1. Packages
  2. Azure Native v2
  3. API Docs
  4. securityinsights
  5. ActivityCustomEntityQuery
These are the docs for Azure Native v2. We recommenend using the latest version, Azure Native v3.
Azure Native v2 v2.90.0 published on Thursday, Mar 27, 2025 by Pulumi

azure-native-v2.securityinsights.ActivityCustomEntityQuery

Explore with Pulumi AI

Represents Activity entity query. Azure REST API version: 2023-06-01-preview. Prior API version in Azure Native 1.x: 2021-03-01-preview.

Example Usage

Creates or updates an Activity entity query.

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var activityCustomEntityQuery = new AzureNative.SecurityInsights.ActivityCustomEntityQuery("activityCustomEntityQuery", new()
    {
        Content = "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
        Description = "Account deleted on host",
        Enabled = true,
        EntitiesFilter = 
        {
            { "Host_OsFamily", new[]
            {
                "Windows",
            } },
        },
        EntityQueryId = "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
        InputEntityType = AzureNative.SecurityInsights.EntityType.Host,
        Kind = "Activity",
        QueryDefinitions = new AzureNative.SecurityInsights.Inputs.ActivityEntityQueriesPropertiesQueryDefinitionsArgs
        {
            Query = @"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', tostring(split(Computer, '.')[-2]), 
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
or v_Host_AzureID =~ _ResourceId 
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
 
| where EventID == 4726 ",
        },
        RequiredInputFieldsSets = new[]
        {
            new[]
            {
                "Host_HostName",
                "Host_NTDomain",
            },
            new[]
            {
                "Host_HostName",
                "Host_DnsDomain",
            },
            new[]
            {
                "Host_AzureID",
            },
            new[]
            {
                "Host_OMSAgentID",
            },
        },
        ResourceGroupName = "myRg",
        Title = "An account was deleted on this host",
        WorkspaceName = "myWorkspace",
    });

});
Copy
package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securityinsights.NewActivityCustomEntityQuery(ctx, "activityCustomEntityQuery", &securityinsights.ActivityCustomEntityQueryArgs{
			Content:     pulumi.String("On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'"),
			Description: pulumi.String("Account deleted on host"),
			Enabled:     pulumi.Bool(true),
			EntitiesFilter: pulumi.StringArrayMap{
				"Host_OsFamily": pulumi.StringArray{
					pulumi.String("Windows"),
				},
			},
			EntityQueryId:   pulumi.String("07da3cc8-c8ad-4710-a44e-334cdcb7882b"),
			InputEntityType: pulumi.String(securityinsights.EntityTypeHost),
			Kind:            pulumi.String("Activity"),
			QueryDefinitions: &securityinsights.ActivityEntityQueriesPropertiesQueryDefinitionsArgs{
				Query: pulumi.String(`let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', tostring(split(Computer, '.')[-2]), 
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
or v_Host_AzureID =~ _ResourceId 
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
 
| where EventID == 4726 `),
			},
			RequiredInputFieldsSets: pulumi.StringArrayArray{
				pulumi.StringArray{
					pulumi.String("Host_HostName"),
					pulumi.String("Host_NTDomain"),
				},
				pulumi.StringArray{
					pulumi.String("Host_HostName"),
					pulumi.String("Host_DnsDomain"),
				},
				pulumi.StringArray{
					pulumi.String("Host_AzureID"),
				},
				pulumi.StringArray{
					pulumi.String("Host_OMSAgentID"),
				},
			},
			ResourceGroupName: pulumi.String("myRg"),
			Title:             pulumi.String("An account was deleted on this host"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.ActivityCustomEntityQuery;
import com.pulumi.azurenative.securityinsights.ActivityCustomEntityQueryArgs;
import com.pulumi.azurenative.securityinsights.inputs.ActivityEntityQueriesPropertiesQueryDefinitionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var activityCustomEntityQuery = new ActivityCustomEntityQuery("activityCustomEntityQuery", ActivityCustomEntityQueryArgs.builder()
            .content("On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'")
            .description("Account deleted on host")
            .enabled(true)
            .entitiesFilter(Map.of("Host_OsFamily", "Windows"))
            .entityQueryId("07da3cc8-c8ad-4710-a44e-334cdcb7882b")
            .inputEntityType("Host")
            .kind("Activity")
            .queryDefinitions(ActivityEntityQueriesPropertiesQueryDefinitionsArgs.builder()
                .query("""
let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', tostring(split(Computer, '.')[-2]), 
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
or v_Host_AzureID =~ _ResourceId 
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
 
| where EventID == 4726                 """)
                .build())
            .requiredInputFieldsSets(            
                                
