Azure Native v2 v2.90.0, Mar 27 25

These are the docs for Azure Native v2. We recommenend using the latest version, Azure Native v3.

Azure Native v2 v2.90.0 published on Thursday, Mar 27, 2025 by Pulumi

azure-native-v2.securityinsights.ActivityCustomEntityQuery

Explore with Pulumi AI

These are the docs for Azure Native v2. We recommenend using the latest version, Azure Native v3.

Azure Native v2 v2.90.0 published on Thursday, Mar 27, 2025 by Pulumi

pulumi/pulumi-azure-native

Creates or updates an Activity entity query.

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var activityCustomEntityQuery = new AzureNative.SecurityInsights.ActivityCustomEntityQuery("activityCustomEntityQuery", new()
    {
        Content = "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
        Description = "Account deleted on host",
        Enabled = true,
        EntitiesFilter = 
        {
            { "Host_OsFamily", new[]
            {
                "Windows",
            } },
        },
        EntityQueryId = "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
        InputEntityType = AzureNative.SecurityInsights.EntityType.Host,
        Kind = "Activity",
        QueryDefinitions = new AzureNative.SecurityInsights.Inputs.ActivityEntityQueriesPropertiesQueryDefinitionsArgs
        {
            Query = @"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', tostring(split(Computer, '.')[-2]), 
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
or v_Host_AzureID =~ _ResourceId 
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
 
| where EventID == 4726 ",
        },
        RequiredInputFieldsSets = new[]
        {
            new[]
            {
                "Host_HostName",
                "Host_NTDomain",
            },
            new[]
            {
                "Host_HostName",
                "Host_DnsDomain",
            },
            new[]
            {
                "Host_AzureID",
            },
            new[]
            {
                "Host_OMSAgentID",
            },
        },
        ResourceGroupName = "myRg",
        Title = "An account was deleted on this host",
        WorkspaceName = "myWorkspace",
    });

});

package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securityinsights.NewActivityCustomEntityQuery(ctx, "activityCustomEntityQuery", &securityinsights.ActivityCustomEntityQueryArgs{
			Content:     pulumi.String("On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'"),
			Description: pulumi.String("Account deleted on host"),
			Enabled:     pulumi.Bool(true),
			EntitiesFilter: pulumi.StringArrayMap{
				"Host_OsFamily": pulumi.StringArray{
					pulumi.String("Windows"),
				},
			},
			EntityQueryId:   pulumi.String("07da3cc8-c8ad-4710-a44e-334cdcb7882b"),
			InputEntityType: pulumi.String(securityinsights.EntityTypeHost),
			Kind:            pulumi.String("Activity"),
			QueryDefinitions: &securityinsights.ActivityEntityQueriesPropertiesQueryDefinitionsArgs{
				Query: pulumi.String(`let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', tostring(split(Computer, '.')[-2]), 
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
or v_Host_AzureID =~ _ResourceId 
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
 
| where EventID == 4726 `),
			},
			RequiredInputFieldsSets: pulumi.StringArrayArray{
				pulumi.StringArray{
					pulumi.String("Host_HostName"),
					pulumi.String("Host_NTDomain"),
				},
				pulumi.StringArray{
					pulumi.String("Host_HostName"),
					pulumi.String("Host_DnsDomain"),
				},
				pulumi.StringArray{
					pulumi.String("Host_AzureID"),
				},
				pulumi.StringArray{
					pulumi.String("Host_OMSAgentID"),
				},
			},
			ResourceGroupName: pulumi.String("myRg"),
			Title:             pulumi.String("An account was deleted on this host"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.ActivityCustomEntityQuery;
import com.pulumi.azurenative.securityinsights.ActivityCustomEntityQueryArgs;
import com.pulumi.azurenative.securityinsights.inputs.ActivityEntityQueriesPropertiesQueryDefinitionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var activityCustomEntityQuery = new ActivityCustomEntityQuery("activityCustomEntityQuery", ActivityCustomEntityQueryArgs.builder()
            .content("On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'")
            .description("Account deleted on host")
            .enabled(true)
            .entitiesFilter(Map.of("Host_OsFamily", "Windows"))
            .entityQueryId("07da3cc8-c8ad-4710-a44e-334cdcb7882b")
            .inputEntityType("Host")
            .kind("Activity")
            .queryDefinitions(ActivityEntityQueriesPropertiesQueryDefinitionsArgs.builder()
                .query("""
let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', tostring(split(Computer, '.')[-2]), 
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
or v_Host_AzureID =~ _ResourceId 
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
 
| where EventID == 4726                 """)
                .build())
            .requiredInputFieldsSets(            
                                
