1. Packages
  2. Azure Native
  3. API Docs
  4. securityinsights
  5. ActivityCustomEntityQuery
This is the latest version of Azure Native. Use the Azure Native v1 docs if using the v1 version of this package.
Azure Native v2.29.0 published on Friday, Feb 16, 2024 by Pulumi

azure-native.securityinsights.ActivityCustomEntityQuery

Explore with Pulumi AI

azure-native logo
This is the latest version of Azure Native. Use the Azure Native v1 docs if using the v1 version of this package.
Azure Native v2.29.0 published on Friday, Feb 16, 2024 by Pulumi

    Represents Activity entity query. Azure REST API version: 2023-06-01-preview. Prior API version in Azure Native 1.x: 2021-03-01-preview.

    Example Usage

    Creates or updates an Activity entity query.

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using AzureNative = Pulumi.AzureNative;
    
    return await Deployment.RunAsync(() => 
    {
        var activityCustomEntityQuery = new AzureNative.SecurityInsights.ActivityCustomEntityQuery("activityCustomEntityQuery", new()
        {
            Content = "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
            Description = "Account deleted on host",
            Enabled = true,
            EntitiesFilter = 
            {
                { "Host_OsFamily", new[]
                {
                    "Windows",
                } },
            },
            EntityQueryId = "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
            InputEntityType = "Host",
            Kind = "Activity",
            QueryDefinitions = new AzureNative.SecurityInsights.Inputs.ActivityEntityQueriesPropertiesQueryDefinitionsArgs
            {
                Query = @"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
    SecurityEvent
    | where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
    // parsing for Host to handle variety of conventions coming from data
    | extend Host_HostName = case(
    Computer has '@', tostring(split(Computer, '@')[0]),
    Computer has '\\', tostring(split(Computer, '\\')[1]),
    Computer has '.', tostring(split(Computer, '.')[0]),
    Computer
    )
    | extend Host_NTDomain = case(
    Computer has '\\', tostring(split(Computer, '\\')[0]), 
    Computer has '.', tostring(split(Computer, '.')[-2]), 
    Computer
    )
    | extend Host_DnsDomain = case(
    Computer has '\\', tostring(split(Computer, '\\')[0]), 
    Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
    Computer
    )
    | where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
    or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
    or v_Host_AzureID =~ _ResourceId 
    or v_Host_OMSAgentID == SourceComputerId
    | project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
    | extend AddedBy = SubjectUserName
    // Future support for Activities
    | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
    };
    GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
     
    | where EventID == 4726 ",
            },
            RequiredInputFieldsSets = new[]
            {
                new[]
                {
                    "Host_HostName",
                    "Host_NTDomain",
                },
                new[]
                {
                    "Host_HostName",
                    "Host_DnsDomain",
                },
                new[]
                {
                    "Host_AzureID",
                },
                new[]
                {
                    "Host_OMSAgentID",
                },
            },
            ResourceGroupName = "myRg",
            Title = "An account was deleted on this host",
            WorkspaceName = "myWorkspace",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v2"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := securityinsights.NewActivityCustomEntityQuery(ctx, "activityCustomEntityQuery", &securityinsights.ActivityCustomEntityQueryArgs{
    			Content:     pulumi.String("On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'"),
    			Description: pulumi.String("Account deleted on host"),
    			Enabled:     pulumi.Bool(true),
    			EntitiesFilter: pulumi.StringArrayMap{
    				"Host_OsFamily": pulumi.StringArray{
    					pulumi.String("Windows"),
    				},
    			},
    			EntityQueryId:   pulumi.String("07da3cc8-c8ad-4710-a44e-334cdcb7882b"),
    			InputEntityType: pulumi.String("Host"),
    			Kind:            pulumi.String("Activity"),
    			QueryDefinitions: &securityinsights.ActivityEntityQueriesPropertiesQueryDefinitionsArgs{
    				Query: pulumi.String(`let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
    SecurityEvent
    | where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
    // parsing for Host to handle variety of conventions coming from data
    | extend Host_HostName = case(
    Computer has '@', tostring(split(Computer, '@')[0]),
    Computer has '\\', tostring(split(Computer, '\\')[1]),
    Computer has '.', tostring(split(Computer, '.')[0]),
    Computer
    )
    | extend Host_NTDomain = case(
    Computer has '\\', tostring(split(Computer, '\\')[0]), 
    Computer has '.', tostring(split(Computer, '.')[-2]), 
    Computer
    )
    | extend Host_DnsDomain = case(
    Computer has '\\', tostring(split(Computer, '\\')[0]), 
    Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
    Computer
    )
    | where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
    or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
    or v_Host_AzureID =~ _ResourceId 
    or v_Host_OMSAgentID == SourceComputerId
    | project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
    | extend AddedBy = SubjectUserName
    // Future support for Activities
    | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
    };
    GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
     
