<?xml version='1.0' encoding='utf-8'?> <CodeGen plane="mgmt-plane"> <resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/entityqueries/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvZW50aXR5UXVlcmllcy97ZW50aXR5UXVlcnlJZH0=/V/MjAyMi0wNi0wMS1wcmV2aWV3"/> <commandGroup name="sentinel entity-query"> <command name="show" version="2022-06-01-preview"> <resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/entityqueries/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvZW50aXR5UXVlcmllcy97ZW50aXR5UXVlcnlJZH0=/V/MjAyMi0wNi0wMS1wcmV2aWV3"/> <argGroup name=""> <arg type="string" var="$Path.entityQueryId" options="entity-query-id name n" required="True" idPart="child_name_1"> <help short="entity query ID"/> </arg> <arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True" idPart="resource_group"/> <arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/> <arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name"> <help short="The name of the workspace."/> <format maxLength="90" minLength="1"/> </arg> </argGroup> <operation 
operationId="EntityQueries_Get"> <http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}"> <request method="get"> <path> <param type="string" name="entityQueryId" arg="$Path.entityQueryId" required="True"/> <param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True"> <format maxLength="90" minLength="1"/> </param> <param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True"> <format minLength="1"/> </param> <param type="string" name="workspaceName" arg="$Path.workspaceName" required="True"> <format maxLength="90" minLength="1"/> </param> </path> <query> <const readOnly="True" const="True" type="string" name="api-version" required="True"> <default value="&quot;2022-06-01-preview&quot;"/> <format minLength="1"/> </const> </query> </request> <response statusCode="200"> <body> <json var="$Instance"> <schema type="object"> <prop type="string" name="etag"/> <prop readOnly="True" type="ResourceId" name="id"> <format template="/subscriptions/{}/resourceGroups/{}/providers/Microsoft.OperationalInsights/workspaces/{}/providers/Microsoft.SecurityInsights/entityQueries/{}"/> </prop> <prop type="string" name="kind" required="True"> <enum> <item value="&quot;Activity&quot;"/> <item value="&quot;Expansion&quot;"/> <item value="&quot;Insight&quot;"/> </enum> </prop> <prop readOnly="True" type="string" name="name"/> <prop readOnly="True" type="object" name="systemData"> <prop readOnly="True" type="dateTime" name="createdAt"/> <prop readOnly="True" type="string" name="createdBy"/> <prop readOnly="True" type="string" name="createdByType"> <enum> <item value="&quot;Application&quot;"/> <item value="&quot;Key&quot;"/> <item value="&quot;ManagedIdentity&quot;"/> <item value="&quot;User&quot;"/> </enum> </prop> <prop readOnly="True" type="dateTime" name="lastModifiedAt"/> <prop 
readOnly="True" type="string" name="lastModifiedBy"/> <prop readOnly="True" type="string" name="lastModifiedByType"> <enum> <item value="&quot;Application&quot;"/> <item value="&quot;Key&quot;"/> <item value="&quot;ManagedIdentity&quot;"/> <item value="&quot;User&quot;"/> </enum> </prop> </prop> <prop readOnly="True" type="string" name="type"/> <discriminator property="kind" value="Activity"> <prop type="object" name="properties" clientFlatten="True"> <prop type="string" name="content"/> <prop readOnly="True" type="dateTime" name="createdTimeUtc"/> <prop type="string" name="description"/> <prop type="boolean" name="enabled"/> <prop type="object" name="entitiesFilter"> <additionalProp> <item type="array<string>"> <item type="string"/> </item> </additionalProp> </prop> <prop type="string" name="inputEntityType"> <enum> <item value="&quot;Account&quot;"/> <item value="&quot;AzureResource&quot;"/> <item value="&quot;CloudApplication&quot;"/> <item value="&quot;DNS&quot;"/> <item value="&quot;File&quot;"/> <item value="&quot;FileHash&quot;"/> <item value="&quot;Host&quot;"/> <item value="&quot;HuntingBookmark&quot;"/> <item value="&quot;IP&quot;"/> <item value="&quot;IoTDevice&quot;"/> <item value="&quot;MailCluster&quot;"/> <item value="&quot;MailMessage&quot;"/> <item value="&quot;Mailbox&quot;"/> <item value="&quot;Malware&quot;"/> <item value="&quot;Process&quot;"/> <item value="&quot;RegistryKey&quot;"/> <item value="&quot;RegistryValue&quot;"/> <item value="&quot;SecurityAlert&quot;"/> <item value="&quot;SecurityGroup&quot;"/> <item value="&quot;SubmissionMail&quot;"/> <item value="&quot;URL&quot;"/> </enum> </prop> <prop readOnly="True" type="dateTime" name="lastModifiedTimeUtc"/> <prop type="object" name="queryDefinitions"> <prop type="string" name="query"/> </prop> <prop type="array<array<string>>" name="requiredInputFieldsSets"> <item type="array<string>"> <item type="string"/> </item> </prop> <prop type="string" name="templateName"/> <prop type="string" 