                    "Host_HostName",
                    "Host_NTDomain",
                                
                    "Host_HostName",
                    "Host_DnsDomain",
                "Host_AzureID",
                "Host_OMSAgentID")
            .resourceGroupName("myRg")
            .title("An account was deleted on this host")
            .workspaceName("myWorkspace")
            .build());

    }
}

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const activityCustomEntityQuery = new azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQuery", {
    content: "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
    description: "Account deleted on host",
    enabled: true,
    entitiesFilter: {
        Host_OsFamily: ["Windows"],
    },
    entityQueryId: "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
    inputEntityType: azure_native.securityinsights.EntityType.Host,
    kind: "Activity",
    queryDefinitions: {
        query: `let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\\\', tostring(split(Computer, '\\\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\\\', tostring(split(Computer, '\\\\')[0]), 
Computer has '.', tostring(split(Computer, '.')[-2]), 
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\\\', tostring(split(Computer, '\\\\')[0]), 
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
or v_Host_AzureID =~ _ResourceId 
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
 
| where EventID == 4726 `,
    },
    requiredInputFieldsSets: [
        [
            "Host_HostName",
            "Host_NTDomain",
        ],
        [
            "Host_HostName",
            "Host_DnsDomain",
        ],
        ["Host_AzureID"],
        ["Host_OMSAgentID"],
    ],
    resourceGroupName: "myRg",
    title: "An account was deleted on this host",
    workspaceName: "myWorkspace",
});

import pulumi
import pulumi_azure_native as azure_native

activity_custom_entity_query = azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQuery",
    content="On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
    description="Account deleted on host",
    enabled=True,
    entities_filter={
        "Host_OsFamily": ["Windows"],
    },
    entity_query_id="07da3cc8-c8ad-4710-a44e-334cdcb7882b",
    input_entity_type=azure_native.securityinsights.EntityType.HOST,
    kind="Activity",
    query_definitions={
        "query": """let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', tostring(split(Computer, '.')[-2]), 
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
or v_Host_AzureID =~ _ResourceId 
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
 
| where EventID == 4726 """,
    },
    required_input_fields_sets=[
        [
            "Host_HostName",
            "Host_NTDomain",
        ],
        [
            "Host_HostName",
            "Host_DnsDomain",
        ],
        ["Host_AzureID"],
        ["Host_OMSAgentID"],
    ],
    resource_group_name="myRg",
    title="An account was deleted on this host",
    workspace_name="myWorkspace")

resources:
  activityCustomEntityQuery:
    type: azure-native:securityinsights:ActivityCustomEntityQuery
    properties:
      content: On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'
      description: Account deleted on host
      enabled: true
      entitiesFilter:
        Host_OsFamily:
          - Windows
      entityQueryId: 07da3cc8-c8ad-4710-a44e-334cdcb7882b
      inputEntityType: Host
      kind: Activity
      queryDefinitions:
        query: "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 "
      requiredInputFieldsSets:
        - - Host_HostName
          - Host_NTDomain
        - - Host_HostName
          - Host_DnsDomain
        - - Host_AzureID
        - - Host_OMSAgentID
      resourceGroupName: myRg
      title: An account was deleted on this host
      workspaceName: myWorkspace

Create ActivityCustomEntityQuery Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

TypeScript
Python
Go
C#
Java
YAML

new ActivityCustomEntityQuery(name: string, args: ActivityCustomEntityQueryArgs, opts?: CustomResourceOptions);

@overload
def ActivityCustomEntityQuery(resource_name: str,
                              args: ActivityCustomEntityQueryArgs,
                              opts: Optional[ResourceOptions] = None)