    | where EventID == 4726 `),
    			},
    			RequiredInputFieldsSets: pulumi.StringArrayArray{
    				pulumi.StringArray{
    					pulumi.String("Host_HostName"),
    					pulumi.String("Host_NTDomain"),
    				},
    				pulumi.StringArray{
    					pulumi.String("Host_HostName"),
    					pulumi.String("Host_DnsDomain"),
    				},
    				pulumi.StringArray{
    					pulumi.String("Host_AzureID"),
    				},
    				pulumi.StringArray{
    					pulumi.String("Host_OMSAgentID"),
    				},
    			},
    			ResourceGroupName: pulumi.String("myRg"),
    			Title:             pulumi.String("An account was deleted on this host"),
    			WorkspaceName:     pulumi.String("myWorkspace"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azurenative.securityinsights.ActivityCustomEntityQuery;
    import com.pulumi.azurenative.securityinsights.ActivityCustomEntityQueryArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var activityCustomEntityQuery = new ActivityCustomEntityQuery("activityCustomEntityQuery", ActivityCustomEntityQueryArgs.builder()        
                .content("On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'")
                .description("Account deleted on host")
                .enabled(true)
                .entitiesFilter(Map.of("Host_OsFamily", "Windows"))
                .entityQueryId("07da3cc8-c8ad-4710-a44e-334cdcb7882b")
                .inputEntityType("Host")
                .kind("Activity")
                .queryDefinitions(Map.of("query", """
    let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
    SecurityEvent
    | where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
    // parsing for Host to handle variety of conventions coming from data
    | extend Host_HostName = case(
    Computer has '@', tostring(split(Computer, '@')[0]),
    Computer has '\\', tostring(split(Computer, '\\')[1]),
    Computer has '.', tostring(split(Computer, '.')[0]),
    Computer
    )
    | extend Host_NTDomain = case(
    Computer has '\\', tostring(split(Computer, '\\')[0]), 
    Computer has '.', tostring(split(Computer, '.')[-2]), 
    Computer
    )
    | extend Host_DnsDomain = case(
    Computer has '\\', tostring(split(Computer, '\\')[0]), 
    Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
    Computer
    )
    | where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
    or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
    or v_Host_AzureID =~ _ResourceId 
    or v_Host_OMSAgentID == SourceComputerId
    | project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
    | extend AddedBy = SubjectUserName
    // Future support for Activities
    | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
    };
    GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
     
    | where EventID == 4726             """))
                .requiredInputFieldsSets(            
                                    
                        "Host_HostName",
                        "Host_NTDomain",
                                    
                        "Host_HostName",
                        "Host_DnsDomain",
                    "Host_AzureID",
                    "Host_OMSAgentID")
                .resourceGroupName("myRg")
                .title("An account was deleted on this host")
                .workspaceName("myWorkspace")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_azure_native as azure_native
    
    activity_custom_entity_query = azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQuery",
        content="On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
        description="Account deleted on host",
        enabled=True,
        entities_filter={
            "Host_OsFamily": ["Windows"],
        },
        entity_query_id="07da3cc8-c8ad-4710-a44e-334cdcb7882b",
        input_entity_type="Host",
        kind="Activity",
        query_definitions=azure_native.securityinsights.ActivityEntityQueriesPropertiesQueryDefinitionsArgs(
            query="""let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
    SecurityEvent
    | where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
    // parsing for Host to handle variety of conventions coming from data
    | extend Host_HostName = case(
    Computer has '@', tostring(split(Computer, '@')[0]),
    Computer has '\\', tostring(split(Computer, '\\')[1]),
    Computer has '.', tostring(split(Computer, '.')[0]),
    Computer
    )
    | extend Host_NTDomain = case(
    Computer has '\\', tostring(split(Computer, '\\')[0]), 
    Computer has '.', tostring(split(Computer, '.')[-2]), 
    Computer
    )
    | extend Host_DnsDomain = case(
    Computer has '\\', tostring(split(Computer, '\\')[0]), 
    Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
    Computer
    )
    | where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
    or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
    or v_Host_AzureID =~ _ResourceId 
    or v_Host_OMSAgentID == SourceComputerId
    | project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
    | extend AddedBy = SubjectUserName
    // Future support for Activities
    | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
    };
    GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
     