name="title"/> </prop> </discriminator> <discriminator property="kind" value="Expansion"> <prop type="object" name="properties" clientFlatten="True"> <prop type="array<string>" name="dataSources"> <item type="string"/> </prop> <prop type="string" name="displayName"/> <prop type="string" name="inputEntityType"> <enum> <item value="&quot;Account&quot;"/> <item value="&quot;AzureResource&quot;"/> <item value="&quot;CloudApplication&quot;"/> <item value="&quot;DNS&quot;"/> <item value="&quot;File&quot;"/> <item value="&quot;FileHash&quot;"/> <item value="&quot;Host&quot;"/> <item value="&quot;HuntingBookmark&quot;"/> <item value="&quot;IP&quot;"/> <item value="&quot;IoTDevice&quot;"/> <item value="&quot;MailCluster&quot;"/> <item value="&quot;MailMessage&quot;"/> <item value="&quot;Mailbox&quot;"/> <item value="&quot;Malware&quot;"/> <item value="&quot;Process&quot;"/> <item value="&quot;RegistryKey&quot;"/> <item value="&quot;RegistryValue&quot;"/> <item value="&quot;SecurityAlert&quot;"/> <item value="&quot;SecurityGroup&quot;"/> <item value="&quot;SubmissionMail&quot;"/> <item value="&quot;URL&quot;"/> </enum> </prop> <prop type="array<string>" name="inputFields"> <item type="string"/> </prop> <prop type="array<string>" name="outputEntityTypes"> <item type="string"> <enum> <item value="&quot;Account&quot;"/> <item value="&quot;AzureResource&quot;"/> <item value="&quot;CloudApplication&quot;"/> <item value="&quot;DNS&quot;"/> <item value="&quot;File&quot;"/> <item value="&quot;FileHash&quot;"/> <item value="&quot;Host&quot;"/> <item value="&quot;HuntingBookmark&quot;"/> <item value="&quot;IP&quot;"/> <item value="&quot;IoTDevice&quot;"/> <item value="&quot;MailCluster&quot;"/> <item value="&quot;MailMessage&quot;"/> <item value="&quot;Mailbox&quot;"/> <item value="&quot;Malware&quot;"/> <item value="&quot;Process&quot;"/> <item value="&quot;RegistryKey&quot;"/> <item value="&quot;RegistryValue&quot;"/> <item value="&quot;SecurityAlert&quot;"/> <item 
value="&quot;SecurityGroup&quot;"/> <item value="&quot;SubmissionMail&quot;"/> <item value="&quot;URL&quot;"/> </enum> </item> </prop> <prop type="string" name="queryTemplate"/> </prop> </discriminator> </schema> </json> </body> </response> <response isError="True"> <body> <json> <schema type="@ODataV4Format"/> </json> </body> </response> </http> </operation> <output type="object" ref="$Instance" clientFlatten="True"/> </command> <command name="delete" version="2022-06-01-preview" confirmation="Are you sure you want to perform this operation?"> <resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/entityqueries/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvZW50aXR5UXVlcmllcy97ZW50aXR5UXVlcnlJZH0=/V/MjAyMi0wNi0wMS1wcmV2aWV3"/> <argGroup name=""> <arg type="string" var="$Path.entityQueryId" options="entity-query-id name n" required="True" idPart="child_name_1"> <help short="entity query ID"/> </arg> <arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True" idPart="resource_group"/> <arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/> <arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name"> <help short="The name of the workspace."/> <format maxLength="90" minLength="1"/> </arg> </argGroup> <operation operationId="EntityQueries_Delete"> <http 