@overload
def ActivityCustomEntityQuery(resource_name: str,
                              opts: Optional[ResourceOptions] = None,
                              resource_group_name: Optional[str] = None,
                              workspace_name: Optional[str] = None,
                              description: Optional[str] = None,
                              enabled: Optional[bool] = None,
                              entities_filter: Optional[Mapping[str, Sequence[str]]] = None,
                              entity_query_id: Optional[str] = None,
                              input_entity_type: Optional[Union[str, EntityType]] = None,
                              query_definitions: Optional[ActivityEntityQueriesPropertiesQueryDefinitionsArgs] = None,
                              required_input_fields_sets: Optional[Sequence[Sequence[str]]] = None,
                              content: Optional[str] = None,
                              template_name: Optional[str] = None,
                              title: Optional[str] = None)

func NewActivityCustomEntityQuery(ctx *Context, name string, args ActivityCustomEntityQueryArgs, opts ...ResourceOption) (*ActivityCustomEntityQuery, error)

public ActivityCustomEntityQuery(string name, ActivityCustomEntityQueryArgs args, CustomResourceOptions? opts = null)

public ActivityCustomEntityQuery(String name, ActivityCustomEntityQueryArgs args)
public ActivityCustomEntityQuery(String name, ActivityCustomEntityQueryArgs args, CustomResourceOptions options)

type: azure-native:securityinsights:ActivityCustomEntityQuery
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args ActivityCustomEntityQueryArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ActivityCustomEntityQueryArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ActivityCustomEntityQueryArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ActivityCustomEntityQueryArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ActivityCustomEntityQueryArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

TypeScript
Python
Go
C#
Java
YAML

var activityCustomEntityQueryResource = new AzureNative.Securityinsights.ActivityCustomEntityQuery("activityCustomEntityQueryResource", new()
{
    ResourceGroupName = "string",
    Kind = "string",
    WorkspaceName = "string",
    Description = "string",
    Enabled = false,
    EntitiesFilter = 
    {
        { "string", new[]
        {
            "string",
        } },
    },
    EntityQueryId = "string",
    InputEntityType = "string",
    QueryDefinitions = 
    {
        { "query", "string" },
    },
    RequiredInputFieldsSets = new[]
    {
        new[]
        {
            "string",
        },
    },
    Content = "string",
    TemplateName = "string",
    Title = "string",
});

example, err := securityinsights.NewActivityCustomEntityQuery(ctx, "activityCustomEntityQueryResource", &securityinsights.ActivityCustomEntityQueryArgs{
	ResourceGroupName: "string",
	Kind:              "string",
	WorkspaceName:     "string",
	Description:       "string",
	Enabled:           false,
	EntitiesFilter: map[string]interface{}{
		"string": []string{
			"string",
		},
	},
	EntityQueryId:   "string",
	InputEntityType: "string",
	QueryDefinitions: map[string]interface{}{
		"query": "string",
	},
	RequiredInputFieldsSets: [][]string{
		[]string{
			"string",
		},
	},
	Content:      "string",
	TemplateName: "string",
	Title:        "string",
})

var activityCustomEntityQueryResource = new ActivityCustomEntityQuery("activityCustomEntityQueryResource", ActivityCustomEntityQueryArgs.builder()
    .resourceGroupName("string")
    .kind("string")
    .workspaceName("string")
    .description("string")
    .enabled(false)
    .entitiesFilter(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
    .entityQueryId("string")
    .inputEntityType("string")
    .queryDefinitions(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
    .requiredInputFieldsSets("string")
    .content("string")
    .templateName("string")
    .title("string")
    .build());

activity_custom_entity_query_resource = azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQueryResource",
    resource_group_name=string,
    kind=string,
    workspace_name=string,
    description=string,
    enabled=False,
    entities_filter={
        string: [string],
    },
    entity_query_id=string,
    input_entity_type=string,
    query_definitions={
        query: string,
    },
    required_input_fields_sets=[[string]],
    content=string,
    template_name=string,
    title=string)

const activityCustomEntityQueryResource = new azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQueryResource", {
    resourceGroupName: "string",
    kind: "string",
    workspaceName: "string",
    description: "string",
    enabled: false,
    entitiesFilter: {
        string: ["string"],
    },
    entityQueryId: "string",
    inputEntityType: "string",
    queryDefinitions: {
        query: "string",
    },
    requiredInputFieldsSets: [["string"]],
    content: "string",
    templateName: "string",
    title: "string",
});

type: azure-native:securityinsights:ActivityCustomEntityQuery
properties:
    content: string
    description: string
    enabled: false
    entitiesFilter:
        string:
            - string
    entityQueryId: string
    inputEntityType: string
    kind: string
    queryDefinitions:
        query: string
    requiredInputFieldsSets:
        - - string
    resourceGroupName: string
    templateName: string
    title: string
    workspaceName: string