    | where EventID == 4726 """,
        ),
        required_input_fields_sets=[
            [
                "Host_HostName",
                "Host_NTDomain",
            ],
            [
                "Host_HostName",
                "Host_DnsDomain",
            ],
            ["Host_AzureID"],
            ["Host_OMSAgentID"],
        ],
        resource_group_name="myRg",
        title="An account was deleted on this host",
        workspace_name="myWorkspace")
    
    import * as pulumi from "@pulumi/pulumi";
    import * as azure_native from "@pulumi/azure-native";
    
    const activityCustomEntityQuery = new azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQuery", {
        content: "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
        description: "Account deleted on host",
        enabled: true,
        entitiesFilter: {
            Host_OsFamily: ["Windows"],
        },
        entityQueryId: "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
        inputEntityType: "Host",
        kind: "Activity",
        queryDefinitions: {
            query: `let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
    SecurityEvent
    | where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
    // parsing for Host to handle variety of conventions coming from data
    | extend Host_HostName = case(
    Computer has '@', tostring(split(Computer, '@')[0]),
    Computer has '\\\\', tostring(split(Computer, '\\\\')[1]),
    Computer has '.', tostring(split(Computer, '.')[0]),
    Computer
    )
    | extend Host_NTDomain = case(
    Computer has '\\\\', tostring(split(Computer, '\\\\')[0]), 
    Computer has '.', tostring(split(Computer, '.')[-2]), 
    Computer
    )
    | extend Host_DnsDomain = case(
    Computer has '\\\\', tostring(split(Computer, '\\\\')[0]), 
    Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
    Computer
    )
    | where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
    or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
    or v_Host_AzureID =~ _ResourceId 
    or v_Host_OMSAgentID == SourceComputerId
    | project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
    | extend AddedBy = SubjectUserName
    // Future support for Activities
    | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
    };
    GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
     
    | where EventID == 4726 `,
        },
        requiredInputFieldsSets: [
            [
                "Host_HostName",
                "Host_NTDomain",
            ],
            [
                "Host_HostName",
                "Host_DnsDomain",
            ],
            ["Host_AzureID"],
            ["Host_OMSAgentID"],
        ],
        resourceGroupName: "myRg",
        title: "An account was deleted on this host",
        workspaceName: "myWorkspace",
    });
    
    resources:
      activityCustomEntityQuery:
        type: azure-native:securityinsights:ActivityCustomEntityQuery
        properties:
          content: On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'
          description: Account deleted on host
          enabled: true
          entitiesFilter:
            Host_OsFamily:
              - Windows
          entityQueryId: 07da3cc8-c8ad-4710-a44e-334cdcb7882b
          inputEntityType: Host
          kind: Activity
          queryDefinitions:
            query: "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 "
          requiredInputFieldsSets:
            - - Host_HostName
              - Host_NTDomain
            - - Host_HostName
              - Host_DnsDomain
            - - Host_AzureID
            - - Host_OMSAgentID
          resourceGroupName: myRg
          title: An account was deleted on this host
          workspaceName: myWorkspace
    

