azure-native.securityinsights.ActivityCustomEntityQuery
Explore with Pulumi AI
Represents Activity entity query. API Version: 2021-03-01-preview.
Example Usage
Creates or updates an Activity entity query.
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var activityCustomEntityQuery = new AzureNative.SecurityInsights.ActivityCustomEntityQuery("activityCustomEntityQuery", new()
{
Content = "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
Description = "Account deleted on host",
Enabled = true,
EntitiesFilter =
{
{ "Host_OsFamily", new[]
{
"Windows",
} },
},
EntityQueryId = "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
InputEntityType = "Host",
Kind = "Activity",
OperationalInsightsResourceProvider = "Microsoft.OperationalIinsights",
QueryDefinitions = new AzureNative.SecurityInsights.Inputs.ActivityEntityQueriesPropertiesQueryDefinitionsArgs
{
Query = @"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', tostring(split(Computer, '.')[-2]),
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'),
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain)
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain)
or v_Host_AzureID =~ _ResourceId
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
| where EventID == 4726 ",
},
RequiredInputFieldsSets = new[]
{
new[]
{
"Host_HostName",
"Host_NTDomain",
},
new[]
{
"Host_HostName",
"Host_DnsDomain",
},
new[]
{
"Host_AzureID",
},
new[]
{
"Host_OMSAgentID",
},
},
ResourceGroupName = "myRg",
Title = "An account was deleted on this host",
WorkspaceName = "myWorkspace",
});
});
package main
import (
securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securityinsights.NewActivityCustomEntityQuery(ctx, "activityCustomEntityQuery", &securityinsights.ActivityCustomEntityQueryArgs{
Content: pulumi.String("On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'"),
Description: pulumi.String("Account deleted on host"),
Enabled: pulumi.Bool(true),
EntitiesFilter: pulumi.StringArrayMap{
"Host_OsFamily": pulumi.StringArray{
pulumi.String("Windows"),
},
},
EntityQueryId: pulumi.String("07da3cc8-c8ad-4710-a44e-334cdcb7882b"),
InputEntityType: pulumi.String("Host"),
Kind: pulumi.String("Activity"),
OperationalInsightsResourceProvider: pulumi.String("Microsoft.OperationalIinsights"),
QueryDefinitions: &securityinsights.ActivityEntityQueriesPropertiesQueryDefinitionsArgs{
Query: pulumi.String("let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 "),
},
RequiredInputFieldsSets: pulumi.StringArrayArray{
pulumi.StringArray{
pulumi.String("Host_HostName"),
pulumi.String("Host_NTDomain"),
},
pulumi.StringArray{
pulumi.String("Host_HostName"),
pulumi.String("Host_DnsDomain"),
},
pulumi.StringArray{
pulumi.String("Host_AzureID"),
},
pulumi.StringArray{
pulumi.String("Host_OMSAgentID"),
},
},
ResourceGroupName: pulumi.String("myRg"),
Title: pulumi.String("An account was deleted on this host"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.ActivityCustomEntityQuery;
import com.pulumi.azurenative.securityinsights.ActivityCustomEntityQueryArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var activityCustomEntityQuery = new ActivityCustomEntityQuery("activityCustomEntityQuery", ActivityCustomEntityQueryArgs.builder()
.content("On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'")
.description("Account deleted on host")
.enabled(true)
.entitiesFilter(Map.of("Host_OsFamily", "Windows"))
.entityQueryId("07da3cc8-c8ad-4710-a44e-334cdcb7882b")
.inputEntityType("Host")
.kind("Activity")
.operationalInsightsResourceProvider("Microsoft.OperationalIinsights")
.queryDefinitions(Map.of("query", """
let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', tostring(split(Computer, '.')[-2]),
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'),
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain)
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain)
or v_Host_AzureID =~ _ResourceId
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
| where EventID == 4726 """))
.requiredInputFieldsSets(
"Host_HostName",
"Host_NTDomain",
"Host_HostName",
"Host_DnsDomain",
"Host_AzureID",
"Host_OMSAgentID")
.resourceGroupName("myRg")
.title("An account was deleted on this host")
.workspaceName("myWorkspace")
.build());
}
}
import pulumi
import pulumi_azure_native as azure_native
activity_custom_entity_query = azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQuery",