ActivityCustomEntityQuery Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ActivityCustomEntityQuery resource accepts the following input properties:

ResourceGroupName string: The name of the resource group. The name is case insensitive.
WorkspaceName string: The name of the workspace.
Content string: The entity query content to display in timeline
Description string: The entity query description
Enabled bool: Determines whether this activity is enabled or disabled.
EntitiesFilter Dictionary<string, ImmutableArray<string>>: The query applied only to entities matching to all filters
EntityQueryId string: entity query ID
InputEntityType string | Pulumi.AzureNative.SecurityInsights.EntityType: The type of the query's source entity
QueryDefinitions Pulumi.AzureNative.SecurityInsights.Inputs.ActivityEntityQueriesPropertiesQueryDefinitions: The Activity query definitions
RequiredInputFieldsSets List<ImmutableArray<string>>: List of the fields of the source entity that are required to run the query
TemplateName string: The template id this activity was created from
Title string: The entity query title

ResourceGroupName string: The name of the resource group. The name is case insensitive.
WorkspaceName string: The name of the workspace.
Content string: The entity query content to display in timeline
Description string: The entity query description
Enabled bool: Determines whether this activity is enabled or disabled.
EntitiesFilter map[string][]string: The query applied only to entities matching to all filters
EntityQueryId string: entity query ID
InputEntityType string | EntityType: The type of the query's source entity
QueryDefinitions ActivityEntityQueriesPropertiesQueryDefinitionsArgs: The Activity query definitions
RequiredInputFieldsSets [][]string: List of the fields of the source entity that are required to run the query
TemplateName string: The template id this activity was created from
Title string: The entity query title

resourceGroupName String: The name of the resource group. The name is case insensitive.
workspaceName String: The name of the workspace.
content String: The entity query content to display in timeline
description String: The entity query description
enabled Boolean: Determines whether this activity is enabled or disabled.
entitiesFilter Map<String,List<String>>: The query applied only to entities matching to all filters
entityQueryId String: entity query ID
inputEntityType String | EntityType: The type of the query's source entity
queryDefinitions ActivityEntityQueriesPropertiesQueryDefinitions: The Activity query definitions
requiredInputFieldsSets List<List<String>>: List of the fields of the source entity that are required to run the query
templateName String: The template id this activity was created from
title String: The entity query title

resourceGroupName string: The name of the resource group. The name is case insensitive.
workspaceName string: The name of the workspace.
content string: The entity query content to display in timeline
description string: The entity query description
enabled boolean: Determines whether this activity is enabled or disabled.
entitiesFilter {[key: string]: string[]}: The query applied only to entities matching to all filters
entityQueryId string: entity query ID
inputEntityType string | EntityType: The type of the query's source entity
queryDefinitions ActivityEntityQueriesPropertiesQueryDefinitions: The Activity query definitions
requiredInputFieldsSets string[][]: List of the fields of the source entity that are required to run the query
templateName string: The template id this activity was created from
title string: The entity query title

resource_group_name str: The name of the resource group. The name is case insensitive.
workspace_name str: The name of the workspace.
content str: The entity query content to display in timeline
description str: The entity query description
enabled bool: Determines whether this activity is enabled or disabled.
entities_filter Mapping[str, Sequence[str]]: The query applied only to entities matching to all filters
entity_query_id str: entity query ID
input_entity_type str | EntityType: The type of the query's source entity
query_definitions ActivityEntityQueriesPropertiesQueryDefinitionsArgs: The Activity query definitions
required_input_fields_sets Sequence[Sequence[str]]: List of the fields of the source entity that are required to run the query
template_name str: The template id this activity was created from
title str: The entity query title