    Create ActivityCustomEntityQuery Resource

    new ActivityCustomEntityQuery(name: string, args: ActivityCustomEntityQueryArgs, opts?: CustomResourceOptions);
    @overload
    def ActivityCustomEntityQuery(resource_name: str,
                                  opts: Optional[ResourceOptions] = None,
                                  content: Optional[str] = None,
                                  description: Optional[str] = None,
                                  enabled: Optional[bool] = None,
                                  entities_filter: Optional[Mapping[str, Sequence[str]]] = None,
                                  entity_query_id: Optional[str] = None,
                                  input_entity_type: Optional[Union[str, EntityType]] = None,
                                  query_definitions: Optional[ActivityEntityQueriesPropertiesQueryDefinitionsArgs] = None,
                                  required_input_fields_sets: Optional[Sequence[Sequence[str]]] = None,
                                  resource_group_name: Optional[str] = None,
                                  template_name: Optional[str] = None,
                                  title: Optional[str] = None,
                                  workspace_name: Optional[str] = None)
    @overload
    def ActivityCustomEntityQuery(resource_name: str,
                                  args: ActivityCustomEntityQueryArgs,
                                  opts: Optional[ResourceOptions] = None)
    func NewActivityCustomEntityQuery(ctx *Context, name string, args ActivityCustomEntityQueryArgs, opts ...ResourceOption) (*ActivityCustomEntityQuery, error)
    public ActivityCustomEntityQuery(string name, ActivityCustomEntityQueryArgs args, CustomResourceOptions? opts = null)
    public ActivityCustomEntityQuery(String name, ActivityCustomEntityQueryArgs args)
    public ActivityCustomEntityQuery(String name, ActivityCustomEntityQueryArgs args, CustomResourceOptions options)
    
    type: azure-native:securityinsights:ActivityCustomEntityQuery
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args ActivityCustomEntityQueryArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ActivityCustomEntityQueryArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ActivityCustomEntityQueryArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ActivityCustomEntityQueryArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ActivityCustomEntityQueryArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    ActivityCustomEntityQuery Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The ActivityCustomEntityQuery resource accepts the following input properties:

    ResourceGroupName string
    The name of the resource group. The name is case insensitive.
    WorkspaceName string
    The name of the workspace.
    Content string
    The entity query content to display in timeline
    Description string
    The entity query description
    Enabled bool
    Determines whether this activity is enabled or disabled.
    EntitiesFilter Dictionary<string, ImmutableArray<string>>
    The query applied only to entities matching to all filters
    EntityQueryId string
    entity query ID
    InputEntityType string | Pulumi.AzureNative.SecurityInsights.EntityType
    The type of the query's source entity
    QueryDefinitions Pulumi.AzureNative.SecurityInsights.Inputs.ActivityEntityQueriesPropertiesQueryDefinitions
    The Activity query definitions
    RequiredInputFieldsSets List<ImmutableArray<string>>
    List of the fields of the source entity that are required to run the query
    TemplateName string
    The template id this activity was created from
    Title string
    The entity query title
    ResourceGroupName string
    The name of the resource group. The name is case insensitive.
    WorkspaceName string
    The name of the workspace.
    Content string
    The entity query content to display in timeline
    Description string
    The entity query description
    Enabled bool
    Determines whether this activity is enabled or disabled.
    EntitiesFilter map[string][]string
    The query applied only to entities matching to all filters
    EntityQueryId string
    entity query ID
    InputEntityType string | EntityType
    The type of the query's source entity
    QueryDefinitions ActivityEntityQueriesPropertiesQueryDefinitionsArgs
    The Activity query definitions
    RequiredInputFieldsSets [][]string
    List of the fields of the source entity that are required to run the query
    TemplateName string
    The template id this activity was created from
    Title string
    The entity query title
    resourceGroupName String
    The name of the resource group. The name is case insensitive.
    workspaceName String
    The name of the workspace.
    content String
    The entity query content to display in timeline
    description String
    The entity query description
    enabled Boolean
    Determines whether this activity is enabled or disabled.
    entitiesFilter Map<String,List<String>>
    The query applied only to entities matching to all filters
    entityQueryId String
    entity query ID
    inputEntityType String | EntityType
    The type of the query's source entity
    queryDefinitions ActivityEntityQueriesPropertiesQueryDefinitions
    The Activity query definitions
    requiredInputFieldsSets List<List<String>>
    List of the fields of the source entity that are required to run the query
    templateName String
    The template id this activity was created from
    title String
    The entity query title
    resourceGroupName string
    The name of the resource group. The name is case insensitive.
    workspaceName string
    The name of the workspace.
    content string
    The entity query content to display in timeline
    description string
    The entity query description
    enabled boolean
    Determines whether this activity is enabled or disabled.
    entitiesFilter {[key: string]: string[]}
    The query applied only to entities matching to all filters
    entityQueryId string
    entity query ID
    inputEntityType string | EntityType
    The type of the query's source entity
    queryDefinitions ActivityEntityQueriesPropertiesQueryDefinitions
    The Activity query definitions
    requiredInputFieldsSets string[][]
    List of the fields of the source entity that are required to run the query
    templateName string
    The template id this activity was created from
    title string
    The entity query title
    resource_group_name str
    The name of the resource group. The name is case insensitive.
    workspace_name str
    The name of the workspace.
    content str
    The entity query content to display in timeline
    description str
    The entity query description
    enabled bool
    Determines whether this activity is enabled or disabled.
    entities_filter Mapping[str, Sequence[str]]
    The query applied only to entities matching to all filters
    entity_query_id str
    entity query ID
    input_entity_type str | EntityType
    The type of the query's source entity
    query_definitions ActivityEntityQueriesPropertiesQueryDefinitionsArgs
    The Activity query definitions
    required_input_fields_sets Sequence[Sequence[str]]
    List of the fields of the source entity that are required to run the query
    template_name str
    The template id this activity was created from
    title str
    The entity query title
    resourceGroupName String
    The name of the resource group. The name is case insensitive.
    workspaceName String
    The name of the workspace.
    content String
    The entity query content to display in timeline
    description String
    The entity query description
    enabled Boolean
    Determines whether this activity is enabled or disabled.
    entitiesFilter Map<List<String>>
    The query applied only to entities matching to all filters
    entityQueryId String
    entity query ID
    inputEntityType String | "Account" | "Host" | "File" | "AzureResource" | "CloudApplication" | "DNS" | "FileHash" | "IP" | "Malware" | "Process" | "RegistryKey" | "RegistryValue" | "SecurityGroup" | "URL" | "IoTDevice" | "SecurityAlert" | "HuntingBookmark" | "MailCluster" | "MailMessage" | "Mailbox" | "SubmissionMail" | "Nic"
    The type of the query's source entity
    queryDefinitions Property Map
    The Activity query definitions
    requiredInputFieldsSets List<List<String>>
    List of the fields of the source entity that are required to run the query
    templateName String
    The template id this activity was created from
    title String
    The entity query title