                    "Host_HostName",
                    "Host_NTDomain",
                                
                    "Host_HostName",
                    "Host_DnsDomain",
                "Host_AzureID",
                "Host_OMSAgentID")
            .resourceGroupName("myRg")
            .title("An account was deleted on this host")
            .workspaceName("myWorkspace")
            .build());

    }
}
Copy
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const activityCustomEntityQuery = new azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQuery", {
    content: "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
    description: "Account deleted on host",
    enabled: true,
    entitiesFilter: {
        Host_OsFamily: ["Windows"],
    },
    entityQueryId: "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
    inputEntityType: azure_native.securityinsights.EntityType.Host,
    kind: "Activity",
    queryDefinitions: {
        query: `let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\\\', tostring(split(Computer, '\\\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\\\', tostring(split(Computer, '\\\\')[0]), 
Computer has '.', tostring(split(Computer, '.')[-2]), 
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\\\', tostring(split(Computer, '\\\\')[0]), 
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
or v_Host_AzureID =~ _ResourceId 
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
 
| where EventID == 4726 `,
    },
    requiredInputFieldsSets: [
        [
            "Host_HostName",
            "Host_NTDomain",
        ],
        [
            "Host_HostName",
            "Host_DnsDomain",
        ],
        ["Host_AzureID"],
        ["Host_OMSAgentID"],
    ],
    resourceGroupName: "myRg",
    title: "An account was deleted on this host",
    workspaceName: "myWorkspace",
});
Copy
import pulumi
import pulumi_azure_native as azure_native

activity_custom_entity_query = azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQuery",
    content="On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
    description="Account deleted on host",
    enabled=True,
    entities_filter={
        "Host_OsFamily": ["Windows"],
    },
    entity_query_id="07da3cc8-c8ad-4710-a44e-334cdcb7882b",
    input_entity_type=azure_native.securityinsights.EntityType.HOST,
    kind="Activity",
    query_definitions={
        "query": """let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', tostring(split(Computer, '.')[-2]), 
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]), 
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), 
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) 
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) 
or v_Host_AzureID =~ _ResourceId 
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
 
| where EventID == 4726 """,
    },
    required_input_fields_sets=[
        [
            "Host_HostName",
            "Host_NTDomain",
        ],
        [
            "Host_HostName",
            "Host_DnsDomain",
        ],
        ["Host_AzureID"],
        ["Host_OMSAgentID"],
    ],
    resource_group_name="myRg",
    title="An account was deleted on this host",
    workspace_name="myWorkspace")
Copy
resources:
  activityCustomEntityQuery:
    type: azure-native:securityinsights:ActivityCustomEntityQuery
    properties:
      content: On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'
      description: Account deleted on host
      enabled: true
      entitiesFilter:
        Host_OsFamily:
          - Windows
      entityQueryId: 07da3cc8-c8ad-4710-a44e-334cdcb7882b
      inputEntityType: Host
      kind: Activity
      queryDefinitions:
        query: "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 "
      requiredInputFieldsSets:
        - - Host_HostName
          - Host_NTDomain
        - - Host_HostName
          - Host_DnsDomain
        - - Host_AzureID
        - - Host_OMSAgentID
      resourceGroupName: myRg
      title: An account was deleted on this host
      workspaceName: myWorkspace
Copy

Create ActivityCustomEntityQuery Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new ActivityCustomEntityQuery(name: string, args: ActivityCustomEntityQueryArgs, opts?: CustomResourceOptions);
@overload
def ActivityCustomEntityQuery(resource_name: str,
                              args: ActivityCustomEntityQueryArgs,
                              opts: Optional[ResourceOptions] = None)