resourceGroupName String: The name of the resource group. The name is case insensitive.
workspaceName String: The name of the workspace.
content String: The entity query content to display in timeline
description String: The entity query description
enabled Boolean: Determines whether this activity is enabled or disabled.
entitiesFilter Map<List<String>>: The query applied only to entities matching to all filters
entityQueryId String: entity query ID
inputEntityType String | "Account" | "Host" | "File" | "AzureResource" | "CloudApplication" | "DNS" | "FileHash" | "IP" | "Malware" | "Process" | "RegistryKey" | "RegistryValue" | "SecurityGroup" | "URL" | "IoTDevice" | "SecurityAlert" | "HuntingBookmark" | "MailCluster" | "MailMessage" | "Mailbox" | "SubmissionMail" | "Nic": The type of the query's source entity
queryDefinitions Property Map: The Activity query definitions
requiredInputFieldsSets List<List<String>>: List of the fields of the source entity that are required to run the query
templateName String: The template id this activity was created from
title String: The entity query title

Outputs

All input properties are implicitly available as output properties. Additionally, the ActivityCustomEntityQuery resource produces the following output properties:

CreatedTimeUtc string: The time the activity was created
Id string: The provider-assigned unique ID for this managed resource.
LastModifiedTimeUtc string: The last time the activity was updated
Name string: The name of the resource
SystemData Pulumi.AzureNative.SecurityInsights.Outputs.SystemDataResponse: Azure Resource Manager metadata containing createdBy and modifiedBy information.
Type string: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
Etag string: Etag of the azure resource

CreatedTimeUtc string: The time the activity was created
Id string: The provider-assigned unique ID for this managed resource.
LastModifiedTimeUtc string: The last time the activity was updated
Name string: The name of the resource
SystemData SystemDataResponse: Azure Resource Manager metadata containing createdBy and modifiedBy information.
Type string: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
Etag string: Etag of the azure resource

createdTimeUtc String: The time the activity was created
id String: The provider-assigned unique ID for this managed resource.
lastModifiedTimeUtc String: The last time the activity was updated
name String: The name of the resource
systemData SystemDataResponse: Azure Resource Manager metadata containing createdBy and modifiedBy information.
type String: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
etag String: Etag of the azure resource

createdTimeUtc string: The time the activity was created
id string: The provider-assigned unique ID for this managed resource.
lastModifiedTimeUtc string: The last time the activity was updated
name string: The name of the resource
systemData SystemDataResponse: Azure Resource Manager metadata containing createdBy and modifiedBy information.
type string: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
etag string: Etag of the azure resource

created_time_utc str: The time the activity was created
id str: The provider-assigned unique ID for this managed resource.
last_modified_time_utc str: The last time the activity was updated
name str: The name of the resource
system_data SystemDataResponse: Azure Resource Manager metadata containing createdBy and modifiedBy information.
type str: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
etag str: Etag of the azure resource

createdTimeUtc String: The time the activity was created
id String: The provider-assigned unique ID for this managed resource.
lastModifiedTimeUtc String: The last time the activity was updated
name String: The name of the resource
systemData Property Map: Azure Resource Manager metadata containing createdBy and modifiedBy information.
type String: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
etag String: Etag of the azure resource

Supporting Types

ActivityEntityQueriesPropertiesQueryDefinitions
, ActivityEntityQueriesPropertiesQueryDefinitionsArgs

Query string: The Activity query to run on a given entity

Query string: The Activity query to run on a given entity

query String: The Activity query to run on a given entity

query string: The Activity query to run on a given entity

query str: The Activity query to run on a given entity

query String: The Activity query to run on a given entity

ActivityEntityQueriesPropertiesResponseQueryDefinitions
, ActivityEntityQueriesPropertiesResponseQueryDefinitionsArgs