path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}"> <request method="delete"> <path> <param type="string" name="entityQueryId" arg="$Path.entityQueryId" required="True"/> <param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True"> <format maxLength="90" minLength="1"/> </param> <param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True"> <format minLength="1"/> </param> <param type="string" name="workspaceName" arg="$Path.workspaceName" required="True"> <format maxLength="90" minLength="1"/> </param> </path> <query> <const readOnly="True" const="True" type="string" name="api-version" required="True"> <default value="&quot;2022-06-01-preview&quot;"/> <format minLength="1"/> </const> </query> </request> <response statusCode="200"/> <response statusCode="204"/> <response isError="True"> <body> <json> <schema type="@ODataV4Format"/> </json> </body> </response> </http> </operation> </command> <command name="create" version="2022-06-01-preview"> <resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/entityqueries/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvZW50aXR5UXVlcmllcy97ZW50aXR5UXVlcnlJZH0=/V/MjAyMi0wNi0wMS1wcmV2aWV3"/> <argGroup name=""> <arg type="string" var="$Path.entityQueryId" options="entity-query-id name n" required="True" idPart="child_name_1"> <help short="entity query ID"/> </arg> <arg type="ResourceGroupName" var="$Path.resourceGroupName" 
options="resource-group g" required="True" idPart="resource_group"/> <arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/> <arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name"> <help short="The name of the workspace."/> <format maxLength="90" minLength="1"/> </arg> </argGroup> <argGroup name="EntityQuery"> <arg type="object" var="$entityQuery.Activity" options="activity" group="EntityQuery"> <arg type="string" var="$entityQuery.Activity.properties.content" options="content" group="Properties"> <help short="The entity query content to display in timeline"/> </arg> <arg type="string" var="$entityQuery.Activity.properties.description" options="description" group="Properties"> <help short="The entity query description"/> </arg> <arg type="boolean" var="$entityQuery.Activity.properties.enabled" options="enabled" group="Properties"> <help short="Determines whether this activity is enabled or disabled."/> </arg> <arg type="object" var="$entityQuery.Activity.properties.entitiesFilter" options="entities-filter" group="Properties"> <help short="The query applied only to entities matching to all filters"/> <additionalProp> <item type="array<string>"> <item type="string"/> </item> </additionalProp> </arg> <arg type="string" var="$entityQuery.Activity.properties.inputEntityType" options="input-entity-type" group="Properties"> <help short="The type of the query's source entity"/> <enum> <item name="Account" value="&quot;Account&quot;"/> <item name="AzureResource" value="&quot;AzureResource&quot;"/> <item name="CloudApplication" value="&quot;CloudApplication&quot;"/> <item name="DNS" value="&quot;DNS&quot;"/> <item name="File" value="&quot;File&quot;"/> <item name="FileHash" value="&quot;FileHash&quot;"/> <item name="Host" value="&quot;Host&quot;"/> <item name="HuntingBookmark" value="&quot;HuntingBookmark&quot;"/> <item name="IP" 
value="&quot;IP&quot;"/> <item name="IoTDevice" value="&quot;IoTDevice&quot;"/> <item name="MailCluster" value="&quot;MailCluster&quot;"/> <item name="MailMessage" value="&quot;MailMessage&quot;"/> <item name="Mailbox" value="&quot;Mailbox&quot;"/> <item name="Malware" value="&quot;Malware&quot;"/> <item name="Process" value="&quot;Process&quot;"/> <item name="RegistryKey" value="&quot;RegistryKey&quot;"/> <item name="RegistryValue" value="&quot;RegistryValue&quot;"/> <item name="SecurityAlert" value="&quot;SecurityAlert&quot;"/> <item name="SecurityGroup" value="&quot;SecurityGroup&quot;"/> <item name="SubmissionMail" value="&quot;SubmissionMail&quot;"/> <item name="URL" value="&quot;URL&quot;"/> </enum> </arg> <arg type="object" var="$entityQuery.Activity.properties.queryDefinitions" options="query-definitions" group="Properties"> <help short="The Activity query definitions"/> <arg type="string" var="$entityQuery.Activity.properties.queryDefinitions.query" options="query"> <help short="The Activity query to run on a given entity"/> </arg> </arg> <arg type="array<array<string>>" var="$entityQuery.Activity.properties.requiredInputFieldsSets" options="required-input-fields-sets" group="Properties"> <help short="List of the fields of the source entity that are required to run the query"/> <item type="array<string>"> <item type="string"/> </item> </arg> <arg type="string" var="$entityQuery.Activity.properties.templateName" options="template-name" group="Properties"> <help short="The template id this activity was created from"/> </arg> <arg type="string" var="$entityQuery.Activity.properties.title" options="title" group="Properties"> <help short="The entity query title"/> </arg> </arg> <arg type="string" var="$entityQuery.etag" options="etag" group="EntityQuery"> <help short="Etag of the azure resource"/> </arg> </argGroup> <operation operationId="EntityQueries_CreateOrUpdate"> <http 