    Outputs

    All input properties are implicitly available as output properties. Additionally, the ActivityCustomEntityQuery resource produces the following output properties:

    CreatedTimeUtc string
    The time the activity was created
    Id string
    The provider-assigned unique ID for this managed resource.
    LastModifiedTimeUtc string
    The last time the activity was updated
    Name string
    The name of the resource
    SystemData Pulumi.AzureNative.SecurityInsights.Outputs.SystemDataResponse
    Azure Resource Manager metadata containing createdBy and modifiedBy information.
    Type string
    The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
    Etag string
    Etag of the azure resource
    CreatedTimeUtc string
    The time the activity was created
    Id string
    The provider-assigned unique ID for this managed resource.
    LastModifiedTimeUtc string
    The last time the activity was updated
    Name string
    The name of the resource
    SystemData SystemDataResponse
    Azure Resource Manager metadata containing createdBy and modifiedBy information.
    Type string
    The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
    Etag string
    Etag of the azure resource
    createdTimeUtc String
    The time the activity was created
    id String
    The provider-assigned unique ID for this managed resource.
    lastModifiedTimeUtc String
    The last time the activity was updated
    name String
    The name of the resource
    systemData SystemDataResponse
    Azure Resource Manager metadata containing createdBy and modifiedBy information.
    type String
    The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
    etag String
    Etag of the azure resource
    createdTimeUtc string
    The time the activity was created
    id string
    The provider-assigned unique ID for this managed resource.
    lastModifiedTimeUtc string
    The last time the activity was updated
    name string
    The name of the resource
    systemData SystemDataResponse
    Azure Resource Manager metadata containing createdBy and modifiedBy information.
    type string
    The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
    etag string
    Etag of the azure resource
    created_time_utc str
    The time the activity was created
    id str
    The provider-assigned unique ID for this managed resource.
    last_modified_time_utc str
    The last time the activity was updated
    name str
    The name of the resource
    system_data SystemDataResponse
    Azure Resource Manager metadata containing createdBy and modifiedBy information.
    type str
    The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
    etag str
    Etag of the azure resource
    createdTimeUtc String
    The time the activity was created
    id String
    The provider-assigned unique ID for this managed resource.
    lastModifiedTimeUtc String
    The last time the activity was updated
    name String
    The name of the resource
    systemData Property Map
    Azure Resource Manager metadata containing createdBy and modifiedBy information.
    type String
    The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
    etag String
    Etag of the azure resource

