system.

"AzureResource"
AzureResource

Entity represents azure resource in the system.

"CloudApplication"
CloudApplication

Entity represents cloud application in the system.

"DNS"
DNS

Entity represents dns in the system.

"FileHash"
FileHash

Entity represents file hash in the system.

"IP"
IP

Entity represents ip in the system.

"Malware"
Malware

Entity represents malware in the system.

"Process"
Process

Entity represents process in the system.

"RegistryKey"
RegistryKey

Entity represents registry key in the system.

"RegistryValue"
RegistryValue

Entity represents registry value in the system.

"SecurityGroup"
SecurityGroup

Entity represents security group in the system.

"URL"
URL

Entity represents url in the system.

"IoTDevice"
IoTDevice

Entity represents IoT device in the system.

"SecurityAlert"
SecurityAlert

Entity represents security alert in the system.

"HuntingBookmark"
HuntingBookmark

Entity represents HuntingBookmark in the system.

"MailCluster"
MailCluster

Entity represents mail cluster in the system.

"MailMessage"
MailMessage

Entity represents mail message in the system.

"Mailbox"
Mailbox

Entity represents mailbox in the system.

"SubmissionMail"
SubmissionMail

Entity represents submission mail in the system.

SystemDataResponse

CreatedAt string

The timestamp of resource creation (UTC).

CreatedBy string

The identity that created the resource.

CreatedByType string

The type of identity that created the resource.

LastModifiedAt string

The timestamp of resource last modification (UTC)

LastModifiedBy string

The identity that last modified the resource.

LastModifiedByType string

The type of identity that last modified the resource.

CreatedAt string

The timestamp of resource creation (UTC).

CreatedBy string

The identity that created the resource.

CreatedByType string

The type of identity that created the resource.

LastModifiedAt string

The timestamp of resource last modification (UTC)

LastModifiedBy string

The identity that last modified the resource.

LastModifiedByType string

The type of identity that last modified the resource.

createdAt String

The timestamp of resource creation (UTC).

createdBy String

The identity that created the resource.

createdByType String

The type of identity that created the resource.

lastModifiedAt String

The timestamp of resource last modification (UTC)

lastModifiedBy String

The identity that last modified the resource.

lastModifiedByType String

The type of identity that last modified the resource.

createdAt string

The timestamp of resource creation (UTC).

createdBy string

The identity that created the resource.

createdByType string

The type of identity that created the resource.

lastModifiedAt string

The timestamp of resource last modification (UTC)

lastModifiedBy string

The identity that last modified the resource.

lastModifiedByType string

The type of identity that last modified the resource.

created_at str

The timestamp of resource creation (UTC).

created_by str

The identity that created the resource.

created_by_type str

The type of identity that created the resource.

last_modified_at str

The timestamp of resource last modification (UTC)

last_modified_by str

The identity that last modified the resource.

last_modified_by_type str

The type of identity that last modified the resource.

createdAt String

The timestamp of resource creation (UTC).

createdBy String

The identity that created the resource.

createdByType String

The type of identity that created the resource.

lastModifiedAt String

The timestamp of resource last modification (UTC)

lastModifiedBy String

The identity that last modified the resource.

lastModifiedByType String

The type of identity that last modified the resource.

Import

An existing resource can be imported using its type token, name, and identifier, e.g.

$ pulumi import azure-native:securityinsights:ActivityCustomEntityQuery 07da3cc8-c8ad-4710-a44e-334cdcb7882b /subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b 

Package Details

Repository
Azure Native pulumi/pulumi-azure-native
License
Apache-2.0