content="On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
description="Account deleted on host",
enabled=True,
entities_filter={
"Host_OsFamily": ["Windows"],
},
entity_query_id="07da3cc8-c8ad-4710-a44e-334cdcb7882b",
input_entity_type="Host",
kind="Activity",
operational_insights_resource_provider="Microsoft.OperationalIinsights",
query_definitions=azure_native.securityinsights.ActivityEntityQueriesPropertiesQueryDefinitionsArgs(
query="""let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', tostring(split(Computer, '.')[-2]),
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'),
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain)
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain)
or v_Host_AzureID =~ _ResourceId
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
| where EventID == 4726 """,
),
required_input_fields_sets=[
[
"Host_HostName",
"Host_NTDomain",
],
[
"Host_HostName",
"Host_DnsDomain",
],
["Host_AzureID"],
["Host_OMSAgentID"],
],
resource_group_name="myRg",
title="An account was deleted on this host",
workspace_name="myWorkspace")
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const activityCustomEntityQuery = new azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQuery", {
content: "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
description: "Account deleted on host",
enabled: true,
entitiesFilter: {
Host_OsFamily: ["Windows"],
},
entityQueryId: "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
inputEntityType: "Host",
kind: "Activity",
operationalInsightsResourceProvider: "Microsoft.OperationalIinsights",
queryDefinitions: {
query: `let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\\\', tostring(split(Computer, '\\\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\\\', tostring(split(Computer, '\\\\')[0]),
Computer has '.', tostring(split(Computer, '.')[-2]),
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\\\', tostring(split(Computer, '\\\\')[0]),
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'),
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain)
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain)
or v_Host_AzureID =~ _ResourceId
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
| where EventID == 4726 `,
},
requiredInputFieldsSets: [
[
"Host_HostName",
"Host_NTDomain",
],
[
"Host_HostName",
"Host_DnsDomain",
],
["Host_AzureID"],
["Host_OMSAgentID"],
],
resourceGroupName: "myRg",
title: "An account was deleted on this host",
workspaceName: "myWorkspace",
});
resources:
activityCustomEntityQuery:
type: azure-native:securityinsights:ActivityCustomEntityQuery
properties:
content: On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'
description: Account deleted on host
enabled: true
entitiesFilter:
Host_OsFamily:
- Windows
entityQueryId: 07da3cc8-c8ad-4710-a44e-334cdcb7882b
inputEntityType: Host
kind: Activity
operationalInsightsResourceProvider: Microsoft.OperationalIinsights
queryDefinitions:
query: "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 "
requiredInputFieldsSets:
- - Host_HostName
- Host_NTDomain
- - Host_HostName
- Host_DnsDomain
- - Host_AzureID
- - Host_OMSAgentID
resourceGroupName: myRg
title: An account was deleted on this host
workspaceName: myWorkspace
Create ActivityCustomEntityQuery Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ActivityCustomEntityQuery(name: string, args: ActivityCustomEntityQueryArgs, opts?: CustomResourceOptions);
@overload
def ActivityCustomEntityQuery(resource_name: str,
args: ActivityCustomEntityQueryArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ActivityCustomEntityQuery(resource_name: str,
opts: Optional[ResourceOptions] = None,
workspace_name: Optional[str] = None,
resource_group_name: Optional[str] = None,
operational_insights_resource_provider: Optional[str] = None,
entities_filter: Optional[Mapping[str, Sequence[str]]] = None,
input_entity_type: Optional[Union[str, EntityType]] = None,
entity_query_id: Optional[str] = None,
content: Optional[str] = None,
query_definitions: Optional[ActivityEntityQueriesPropertiesQueryDefinitionsArgs] = None,
required_input_fields_sets: Optional[Sequence[Sequence[str]]] = None,
enabled: Optional[bool] = None,
template_name: Optional[str] = None,
title: Optional[str] = None,
description: Optional[str] = None)
func NewActivityCustomEntityQuery(ctx *Context, name string, args ActivityCustomEntityQueryArgs, opts ...ResourceOption) (*ActivityCustomEntityQuery, error)