    Supporting Types

    ActivityEntityQueriesPropertiesQueryDefinitions, ActivityEntityQueriesPropertiesQueryDefinitionsArgs

    Query string
    The Activity query to run on a given entity
    Query string
    The Activity query to run on a given entity
    query String
    The Activity query to run on a given entity
    query string
    The Activity query to run on a given entity
    query str
    The Activity query to run on a given entity
    query String
    The Activity query to run on a given entity

    ActivityEntityQueriesPropertiesResponseQueryDefinitions, ActivityEntityQueriesPropertiesResponseQueryDefinitionsArgs

    Query string
    The Activity query to run on a given entity
    Query string
    The Activity query to run on a given entity
    query String
    The Activity query to run on a given entity
    query string
    The Activity query to run on a given entity
    query str
    The Activity query to run on a given entity
    query String
    The Activity query to run on a given entity

    EntityType, EntityTypeArgs

    Account
    AccountEntity represents account in the system.
    Host
    HostEntity represents host in the system.
    File
    FileEntity represents file in the system.
    AzureResource
    AzureResourceEntity represents azure resource in the system.
    CloudApplication
    CloudApplicationEntity represents cloud application in the system.
    DNS
    DNSEntity represents dns in the system.
    FileHash
    FileHashEntity represents file hash in the system.
    IP
    IPEntity represents ip in the system.
    Malware
    MalwareEntity represents malware in the system.
    Process
    ProcessEntity represents process in the system.
    RegistryKey
    RegistryKeyEntity represents registry key in the system.
    RegistryValue
    RegistryValueEntity represents registry value in the system.
    SecurityGroup
    SecurityGroupEntity represents security group in the system.
    URL
    URLEntity represents url in the system.
    IoTDevice
    IoTDeviceEntity represents IoT device in the system.
    SecurityAlert
    SecurityAlertEntity represents security alert in the system.
    HuntingBookmark
    HuntingBookmarkEntity represents HuntingBookmark in the system.
    MailCluster
    MailClusterEntity represents mail cluster in the system.
    MailMessage
    MailMessageEntity represents mail message in the system.
    Mailbox
    MailboxEntity represents mailbox in the system.
    SubmissionMail
    SubmissionMailEntity represents submission mail in the system.
    Nic
    NicEntity represents network interface in the system.
    EntityTypeAccount
    AccountEntity represents account in the system.
    EntityTypeHost
    HostEntity represents host in the system.
    EntityTypeFile
    FileEntity represents file in the system.
    EntityTypeAzureResource
    AzureResourceEntity represents azure resource in the system.
    EntityTypeCloudApplication
    CloudApplicationEntity represents cloud application in the system.
    EntityTypeDNS
    DNSEntity represents dns in the system.
    EntityTypeFileHash
    FileHashEntity represents file hash in the system.
    EntityTypeIP
    IPEntity represents ip in the system.
    EntityTypeMalware
    MalwareEntity represents malware in the system.
    EntityTypeProcess
    ProcessEntity represents process in the system.
    EntityTypeRegistryKey
    RegistryKeyEntity represents registry key in the system.
    EntityTypeRegistryValue
    RegistryValueEntity represents registry value in the system.
    EntityTypeSecurityGroup
    SecurityGroupEntity represents security group in the system.
    EntityTypeURL
    URLEntity represents url in the system.
    EntityTypeIoTDevice
    IoTDeviceEntity represents IoT device in the system.
    EntityTypeSecurityAlert
    SecurityAlertEntity represents security alert in the system.
    EntityTypeHuntingBookmark
    HuntingBookmarkEntity represents HuntingBookmark in the system.
    EntityTypeMailCluster
    MailClusterEntity represents mail cluster in the system.
    EntityTypeMailMessage
    MailMessageEntity represents mail message in the system.
    EntityTypeMailbox
    MailboxEntity represents mailbox in the system.
    EntityTypeSubmissionMail
    SubmissionMailEntity represents submission mail in the system.
    EntityTypeNic
    NicEntity represents network interface in the system.
    Account
    AccountEntity represents account in the system.
    Host
    HostEntity represents host in the system.
    File
    FileEntity represents file in the system.
    AzureResource
    AzureResourceEntity represents azure resource in the system.
    CloudApplication
    CloudApplicationEntity represents cloud application in the system.
    DNS
    DNSEntity represents dns in the system.
    FileHash
    FileHashEntity represents file hash in the system.
    IP
    IPEntity represents ip in the system.
    Malware
    MalwareEntity represents malware in the system.
    Process
    ProcessEntity represents process in the system.
    RegistryKey
    RegistryKeyEntity represents registry key in the system.
    RegistryValue
    RegistryValueEntity represents registry value in the system.
    SecurityGroup
    SecurityGroupEntity represents security group in the system.
    URL
    URLEntity represents url in the system.
