Entity Queries - Get
Gets an entity query.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}?api-version=2024-01-01-previewURI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
entity
|
path | True |
string |
entity query ID |
|
resource
|
path | True |
string |
The name of the resource group. The name is case insensitive. |
|
subscription
|
path | True |
string |
The ID of the target subscription. |
|
workspace
|
path | True |
string |
The name of the workspace. Regex pattern: |
|
api-version
|
query | True |
string |
The API version to use for this operation. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK | EntityQuery: |
OK |
| Other Status Codes |
Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
| Get an Activity entity query. |
| Get an Expansion entity query. |
Get an Activity entity query.
Sample Request
GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b?api-version=2024-01-01-preview
Sample Response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b",
"name": "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
"type": "Microsoft.SecurityInsights/entityQueries",
"etag": null,
"kind": "Activity",
"properties": {
"title": "An account was deleted on this host",
"content": "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
"description": "Account deleted on host",
"queryDefinitions": {
"query": "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 "
},
"inputEntityType": "Host",
"requiredInputFieldsSets": [
[
"Host_HostName",
"Host_NTDomain"
],
[
"Host_HostName",
"Host_DnsDomain"
],
[
"Host_AzureID"
],
[
"Host_OMSAgentID"
]
],
"entitiesFilter": {
"Host_OsFamily": [
"Windows"
]
},
"enabled": true,
"templateName": null,
"createdTimeUtc": "2019-01-01T13:15:30Z",
"lastModifiedTimeUtc": "2019-01-01T13:15:30Z"
}
}Get an Expansion entity query.
Sample Request
GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b?api-version=2024-01-01-preview
Sample Response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b",
"name": "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
"type": "Microsoft.SecurityInsights/entityQueries",
"etag": null,
"kind": "Expansion",
"properties": {
"queryTemplate": "let GetParentProcessesOnHost = (v_Host_HostName:string){\r\n SecurityEvent \r\n | where EventID == 4688 \r\n | where isnotempty(ParentProcessName)\r\n | where NewProcessName !contains ':\\\\Windows\\\\System32\\\\conhost.exe' and ParentProcessName !contains ':\\\\Windows\\\\System32\\\\conhost.exe'\r\n and NewProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\csc.exe' and ParentProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\csc.exe'\r\n and NewProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\cvtres.exe' and ParentProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\cvtres.exe'\r\n and NewProcessName!contains ':\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' and ParentProcessName !contains ':\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe'\r\n and ParentProcessName !contains ':\\\\Windows\\\\CCM\\\\CcmExec.exe'\r\n | where(ParentProcessName !contains ':\\\\Windows\\\\System32\\\\svchost.exe' and (NewProcessName !contains ':\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' or NewProcessName !contains ':\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSE.exe'))\r\n | where(ParentProcessName !contains ':\\\\Windows\\\\System32\\\\services.exe' and NewProcessName !contains ':\\\\Windows\\\\servicing\\\\TrustedInstaller.exe')\r\n | where toupper(Computer) contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\r\n | summarize min(TimeGenerated), max(TimeGenerated) by Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId\r\n | project min_TimeGenerated, max_TimeGenerated, Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId\r\n | project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName, Process_ParentProcess_ImageFile_FullPath=ParentProcessName\r\n | top 10 by min_TimeGenerated asc};\r\n GetParentProcessesOnHost(toupper('<hostName>'))",
"inputFields": [
"hostName"
],
"outputEntityTypes": [
"Process"
],
"dataSources": [
"SecurityEvent"
],
"inputEntityType": "Host",
"displayName": "Parent processes running on host"
}
}Definitions
| Name | Description |
|---|---|
|
Activity |
Represents Activity entity query. |
|
Cloud |
Error response structure. |
|
Cloud |
Error details. |
|
created |
The type of identity that created the resource. |
|
Entity |
The kind of the entity query |
|
Entity |
The type of the query's source entity |
|
Expansion |
Represents Expansion entity query. |
|
Query |
The Activity query definitions |
|
system |
Metadata pertaining to creation and last modification of the resource. |
ActivityEntityQuery
Represents Activity entity query.
