Microsoft.SecurityInsights entityQueries 2022-01-01-preview

Bicep resource definition

The entityQueries resource type can be deployed to:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/entityQueries resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.SecurityInsights/entityQueries@2022-01-01-preview' = {
  name: 'string'
  kind: 'string'
  etag: 'string'
  // For remaining properties, see entityQueries objects
}

entityQueries objects

Set the kind property to specify the type of object.

For Activity, use:

  kind: 'Activity'
  properties: {
    content: 'string'
    description: 'string'
    enabled: bool
    entitiesFilter: {}
    inputEntityType: 'string'
    queryDefinitions: {
      query: 'string'
    }
    requiredInputFieldsSets: [
      [
        'string'
      ]
    ]
    templateName: 'string'
    title: 'string'
  }

For Expansion, use:

  kind: 'Expansion'

Property values

entityQueries

| Name | Description | Value |
| --- | --- | --- |
| name | The resource name | string (required) |
| kind | Set the object type | Activity, Expansion (required) |
| etag | Etag of the Azure resource | string |

ActivityCustomEntityQueryOrActivityEntityQuery

| Name | Description | Value |
| --- | --- | --- |
| kind | the entity query kind | 'Activity' (required) |
| properties | Activity entity query properties | ActivityEntityQueriesProperties |

ActivityEntityQueriesProperties

| Name | Description | Value |
| --- | --- | --- |
| content | The entity query content to display in timeline | string |
| description | The entity query description | string |
| enabled | Determines whether this activity is enabled or disabled. | bool |
| entitiesFilter | The query is applied only to entities matching all filters | object |
| inputEntityType | The type of the query's source entity | 'Account', 'AzureResource', 'CloudApplication', 'DNS', 'File', 'FileHash', 'Host', 'HuntingBookmark', 'IP', 'IoTDevice', 'MailCluster', 'MailMessage', 'Mailbox', 'Malware', 'Process', 'RegistryKey', 'RegistryValue', 'SecurityAlert', 'SecurityGroup', 'SubmissionMail', 'URL' |
| queryDefinitions | The Activity query definitions | ActivityEntityQueriesPropertiesQueryDefinitions |
| requiredInputFieldsSets | List of the fields of the source entity that are required to run the query | string[][] |
| templateName | The template id this activity was created from | string |
| title | The entity query title | string |

ActivityEntityQueriesPropertiesQueryDefinitions

| Name | Description | Value |
| --- | --- | --- |
| query | The Activity query to run on a given entity | string |

ExpansionEntityQuery

| Name | Description | Value |
| --- | --- | --- |
| kind | the entity query kind | 'Expansion' (required) |

ARM template resource definition

The entityQueries resource type can be deployed to:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/entityQueries resource, add the following JSON to your template.

{
  "type": "Microsoft.SecurityInsights/entityQueries",
  "apiVersion": "2022-01-01-preview",
  "name": "string",
  "kind": "string",
  "etag": "string",
  // For remaining properties, see entityQueries objects
}

entityQueries objects

Set the kind property to specify the type of object.

For Activity, use:

  "kind": "Activity",
  "properties": {
    "content": "string",
    "description": "string",
    "enabled": "bool",
    "entitiesFilter": {},
    "inputEntityType": "string",
    "queryDefinitions": {
      "query": "string"
    },
    "requiredInputFieldsSets": [ [ "string" ] ],
    "templateName": "string",
    "title": "string"
  }

For Expansion, use:

  "kind": "Expansion"

Property values

entityQueries

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type | 'Microsoft.SecurityInsights/entityQueries' |
| apiVersion | The resource api version | '2022-01-01-preview' |
| name | The resource name | string (required) |
| kind | Set the object type | Activity, Expansion (required) |
| etag | Etag of the Azure resource | string |

ActivityCustomEntityQueryOrActivityEntityQuery

| Name | Description | Value |
| --- | --- | --- |
| kind | the entity query kind | 'Activity' (required) |
| properties | Activity entity query properties | ActivityEntityQueriesProperties |

ActivityEntityQueriesProperties

| Name | Description | Value |
| --- | --- | --- |
| content | The entity query content to display in timeline | string |
| description | The entity query description | string |
| enabled | Determines whether this activity is enabled or disabled. | bool |
| entitiesFilter | The query is applied only to entities matching all filters | object |
| inputEntityType | The type of the query's source entity | 'Account', 'AzureResource', 'CloudApplication', 'DNS', 'File', 'FileHash', 'Host', 'HuntingBookmark', 'IP', 'IoTDevice', 'MailCluster', 'MailMessage', 'Mailbox', 'Malware', 'Process', 'RegistryKey', 'RegistryValue', 'SecurityAlert', 'SecurityGroup', 'SubmissionMail', 'URL' |
| queryDefinitions | The Activity query definitions | ActivityEntityQueriesPropertiesQueryDefinitions |
| requiredInputFieldsSets | List of the fields of the source entity that are required to run the query | string[][] |
| templateName | The template id this activity was created from | string |
| title | The entity query title | string |

ActivityEntityQueriesPropertiesQueryDefinitions

| Name | Description | Value |
| --- | --- | --- |
| query | The Activity query to run on a given entity | string |

ExpansionEntityQuery

| Name | Description | Value |
| --- | --- | --- |
| kind | the entity query kind | 'Expansion' (required) |
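
A pre-deployment check for the ARM JSON form above, as an added example (not Microsoft's code): it validates one resource object against the property tables on this page. The function name, the sample resource and its field name are constructed, and it assumes template expressions such as parameters have already been resolved to concrete values.

```python
import json
# Allowed values copied from the property tables on this page.
KINDS = {"Activity", "Expansion"}
ENTITY_TYPES = {
    "Account", "AzureResource", "CloudApplication", "DNS", "File", "FileHash",
    "Host", "HuntingBookmark", "IP", "IoTDevice", "MailCluster", "MailMessage",
    "Mailbox", "Malware", "Process", "RegistryKey", "RegistryValue",
    "SecurityAlert", "SecurityGroup", "SubmissionMail", "URL",
}

def validate_entity_query(res):
    """Return schema violations for one resolved ARM resource object (a dict)."""
    errors = []
    if res.get("type") != "Microsoft.SecurityInsights/entityQueries":
        errors.append("type: not Microsoft.SecurityInsights/entityQueries")
    if not isinstance(res.get("name"), str) or not res["name"]:
        errors.append("name: required string")
    kind = res.get("kind")
    if not isinstance(kind, str) or kind not in KINDS:
        errors.append("kind: required, 'Activity' or 'Expansion'")
    if kind != "Activity":
        return errors  # the page lists properties for Activity only
    props = res.get("properties", {})
    if not isinstance(props, dict):
        return errors + ["properties: must be an object"]
    for key in ("content", "description", "templateName", "title"):
        if key in props and not isinstance(props[key], str):
            errors.append(f"properties.{key}: must be a string")
    if "enabled" in props and not isinstance(props["enabled"], bool):
        errors.append("properties.enabled: must be a JSON boolean")
    etype = props.get("inputEntityType")
    if etype is not None and not (isinstance(etype, str) and etype in ENTITY_TYPES):
        errors.append("properties.inputEntityType: not a listed entity type")
    if not isinstance(props.get("entitiesFilter", {}), dict):
        errors.append("properties.entitiesFilter: must be an object")
    qdefs = props.get("queryDefinitions", {})
    if not isinstance(qdefs, dict) or not isinstance(qdefs.get("query", ""), str):
        errors.append("properties.queryDefinitions.query: must be a string")
    sets = props.get("requiredInputFieldsSets", [])
    if not (isinstance(sets, list) and all(
            isinstance(s, list) and all(isinstance(f, str) for f in s) for s in sets)):
        errors.append("properties.requiredInputFieldsSets: must be string[][]")
    return errors

# Constructed sample: string "true", lower-case entity type, flat field list.
SAMPLE_BAD = json.loads('{"type": "Microsoft.SecurityInsights/entityQueries", '
                        '"name": "example-activity", "kind": "Activity", "properties": {'
                        '"enabled": "true", "inputEntityType": "host", '
                        '"requiredInputFieldsSets": ["Host_HostName"]}}')
```

Calling `validate_entity_query(SAMPLE_BAD)` reports the quoted boolean, the entity type that differs from the listed value only by case, and the field list that is not nested one level deeper.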

Terraform (AzAPI provider) resource definition

The entityQueries resource type can be deployed to:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/entityQueries resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.SecurityInsights/entityQueries@2022-01-01-preview"
  name = "string"
  parent_id = "string"
  // For remaining properties, see entityQueries objects
  body = jsonencode({
    kind = "string"
    etag = "string"
  })
}

entityQueries objects

Set the kind property to specify the type of object.

For Activity, use:

  kind = "Activity"
  properties = {
    content = "string"
    description = "string"
    enabled = bool
    entitiesFilter = {}
    inputEntityType = "string"
    queryDefinitions = {
      query = "string"
    }
    requiredInputFieldsSets = [
      [
        "string"
      ]
    ]
    templateName = "string"
    title = "string"
  }

For Expansion, use:

  kind = "Expansion"

Property values

entityQueries

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type | "Microsoft.SecurityInsights/entityQueries@2022-01-01-preview" |
| name | The resource name | string (required) |
| parent_id | | string (required) |
| kind | Set the object type | Activity, Expansion (required) |
| etag | Etag of the Azure resource | string |

ActivityCustomEntityQueryOrActivityEntityQuery

| Name | Description | Value |
| --- | --- | --- |
| kind | the entity query kind | "Activity" (required) |
| properties | Activity entity query properties | ActivityEntityQueriesProperties |

ActivityEntityQueriesProperties

| Name | Description | Value |
| --- | --- | --- |
| content | The entity query content to display in timeline | string |
| description | The entity query description | string |
| enabled | Determines whether this activity is enabled or disabled. | bool |
| entitiesFilter | The query is applied only to entities matching all filters | object |
| inputEntityType | The type of the query's source entity | "Account", "AzureResource", "CloudApplication", "DNS", "File", "FileHash", "Host", "HuntingBookmark", "IP", "IoTDevice", "MailCluster", "MailMessage", "Mailbox", "Malware", "Process", "RegistryKey", "RegistryValue", "SecurityAlert", "SecurityGroup", "SubmissionMail", "URL" |
| queryDefinitions | The Activity query definitions | ActivityEntityQueriesPropertiesQueryDefinitions |
| requiredInputFieldsSets | List of the fields of the source entity that are required to run the query | string[][] |
| templateName | The template id this activity was created from | string |
| title | The entity query title | string |

ActivityEntityQueriesPropertiesQueryDefinitions

| Name | Description | Value |
| --- | --- | --- |
| query | The Activity query to run on a given entity | string |

ExpansionEntityQuery

| Name | Description | Value |
| --- | --- | --- |
| kind | the entity query kind | "Expansion" (required) |