path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}"> <request method="put"> <path> <param type="string" name="entityQueryId" arg="$Path.entityQueryId" required="True"/> <param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True"> <format maxLength="90" minLength="1"/> </param> <param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True"> <format minLength="1"/> </param> <param type="string" name="workspaceName" arg="$Path.workspaceName" required="True"> <format maxLength="90" minLength="1"/> </param> </path> <query> <const readOnly="True" const="True" type="string" name="api-version" required="True"> <default value="&quot;2022-06-01-preview&quot;"/> <format minLength="1"/> </const> </query> <body> <json> <schema type="object" name="entityQuery" required="True" clientFlatten="True"> <prop type="string" name="etag" arg="$entityQuery.etag"/> <prop type="string" name="kind" required="True"> <enum> <item arg="$entityQuery.Activity" value="&quot;Activity&quot;"/> </enum> </prop> <discriminator property="kind" value="Activity"> <prop type="object" name="properties" clientFlatten="True"> <prop type="string" name="content" arg="$entityQuery.Activity.properties.content"/> <prop type="string" name="description" arg="$entityQuery.Activity.properties.description"/> <prop type="boolean" name="enabled" arg="$entityQuery.Activity.properties.enabled"/> <prop type="object" name="entitiesFilter" arg="$entityQuery.Activity.properties.entitiesFilter"> <additionalProp> <item type="array<string>"> <item type="string"/> </item> </additionalProp> </prop> <prop type="string" name="inputEntityType" arg="$entityQuery.Activity.properties.inputEntityType"> <enum> <item value="&quot;Account&quot;"/> <item value="&quot;AzureResource&quot;"/> <item value="&quot;CloudApplication&quot;"/> 
<item value="&quot;DNS&quot;"/> <item value="&quot;File&quot;"/> <item value="&quot;FileHash&quot;"/> <item value="&quot;Host&quot;"/> <item value="&quot;HuntingBookmark&quot;"/> <item value="&quot;IP&quot;"/> <item value="&quot;IoTDevice&quot;"/> <item value="&quot;MailCluster&quot;"/> <item value="&quot;MailMessage&quot;"/> <item value="&quot;Mailbox&quot;"/> <item value="&quot;Malware&quot;"/> <item value="&quot;Process&quot;"/> <item value="&quot;RegistryKey&quot;"/> <item value="&quot;RegistryValue&quot;"/> <item value="&quot;SecurityAlert&quot;"/> <item value="&quot;SecurityGroup&quot;"/> <item value="&quot;SubmissionMail&quot;"/> <item value="&quot;URL&quot;"/> </enum> </prop> <prop type="object" name="queryDefinitions" arg="$entityQuery.Activity.properties.queryDefinitions"> <prop type="string" name="query" arg="$entityQuery.Activity.properties.queryDefinitions.query"/> </prop> <prop type="array<array<string>>" name="requiredInputFieldsSets" arg="$entityQuery.Activity.properties.requiredInputFieldsSets"> <item type="array<string>"> <item type="string"/> </item> </prop> <prop type="string" name="templateName" arg="$entityQuery.Activity.properties.templateName"/> <prop type="string" name="title" arg="$entityQuery.Activity.properties.title"/> </prop> </discriminator> </schema> </json> </body> </request> <response statusCode="200 201"> <body> <json var="$Instance"> <schema type="object"> <prop type="string" name="etag"/> <prop readOnly="True" type="ResourceId" name="id"> <format template="/subscriptions/{}/resourceGroups/{}/providers/Microsoft.OperationalInsights/workspaces/{}/providers/Microsoft.SecurityInsights/entityQueries/{}"/> </prop> <prop type="string" name="kind" required="True"> <enum> <item value="&quot;Activity&quot;"/> <item value="&quot;Expansion&quot;"/> <item value="&quot;Insight&quot;"/> </enum> </prop> <prop readOnly="True" type="string" name="name"/> <prop readOnly="True" type="object" name="systemData"> <prop readOnly="True" type="dateTime" 
