Microsoft.SecurityInsights entityQueries 2022-12-01-preview
Bicep resource definition
The entityQueries resource type can be deployed to:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/entityQueries resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.SecurityInsights/entityQueries@2022-12-01-preview' = {
  name: 'string'
  kind: 'string'
  etag: 'string'
  // For remaining properties, see entityQueries objects
}
```
entityQueries objects
Set the kind property to specify the type of object.
For Activity, use:
```bicep
  kind: 'Activity'
  properties: {
    content: 'string'
    description: 'string'
    enabled: bool
    entitiesFilter: {}
    inputEntityType: 'string'
    queryDefinitions: {
      query: 'string'
    }
    requiredInputFieldsSets: [
      [
        'string'
      ]
    ]
    templateName: 'string'
    title: 'string'
  }
```
For Expansion, use:
```bicep
  kind: 'Expansion'
```
Property values
entityQueries
Name | Description | Value |
---|---|---|
name | The resource name | string (required) |
kind | Set the object type | Activity, Expansion (required) |
etag | Etag of the azure resource | string |
ActivityCustomEntityQueryOrActivityEntityQuery
Name | Description | Value |
---|---|---|
kind | the entity query kind | 'Activity' (required) |
properties | Activity entity query properties | ActivityEntityQueriesProperties |
ActivityEntityQueriesProperties
Name | Description | Value |
---|---|---|
content | The entity query content to display in timeline | string |
description | The entity query description | string |
enabled | Determines whether this activity is enabled or disabled. | bool |
entitiesFilter | The query applied only to entities matching to all filters | object |
inputEntityType | The type of the query's source entity | 'Account' 'AzureResource' 'CloudApplication' 'DNS' 'File' 'FileHash' 'Host' 'HuntingBookmark' 'IP' 'IoTDevice' 'MailCluster' 'MailMessage' 'Mailbox' 'Malware' 'Nic' 'Process' 'RegistryKey' 'RegistryValue' 'SecurityAlert' 'SecurityGroup' 'SubmissionMail' 'URL' |
queryDefinitions | The Activity query definitions | ActivityEntityQueriesPropertiesQueryDefinitions |
requiredInputFieldsSets | List of the fields of the source entity that are required to run the query | string[][] |
templateName | The template id this activity was created from | string |
title | The entity query title | string |
ActivityEntityQueriesPropertiesQueryDefinitions
Name | Description | Value |
---|---|---|
query | The Activity query to run on a given entity | string |
ExpansionEntityQuery
Name | Description | Value |
---|---|---|
kind | the entity query kind | 'Expansion' (required) |
ARM template resource definition
The entityQueries resource type can be deployed to:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/entityQueries resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.SecurityInsights/entityQueries",
  "apiVersion": "2022-12-01-preview",
  "name": "string",
  "kind": "string",
  "etag": "string",
  // For remaining properties, see entityQueries objects
}
```
entityQueries objects
Set the kind property to specify the type of object.
For Activity, use:
```json
  "kind": "Activity",
  "properties": {
    "content": "string",
    "description": "string",
    "enabled": "bool",
    "entitiesFilter": {},
    "inputEntityType": "string",
    "queryDefinitions": {
      "query": "string"
    },
    "requiredInputFieldsSets": [ [ "string" ] ],
    "templateName": "string",
    "title": "string"
  }
```
For Expansion, use:
```json
  "kind": "Expansion"
```
Property values
entityQueries
Name | Description | Value |
---|---|---|
type | The resource type | 'Microsoft.SecurityInsights/entityQueries' |
apiVersion | The resource api version | '2022-12-01-preview' |
name | The resource name | string (required) |
kind | Set the object type | Activity, Expansion (required) |
etag | Etag of the azure resource | string |
ActivityCustomEntityQueryOrActivityEntityQuery
Name | Description | Value |
---|---|---|
kind | the entity query kind | 'Activity' (required) |
properties | Activity entity query properties | ActivityEntityQueriesProperties |
ActivityEntityQueriesProperties
Name | Description | Value |
---|---|---|
content | The entity query content to display in timeline | string |
description | The entity query description | string |
enabled | Determines whether this activity is enabled or disabled. | bool |
entitiesFilter | The query applied only to entities matching to all filters | object |
inputEntityType | The type of the query's source entity | 'Account' 'AzureResource' 'CloudApplication' 'DNS' 'File' 'FileHash' 'Host' 'HuntingBookmark' 'IP' 'IoTDevice' 'MailCluster' 'MailMessage' 'Mailbox' 'Malware' 'Nic' 'Process' 'RegistryKey' 'RegistryValue' 'SecurityAlert' 'SecurityGroup' 'SubmissionMail' 'URL' |
queryDefinitions | The Activity query definitions | ActivityEntityQueriesPropertiesQueryDefinitions |
requiredInputFieldsSets | List of the fields of the source entity that are required to run the query | string[][] |
templateName | The template id this activity was created from | string |
title | The entity query title | string |
ActivityEntityQueriesPropertiesQueryDefinitions
Name | Description | Value |
---|---|---|
query | The Activity query to run on a given entity | string |
ExpansionEntityQuery
Name | Description | Value |
---|---|---|
kind | the entity query kind | 'Expansion' (required) |
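The tables above can be turned into a pre-deployment check for template reviews. The following is an added example, not Microsoft's code: it lints a parsed ARM resource against the property tables on this page, and the function name, constants and sample resource are hypothetical and constructed for illustration.

```python
# Added example (not Microsoft's code): lint a parsed ARM entityQueries
# resource against the property tables above. All names are hypothetical.
RESOURCE_TYPE = "Microsoft.SecurityInsights/entityQueries"
API_VERSION = "2022-12-01-preview"
KINDS = ("Activity", "Expansion")
INPUT_ENTITY_TYPES = (
    "Account", "AzureResource", "CloudApplication", "DNS", "File", "FileHash",
    "Host", "HuntingBookmark", "IP", "IoTDevice", "MailCluster", "MailMessage",
    "Mailbox", "Malware", "Nic", "Process", "RegistryKey", "RegistryValue",
    "SecurityAlert", "SecurityGroup", "SubmissionMail", "URL",
)
STRING_PROPS = ("content", "description", "templateName", "title")

def lint_entity_query(res):
    """Return names of offending fields; an empty list means the tables are met."""
    fixed = (("type", RESOURCE_TYPE), ("apiVersion", API_VERSION))
    out = [key for key, want in fixed if res.get(key) != want]
    if not (isinstance(res.get("name"), str) and res["name"]):
        out.append("name")
    if res.get("kind") not in KINDS:
        out.append("kind")
    if res.get("kind") != "Activity":
        return out  # only Activity has a properties table on this page
    props = res.get("properties", {})
    if not isinstance(props, dict):
        return out + ["properties"]
    out += [k for k in STRING_PROPS if not isinstance(props.get(k, ""), str)]
    if not isinstance(props.get("enabled", False), bool):
        out.append("enabled")  # e.g. the placeholder string "bool" left in place
    if props.get("inputEntityType", "Host") not in INPUT_ENTITY_TYPES:
        out.append("inputEntityType")
    qd = props.get("queryDefinitions", {})
    if not (isinstance(qd, dict) and isinstance(qd.get("query", ""), str)):
        out.append("queryDefinitions.query")
    sets = props.get("requiredInputFieldsSets", [])
    if not (isinstance(sets, list) and all(isinstance(s, list) and
            all(isinstance(f, str) for f in s) for s in sets)):
        out.append("requiredInputFieldsSets")  # must be string[][]
    return out

# Constructed sample with three deliberate mistakes for the linter to catch.
SAMPLE = {
    "type": RESOURCE_TYPE, "apiVersion": API_VERSION,
    "name": "example-activity", "kind": "Activity",
    "properties": {"title": "Example", "enabled": "true",
                   "inputEntityType": "Hostname",
                   "queryDefinitions": {"query": "constructed placeholder query"},
                   "requiredInputFieldsSets": ["HostName"]},
}
```

Calling `lint_entity_query(SAMPLE)` reports `enabled`, `inputEntityType` and `requiredInputFieldsSets`; the check covers only the fields listed in the tables and does not validate the query text itself.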
Terraform (AzAPI provider) resource definition
The entityQueries resource type can be deployed to:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/entityQueries resource, add the following Terraform to your template.
```hcl
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.SecurityInsights/entityQueries@2022-12-01-preview"
  name = "string"
  parent_id = "string"
  // For remaining properties, see entityQueries objects
  body = jsonencode({
    kind = "string"
    etag = "string"
  })
}
```
entityQueries objects
Set the kind property to specify the type of object.
For Activity, use:
```hcl
  kind = "Activity"
  properties = {
    content = "string"
    description = "string"
    enabled = bool
    entitiesFilter = {}
    inputEntityType = "string"
    queryDefinitions = {
      query = "string"
    }
    requiredInputFieldsSets = [
      [
        "string"
      ]
    ]
    templateName = "string"
    title = "string"
  }
```
For Expansion, use:
```hcl
  kind = "Expansion"
```
Property values
entityQueries
Name | Description | Value |
---|---|---|
type | The resource type | "Microsoft.SecurityInsights/entityQueries@2022-12-01-preview" |
name | The resource name | string (required) |
parent_id | | string (required) |
kind | Set the object type | Activity, Expansion (required) |
etag | Etag of the azure resource | string |
ActivityCustomEntityQueryOrActivityEntityQuery
Name | Description | Value |
---|---|---|
kind | the entity query kind | "Activity" (required) |
properties | Activity entity query properties | ActivityEntityQueriesProperties |
ActivityEntityQueriesProperties
Name | Description | Value |
---|---|---|
content | The entity query content to display in timeline | string |
description | The entity query description | string |
enabled | Determines whether this activity is enabled or disabled. | bool |
entitiesFilter | The query applied only to entities matching to all filters | object |
inputEntityType | The type of the query's source entity | "Account" "AzureResource" "CloudApplication" "DNS" "File" "FileHash" "Host" "HuntingBookmark" "IP" "IoTDevice" "MailCluster" "MailMessage" "Mailbox" "Malware" "Nic" "Process" "RegistryKey" "RegistryValue" "SecurityAlert" "SecurityGroup" "SubmissionMail" "URL" |
queryDefinitions | The Activity query definitions | ActivityEntityQueriesPropertiesQueryDefinitions |
requiredInputFieldsSets | List of the fields of the source entity that are required to run the query | string[][] |
templateName | The template id this activity was created from | string |
title | The entity query title | string |
ActivityEntityQueriesPropertiesQueryDefinitions
Name | Description | Value |
---|---|---|
query | The Activity query to run on a given entity | string |
ExpansionEntityQuery
Name | Description | Value |
---|---|---|
kind | the entity query kind | "Expansion" (required) |