Query string: The Activity query to run on a given entity

Query string: The Activity query to run on a given entity

query String: The Activity query to run on a given entity

query string: The Activity query to run on a given entity

query str: The Activity query to run on a given entity

query String: The Activity query to run on a given entity

EntityType
, EntityTypeArgs

Account: AccountEntity represents account in the system.
Host: HostEntity represents host in the system.
File: FileEntity represents file in the system.
AzureResource: AzureResourceEntity represents azure resource in the system.
CloudApplication: CloudApplicationEntity represents cloud application in the system.
DNS: DNSEntity represents dns in the system.
FileHash: FileHashEntity represents file hash in the system.
IP: IPEntity represents ip in the system.
Malware: MalwareEntity represents malware in the system.
Process: ProcessEntity represents process in the system.
RegistryKey: RegistryKeyEntity represents registry key in the system.
RegistryValue: RegistryValueEntity represents registry value in the system.
SecurityGroup: SecurityGroupEntity represents security group in the system.
URL: URLEntity represents url in the system.
IoTDevice: IoTDeviceEntity represents IoT device in the system.
SecurityAlert: SecurityAlertEntity represents security alert in the system.
HuntingBookmark: HuntingBookmarkEntity represents HuntingBookmark in the system.
MailCluster: MailClusterEntity represents mail cluster in the system.
MailMessage: MailMessageEntity represents mail message in the system.
Mailbox: MailboxEntity represents mailbox in the system.
SubmissionMail: SubmissionMailEntity represents submission mail in the system.
Nic: NicEntity represents network interface in the system.

EntityTypeAccount: AccountEntity represents account in the system.
EntityTypeHost: HostEntity represents host in the system.
EntityTypeFile: FileEntity represents file in the system.
EntityTypeAzureResource: AzureResourceEntity represents azure resource in the system.
EntityTypeCloudApplication: CloudApplicationEntity represents cloud application in the system.
EntityTypeDNS: DNSEntity represents dns in the system.
EntityTypeFileHash: FileHashEntity represents file hash in the system.
EntityTypeIP: IPEntity represents ip in the system.
EntityTypeMalware: MalwareEntity represents malware in the system.
EntityTypeProcess: ProcessEntity represents process in the system.
EntityTypeRegistryKey: RegistryKeyEntity represents registry key in the system.
EntityTypeRegistryValue: RegistryValueEntity represents registry value in the system.
EntityTypeSecurityGroup: SecurityGroupEntity represents security group in the system.
EntityTypeURL: URLEntity represents url in the system.
EntityTypeIoTDevice: IoTDeviceEntity represents IoT device in the system.
EntityTypeSecurityAlert: SecurityAlertEntity represents security alert in the system.
EntityTypeHuntingBookmark: HuntingBookmarkEntity represents HuntingBookmark in the system.
EntityTypeMailCluster: MailClusterEntity represents mail cluster in the system.
EntityTypeMailMessage: MailMessageEntity represents mail message in the system.
EntityTypeMailbox: MailboxEntity represents mailbox in the system.
EntityTypeSubmissionMail: SubmissionMailEntity represents submission mail in the system.
EntityTypeNic: NicEntity represents network interface in the system.

Account: AccountEntity represents account in the system.
Host: HostEntity represents host in the system.
File: FileEntity represents file in the system.
AzureResource: AzureResourceEntity represents azure resource in the system.
CloudApplication: CloudApplicationEntity represents cloud application in the system.
DNS: DNSEntity represents dns in the system.
FileHash: FileHashEntity represents file hash in the system.
IP: IPEntity represents ip in the system.
Malware: MalwareEntity represents malware in the system.
Process: ProcessEntity represents process in the system.
RegistryKey: RegistryKeyEntity represents registry key in the system.
RegistryValue: RegistryValueEntity represents registry value in the system.
SecurityGroup: SecurityGroupEntity represents security group in the system.
URL: URLEntity represents url in the system.
IoTDevice: IoTDeviceEntity represents IoT device in the system.
SecurityAlert: SecurityAlertEntity represents security alert in the system.
HuntingBookmark: HuntingBookmarkEntity represents HuntingBookmark in the system.
MailCluster: MailClusterEntity represents mail cluster in the system.
MailMessage: MailMessageEntity represents mail message in the system.
Mailbox: MailboxEntity represents mailbox in the system.
SubmissionMail: SubmissionMailEntity represents submission mail in the system.
Nic: NicEntity represents network interface in the system.