public ActivityCustomEntityQuery(string name, ActivityCustomEntityQueryArgs args, CustomResourceOptions? opts = null)
public ActivityCustomEntityQuery(String name, ActivityCustomEntityQueryArgs args)
public ActivityCustomEntityQuery(String name, ActivityCustomEntityQueryArgs args, CustomResourceOptions options)
type: azure-native:securityinsights:ActivityCustomEntityQuery
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ActivityCustomEntityQueryArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ActivityCustomEntityQueryArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ActivityCustomEntityQueryArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ActivityCustomEntityQueryArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ActivityCustomEntityQueryArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var activityCustomEntityQueryResource = new AzureNative.Securityinsights.ActivityCustomEntityQuery("activityCustomEntityQueryResource", new()
{
Kind = "string",
WorkspaceName = "string",
ResourceGroupName = "string",
OperationalInsightsResourceProvider = "string",
EntitiesFilter =
{
{ "string", new[]
{
"string",
} },
},
InputEntityType = "string",
EntityQueryId = "string",
Content = "string",
QueryDefinitions =
{
{ "query", "string" },
},
RequiredInputFieldsSets = new[]
{
new[]
{
"string",
},
},
Enabled = false,
TemplateName = "string",
Title = "string",
Description = "string",
});
example, err := securityinsights.NewActivityCustomEntityQuery(ctx, "activityCustomEntityQueryResource", &securityinsights.ActivityCustomEntityQueryArgs{
Kind: "string",
WorkspaceName: "string",
ResourceGroupName: "string",
OperationalInsightsResourceProvider: "string",
EntitiesFilter: map[string]interface{}{
"string": []string{
"string",
},
},
InputEntityType: "string",
EntityQueryId: "string",
Content: "string",
QueryDefinitions: map[string]interface{}{
"query": "string",
},
RequiredInputFieldsSets: [][]string{
[]string{
"string",
},
},
Enabled: false,
TemplateName: "string",
Title: "string",
Description: "string",
})
var activityCustomEntityQueryResource = new ActivityCustomEntityQuery("activityCustomEntityQueryResource", ActivityCustomEntityQueryArgs.builder()
.kind("string")
.workspaceName("string")
.resourceGroupName("string")
.operationalInsightsResourceProvider("string")
.entitiesFilter(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.inputEntityType("string")
.entityQueryId("string")
.content("string")
.queryDefinitions(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.requiredInputFieldsSets("string")
.enabled(false)
.templateName("string")
.title("string")
.description("string")
.build());
activity_custom_entity_query_resource = azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQueryResource",
kind=string,
workspace_name=string,
resource_group_name=string,
operational_insights_resource_provider=string,
entities_filter={
string: [string],
},
input_entity_type=string,
entity_query_id=string,
content=string,
query_definitions={
query: string,
},
required_input_fields_sets=[[string]],
enabled=False,
template_name=string,
title=string,
description=string)
const activityCustomEntityQueryResource = new azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQueryResource", {
kind: "string",
workspaceName: "string",
resourceGroupName: "string",
operationalInsightsResourceProvider: "string",
entitiesFilter: {
string: ["string"],
},
inputEntityType: "string",
entityQueryId: "string",
content: "string",
queryDefinitions: {
query: "string",
},
requiredInputFieldsSets: [["string"]],
enabled: false,
templateName: "string",
title: "string",
description: "string",
});
type: azure-native:securityinsights:ActivityCustomEntityQuery
properties:
content: string
description: string
enabled: false
entitiesFilter:
string:
- string
entityQueryId: string
inputEntityType: string
kind: string
operationalInsightsResourceProvider: string
queryDefinitions:
query: string
requiredInputFieldsSets:
- - string
resourceGroupName: string
templateName: string
title: string
workspaceName: string
ActivityCustomEntityQuery Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ActivityCustomEntityQuery resource accepts the following input properties:
- Operational
Insights stringResource Provider - The namespace of workspaces resource provider- Microsoft.OperationalInsights.
