The entityQueries resource type can be deployed to:
For a list of changed properties in each API version, see change log.
To create a Microsoft.SecurityInsights/entityQueries resource, add the following JSON to your template.

```json
{
  "type": "Microsoft.SecurityInsights/entityQueries",
  "apiVersion": "2023-02-01-preview",
  "name": "string",
  "kind": "string",
  "etag": "string",
  // For remaining properties, see entityQueries objects
}
```
Set the kind property to specify the type of object.

For Activity, use:

```json
"kind": "Activity",
"properties": {
  "content": "string",
  "description": "string",
  "enabled": "bool",
  "entitiesFilter": {},
  "inputEntityType": "string",
  "queryDefinitions": {
    "query": "string"
  },
  "requiredInputFieldsSets": [ [ "string" ] ],
  "templateName": "string",
  "title": "string"
}
```

For Expansion, use:

```json
"kind": "Expansion"
```
entityQueries resource:

| Name | Description | Value |
|---|---|---|
| type | The resource type | 'Microsoft.SecurityInsights/entityQueries' |
| apiVersion | The resource API version | '2023-02-01-preview' |
| name | The resource name | string (required) |
| kind | Set the object type | 'Activity', 'Expansion' (required) |
| etag | Etag of the Azure resource | string |

Activity entity query object:

| Name | Description | Value |
|---|---|---|
| kind | The entity query kind | 'Activity' (required) |
| properties | Activity entity query properties | ActivityEntityQueriesProperties |

ActivityEntityQueriesProperties:

| Name | Description | Value |
|---|---|---|
| content | The entity query content to display in the timeline | string |
| description | The entity query description | string |
| enabled | Determines whether this activity is enabled or disabled | bool |
| entitiesFilter | The query is applied only to entities matching all of these filters | object |
| inputEntityType | The type of the query's source entity | 'Account', 'AzureResource', 'CloudApplication', 'DNS', 'File', 'FileHash', 'Host', 'HuntingBookmark', 'IP', 'IoTDevice', 'MailCluster', 'MailMessage', 'Mailbox', 'Malware', 'Nic', 'Process', 'RegistryKey', 'RegistryValue', 'SecurityAlert', 'SecurityGroup', 'SubmissionMail', 'URL' |
| queryDefinitions | The Activity query definitions | ActivityEntityQueriesPropertiesQueryDefinitions |
| requiredInputFieldsSets | List of the sets of source-entity fields that are required to run the query | string[][] |
| templateName | The ID of the template this activity was created from | string |
| title | The entity query title | string |

ActivityEntityQueriesPropertiesQueryDefinitions:

| Name | Description | Value |
|---|---|---|
| query | The Activity query to run on a given entity | string |

Expansion entity query object:

| Name | Description | Value |
|---|---|---|
| kind | The entity query kind | 'Expansion' (required) |
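The following is an added, complete ARM template that puts the Activity schema above together into one deployable resource; it is an example written for this page, not a template taken from the reference or from a Microsoft Sentinel content package. It assumes: a workspaceName parameter naming the Log Analytics workspace that Sentinel is enabled on; that entityQueries is deployed as an extension resource of that workspace via the scope property; a resource name produced with the ARM guid() function; the {{Host_HostName}} placeholder convention for substituting the selected entity's field into the query and content; and a constructed KQL query over the SecurityEvent table. None of those values come from the reference page itself.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string",
      "metadata": {
        "description": "Assumed: the Log Analytics workspace that Microsoft Sentinel is enabled on."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.SecurityInsights/entityQueries",
      "apiVersion": "2023-02-01-preview",
      // Assumption of this example: the entity query is an extension resource scoped to the workspace.
      "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('workspaceName'))]",
      // Deterministic GUID so that redeploying the template updates the same resource instead of creating a new one.
      "name": "[guid(resourceGroup().id, parameters('workspaceName'), 'host-interactive-logons')]",
      // kind selects the Activity object; the remaining properties are the ActivityEntityQueriesProperties table.
      "kind": "Activity",
      "properties": {
        "title": "Interactive logons to this host",
        "description": "Successful interactive (LogonType 2) and RDP (LogonType 10) logons recorded for the host in SecurityEvent.",
        // Assumed placeholder syntax: {{Host_HostName}} is replaced with the selected host's HostName field.
        "content": "Interactive and RDP logons to {{Host_HostName}}",
        "enabled": true,
        // One of the allowed inputEntityType values from the reference table.
        "inputEntityType": "Host",
        // string[][]: the activity only runs for hosts that carry every field in at least one of these sets.
        "requiredInputFieldsSets": [
          [ "Host_HostName" ]
        ],
        // No extra entity filter: an empty object applies the activity to every Host entity.
        "entitiesFilter": {},
        "queryDefinitions": {
          // Constructed KQL for this example; the newline escapes keep it a single JSON string.
          "query": "SecurityEvent\n| where EventID == 4624 and LogonType in (2, 10)\n| where Computer =~ '{{Host_HostName}}'\n| project TimeGenerated, Account, LogonType, IpAddress"
        }
      }
    }
  ]
}
```

templateName is left out because it records the template an activity was created from, which does not apply to a hand-written activity. The enabled flag is a JSON boolean, matching the bool type in the table rather than the "bool" string placeholder shown in the schema skeleton. Deploy the template into the workspace's resource group with the Azure CLI, for example az deployment group create with the template file and a workspaceName parameter value.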