Account: AccountEntity represents account in the system.
Host: HostEntity represents host in the system.
File: FileEntity represents file in the system.
AzureResource: AzureResourceEntity represents azure resource in the system.
CloudApplication: CloudApplicationEntity represents cloud application in the system.
DNS: DNSEntity represents dns in the system.
FileHash: FileHashEntity represents file hash in the system.
IP: IPEntity represents ip in the system.
Malware: MalwareEntity represents malware in the system.
Process: ProcessEntity represents process in the system.
RegistryKey: RegistryKeyEntity represents registry key in the system.
RegistryValue: RegistryValueEntity represents registry value in the system.
SecurityGroup: SecurityGroupEntity represents security group in the system.
URL: URLEntity represents url in the system.
IoTDevice: IoTDeviceEntity represents IoT device in the system.
SecurityAlert: SecurityAlertEntity represents security alert in the system.
HuntingBookmark: HuntingBookmarkEntity represents HuntingBookmark in the system.
MailCluster: MailClusterEntity represents mail cluster in the system.
MailMessage: MailMessageEntity represents mail message in the system.
Mailbox: MailboxEntity represents mailbox in the system.
SubmissionMail: SubmissionMailEntity represents submission mail in the system.
Nic: NicEntity represents network interface in the system.

ACCOUNT: AccountEntity represents account in the system.
HOST: HostEntity represents host in the system.
FILE: FileEntity represents file in the system.
AZURE_RESOURCE: AzureResourceEntity represents azure resource in the system.
CLOUD_APPLICATION: CloudApplicationEntity represents cloud application in the system.
DNS: DNSEntity represents dns in the system.
FILE_HASH: FileHashEntity represents file hash in the system.
IP: IPEntity represents ip in the system.
MALWARE: MalwareEntity represents malware in the system.
PROCESS: ProcessEntity represents process in the system.
REGISTRY_KEY: RegistryKeyEntity represents registry key in the system.
REGISTRY_VALUE: RegistryValueEntity represents registry value in the system.
SECURITY_GROUP: SecurityGroupEntity represents security group in the system.
URL: URLEntity represents url in the system.
IO_T_DEVICE: IoTDeviceEntity represents IoT device in the system.
SECURITY_ALERT: SecurityAlertEntity represents security alert in the system.
HUNTING_BOOKMARK: HuntingBookmarkEntity represents HuntingBookmark in the system.
MAIL_CLUSTER: MailClusterEntity represents mail cluster in the system.
MAIL_MESSAGE: MailMessageEntity represents mail message in the system.
MAILBOX: MailboxEntity represents mailbox in the system.
SUBMISSION_MAIL: SubmissionMailEntity represents submission mail in the system.
NIC: NicEntity represents network interface in the system.

"Account": AccountEntity represents account in the system.
"Host": HostEntity represents host in the system.
"File": FileEntity represents file in the system.
"AzureResource": AzureResourceEntity represents azure resource in the system.
"CloudApplication": CloudApplicationEntity represents cloud application in the system.
"DNS": DNSEntity represents dns in the system.
"FileHash": FileHashEntity represents file hash in the system.
"IP": IPEntity represents ip in the system.
"Malware": MalwareEntity represents malware in the system.
"Process": ProcessEntity represents process in the system.
"RegistryKey": RegistryKeyEntity represents registry key in the system.
"RegistryValue": RegistryValueEntity represents registry value in the system.
"SecurityGroup": SecurityGroupEntity represents security group in the system.
"URL": URLEntity represents url in the system.
"IoTDevice": IoTDeviceEntity represents IoT device in the system.
"SecurityAlert": SecurityAlertEntity represents security alert in the system.
"HuntingBookmark": HuntingBookmarkEntity represents HuntingBookmark in the system.
"MailCluster": MailClusterEntity represents mail cluster in the system.
"MailMessage": MailMessageEntity represents mail message in the system.
"Mailbox": MailboxEntity represents mailbox in the system.
"SubmissionMail": SubmissionMailEntity represents submission mail in the system.
"Nic": NicEntity represents network interface in the system.

SystemDataResponse
, SystemDataResponseArgs

CreatedAt string: The timestamp of resource creation (UTC).
CreatedBy string: The identity that created the resource.
CreatedByType string: The type of identity that created the resource.
LastModifiedAt string: The timestamp of resource last modification (UTC)
LastModifiedBy string: The identity that last modified the resource.
LastModifiedByType string: The type of identity that last modified the resource.