- Resource
Group stringName - The name of the resource group. The name is case insensitive.
- Workspace
Name string - The name of the workspace.
- Content string
- The entity query content to display in timeline
- Description string
- The entity query description
- Enabled bool
- Determines whether this activity is enabled or disabled.
- Entities
Filter Dictionary<string, ImmutableArray<string>> - The query applied only to entities matching to all filters
- Entity
Query stringId - entity query ID
- Input
Entity string | Pulumi.Type Azure Native. Security Insights. Entity Type - The type of the query's source entity
- Query
Definitions Pulumi.Azure Native. Security Insights. Inputs. Activity Entity Queries Properties Query Definitions - The Activity query definitions
- Required
Input List<ImmutableFields Sets Array<string>> - List of the fields of the source entity that are required to run the query
- Template
Name string - The template id this activity was created from
- Title string
- The entity query title
- Operational
Insights stringResource Provider - The namespace of workspaces resource provider- Microsoft.OperationalInsights.
- Resource
Group stringName - The name of the resource group. The name is case insensitive.
- Workspace
Name string - The name of the workspace.
- Content string
- The entity query content to display in timeline
- Description string
- The entity query description
- Enabled bool
- Determines whether this activity is enabled or disabled.
- Entities
Filter map[string][]string - The query applied only to entities matching to all filters
- Entity
Query stringId - entity query ID
- Input
Entity string | EntityType Type - The type of the query's source entity
- Query
Definitions ActivityEntity Queries Properties Query Definitions Args - The Activity query definitions
- Required
Input [][]stringFields Sets - List of the fields of the source entity that are required to run the query
- Template
Name string - The template id this activity was created from
- Title string
- The entity query title
- operational
Insights StringResource Provider - The namespace of workspaces resource provider- Microsoft.OperationalInsights.
- resource
Group StringName - The name of the resource group. The name is case insensitive.
- workspace
Name String - The name of the workspace.
- content String
- The entity query content to display in timeline
- description String
- The entity query description
- enabled Boolean
- Determines whether this activity is enabled or disabled.
- entities
Filter Map<String,List<String>> - The query applied only to entities matching to all filters
- entity
Query StringId - entity query ID
- input
Entity String | EntityType Type - The type of the query's source entity
- query
Definitions ActivityEntity Queries Properties Query Definitions - The Activity query definitions
- required
Input List<List<String>>Fields Sets - List of the fields of the source entity that are required to run the query
- template
Name String - The template id this activity was created from
- title String
- The entity query title
- operational
Insights stringResource Provider - The namespace of workspaces resource provider- Microsoft.OperationalInsights.
- resource
Group stringName - The name of the resource group. The name is case insensitive.
- workspace
Name string - The name of the workspace.
- content string
- The entity query content to display in timeline
- description string
- The entity query description
- enabled boolean
- Determines whether this activity is enabled or disabled.
- entities
Filter {[key: string]: string[]} - The query applied only to entities matching to all filters
- entity
Query stringId - entity query ID
- input
Entity string | EntityType Type - The type of the query's source entity
- query
Definitions ActivityEntity Queries Properties Query Definitions - The Activity query definitions
- required
Input string[][]Fields Sets - List of the fields of the source entity that are required to run the query
- template
Name string - The template id this activity was created from
- title string
- The entity query title
- operational_
insights_ strresource_ provider - The namespace of workspaces resource provider- Microsoft.OperationalInsights.
- resource_
group_ strname - The name of the resource group. The name is case insensitive.
- workspace_
name str - The name of the workspace.