name="createdAt"/> <prop readOnly="True" type="string" name="createdBy"/> <prop readOnly="True" type="string" name="createdByType"> <enum> <item value="&quot;Application&quot;"/> <item value="&quot;Key&quot;"/> <item value="&quot;ManagedIdentity&quot;"/> <item value="&quot;User&quot;"/> </enum> </prop> <prop readOnly="True" type="dateTime" name="lastModifiedAt"/> <prop readOnly="True" type="string" name="lastModifiedBy"/> <prop readOnly="True" type="string" name="lastModifiedByType"> <enum> <item value="&quot;Application&quot;"/> <item value="&quot;Key&quot;"/> <item value="&quot;ManagedIdentity&quot;"/> <item value="&quot;User&quot;"/> </enum> </prop> </prop> <prop readOnly="True" type="string" name="type"/> <discriminator property="kind" value="Activity"> <prop type="object" name="properties" clientFlatten="True"> <prop type="string" name="content"/> <prop readOnly="True" type="dateTime" name="createdTimeUtc"/> <prop type="string" name="description"/> <prop type="boolean" name="enabled"/> <prop type="object" name="entitiesFilter"> <additionalProp> <item type="array<string>"> <item type="string"/> </item> </additionalProp> </prop> <prop type="string" name="inputEntityType"> <enum> <item value="&quot;Account&quot;"/> <item value="&quot;AzureResource&quot;"/> <item value="&quot;CloudApplication&quot;"/> <item value="&quot;DNS&quot;"/> <item value="&quot;File&quot;"/> <item value="&quot;FileHash&quot;"/> <item value="&quot;Host&quot;"/> <item value="&quot;HuntingBookmark&quot;"/> <item value="&quot;IP&quot;"/> <item value="&quot;IoTDevice&quot;"/> <item value="&quot;MailCluster&quot;"/> <item value="&quot;MailMessage&quot;"/> <item value="&quot;Mailbox&quot;"/> <item value="&quot;Malware&quot;"/> <item value="&quot;Process&quot;"/> <item value="&quot;RegistryKey&quot;"/> <item value="&quot;RegistryValue&quot;"/> <item value="&quot;SecurityAlert&quot;"/> <item value="&quot;SecurityGroup&quot;"/> <item value="&quot;SubmissionMail&quot;"/> <item 
value="&quot;URL&quot;"/> </enum> </prop> <prop readOnly="True" type="dateTime" name="lastModifiedTimeUtc"/> <prop type="object" name="queryDefinitions"> <prop type="string" name="query"/> </prop> <prop type="array<array<string>>" name="requiredInputFieldsSets"> <item type="array<string>"> <item type="string"/> </item> </prop> <prop type="string" name="templateName"/> <prop type="string" name="title"/> </prop> </discriminator> <discriminator property="kind" value="Expansion"> <prop type="object" name="properties" clientFlatten="True"> <prop type="array<string>" name="dataSources"> <item type="string"/> </prop> <prop type="string" name="displayName"/> <prop type="string" name="inputEntityType"> <enum> <item value="&quot;Account&quot;"/> <item value="&quot;AzureResource&quot;"/> <item value="&quot;CloudApplication&quot;"/> <item value="&quot;DNS&quot;"/> <item value="&quot;File&quot;"/> <item value="&quot;FileHash&quot;"/> <item value="&quot;Host&quot;"/> <item value="&quot;HuntingBookmark&quot;"/> <item value="&quot;IP&quot;"/> <item value="&quot;IoTDevice&quot;"/> <item value="&quot;MailCluster&quot;"/> <item value="&quot;MailMessage&quot;"/> <item value="&quot;Mailbox&quot;"/> <item value="&quot;Malware&quot;"/> <item value="&quot;Process&quot;"/> <item value="&quot;RegistryKey&quot;"/> <item value="&quot;RegistryValue&quot;"/> <item value="&quot;SecurityAlert&quot;"/> <item value="&quot;SecurityGroup&quot;"/> <item value="&quot;SubmissionMail&quot;"/> <item value="&quot;URL&quot;"/> </enum> </prop> <prop type="array<string>" name="inputFields"> <item type="string"/> </prop> <prop type="array<string>" name="outputEntityTypes"> <item type="string"> <enum> <item value="&quot;Account&quot;"/> <item value="&quot;AzureResource&quot;"/> <item value="&quot;CloudApplication&quot;"/> <item value="&quot;DNS&quot;"/> <item value="&quot;File&quot;"/> <item value="&quot;FileHash&quot;"/> <item value="&quot;Host&quot;"/> <item value="&quot;HuntingBookmark&quot;"/> <item 