CreatedAt string: The timestamp of resource creation (UTC).
CreatedBy string: The identity that created the resource.
CreatedByType string: The type of identity that created the resource.
LastModifiedAt string: The timestamp of resource last modification (UTC)
LastModifiedBy string: The identity that last modified the resource.
LastModifiedByType string: The type of identity that last modified the resource.

createdAt String: The timestamp of resource creation (UTC).
createdBy String: The identity that created the resource.
createdByType String: The type of identity that created the resource.
lastModifiedAt String: The timestamp of resource last modification (UTC)
lastModifiedBy String: The identity that last modified the resource.
lastModifiedByType String: The type of identity that last modified the resource.

createdAt string: The timestamp of resource creation (UTC).
createdBy string: The identity that created the resource.
createdByType string: The type of identity that created the resource.
lastModifiedAt string: The timestamp of resource last modification (UTC)
lastModifiedBy string: The identity that last modified the resource.
lastModifiedByType string: The type of identity that last modified the resource.

created_at str: The timestamp of resource creation (UTC).
created_by str: The identity that created the resource.
created_by_type str: The type of identity that created the resource.
last_modified_at str: The timestamp of resource last modification (UTC)
last_modified_by str: The identity that last modified the resource.
last_modified_by_type str: The type of identity that last modified the resource.

createdAt String: The timestamp of resource creation (UTC).
createdBy String: The identity that created the resource.
createdByType String: The type of identity that created the resource.
lastModifiedAt String: The timestamp of resource last modification (UTC)
lastModifiedBy String: The identity that last modified the resource.
lastModifiedByType String: The type of identity that last modified the resource.

Import

An existing resource can be imported using its type token, name, and identifier, e.g.

$ pulumi import azure-native:securityinsights:ActivityCustomEntityQuery 07da3cc8-c8ad-4710-a44e-334cdcb7882b /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: azure-native-v2 pulumi/pulumi-azure-native
License: Apache-2.0

These are the docs for Azure Native v2. We recommenend using the latest version, Azure Native v3.

Azure Native v2 v2.90.0 published on Thursday, Mar 27, 2025 by Pulumi

pulumi/pulumi-azure-native

azure-native-v2.securityinsights.ActivityCustomEntityQuery

On this page

On this page

Example Usage

Creates or updates an Activity entity query.

Create ActivityCustomEntityQuery Resource

Constructor syntax

Parameters

Constructor example

ActivityCustomEntityQuery Resource Properties

Inputs

Outputs

Supporting Types

ActivityEntityQueriesPropertiesQueryDefinitions
, ActivityEntityQueriesPropertiesQueryDefinitionsArgs

ActivityEntityQueriesPropertiesResponseQueryDefinitions
, ActivityEntityQueriesPropertiesResponseQueryDefinitionsArgs

EntityType
, EntityTypeArgs

SystemDataResponse
, SystemDataResponseArgs

Import

Package Details

On this page

On this page

azure-native-v2.securityinsights.ActivityCustomEntityQuery

On this page

On this page

Example Usage

Creates or updates an Activity entity query.

Create ActivityCustomEntityQuery Resource

Constructor syntax

Parameters

Constructor example

ActivityCustomEntityQuery Resource Properties

Inputs

Outputs

Supporting Types

ActivityEntityQueriesPropertiesQueryDefinitions, ActivityEntityQueriesPropertiesQueryDefinitionsArgs

ActivityEntityQueriesPropertiesResponseQueryDefinitions, ActivityEntityQueriesPropertiesResponseQueryDefinitionsArgs

EntityType, EntityTypeArgs

SystemDataResponse, SystemDataResponseArgs

Import

Package Details

On this page

On this page

ActivityEntityQueriesPropertiesQueryDefinitions
, ActivityEntityQueriesPropertiesQueryDefinitionsArgs

ActivityEntityQueriesPropertiesResponseQueryDefinitions
, ActivityEntityQueriesPropertiesResponseQueryDefinitionsArgs

EntityType
, EntityTypeArgs

SystemDataResponse
, SystemDataResponseArgs