@overload
def ActivityCustomEntityQuery(resource_name: str,
                              opts: Optional[ResourceOptions] = None,
                              resource_group_name: Optional[str] = None,
                              workspace_name: Optional[str] = None,
                              description: Optional[str] = None,
                              enabled: Optional[bool] = None,
                              entities_filter: Optional[Mapping[str, Sequence[str]]] = None,
                              entity_query_id: Optional[str] = None,
                              input_entity_type: Optional[Union[str, EntityType]] = None,
                              query_definitions: Optional[ActivityEntityQueriesPropertiesQueryDefinitionsArgs] = None,
                              required_input_fields_sets: Optional[Sequence[Sequence[str]]] = None,
                              content: Optional[str] = None,
                              template_name: Optional[str] = None,
                              title: Optional[str] = None)
func NewActivityCustomEntityQuery(ctx *Context, name string, args ActivityCustomEntityQueryArgs, opts ...ResourceOption) (*ActivityCustomEntityQuery, error)
public ActivityCustomEntityQuery(string name, ActivityCustomEntityQueryArgs args, CustomResourceOptions? opts = null)
public ActivityCustomEntityQuery(String name, ActivityCustomEntityQueryArgs args)
public ActivityCustomEntityQuery(String name, ActivityCustomEntityQueryArgs args, CustomResourceOptions options)
type: azure-native:securityinsights:ActivityCustomEntityQuery
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. ActivityCustomEntityQueryArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. ActivityCustomEntityQueryArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. ActivityCustomEntityQueryArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. ActivityCustomEntityQueryArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. ActivityCustomEntityQueryArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var activityCustomEntityQueryResource = new AzureNative.Securityinsights.ActivityCustomEntityQuery("activityCustomEntityQueryResource", new()
{
    ResourceGroupName = "string",
    Kind = "string",
    WorkspaceName = "string",
    Description = "string",
    Enabled = false,
    EntitiesFilter = 
    {
        { "string", new[]
        {
            "string",
        } },
    },
    EntityQueryId = "string",
    InputEntityType = "string",
    QueryDefinitions = 
    {
        { "query", "string" },
    },
    RequiredInputFieldsSets = new[]
    {
        new[]
        {
            "string",
        },
    },
    Content = "string",
    TemplateName = "string",
    Title = "string",
});
Copy
example, err := securityinsights.NewActivityCustomEntityQuery(ctx, "activityCustomEntityQueryResource", &securityinsights.ActivityCustomEntityQueryArgs{
	ResourceGroupName: "string",
	Kind:              "string",
	WorkspaceName:     "string",
	Description:       "string",
	Enabled:           false,
	EntitiesFilter: map[string]interface{}{
		"string": []string{
			"string",
		},
	},
	EntityQueryId:   "string",
	InputEntityType: "string",
	QueryDefinitions: map[string]interface{}{
		"query": "string",
	},
	RequiredInputFieldsSets: [][]string{
		[]string{
			"string",
		},
	},
	Content:      "string",
	TemplateName: "string",
	Title:        "string",
})
Copy
var activityCustomEntityQueryResource = new ActivityCustomEntityQuery("activityCustomEntityQueryResource", ActivityCustomEntityQueryArgs.builder()
    .resourceGroupName("string")
    .kind("string")
    .workspaceName("string")
    .description("string")
    .enabled(false)
    .entitiesFilter(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
    .entityQueryId("string")
    .inputEntityType("string")
    .queryDefinitions(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
    .requiredInputFieldsSets("string")
    .content("string")
    .templateName("string")
    .title("string")
    .build());
Copy
activity_custom_entity_query_resource = azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQueryResource",
    resource_group_name=string,
    kind=string,
    workspace_name=string,
    description=string,
    enabled=False,
    entities_filter={
        string: [string],
    },
    entity_query_id=string,
    input_entity_type=string,
    query_definitions={
        query: string,
    },
    required_input_fields_sets=[[string]],
    content=string,
    template_name=string,
    title=string)
Copy
const activityCustomEntityQueryResource = new azure_native.securityinsights.ActivityCustomEntityQuery("activityCustomEntityQueryResource", {
    resourceGroupName: "string",
    kind: "string",
    workspaceName: "string",
    description: "string",
    enabled: false,
    entitiesFilter: {
        string: ["string"],
    },
    entityQueryId: "string",
    inputEntityType: "string",
    queryDefinitions: {
        query: "string",
    },
    requiredInputFieldsSets: [["string"]],
    content: "string",
    templateName: "string",
    title: "string",
});
Copy
type: azure-native:securityinsights:ActivityCustomEntityQuery
properties:
    content: string
    description: string
    enabled: false
    entitiesFilter:
        string:
            - string
    entityQueryId: string
    inputEntityType: string
    kind: string
    queryDefinitions:
        query: string
    requiredInputFieldsSets:
        - - string
    resourceGroupName: string
    templateName: string
    title: string
    workspaceName: string
Copy

