ActivityCustomEntityQuery

class ActivityCustomEntityQuery : KotlinCustomResource

Represents Activity entity query. Uses Azure REST API version 2023-06-01-preview. In version 1.x of the Azure Native provider, it used API version 2021-03-01-preview.

Example Usage

Creates or updates an Activity entity query.

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    // KQL that runs when this activity is expanded from a Host entity in
    // Microsoft Sentinel. The '{{...}}' tokens are placeholders the service
    // fills from the selected entity's fields before the query executes.
    const string accountDeletedQuery = @"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', tostring(split(Computer, '.')[-2]),
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'),
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain)
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain)
or v_Host_AzureID =~ _ResourceId
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
| where EventID == 4726 ";

    // Each inner array is one set of entity fields that is sufficient to run
    // the query; the four sets mirror the four match branches of the query's
    // 'where' clause (NTDomain, DnsDomain, AzureID, OMSAgentID).
    var requiredFieldSets = new[]
    {
        new[] { "Host_HostName", "Host_NTDomain" },
        new[] { "Host_HostName", "Host_DnsDomain" },
        new[] { "Host_AzureID" },
        new[] { "Host_OMSAgentID" },
    };

    var queryArgs = new AzureNative.SecurityInsights.ActivityCustomEntityQueryArgs
    {
        // Timeline text; the placeholders are columns the query projects.
        Content = "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'",
        Description = "Account deleted on host",
        Enabled = true,
        // Only entities whose OS family is Windows get this activity.
        EntitiesFilter =
        {
            { "Host_OsFamily", new[] { "Windows" } },
        },
        EntityQueryId = "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
        InputEntityType = AzureNative.SecurityInsights.EntityType.Host,
        Kind = "Activity",
        QueryDefinitions = new AzureNative.SecurityInsights.Inputs.ActivityEntityQueriesPropertiesQueryDefinitionsArgs
        {
            Query = accountDeletedQuery,
        },
        RequiredInputFieldsSets = requiredFieldSets,
        ResourceGroupName = "myRg",
        Title = "An account was deleted on this host",
        WorkspaceName = "myWorkspace",
    };

    var activityCustomEntityQuery = new AzureNative.SecurityInsights.ActivityCustomEntityQuery(
        "activityCustomEntityQuery",
        queryArgs);
});
package main
import (
securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// KQL that runs when this activity is expanded from a Host entity in
		// Microsoft Sentinel. The '{{...}}' tokens are placeholders the service
		// fills from the selected entity's fields before the query executes.
		const accountDeletedQuery = `let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
SecurityEvent
| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
// parsing for Host to handle variety of conventions coming from data
| extend Host_HostName = case(
Computer has '@', tostring(split(Computer, '@')[0]),
Computer has '\\', tostring(split(Computer, '\\')[1]),
Computer has '.', tostring(split(Computer, '.')[0]),
Computer
)
| extend Host_NTDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', tostring(split(Computer, '.')[-2]),
Computer
)
| extend Host_DnsDomain = case(
Computer has '\\', tostring(split(Computer, '\\')[0]),
Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'),
Computer
)
| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain)
or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain)
or v_Host_AzureID =~ _ResourceId
or v_Host_OMSAgentID == SourceComputerId
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
| extend AddedBy = SubjectUserName
// Future support for Activities
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
};
GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
| where EventID == 4726 `

		// Each inner array is one set of entity fields that is sufficient to
		// run the query; the four sets mirror the four match branches of the
		// query's 'where' clause.
		requiredFieldSets := pulumi.StringArrayArray{
			pulumi.StringArray{pulumi.String("Host_HostName"), pulumi.String("Host_NTDomain")},
			pulumi.StringArray{pulumi.String("Host_HostName"), pulumi.String("Host_DnsDomain")},
			pulumi.StringArray{pulumi.String("Host_AzureID")},
			pulumi.StringArray{pulumi.String("Host_OMSAgentID")},
		}

		queryArgs := &securityinsights.ActivityCustomEntityQueryArgs{
			// Timeline text; the placeholders are columns the query projects.
			Content:     pulumi.String("On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'"),
			Description: pulumi.String("Account deleted on host"),
			Enabled:     pulumi.Bool(true),
			// Only entities whose OS family is Windows get this activity.
			EntitiesFilter: pulumi.StringArrayMap{
				"Host_OsFamily": pulumi.StringArray{pulumi.String("Windows")},
			},
			EntityQueryId:   pulumi.String("07da3cc8-c8ad-4710-a44e-334cdcb7882b"),
			InputEntityType: pulumi.String(securityinsights.EntityTypeHost),
			Kind:            pulumi.String("Activity"),
			QueryDefinitions: &securityinsights.ActivityEntityQueriesPropertiesQueryDefinitionsArgs{
				Query: pulumi.String(accountDeletedQuery),
			},
			RequiredInputFieldsSets: requiredFieldSets,
			ResourceGroupName:       pulumi.String("myRg"),
			Title:                   pulumi.String("An account was deleted on this host"),
			WorkspaceName:           pulumi.String("myWorkspace"),
		}

		// The resource handle is not needed afterwards; only the error matters.
		if _, err := securityinsights.NewActivityCustomEntityQuery(ctx, "activityCustomEntityQuery", queryArgs); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.ActivityCustomEntityQuery;
import com.pulumi.azurenative.securityinsights.ActivityCustomEntityQueryArgs;
import com.pulumi.azurenative.securityinsights.inputs.ActivityEntityQueriesPropertiesQueryDefinitionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
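public class App {
    /**
     * KQL that runs when this activity is expanded from a Host entity in
     * Microsoft Sentinel. The '{{...}}' tokens are placeholders the service
     * fills from the selected entity's fields before the query executes.
     *
     * Java text blocks interpret escape sequences, so the KQL backslash
     * literal must be written as '\\\\' here to reach the service as '\\'
     * (the same query text the C# verbatim and Go raw strings send).
     */
    private static final String ACCOUNT_DELETED_QUERY = """
            let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){
            SecurityEvent
            | where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)
            // parsing for Host to handle variety of conventions coming from data
            | extend Host_HostName = case(
            Computer has '@', tostring(split(Computer, '@')[0]),
            Computer has '\\\\', tostring(split(Computer, '\\\\')[1]),
            Computer has '.', tostring(split(Computer, '.')[0]),
            Computer
            )
            | extend Host_NTDomain = case(
            Computer has '\\\\', tostring(split(Computer, '\\\\')[0]),
            Computer has '.', tostring(split(Computer, '.')[-2]),
            Computer
            )
            | extend Host_DnsDomain = case(
            Computer has '\\\\', tostring(split(Computer, '\\\\')[0]),
            Computer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'),
            Computer
            )
            | where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain)
            or (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain)
            or v_Host_AzureID =~ _ResourceId
            or v_Host_OMSAgentID == SourceComputerId
            | project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId
            | extend AddedBy = SubjectUserName
            // Future support for Activities
            | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount
            };
            GetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')
            | where EventID == 4726 """;

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the activity entity query resource in the given stack context.
     *
     * @param ctx the Pulumi deployment context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        var activityCustomEntityQuery = new ActivityCustomEntityQuery("activityCustomEntityQuery", ActivityCustomEntityQueryArgs.builder()
            // Timeline text; the placeholders are columns the query projects.
            .content("On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'")
            .description("Account deleted on host")
            .enabled(true)
            // Filter values are lists of strings, as in the C# (new[] { "Windows" })
            // and Go (pulumi.StringArrayMap) examples; a bare "Windows" does not
            // match that shape.
            .entitiesFilter(Map.of("Host_OsFamily", List.of("Windows")))
            .entityQueryId("07da3cc8-c8ad-4710-a44e-334cdcb7882b")
            .inputEntityType("Host")
            .kind("Activity")
            .queryDefinitions(ActivityEntityQueriesPropertiesQueryDefinitionsArgs.builder()
                .query(ACCOUNT_DELETED_QUERY)
                .build())
            // Each inner list is one set of entity fields that is sufficient to
            // run the query; the four sets mirror the four match branches of the
            // query's 'where' clause. A single flat list would lose that grouping.
            .requiredInputFieldsSets(
                List.of("Host_HostName", "Host_NTDomain"),
                List.of("Host_HostName", "Host_DnsDomain"),
                List.of("Host_AzureID"),
                List.of("Host_OMSAgentID"))
            .resourceGroupName("myRg")
            .title("An account was deleted on this host")
            .workspaceName("myWorkspace")
            .build());
    }
}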

Import

An existing resource can be imported using its type token, name, and identifier, e.g.

$ pulumi import azure-native:securityinsights:ActivityCustomEntityQuery 07da3cc8-c8ad-4710-a44e-334cdcb7882b /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}

Properties

val content: Output<String>?

The entity query content to display in the timeline

val createdTimeUtc: Output<String>

The time the activity was created

val description: Output<String>?

The entity query description

val enabled: Output<Boolean>?

Determines whether this activity is enabled or disabled.


The query is applied only to entities matching all filters

val etag: Output<String>?

ETag of the Azure resource

val id: Output<String>
val inputEntityType: Output<String>?

The type of the query's source entity

val kind: Output<String>

The kind of the entity query. Expected value is 'Activity'.


The last time the activity was updated

val name: Output<String>

The name of the resource

val pulumiChildResources: Set<KotlinResource>

List of the fields of the source entity that are required to run the query


Azure Resource Manager metadata containing createdBy and modifiedBy information.

val templateName: Output<String>?

The template ID this activity was created from

val title: Output<String>?

The entity query title

val type: Output<String>

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

val urn: Output<String>