    IoTDevice
    IoTDeviceEntity represents IoT device in the system.
    SecurityAlert
    SecurityAlertEntity represents security alert in the system.
    HuntingBookmark
    HuntingBookmarkEntity represents HuntingBookmark in the system.
    MailCluster
    MailClusterEntity represents mail cluster in the system.
    MailMessage
    MailMessageEntity represents mail message in the system.
    Mailbox
    MailboxEntity represents mailbox in the system.
    SubmissionMail
    SubmissionMailEntity represents submission mail in the system.
    Nic
    NicEntity represents network interface in the system.
    Account
    AccountEntity represents account in the system.
    Host
    HostEntity represents host in the system.
    File
    FileEntity represents file in the system.
    AzureResource
    AzureResourceEntity represents azure resource in the system.
    CloudApplication
    CloudApplicationEntity represents cloud application in the system.
    DNS
    DNSEntity represents dns in the system.
    FileHash
    FileHashEntity represents file hash in the system.
    IP
    IPEntity represents ip in the system.
    Malware
    MalwareEntity represents malware in the system.
    Process
    ProcessEntity represents process in the system.
    RegistryKey
    RegistryKeyEntity represents registry key in the system.
    RegistryValue
    RegistryValueEntity represents registry value in the system.
    SecurityGroup
    SecurityGroupEntity represents security group in the system.
    URL
    URLEntity represents url in the system.
    IoTDevice
    IoTDeviceEntity represents IoT device in the system.
    SecurityAlert
    SecurityAlertEntity represents security alert in the system.
    HuntingBookmark
    HuntingBookmarkEntity represents HuntingBookmark in the system.
    MailCluster
    MailClusterEntity represents mail cluster in the system.
    MailMessage
    MailMessageEntity represents mail message in the system.
    Mailbox
    MailboxEntity represents mailbox in the system.
    SubmissionMail
    SubmissionMailEntity represents submission mail in the system.
    Nic
    NicEntity represents network interface in the system.
    ACCOUNT
    AccountEntity represents account in the system.
    HOST
    HostEntity represents host in the system.
    FILE
    FileEntity represents file in the system.
    AZURE_RESOURCE
    AzureResourceEntity represents azure resource in the system.
    CLOUD_APPLICATION
    CloudApplicationEntity represents cloud application in the system.
    DNS
    DNSEntity represents dns in the system.
    FILE_HASH
    FileHashEntity represents file hash in the system.
    IP
    IPEntity represents ip in the system.
    MALWARE
    MalwareEntity represents malware in the system.
    PROCESS
    ProcessEntity represents process in the system.
    REGISTRY_KEY
    RegistryKeyEntity represents registry key in the system.
    REGISTRY_VALUE
    RegistryValueEntity represents registry value in the system.
    SECURITY_GROUP
    SecurityGroupEntity represents security group in the system.
    URL
    URLEntity represents url in the system.
    IO_T_DEVICE
    IoTDeviceEntity represents IoT device in the system.
    SECURITY_ALERT
    SecurityAlertEntity represents security alert in the system.
    HUNTING_BOOKMARK
    HuntingBookmarkEntity represents HuntingBookmark in the system.
    MAIL_CLUSTER
    MailClusterEntity represents mail cluster in the system.
    MAIL_MESSAGE
    MailMessageEntity represents mail message in the system.
    MAILBOX
    MailboxEntity represents mailbox in the system.
    SUBMISSION_MAIL
    SubmissionMailEntity represents submission mail in the system.
    NIC
    NicEntity represents network interface in the system.
    "Account"
    AccountEntity represents account in the system.
    "Host"
    HostEntity represents host in the system.
    "File"
    FileEntity represents file in the system.
    "AzureResource"
    AzureResourceEntity represents azure resource in the system.
    "CloudApplication"
    CloudApplicationEntity represents cloud application in the system.
    "DNS"
    DNSEntity represents dns in the system.
    "FileHash"
    FileHashEntity represents file hash in the system.
    "IP"
    IPEntity represents ip in the system.
    "Malware"
    MalwareEntity represents malware in the system.
    "Process"
    ProcessEntity represents process in the system.
    "RegistryKey"
    RegistryKeyEntity represents registry key in the system.
    "RegistryValue"
    RegistryValueEntity represents registry value in the system.
    "SecurityGroup"
    SecurityGroupEntity represents security group in the system.
    "URL"
    URLEntity represents url in the system.
    "IoTDevice"
    IoTDeviceEntity represents IoT device in the system.
    "SecurityAlert"
    SecurityAlertEntity represents security alert in the system.
    "HuntingBookmark"
    HuntingBookmarkEntity represents HuntingBookmark in the system.
    "MailCluster"
    MailClusterEntity represents mail cluster in the system.
    "MailMessage"
    MailMessageEntity represents mail message in the system.
    "Mailbox"
    MailboxEntity represents mailbox in the system.
    "SubmissionMail"
    SubmissionMailEntity represents submission mail in the system.
    "Nic"
    NicEntity represents network interface in the system.