ActivityCustomEntityQuery Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ActivityCustomEntityQuery resource accepts the following input properties:

ResourceGroupName
This property is required.
Changes to this property will trigger replacement.
string
The name of the resource group. The name is case insensitive.
WorkspaceName
This property is required.
Changes to this property will trigger replacement.
string
The name of the workspace.
Content string
The entity query content to display in timeline
Description string
The entity query description
Enabled bool
Determines whether this activity is enabled or disabled.
EntitiesFilter Dictionary<string, ImmutableArray<string>>
The query applied only to entities matching to all filters
EntityQueryId Changes to this property will trigger replacement. string
entity query ID
InputEntityType string | Pulumi.AzureNative.SecurityInsights.EntityType
The type of the query's source entity
QueryDefinitions Pulumi.AzureNative.SecurityInsights.Inputs.ActivityEntityQueriesPropertiesQueryDefinitions
The Activity query definitions
RequiredInputFieldsSets List<ImmutableArray<string>>
List of the fields of the source entity that are required to run the query
TemplateName string
The template id this activity was created from
Title string
The entity query title
ResourceGroupName
This property is required.
Changes to this property will trigger replacement.
string
The name of the resource group. The name is case insensitive.
WorkspaceName
This property is required.
Changes to this property will trigger replacement.
string
The name of the workspace.
Content string
The entity query content to display in timeline
Description string
The entity query description
Enabled bool
Determines whether this activity is enabled or disabled.
EntitiesFilter map[string][]string
The query applied only to entities matching to all filters
EntityQueryId Changes to this property will trigger replacement. string
entity query ID
InputEntityType string | EntityType
The type of the query's source entity
QueryDefinitions ActivityEntityQueriesPropertiesQueryDefinitionsArgs
The Activity query definitions
RequiredInputFieldsSets [][]string
List of the fields of the source entity that are required to run the query
TemplateName string
The template id this activity was created from
Title string
The entity query title
resourceGroupName
This property is required.
Changes to this property will trigger replacement.
String
The name of the resource group. The name is case insensitive.
workspaceName
This property is required.
Changes to this property will trigger replacement.
String
The name of the workspace.
content String
The entity query content to display in timeline
description String
The entity query description
enabled Boolean
Determines whether this activity is enabled or disabled.
entitiesFilter Map<String,List<String>>
The query applied only to entities matching to all filters
entityQueryId Changes to this property will trigger replacement. String
entity query ID
inputEntityType String | EntityType
The type of the query's source entity
queryDefinitions ActivityEntityQueriesPropertiesQueryDefinitions
The Activity query definitions
requiredInputFieldsSets List<List<String>>
List of the fields of the source entity that are required to run the query
templateName String
The template id this activity was created from
title String
The entity query title
resourceGroupName
This property is required.
Changes to this property will trigger replacement.
string
The name of the resource group. The name is case insensitive.
workspaceName
This property is required.
Changes to this property will trigger replacement.
string
The name of the workspace.
content string
The entity query content to display in timeline
description string
The entity query description
enabled boolean
Determines whether this activity is enabled or disabled.
entitiesFilter {[key: string]: string[]}
The query applied only to entities matching to all filters
entityQueryId Changes to this property will trigger replacement. string
entity query ID
inputEntityType string | EntityType
The type of the query's source entity
queryDefinitions ActivityEntityQueriesPropertiesQueryDefinitions
The Activity query definitions
requiredInputFieldsSets string[][]
List of the fields of the source entity that are required to run the query
templateName string
The template id this activity was created from
title string
The entity query title
resource_group_name
This property is required.
Changes to this property will trigger replacement.
str
The name of the resource group. The name is case insensitive.
workspace_name
This property is required.
Changes to this property will trigger replacement.
str
The name of the workspace.
content str
The entity query content to display in timeline
description str
The entity query description
enabled bool
Determines whether this activity is enabled or disabled.
entities_filter Mapping[str, Sequence[str]]
The query applied only to entities matching to all filters
entity_query_id Changes to this property will trigger replacement. str
entity query ID
input_entity_type str | EntityType
The type of the query's source entity
query_definitions ActivityEntityQueriesPropertiesQueryDefinitionsArgs
The Activity query definitions
required_input_fields_sets Sequence[Sequence[str]]
List of the fields of the source entity that are required to run the query
template_name str
The template id this activity was created from
title str
The entity query title
resourceGroupName
This property is required.
Changes to this property will trigger replacement.
String
The name of the resource group. The name is case insensitive.
workspaceName
This property is required.
Changes to this property will trigger replacement.
String
The name of the workspace.
content String
The entity query content to display in timeline
description String
The entity query description
enabled Boolean
Determines whether this activity is enabled or disabled.
entitiesFilter Map<List<String>>
The query applied only to entities matching to all filters
entityQueryId Changes to this property will trigger replacement. String
entity query ID
inputEntityType String | "Account" | "Host" | "File" | "AzureResource" | "CloudApplication" | "DNS" | "FileHash" | "IP" | "Malware" | "Process" | "RegistryKey" | "RegistryValue" | "SecurityGroup" | "URL" | "IoTDevice" | "SecurityAlert" | "HuntingBookmark" | "MailCluster" | "MailMessage" | "Mailbox" | "SubmissionMail" | "Nic"
The type of the query's source entity
queryDefinitions Property Map
The Activity query definitions
requiredInputFieldsSets List<List<String>>
List of the fields of the source entity that are required to run the query
templateName String
The template id this activity was created from
title String
The entity query title