- content str
- The entity query content to display in timeline
- description str
- The entity query description
- enabled bool
- Determines whether this activity is enabled or disabled.
- entities_
filter Mapping[str, Sequence[str]] - The query applied only to entities matching to all filters
- entity_
query_ strid - entity query ID
- input_
entity_ str | Entitytype Type - The type of the query's source entity
- query_
definitions ActivityEntity Queries Properties Query Definitions Args - The Activity query definitions
- required_
input_ Sequence[Sequence[str]]fields_ sets - List of the fields of the source entity that are required to run the query
- template_
name str - The template id this activity was created from
- title str
- The entity query title
- operational
Insights StringResource Provider - The namespace of workspaces resource provider- Microsoft.OperationalInsights.
- resource
Group StringName - The name of the resource group. The name is case insensitive.
- workspace
Name String - The name of the workspace.
- content String
- The entity query content to display in timeline
- description String
- The entity query description
- enabled Boolean
- Determines whether this activity is enabled or disabled.
- entities
Filter Map<List<String>> - The query applied only to entities matching to all filters
- entity
Query StringId - entity query ID
- input
Entity String | "Account" | "Host" | "File" | "AzureType Resource" | "Cloud Application" | "DNS" | "File Hash" | "IP" | "Malware" | "Process" | "Registry Key" | "Registry Value" | "Security Group" | "URL" | "Io TDevice" | "Security Alert" | "Hunting Bookmark" | "Mail Cluster" | "Mail Message" | "Mailbox" | "Submission Mail" - The type of the query's source entity
- query
Definitions Property Map - The Activity query definitions
- required
Input List<List<String>>Fields Sets - List of the fields of the source entity that are required to run the query
- template
Name String - The template id this activity was created from
- title String
- The entity query title
Outputs
All input properties are implicitly available as output properties. Additionally, the ActivityCustomEntityQuery resource produces the following output properties:
- Created
Time stringUtc - The time the activity was created
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Modified stringTime Utc - The last time the activity was updated
- Name string
- Azure resource name
- System
Data Pulumi.Azure Native. Security Insights. Outputs. System Data Response - Azure Resource Manager metadata containing createdBy and modifiedBy information.
- Type string
- Azure resource type
- Etag string
- Etag of the azure resource
- Created
Time stringUtc - The time the activity was created
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Modified stringTime Utc - The last time the activity was updated
- Name string
- Azure resource name
- System
Data SystemData Response - Azure Resource Manager metadata containing createdBy and modifiedBy information.
- Type string
- Azure resource type
- Etag string
- Etag of the azure resource
- created
Time StringUtc - The time the activity was created
- id String
- The provider-assigned unique ID for this managed resource.
- last
Modified StringTime Utc - The last time the activity was updated
- name String
- Azure resource name
- system
Data SystemData Response - Azure Resource Manager metadata containing createdBy and modifiedBy information.
- type String
- Azure resource type
- etag String
- Etag of the azure resource
- created
Time stringUtc - The time the activity was created
- id string
- The provider-assigned unique ID for this managed resource.
- last
Modified stringTime Utc - The last time the activity was updated
- name string
- Azure resource name
- system
Data SystemData Response - Azure Resource Manager metadata containing createdBy and modifiedBy information.
- type string
- Azure resource type
- etag string
- Etag of the azure resource
- created_
time_ strutc - The time the activity was created
- id str
- The provider-assigned unique ID for this managed resource.
- last_
modified_ strtime_ utc - The last time the activity was updated
- name str
- Azure resource name
- system_
data SystemData Response - Azure Resource Manager metadata containing createdBy and modifiedBy information.
- type str
- Azure resource type
- etag str
- Etag of the azure resource
- created
Time StringUtc - The time the activity was created
- id String
- The provider-assigned unique ID for this managed resource.
- last
Modified StringTime Utc - The last time the activity was updated
- name String
- Azure resource name
- system
Data Property Map - Azure Resource Manager metadata containing createdBy and modifiedBy information.