| Name | Type | Description |
|---|---|---|
| etag |
string |
Etag of the azure resource |
| id |
string |
Fully qualified resource ID for the resource. Ex - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName} |
| kind |
string:
Activity |
the entity query kind |
| name |
string |
The name of the resource |
| properties.content |
string |
The entity query content to display in timeline |
| properties.createdTimeUtc |
string |
The time the activity was created |
| properties.description |
string |
The entity query description |
| properties.enabled |
boolean |
Determines whether this activity is enabled or disabled. |
| properties.entitiesFilter |
object |
The query applied only to entities matching to all filters |
| properties.inputEntityType |
The type of the query's source entity |
|
| properties.lastModifiedTimeUtc |
string |
The last time the activity was updated |
| properties.queryDefinitions |
The Activity query definitions |
|
| properties.requiredInputFieldsSets |
string[] |
List of the fields of the source entity that are required to run the query |
| properties.templateName |
string |
The template id this activity was created from |
| properties.title |
string |
The entity query title |
| systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
| type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
CloudError
Error response structure.
| Name | Type | Description |
|---|---|---|
| error |
Error data |
CloudErrorBody
Error details.
| Name | Type | Description |
|---|---|---|
| code |
string |
An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
| message |
string |
A message describing the error, intended to be suitable for display in a user interface. |
createdByType
The type of identity that created the resource.
| Name | Type | Description |
|---|---|---|
| Application |
string |
|
| Key |
string |
|
| ManagedIdentity |
string |
|
| User |
string |
EntityQueryKind
The kind of the entity query
| Name | Type | Description |
|---|---|---|
| Activity |
string |
|
| Expansion |
string |
|
| Insight |
string |
EntityType
The type of the query's source entity
| Name | Type | Description |
|---|---|---|
| Account |
string |
Entity represents account in the system. |
| AzureResource |
string |
Entity represents azure resource in the system. |
| CloudApplication |
string |
Entity represents cloud application in the system. |
| DNS |
string |
Entity represents dns in the system. |
| File |
string |
Entity represents file in the system. |
| FileHash |
string |
Entity represents file hash in the system. |
| Host |
string |
Entity represents host in the system. |
| HuntingBookmark |
string |
Entity represents HuntingBookmark in the system. |
| IP |
string |
Entity represents ip in the system. |
| IoTDevice |
string |
Entity represents IoT device in the system. |
| MailCluster |
string |
Entity represents mail cluster in the system. |
| MailMessage |
string |
Entity represents mail message in the system. |
| Mailbox |
string |
Entity represents mailbox in the system. |
| Malware |
string |
Entity represents malware in the system. |
| Nic |
string |
Entity represents network interface in the system. |
| Process |
string |
Entity represents process in the system. |
| RegistryKey |
string |
Entity represents registry key in the system. |
| RegistryValue |
string |
Entity represents registry value in the system. |
| SecurityAlert |
string |
Entity represents security alert in the system. |
| SecurityGroup |
string |
Entity represents security group in the system. |
| SubmissionMail |
string |
Entity represents submission mail in the system. |
| URL |
string |
Entity represents url in the system. |
ExpansionEntityQuery
Represents Expansion entity query.
| Name | Type | Description |
|---|---|---|
| etag |
string |
Etag of the azure resource |
| id |
string |
Fully qualified resource ID for the resource. Ex - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName} |
| kind |
string:
Expansion |
the entity query kind |
| name |
string |
The name of the resource |
| properties.dataSources |
string[] |
List of the data sources that are required to run the query |
| properties.displayName |
string |
The query display name |
| properties.inputEntityType |
The type of the query's source entity |
|
| properties.inputFields |
string[] |
List of the fields of the source entity that are required to run the query |
| properties.outputEntityTypes |
List of the desired output types to be constructed from the result |
|
| properties.queryTemplate |
string |
The template query string to be parsed and formatted |
| systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
| type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
QueryDefinitions
The Activity query definitions
| Name | Type | Description |
|---|---|---|
| query |
string |
The Activity query to run on a given entity |
systemData
Metadata pertaining to creation and last modification of the resource.
| Name | Type | Description |
|---|---|---|
| createdAt |
string |
The timestamp of resource creation (UTC). |
| createdBy |
string |
The identity that created the resource. |
| createdByType |
The type of identity that created the resource. |
|
| lastModifiedAt |
string |
The timestamp of resource last modification (UTC) |
| lastModifiedBy |
string |
The identity that last modified the resource. |
| lastModifiedByType |
The type of identity that last modified the resource. |