Outputs

All input properties are implicitly available as output properties. Additionally, the ActivityCustomEntityQuery resource produces the following output properties:

CreatedTimeUtc string
The time the activity was created
Id string
The provider-assigned unique ID for this managed resource.
LastModifiedTimeUtc string
The last time the activity was updated
Name string
The name of the resource
SystemData Pulumi.AzureNative.SecurityInsights.Outputs.SystemDataResponse
Azure Resource Manager metadata containing createdBy and modifiedBy information.
Type string
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
Etag string
Etag of the azure resource
CreatedTimeUtc string
The time the activity was created
Id string
The provider-assigned unique ID for this managed resource.
LastModifiedTimeUtc string
The last time the activity was updated
Name string
The name of the resource
SystemData SystemDataResponse
Azure Resource Manager metadata containing createdBy and modifiedBy information.
Type string
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
Etag string
Etag of the azure resource
createdTimeUtc String
The time the activity was created
id String
The provider-assigned unique ID for this managed resource.
lastModifiedTimeUtc String
The last time the activity was updated
name String
The name of the resource
systemData SystemDataResponse
Azure Resource Manager metadata containing createdBy and modifiedBy information.
type String
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
etag String
Etag of the azure resource
createdTimeUtc string
The time the activity was created
id string
The provider-assigned unique ID for this managed resource.
lastModifiedTimeUtc string
The last time the activity was updated
name string
The name of the resource
systemData SystemDataResponse
Azure Resource Manager metadata containing createdBy and modifiedBy information.
type string
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
etag string
Etag of the azure resource
created_time_utc str
The time the activity was created
id str
The provider-assigned unique ID for this managed resource.
last_modified_time_utc str
The last time the activity was updated
name str
The name of the resource
system_data SystemDataResponse
Azure Resource Manager metadata containing createdBy and modifiedBy information.
type str
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
etag str
Etag of the azure resource
createdTimeUtc String
The time the activity was created
id String
The provider-assigned unique ID for this managed resource.
lastModifiedTimeUtc String
The last time the activity was updated
name String
The name of the resource
systemData Property Map
Azure Resource Manager metadata containing createdBy and modifiedBy information.
type String
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
etag String
Etag of the azure resource