- type String
- Azure resource type
- etag String
- Etag of the azure resource
Supporting Types
ActivityEntityQueriesPropertiesQueryDefinitions, ActivityEntityQueriesPropertiesQueryDefinitionsArgs
- Query string
- The Activity query to run on a given entity
- Query string
- The Activity query to run on a given entity
- query String
- The Activity query to run on a given entity
- query string
- The Activity query to run on a given entity
- query str
- The Activity query to run on a given entity
- query String
- The Activity query to run on a given entity
ActivityEntityQueriesPropertiesResponseQueryDefinitions, ActivityEntityQueriesPropertiesResponseQueryDefinitionsArgs
- Query string
- The Activity query to run on a given entity
- Query string
- The Activity query to run on a given entity
- query String
- The Activity query to run on a given entity
- query string
- The Activity query to run on a given entity
- query str
- The Activity query to run on a given entity
- query String
- The Activity query to run on a given entity
EntityType, EntityTypeArgs
- Account
- AccountEntity represents account in the system.
- Host
- HostEntity represents host in the system.
- File
- FileEntity represents file in the system.
- Azure
Resource - AzureResourceEntity represents azure resource in the system.
- Cloud
Application - CloudApplicationEntity represents cloud application in the system.
- DNS
- DNSEntity represents dns in the system.
- File
Hash - FileHashEntity represents file hash in the system.
- IP
- IPEntity represents ip in the system.
- Malware
- MalwareEntity represents malware in the system.
- Process
- ProcessEntity represents process in the system.
- Registry
Key - RegistryKeyEntity represents registry key in the system.
- Registry
Value - RegistryValueEntity represents registry value in the system.
- Security
Group - SecurityGroupEntity represents security group in the system.
- URL
- URLEntity represents url in the system.
- Io
TDevice - IoTDeviceEntity represents IoT device in the system.
- Security
Alert - SecurityAlertEntity represents security alert in the system.
- Hunting
Bookmark - HuntingBookmarkEntity represents HuntingBookmark in the system.
- Mail
Cluster - MailClusterEntity represents mail cluster in the system.
- Mail
Message - MailMessageEntity represents mail message in the system.
- Mailbox
- MailboxEntity represents mailbox in the system.
- Submission
Mail - SubmissionMailEntity represents submission mail in the system.
- Entity
Type Account - AccountEntity represents account in the system.
- Entity
Type Host - HostEntity represents host in the system.
- Entity
Type File - FileEntity represents file in the system.
- Entity
Type Azure Resource - AzureResourceEntity represents azure resource in the system.
- Entity
Type Cloud Application - CloudApplicationEntity represents cloud application in the system.
- Entity
Type DNS - DNSEntity represents dns in the system.
- Entity
Type File Hash - FileHashEntity represents file hash in the system.
- Entity
Type IP - IPEntity represents ip in the system.
- Entity
Type Malware - MalwareEntity represents malware in the system.
- Entity
Type Process - ProcessEntity represents process in the system.
- Entity
Type Registry Key - RegistryKeyEntity represents registry key in the system.
- Entity
Type Registry Value - RegistryValueEntity represents registry value in the system.
- Entity
Type Security Group - SecurityGroupEntity represents security group in the system.
- Entity
Type URL - URLEntity represents url in the system.
- Entity
Type Io TDevice - IoTDeviceEntity represents IoT device in the system.
- Entity
Type Security Alert - SecurityAlertEntity represents security alert in the system.
- Entity
Type Hunting Bookmark - HuntingBookmarkEntity represents HuntingBookmark in the system.
- Entity
Type Mail Cluster - MailClusterEntity represents mail cluster in the system.
- Entity
Type Mail Message - MailMessageEntity represents mail message in the system.
- Entity
Type Mailbox - MailboxEntity represents mailbox in the system.
- Entity
Type Submission Mail - SubmissionMailEntity represents submission mail in the system.
- Account
- AccountEntity represents account in the system.
- Host
- HostEntity represents host in the system.
- File
- FileEntity represents file in the system.
