Entity Queries - Get

Gets an entity query.

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}?api-version=2025-04-01-preview

URI Parameters

Name In Required Type Description
entityQueryId
path True

string

The entity query ID (the resource name; a GUID in the samples on this page).

resourceGroupName
path True

string

minLength: 1
maxLength: 90

The name of the resource group. The name is case insensitive.

subscriptionId
path True

string (uuid)

The ID of the target subscription. The value must be a UUID.

workspaceName
path True

string

minLength: 1
maxLength: 90
pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$

The name of the workspace. The pattern requires an alphanumeric first and last character with at least one character between them, so valid names are at least three characters long in practice, despite minLength: 1.

api-version
query True

string

minLength: 1

The API version to use for this operation.

Responses

Name Type Description
200 OK EntityQuery:

OK. The body is an ActivityEntityQuery or an ExpansionEntityQuery (see Definitions), distinguished by the kind discriminator; this page defines the Activity and Expansion shapes.

Other Status Codes

CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account
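The request, responses and authorization described above, put together as an added Python example (this is not Microsoft's SDK and not code from this page). It validates the path parameters against the documented constraints before building the URL, sends the GET with a bearer token the caller obtains separately (for instance with `az account get-access-token --resource https://management.azure.com/`; the page only states that Azure AD OAuth2 with the user_impersonation scope is required, so how the token is obtained is this example's assumption), and parses the polymorphic response by its `kind` discriminator, raising on a CloudError body. The transport is a plain callable so that the offline run uses a constructed fake returning an abridged copy of the page's Expansion sample; `urllib_send` is the real transport. The error codes in the fixtures are made up.

```python
"""Added example: a minimal client for Entity Queries - Get (not Microsoft's code)."""
import json
import re
import uuid
from typing import Callable, Dict, Tuple
from urllib.parse import quote

API_VERSION = "2025-04-01-preview"
ARM = "https://management.azure.com"
# workspaceName pattern from the URI parameter table.
WORKSPACE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$")

# (method, url, headers) -> (status, body)
Send = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


class EntityQueryError(Exception):
    """The service answered with a CloudError body (any non-200 status) or an unknown kind."""


def build_get_url(subscription_id: str, resource_group: str,
                  workspace: str, entity_query_id: str) -> str:
    """Build the GET URL, rejecting values that violate the documented constraints
    before they leave the client (fail early; never interpolate unchecked input)."""
    uuid.UUID(subscription_id)  # ValueError if subscriptionId is not a UUID
    if not 1 <= len(resource_group) <= 90:
        raise ValueError("resourceGroupName must be 1-90 characters")
    # The pattern needs a first, a middle and a last character, so 3+ chars in practice.
    if not (len(workspace) <= 90 and WORKSPACE_RE.match(workspace)):
        raise ValueError("workspaceName does not match the documented pattern")
    if not entity_query_id:
        raise ValueError("entityQueryId is required")
    return (f"{ARM}/subscriptions/{subscription_id}"
            f"/resourceGroups/{quote(resource_group, safe='')}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/entityQueries/{quote(entity_query_id, safe='')}"
            f"?api-version={API_VERSION}")


def parse_entity_query(status: int, body: str) -> dict:
    """Dispatch on the status and on the `kind` discriminator (Activity | Expansion)."""
    doc = json.loads(body)
    if status != 200:
        err = doc.get("error", {})
        raise EntityQueryError(f"HTTP {status} {err.get('code')}: {err.get('message')}")
    kind, props = doc.get("kind"), doc.get("properties", {})
    common = {"kind": kind, "name": doc["name"], "etag": doc.get("etag"),
              "inputEntityType": props.get("inputEntityType")}
    if kind == "Activity":
        return {**common, "enabled": props.get("enabled", False),
                "query": props["queryDefinitions"]["query"],
                "requiredInputFieldsSets": props.get("requiredInputFieldsSets", [])}
    if kind == "Expansion":
        return {**common, "query": props["queryTemplate"],
                "inputFields": props.get("inputFields", []),
                "dataSources": props.get("dataSources", []),
                "outputEntityTypes": props.get("outputEntityTypes", [])}
    raise EntityQueryError(f"unsupported entity query kind: {kind!r}")


def get_entity_query(send: Send, bearer_token: str, subscription_id: str,
                     resource_group: str, workspace: str, entity_query_id: str) -> dict:
    """Validate, build, send with the bearer token, and parse."""
    if not bearer_token:
        raise ValueError("a bearer token for https://management.azure.com/ is required")
    url = build_get_url(subscription_id, resource_group, workspace, entity_query_id)
    headers = {"Authorization": f"Bearer {bearer_token}", "Accept": "application/json"}
    return parse_entity_query(*send("GET", url, headers))


def urllib_send(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real transport (not used offline); returns the CloudError body on HTTP errors."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


# Constructed fixtures: an abridged copy of the page's Expansion sample and a
# CloudError body of the shape documented under Definitions (codes and text are made up).
SAMPLE_ID = "07da3cc8-c8ad-4710-a44e-334cdcb7882b"
SAMPLE_EXPANSION_BODY = json.dumps({
    "id": f"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg"
          f"/providers/Microsoft.OperationalInsights/workspaces/myWorkspace"
          f"/providers/Microsoft.SecurityInsights/entityQueries/{SAMPLE_ID}",
    "name": SAMPLE_ID, "type": "Microsoft.SecurityInsights/entityQueries",
    "etag": None, "kind": "Expansion",
    "properties": {"queryTemplate": "GetParentProcessesOnHost(toupper('<hostName>'))",
                   "inputFields": ["hostName"], "outputEntityTypes": ["Process"],
                   "dataSources": ["SecurityEvent"], "inputEntityType": "Host",
                   "displayName": "Parent processes running on host"}})
SAMPLE_ERROR_BODY = json.dumps({"error": {"code": "NotFound",
                                          "message": "constructed: no such entity query"}})


def fake_send(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Offline transport standing in for the service."""
    if method != "GET" or not headers.get("Authorization", "").startswith("Bearer "):
        return 401, json.dumps({"error": {"code": "Unauthorized", "message": "constructed"}})
    if url.split("/entityQueries/")[1].split("?")[0] == SAMPLE_ID:
        return 200, SAMPLE_EXPANSION_BODY
    return 404, SAMPLE_ERROR_BODY
```

Swap `fake_send` for `urllib_send` and pass a real token to run it against a workspace; keep the parameter validation either way, since the same helper is typically reused to build write requests where an unchecked name would end up in the path.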

Examples

Get an Activity entity query.
Get an Expansion entity query.

Get an Activity entity query.

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b?api-version=2025-04-01-preview

Sample response

{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b",
  "name": "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
  "type": "Microsoft.SecurityInsights/entityQueries",
  "etag": null,
  "kind": "Activity",
  "properties": {
    "title": "An account was deleted on this host",
    "content": "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
    "description": "Account deleted on host",
    "queryDefinitions": {
      "query": "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 "
    },
    "inputEntityType": "Host",
    "requiredInputFieldsSets": [
      [
        "Host_HostName",
        "Host_NTDomain"
      ],
      [
        "Host_HostName",
        "Host_DnsDomain"
      ],
      [
        "Host_AzureID"
      ],
      [
        "Host_OMSAgentID"
      ]
    ],
    "entitiesFilter": {
      "Host_OsFamily": [
        "Windows"
      ]
    },
    "enabled": true,
    "templateName": null,
    "createdTimeUtc": "2019-01-01T13:15:30Z",
    "lastModifiedTimeUtc": "2019-01-01T13:15:30Z"
  }
}

Get an Expansion entity query.

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b?api-version=2025-04-01-preview

Sample response

{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b",
  "name": "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
  "type": "Microsoft.SecurityInsights/entityQueries",
  "etag": null,
  "kind": "Expansion",
  "properties": {
    "queryTemplate": "let GetParentProcessesOnHost = (v_Host_HostName:string){\r\n                            SecurityEvent \r\n                            | where EventID == 4688 \r\n                            | where isnotempty(ParentProcessName)\r\n                            | where NewProcessName !contains ':\\\\Windows\\\\System32\\\\conhost.exe' and ParentProcessName !contains ':\\\\Windows\\\\System32\\\\conhost.exe'\r\n                            and NewProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\csc.exe' and ParentProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\csc.exe'\r\n                            and NewProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\cvtres.exe' and ParentProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\cvtres.exe'\r\n                            and NewProcessName!contains ':\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' and ParentProcessName !contains ':\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe'\r\n                            and ParentProcessName !contains ':\\\\Windows\\\\CCM\\\\CcmExec.exe'\r\n                            | where(ParentProcessName !contains ':\\\\Windows\\\\System32\\\\svchost.exe' and (NewProcessName !contains ':\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' or NewProcessName !contains ':\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSE.exe'))\r\n                            | where(ParentProcessName !contains ':\\\\Windows\\\\System32\\\\services.exe' and NewProcessName !contains ':\\\\Windows\\\\servicing\\\\TrustedInstaller.exe')\r\n                            | where toupper(Computer) contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\r\n                            | summarize min(TimeGenerated), max(TimeGenerated) by Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId\r\n                            | project min_TimeGenerated, max_TimeGenerated, Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId\r\n                            | project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName, Process_ParentProcess_ImageFile_FullPath=ParentProcessName\r\n                            | top 10 by min_TimeGenerated asc};\r\n                            GetParentProcessesOnHost(toupper('<hostName>'))",
    "inputFields": [
      "hostName"
    ],
    "outputEntityTypes": [
      "Process"
    ],
    "dataSources": [
      "SecurityEvent"
    ],
    "inputEntityType": "Host",
    "displayName": "Parent processes running on host"
  }
}

Definitions

Name Description
ActivityEntityQuery

Represents Activity entity query.

CloudError

Error response structure.

CloudErrorBody

Error details.

createdByType

The type of identity that created the resource.

EntityQueryKind

The kind of the entity query

EntityType

The type of the query's source entity

ExpansionEntityQuery

Represents Expansion entity query.

QueryDefinitions

The Activity query definitions

systemData

Metadata pertaining to creation and last modification of the resource.

ActivityEntityQuery

Represents Activity entity query.

Name Type Description
etag

string

Etag of the azure resource

id

string (arm-id)

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Activity

The entity query kind; the discriminator that selects this schema.

name

string

The name of the resource

properties.content

string

The entity query content to display in the timeline. Its {{Field}} placeholders are filled from columns of the query result (Computer, TargetAccount and AddedBy in the Activity sample).

properties.createdTimeUtc

string (date-time)

The time the activity was created

properties.description

string

The entity query description

properties.enabled

boolean

Determines whether this activity is enabled or disabled.

properties.entitiesFilter

object

The query is applied only to entities that match all of the filters (each key names an entity field and lists its allowed values; the Activity sample restricts Host_OsFamily to "Windows").

properties.inputEntityType

EntityType

The type of the query's source entity

properties.lastModifiedTimeUtc

string (date-time)

The last time the activity was updated

properties.queryDefinitions

QueryDefinitions

The Activity query definitions

properties.requiredInputFieldsSets

string[][]

List of alternative sets of source-entity fields; the query can run when every field in at least one set is present on the entity. The Activity sample lists four such sets, each a different way of identifying a Host.

properties.templateName

string

The ID of the template this activity was created from (null when the activity was not created from a template, as in the sample).

properties.title

string

The entity query title

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

CloudError

Error response structure.

Name Type Description
error

CloudErrorBody

Error data

CloudErrorBody

Error details.

Name Type Description
code

string

An identifier for the error. Codes are invariant and are intended to be consumed programmatically.

message

string

A message describing the error, intended to be suitable for display in a user interface.

createdByType

The type of identity that created the resource.

Value Description
User
Application
ManagedIdentity
Key

EntityQueryKind

The kind of the entity query

Value Description
Expansion
Insight
Activity

EntityType

The type of the query's source entity

Value Description
Account

Entity represents account in the system.

Host

Entity represents host in the system.

File

Entity represents file in the system.

AzureResource

Entity represents an Azure resource in the system.

CloudApplication

Entity represents cloud application in the system.

DNS

Entity represents a DNS name in the system.

FileHash

Entity represents file hash in the system.

IP

Entity represents an IP address in the system.

Malware

Entity represents malware in the system.

Process

Entity represents process in the system.

RegistryKey

Entity represents registry key in the system.

RegistryValue

Entity represents registry value in the system.

SecurityGroup

Entity represents security group in the system.

URL

Entity represents a URL in the system.

IoTDevice

Entity represents IoT device in the system.

SecurityAlert

Entity represents security alert in the system.

HuntingBookmark

Entity represents a hunting bookmark in the system.

MailCluster

Entity represents mail cluster in the system.

MailMessage

Entity represents mail message in the system.

Mailbox

Entity represents mailbox in the system.

SubmissionMail

Entity represents submission mail in the system.

Nic

Entity represents network interface in the system.

ExpansionEntityQuery

Represents Expansion entity query.

Name Type Description
etag

string

Etag of the azure resource

id

string (arm-id)

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Expansion

The entity query kind; the discriminator that selects this schema.

name

string

The name of the resource

properties.dataSources

string[]

List of the data sources that are required to run the query

properties.displayName

string

The query display name

properties.inputEntityType

EntityType

The type of the query's source entity

properties.inputFields

string[]

List of the fields of the source entity that are required to run the query

properties.outputEntityTypes

EntityType[]

List of the desired output types to be constructed from the result

properties.queryTemplate

string

The query template to be parsed and formatted; its <field> placeholders are named by inputFields (the sample's template ends with GetParentProcessesOnHost(toupper('<hostName>')) and declares inputFields ["hostName"]).

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
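The ActivityEntityQuery and ExpansionEntityQuery properties defined above, exercised client-side in an added Python example (not Microsoft's code, and not a description of how the service itself renders these templates, which this page does not document). For an Activity, the entity has to satisfy every entitiesFilter key, fully populate at least one requiredInputFieldsSets alternative (the reading that fits the four alternative Host identifiers in the Activity sample) and the activity has to be enabled before the {{Field}} placeholders in queryDefinitions.query are filled; for an Expansion, every inputFields name must be supplied before the <field> placeholders in queryTemplate are filled. The Host entity, the abridged query texts and the escaping of quotes inside KQL string literals are this example's own assumptions.

```python
"""Added example: client-side rendering of Activity and Expansion entity queries (not Microsoft's code)."""
import re
from typing import Dict, List, Optional

ACTIVITY_PLACEHOLDER = re.compile(r"\{\{([A-Za-z0-9_]+)\}\}")   # {{Host_HostName}}
EXPANSION_PLACEHOLDER = re.compile(r"<([A-Za-z0-9_]+)>")        # <hostName>

# Constructed Host entity; field names follow the Activity sample, values are made up.
SAMPLE_HOST = {"Host_HostName": "srv01", "Host_DnsDomain": "corp.example.com",
               "Host_OsFamily": "Windows"}

# Abridged from the page's Activity sample: same placeholders and field sets, shorter query.
SAMPLE_ACTIVITY = {
    "title": "An account was deleted on this host",
    "content": "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
    "queryDefinitions": {"query": (
        "SecurityEvent\n| where EventID == 4726\n"
        "| where Computer =~ '{{Host_HostName}}' "
        "or Computer =~ strcat('{{Host_HostName}}', '.', '{{Host_DnsDomain}}')")},
    "inputEntityType": "Host",
    "requiredInputFieldsSets": [["Host_HostName", "Host_NTDomain"],
                                ["Host_HostName", "Host_DnsDomain"],
                                ["Host_AzureID"], ["Host_OMSAgentID"]],
    "entitiesFilter": {"Host_OsFamily": ["Windows"]},
    "enabled": True,
}

# Abridged from the page's Expansion sample.
SAMPLE_EXPANSION = {
    "queryTemplate": "SecurityEvent\n| where EventID == 4688\n"
                     "| where toupper(Computer) contains toupper('<hostName>')\n"
                     "| top 10 by TimeGenerated asc",
    "inputFields": ["hostName"], "inputEntityType": "Host",
    "outputEntityTypes": ["Process"], "dataSources": ["SecurityEvent"],
}


def kql_literal(value: str) -> str:
    """Escape a value for use inside a single-quoted KQL string literal.
    Defensive choice of this example: a hostname containing a quote must not alter the query."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def matching_field_set(activity: dict, entity: Dict[str, str]) -> Optional[List[str]]:
    """First requiredInputFieldsSets alternative whose fields are all present on the entity."""
    for field_set in activity.get("requiredInputFieldsSets", []):
        if all(entity.get(field) for field in field_set):
            return field_set
    return None


def passes_entities_filter(activity: dict, entity: Dict[str, str]) -> bool:
    """entitiesFilter: the entity must match every key, each with one of its allowed values."""
    return all(entity.get(key) in allowed
               for key, allowed in activity.get("entitiesFilter", {}).items())


def render_activity_query(activity: dict, entity: Dict[str, str]) -> Optional[str]:
    """KQL to run for this entity, or None when the activity does not apply to it."""
    if not activity.get("enabled", False):
        return None
    if not passes_entities_filter(activity, entity) or matching_field_set(activity, entity) is None:
        return None
    # Fields the entity lacks are rendered as '' (this example's choice); the sample's
    # `=~ '...'` comparisons then never match a real host on that alternative.
    return ACTIVITY_PLACEHOLDER.sub(lambda m: kql_literal(entity.get(m.group(1), "")),
                                    activity["queryDefinitions"]["query"])


def render_activity_content(activity: dict, row: Dict[str, str]) -> str:
    """Fill the timeline `content` template from one result row of the query."""
    return ACTIVITY_PLACEHOLDER.sub(lambda m: str(row.get(m.group(1), "")), activity["content"])


def render_expansion_query(expansion: dict, inputs: Dict[str, str]) -> Optional[str]:
    """Fill the <inputField> placeholders of an Expansion queryTemplate; None if a value is missing.
    Only names listed in inputFields are substituted, so KQL comparison operators are left alone."""
    names = expansion.get("inputFields", [])
    if any(not inputs.get(field) for field in names):
        return None
    return EXPANSION_PLACEHOLDER.sub(
        lambda m: kql_literal(inputs[m.group(1)]) if m.group(1) in names else m.group(0),
        expansion["queryTemplate"])
```

Calling `render_activity_query(SAMPLE_ACTIVITY, SAMPLE_HOST)` yields the query with 'srv01' and 'corp.example.com' in place of the placeholders; a Linux host, a host that fills none of the field sets, or a disabled activity all yield None, and a value such as `it's` reaches the query as `it\'s`.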

QueryDefinitions

The Activity query definitions

Name Type Description
query

string

The Activity query to run on a given entity

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string (date-time)

The timestamp of resource creation (UTC).

createdBy

string

The identity that created the resource.

createdByType

createdByType

The type of identity that created the resource.

lastModifiedAt

string (date-time)

The timestamp of resource last modification (UTC)

lastModifiedBy

string

The identity that last modified the resource.

lastModifiedByType

createdByType

The type of identity that last modified the resource.