Supporting Types

ActivityEntityQueriesPropertiesQueryDefinitions
, ActivityEntityQueriesPropertiesQueryDefinitionsArgs

Query string
The Activity query to run on a given entity
Query string
The Activity query to run on a given entity
query String
The Activity query to run on a given entity
query string
The Activity query to run on a given entity
query str
The Activity query to run on a given entity
query String
The Activity query to run on a given entity

ActivityEntityQueriesPropertiesResponseQueryDefinitions
, ActivityEntityQueriesPropertiesResponseQueryDefinitionsArgs

Query string
The Activity query to run on a given entity
Query string
The Activity query to run on a given entity
query String
The Activity query to run on a given entity
query string
The Activity query to run on a given entity
query str
The Activity query to run on a given entity
query String
The Activity query to run on a given entity

EntityType
, EntityTypeArgs

Account
AccountEntity represents account in the system.
Host
HostEntity represents host in the system.
File
FileEntity represents file in the system.
AzureResource
AzureResourceEntity represents azure resource in the system.
CloudApplication
CloudApplicationEntity represents cloud application in the system.
DNS
DNSEntity represents dns in the system.
FileHash
FileHashEntity represents file hash in the system.
IP
IPEntity represents ip in the system.
Malware
MalwareEntity represents malware in the system.
Process
ProcessEntity represents process in the system.
RegistryKey
RegistryKeyEntity represents registry key in the system.
RegistryValue
RegistryValueEntity represents registry value in the system.
SecurityGroup
SecurityGroupEntity represents security group in the system.
URL
URLEntity represents url in the system.
IoTDevice
IoTDeviceEntity represents IoT device in the system.
SecurityAlert
SecurityAlertEntity represents security alert in the system.
HuntingBookmark
HuntingBookmarkEntity represents HuntingBookmark in the system.
MailCluster
MailClusterEntity represents mail cluster in the system.
MailMessage
MailMessageEntity represents mail message in the system.
Mailbox
MailboxEntity represents mailbox in the system.
SubmissionMail
SubmissionMailEntity represents submission mail in the system.
Nic
NicEntity represents network interface in the system.
EntityTypeAccount
AccountEntity represents account in the system.
EntityTypeHost
HostEntity represents host in the system.
EntityTypeFile
FileEntity represents file in the system.
EntityTypeAzureResource
AzureResourceEntity represents azure resource in the system.
EntityTypeCloudApplication
CloudApplicationEntity represents cloud application in the system.
EntityTypeDNS
DNSEntity represents dns in the system.
EntityTypeFileHash
FileHashEntity represents file hash in the system.
EntityTypeIP
IPEntity represents ip in the system.
EntityTypeMalware
MalwareEntity represents malware in the system.
EntityTypeProcess
ProcessEntity represents process in the system.
EntityTypeRegistryKey
RegistryKeyEntity represents registry key in the system.
EntityTypeRegistryValue
RegistryValueEntity represents registry value in the system.
EntityTypeSecurityGroup
SecurityGroupEntity represents security group in the system.
EntityTypeURL
URLEntity represents url in the system.
EntityTypeIoTDevice
IoTDeviceEntity represents IoT device in the system.
EntityTypeSecurityAlert
SecurityAlertEntity represents security alert in the system.
EntityTypeHuntingBookmark
HuntingBookmarkEntity represents HuntingBookmark in the system.
EntityTypeMailCluster
MailClusterEntity represents mail cluster in the system.
EntityTypeMailMessage
MailMessageEntity represents mail message in the system.
EntityTypeMailbox
MailboxEntity represents mailbox in the system.
EntityTypeSubmissionMail
SubmissionMailEntity represents submission mail in the system.
EntityTypeNic
NicEntity represents network interface in the system.
Account
AccountEntity represents account in the system.
Host
HostEntity represents host in the system.
File
FileEntity represents file in the system.
AzureResource
AzureResourceEntity represents azure resource in the system.
CloudApplication
CloudApplicationEntity represents cloud application in the system.
DNS
DNSEntity represents dns in the system.
FileHash
FileHashEntity represents file hash in the system.
IP
IPEntity represents ip in the system.
Malware
MalwareEntity represents malware in the system.
Process
ProcessEntity represents process in the system.
RegistryKey
RegistryKeyEntity represents registry key in the system.
RegistryValue
RegistryValueEntity represents registry value in the system.
SecurityGroup
SecurityGroupEntity represents security group in the system.
URL
URLEntity represents url in the system.