- Azure
Resource - AzureResourceEntity represents azure resource in the system.
- Cloud
Application - CloudApplicationEntity represents cloud application in the system.
- DNS
- DNSEntity represents dns in the system.
- File
Hash - FileHashEntity represents file hash in the system.
- IP
- IPEntity represents ip in the system.
- Malware
- MalwareEntity represents malware in the system.
- Process
- ProcessEntity represents process in the system.
- Registry
Key - RegistryKeyEntity represents registry key in the system.
- Registry
Value - RegistryValueEntity represents registry value in the system.
- Security
Group - SecurityGroupEntity represents security group in the system.
- URL
- URLEntity represents url in the system.
- Io
TDevice - IoTDeviceEntity represents IoT device in the system.
- Security
Alert - SecurityAlertEntity represents security alert in the system.
- Hunting
Bookmark - HuntingBookmarkEntity represents HuntingBookmark in the system.
- Mail
Cluster - MailClusterEntity represents mail cluster in the system.
- Mail
Message - MailMessageEntity represents mail message in the system.
- Mailbox
- MailboxEntity represents mailbox in the system.
- Submission
Mail - SubmissionMailEntity represents submission mail in the system.
- Account
- AccountEntity represents account in the system.
- Host
- HostEntity represents host in the system.
- File
- FileEntity represents file in the system.
- Azure
Resource - AzureResourceEntity represents azure resource in the system.
- Cloud
Application - CloudApplicationEntity represents cloud application in the system.
- DNS
- DNSEntity represents dns in the system.
- File
Hash - FileHashEntity represents file hash in the system.
- IP
- IPEntity represents ip in the system.
- Malware
- MalwareEntity represents malware in the system.
- Process
- ProcessEntity represents process in the system.
- Registry
Key - RegistryKeyEntity represents registry key in the system.
- Registry
Value - RegistryValueEntity represents registry value in the system.
- Security
Group - SecurityGroupEntity represents security group in the system.
- URL
- URLEntity represents url in the system.
- Io
TDevice - IoTDeviceEntity represents IoT device in the system.
- Security
Alert - SecurityAlertEntity represents security alert in the system.
- Hunting
Bookmark - HuntingBookmarkEntity represents HuntingBookmark in the system.
- Mail
Cluster - MailClusterEntity represents mail cluster in the system.
- Mail
Message - MailMessageEntity represents mail message in the system.
- Mailbox
- MailboxEntity represents mailbox in the system.
- Submission
Mail - SubmissionMailEntity represents submission mail in the system.
- ACCOUNT
- AccountEntity represents account in the system.
- HOST
- HostEntity represents host in the system.
- FILE
- FileEntity represents file in the system.
- AZURE_RESOURCE
- AzureResourceEntity represents azure resource in the system.
- CLOUD_APPLICATION
- CloudApplicationEntity represents cloud application in the system.
- DNS
- DNSEntity represents dns in the system.
- FILE_HASH
- FileHashEntity represents file hash in the system.
- IP
- IPEntity represents ip in the system.
- MALWARE
- MalwareEntity represents malware in the system.
- PROCESS
- ProcessEntity represents process in the system.
- REGISTRY_KEY
- RegistryKeyEntity represents registry key in the system.
- REGISTRY_VALUE
- RegistryValueEntity represents registry value in the system.
- SECURITY_GROUP
- SecurityGroupEntity represents security group in the system.
- URL
- URLEntity represents url in the system.
- IO_T_DEVICE
- IoTDeviceEntity represents IoT device in the system.
- SECURITY_ALERT
- SecurityAlertEntity represents security alert in the system.
- HUNTING_BOOKMARK
- HuntingBookmarkEntity represents HuntingBookmark in the system.
- MAIL_CLUSTER
- MailClusterEntity represents mail cluster in the system.
- MAIL_MESSAGE
- MailMessageEntity represents mail message in the system.
- MAILBOX
- MailboxEntity represents mailbox in the system.