    SystemDataResponse, SystemDataResponseArgs

    CreatedAt string
    The timestamp of resource creation (UTC).
    CreatedBy string
    The identity that created the resource.
    CreatedByType string
    The type of identity that created the resource.
    LastModifiedAt string
    The timestamp of resource last modification (UTC)
    LastModifiedBy string
    The identity that last modified the resource.
    LastModifiedByType string
    The type of identity that last modified the resource.
    CreatedAt string
    The timestamp of resource creation (UTC).
    CreatedBy string
    The identity that created the resource.
    CreatedByType string
    The type of identity that created the resource.
    LastModifiedAt string
    The timestamp of resource last modification (UTC)
    LastModifiedBy string
    The identity that last modified the resource.
    LastModifiedByType string
    The type of identity that last modified the resource.
    createdAt String
    The timestamp of resource creation (UTC).
    createdBy String
    The identity that created the resource.
    createdByType String
    The type of identity that created the resource.
    lastModifiedAt String
    The timestamp of resource last modification (UTC)
    lastModifiedBy String
    The identity that last modified the resource.
    lastModifiedByType String
    The type of identity that last modified the resource.
    createdAt string
    The timestamp of resource creation (UTC).
    createdBy string
    The identity that created the resource.
    createdByType string
    The type of identity that created the resource.
    lastModifiedAt string
    The timestamp of resource last modification (UTC)
    lastModifiedBy string
    The identity that last modified the resource.
    lastModifiedByType string
    The type of identity that last modified the resource.
    created_at str
    The timestamp of resource creation (UTC).
    created_by str
    The identity that created the resource.
    created_by_type str
    The type of identity that created the resource.
    last_modified_at str
    The timestamp of resource last modification (UTC)
    last_modified_by str
    The identity that last modified the resource.
    last_modified_by_type str
    The type of identity that last modified the resource.
    createdAt String
    The timestamp of resource creation (UTC).
    createdBy String
    The identity that created the resource.
    createdByType String
    The type of identity that created the resource.
    lastModifiedAt String
    The timestamp of resource last modification (UTC)
    lastModifiedBy String
    The identity that last modified the resource.
    lastModifiedByType String
    The type of identity that last modified the resource.

    Import

    An existing resource can be imported using its type token, name, and identifier, e.g.

    $ pulumi import azure-native:securityinsights:ActivityCustomEntityQuery 07da3cc8-c8ad-4710-a44e-334cdcb7882b /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId} 
    

    Package Details

    Repository
    Azure Native pulumi/pulumi-azure-native
    License
    Apache-2.0
    azure-native logo
    This is the latest version of Azure Native. Use the Azure Native v1 docs if using the v1 version of this package.
    Azure Native v2.29.0 published on Friday, Feb 16, 2024 by Pulumi