IoTDevice
IoTDeviceEntity represents IoT device in the system.
SecurityAlert
SecurityAlertEntity represents security alert in the system.
HuntingBookmark
HuntingBookmarkEntity represents HuntingBookmark in the system.
MailCluster
MailClusterEntity represents mail cluster in the system.
MailMessage
MailMessageEntity represents mail message in the system.
Mailbox
MailboxEntity represents mailbox in the system.
SubmissionMail
SubmissionMailEntity represents submission mail in the system.
Nic
NicEntity represents network interface in the system.
Account
AccountEntity represents account in the system.
Host
HostEntity represents host in the system.
File
FileEntity represents file in the system.
AzureResource
AzureResourceEntity represents azure resource in the system.
CloudApplication
CloudApplicationEntity represents cloud application in the system.
DNS
DNSEntity represents dns in the system.
FileHash
FileHashEntity represents file hash in the system.
IP
IPEntity represents ip in the system.
Malware
MalwareEntity represents malware in the system.
Process
ProcessEntity represents process in the system.
RegistryKey
RegistryKeyEntity represents registry key in the system.
RegistryValue
RegistryValueEntity represents registry value in the system.
SecurityGroup
SecurityGroupEntity represents security group in the system.
URL
URLEntity represents url in the system.
IoTDevice
IoTDeviceEntity represents IoT device in the system.
SecurityAlert
SecurityAlertEntity represents security alert in the system.
HuntingBookmark
HuntingBookmarkEntity represents HuntingBookmark in the system.
MailCluster
MailClusterEntity represents mail cluster in the system.
MailMessage
MailMessageEntity represents mail message in the system.
Mailbox
MailboxEntity represents mailbox in the system.
SubmissionMail
SubmissionMailEntity represents submission mail in the system.
Nic
NicEntity represents network interface in the system.
ACCOUNT
AccountEntity represents account in the system.
HOST
HostEntity represents host in the system.
FILE
FileEntity represents file in the system.
AZURE_RESOURCE
AzureResourceEntity represents azure resource in the system.
CLOUD_APPLICATION
CloudApplicationEntity represents cloud application in the system.
DNS
DNSEntity represents dns in the system.
FILE_HASH
FileHashEntity represents file hash in the system.
IP
IPEntity represents ip in the system.
MALWARE
MalwareEntity represents malware in the system.
PROCESS
ProcessEntity represents process in the system.
REGISTRY_KEY
RegistryKeyEntity represents registry key in the system.
REGISTRY_VALUE
RegistryValueEntity represents registry value in the system.
SECURITY_GROUP
SecurityGroupEntity represents security group in the system.
URL
URLEntity represents url in the system.
IO_T_DEVICE
IoTDeviceEntity represents IoT device in the system.
SECURITY_ALERT
SecurityAlertEntity represents security alert in the system.
HUNTING_BOOKMARK
HuntingBookmarkEntity represents HuntingBookmark in the system.
MAIL_CLUSTER
MailClusterEntity represents mail cluster in the system.
MAIL_MESSAGE
MailMessageEntity represents mail message in the system.
MAILBOX
MailboxEntity represents mailbox in the system.
SUBMISSION_MAIL
SubmissionMailEntity represents submission mail in the system.
NIC
NicEntity represents network interface in the system.
"Account"
AccountEntity represents account in the system.
"Host"
HostEntity represents host in the system.
"File"
FileEntity represents file in the system.
"AzureResource"
AzureResourceEntity represents azure resource in the system.
"CloudApplication"
CloudApplicationEntity represents cloud application in the system.
"DNS"
DNSEntity represents dns in the system.
"FileHash"
FileHashEntity represents file hash in the system.
"IP"
IPEntity represents ip in the system.
"Malware"
MalwareEntity represents malware in the system.
"Process"
ProcessEntity represents process in the system.
"RegistryKey"
RegistryKeyEntity represents registry key in the system.
"RegistryValue"
RegistryValueEntity represents registry value in the system.
"SecurityGroup"
SecurityGroupEntity represents security group in the system.
"URL"
URLEntity represents url in the system.
"IoTDevice"
IoTDeviceEntity represents IoT device in the system.
"SecurityAlert"
SecurityAlertEntity represents security alert in the system.
"HuntingBookmark"
HuntingBookmarkEntity represents HuntingBookmark in the system.
"MailCluster"
MailClusterEntity represents mail cluster in the system.
"MailMessage"
MailMessageEntity represents mail message in the system.
"Mailbox"
MailboxEntity represents mailbox in the system.
"SubmissionMail"
SubmissionMailEntity represents submission mail in the system.
"Nic"
NicEntity represents network interface in the system.