- SUBMISSION_MAIL
- SubmissionMailEntity represents submission mail in the system.
- "Account"
- AccountEntity represents account in the system.
- "Host"
- HostEntity represents host in the system.
- "File"
- FileEntity represents file in the system.
- "Azure
Resource" - AzureResourceEntity represents azure resource in the system.
- "Cloud
Application" - CloudApplicationEntity represents cloud application in the system.
- "DNS"
- DNSEntity represents dns in the system.
- "File
Hash" - FileHashEntity represents file hash in the system.
- "IP"
- IPEntity represents ip in the system.
- "Malware"
- MalwareEntity represents malware in the system.
- "Process"
- ProcessEntity represents process in the system.
- "Registry
Key" - RegistryKeyEntity represents registry key in the system.
- "Registry
Value" - RegistryValueEntity represents registry value in the system.
- "Security
Group" - SecurityGroupEntity represents security group in the system.
- "URL"
- URLEntity represents url in the system.
- "Io
TDevice" - IoTDeviceEntity represents IoT device in the system.
- "Security
Alert" - SecurityAlertEntity represents security alert in the system.
- "Hunting
Bookmark" - HuntingBookmarkEntity represents HuntingBookmark in the system.
- "Mail
Cluster" - MailClusterEntity represents mail cluster in the system.
- "Mail
Message" - MailMessageEntity represents mail message in the system.
- "Mailbox"
- MailboxEntity represents mailbox in the system.
- "Submission
Mail" - SubmissionMailEntity represents submission mail in the system.
SystemDataResponse, SystemDataResponseArgs
- Created
At string - The timestamp of resource creation (UTC).
- Created
By string - The identity that created the resource.
- Created
By stringType - The type of identity that created the resource.
- Last
Modified stringAt - The timestamp of resource last modification (UTC)
- Last
Modified stringBy - The identity that last modified the resource.
- Last
Modified stringBy Type - The type of identity that last modified the resource.
- Created
At string - The timestamp of resource creation (UTC).
- Created
By string - The identity that created the resource.
- Created
By stringType - The type of identity that created the resource.
- Last
Modified stringAt - The timestamp of resource last modification (UTC)
- Last
Modified stringBy - The identity that last modified the resource.
- Last
Modified stringBy Type - The type of identity that last modified the resource.
- created
At String - The timestamp of resource creation (UTC).
- created
By String - The identity that created the resource.
- created
By StringType - The type of identity that created the resource.
- last
Modified StringAt - The timestamp of resource last modification (UTC)
- last
Modified StringBy - The identity that last modified the resource.
- last
Modified StringBy Type - The type of identity that last modified the resource.
- created
At string - The timestamp of resource creation (UTC).
- created
By string - The identity that created the resource.
- created
By stringType - The type of identity that created the resource.
- last
Modified stringAt - The timestamp of resource last modification (UTC)
- last
Modified stringBy - The identity that last modified the resource.
- last
Modified stringBy Type - The type of identity that last modified the resource.
- created_
at str - The timestamp of resource creation (UTC).
- created_
by str - The identity that created the resource.
- created_
by_ strtype - The type of identity that created the resource.
- last_
modified_ strat - The timestamp of resource last modification (UTC)
- last_
modified_ strby - The identity that last modified the resource.
- last_
modified_ strby_ type - The type of identity that last modified the resource.
- created
At String - The timestamp of resource creation (UTC).
- created
By String - The identity that created the resource.
- created
By StringType - The type of identity that created the resource.
- last
Modified StringAt - The timestamp of resource last modification (UTC)
- last
Modified StringBy - The identity that last modified the resource.
- last
Modified StringBy Type - The type of identity that last modified the resource.
Import
An existing resource can be imported using its type token, name, and identifier, e.g.
$ pulumi import azure-native:securityinsights:ActivityCustomEntityQuery 07da3cc8-c8ad-4710-a44e-334cdcb7882b /subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- azure-native-v1 pulumi/pulumi-azure-native
- License
- Apache-2.0