SystemDataResponse
, SystemDataResponseArgs

CreatedAt string
The timestamp of resource creation (UTC).
CreatedBy string
The identity that created the resource.
CreatedByType string
The type of identity that created the resource.
LastModifiedAt string
The timestamp of resource last modification (UTC)
LastModifiedBy string
The identity that last modified the resource.
LastModifiedByType string
The type of identity that last modified the resource.
CreatedAt string
The timestamp of resource creation (UTC).
CreatedBy string
The identity that created the resource.
CreatedByType string
The type of identity that created the resource.
LastModifiedAt string
The timestamp of resource last modification (UTC)
LastModifiedBy string
The identity that last modified the resource.
LastModifiedByType string
The type of identity that last modified the resource.
createdAt String
The timestamp of resource creation (UTC).
createdBy String
The identity that created the resource.
createdByType String
The type of identity that created the resource.
lastModifiedAt String
The timestamp of resource last modification (UTC)
lastModifiedBy String
The identity that last modified the resource.
lastModifiedByType String
The type of identity that last modified the resource.
createdAt string
The timestamp of resource creation (UTC).
createdBy string
The identity that created the resource.
createdByType string
The type of identity that created the resource.
lastModifiedAt string
The timestamp of resource last modification (UTC)
lastModifiedBy string
The identity that last modified the resource.
lastModifiedByType string
The type of identity that last modified the resource.
created_at str
The timestamp of resource creation (UTC).
created_by str
The identity that created the resource.
created_by_type str
The type of identity that created the resource.
last_modified_at str
The timestamp of resource last modification (UTC)
last_modified_by str
The identity that last modified the resource.
last_modified_by_type str
The type of identity that last modified the resource.
createdAt String
The timestamp of resource creation (UTC).
createdBy String
The identity that created the resource.
createdByType String
The type of identity that created the resource.
lastModifiedAt String
The timestamp of resource last modification (UTC)
lastModifiedBy String
The identity that last modified the resource.
lastModifiedByType String
The type of identity that last modified the resource.

Import

An existing resource can be imported using its type token, name, and identifier, e.g.

$ pulumi import azure-native:securityinsights:ActivityCustomEntityQuery 07da3cc8-c8ad-4710-a44e-334cdcb7882b /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId} 
Copy

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
azure-native-v2 pulumi/pulumi-azure-native
License
Apache-2.0