value="&quot;IP&quot;"/> <item value="&quot;IoTDevice&quot;"/> <item value="&quot;MailCluster&quot;"/> <item value="&quot;MailMessage&quot;"/> <item value="&quot;Mailbox&quot;"/> <item value="&quot;Malware&quot;"/> <item value="&quot;Process&quot;"/> <item value="&quot;RegistryKey&quot;"/> <item value="&quot;RegistryValue&quot;"/> <item value="&quot;SecurityAlert&quot;"/> <item value="&quot;SecurityGroup&quot;"/> <item value="&quot;SubmissionMail&quot;"/> <item value="&quot;URL&quot;"/> </enum> </item> </prop> <prop type="string" name="queryTemplate"/> </prop> </discriminator> </schema> </json> </body> </response> <response isError="True"> <body> <json> <schema type="@ODataV4Format"/> </json> </body> </response> </http> </operation> <output type="object" ref="$Instance" clientFlatten="True"/> </command> <command name="update" version="2022-06-01-preview"> <resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/entityqueries/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvZW50aXR5UXVlcmllcy97ZW50aXR5UXVlcnlJZH0=/V/MjAyMi0wNi0wMS1wcmV2aWV3"/> <argGroup name=""> <arg type="string" var="$Path.entityQueryId" options="entity-query-id name n" required="True" idPart="child_name_1"> <help short="entity query ID"/> </arg> <arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True" idPart="resource_group"/> <arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/> <arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name"> <help 
short="The name of the workspace."/> <format maxLength="90" minLength="1"/> </arg> </argGroup> <argGroup name="EntityQuery"> <arg type="object" var="$entityQuery.Activity" options="activity" group="EntityQuery"> <arg nullable="True" type="string" var="$entityQuery.Activity.properties.content" options="content" group="Properties"> <help short="The entity query content to display in timeline"/> </arg> <arg nullable="True" type="string" var="$entityQuery.Activity.properties.description" options="description" group="Properties"> <help short="The entity query description"/> </arg> <arg nullable="True" type="boolean" var="$entityQuery.Activity.properties.enabled" options="enabled" group="Properties"> <help short="Determines whether this activity is enabled or disabled."/> </arg> <arg nullable="True" type="object" var="$entityQuery.Activity.properties.entitiesFilter" options="entities-filter" group="Properties"> <help short="The query applied only to entities matching to all filters"/> <additionalProp> <item type="array<string>"> <item type="string"/> </item> </additionalProp> </arg> <arg nullable="True" type="string" var="$entityQuery.Activity.properties.inputEntityType" options="input-entity-type" group="Properties"> <help short="The type of the query's source entity"/> <enum> <item name="Account" value="&quot;Account&quot;"/> <item name="AzureResource" value="&quot;AzureResource&quot;"/> <item name="CloudApplication" value="&quot;CloudApplication&quot;"/> <item name="DNS" value="&quot;DNS&quot;"/> <item name="File" value="&quot;File&quot;"/> <item name="FileHash" value="&quot;FileHash&quot;"/> <item name="Host" value="&quot;Host&quot;"/> <item name="HuntingBookmark" value="&quot;HuntingBookmark&quot;"/> <item name="IP" value="&quot;IP&quot;"/> <item name="IoTDevice" value="&quot;IoTDevice&quot;"/> <item name="MailCluster" value="&quot;MailCluster&quot;"/> <item name="MailMessage" value="&quot;MailMessage&quot;"/> <item name="Mailbox" value="&quot;Mailbox&quot;"/> <item 
name="Malware" value="&quot;Malware&quot;"/> <item name="Process" value="&quot;Process&quot;"/> <item name="RegistryKey" value="&quot;RegistryKey&quot;"/> <item name="RegistryValue" value="&quot;RegistryValue&quot;"/> <item name="SecurityAlert" value="&quot;SecurityAlert&quot;"/> <item name="SecurityGroup" value="&quot;SecurityGroup&quot;"/> <item name="SubmissionMail" value="&quot;SubmissionMail&quot;"/> <item name="URL" value="&quot;URL&quot;"/> </enum> </arg> <arg nullable="True" type="object" var="$entityQuery.Activity.properties.queryDefinitions" options="query-definitions" group="Properties"> <help short="The Activity query definitions"/> <arg nullable="True" type="string" var="$entityQuery.Activity.properties.queryDefinitions.query" options="query"> <help short="The Activity query to run on a given entity"/> </arg> </arg> <arg nullable="True" type="array<array<string>>" var="$entityQuery.Activity.properties.requiredInputFieldsSets" options="required-input-fields-sets" group="Properties"> <help short="List of the fields of the source entity that are required to run the query"/> <item type="array<string>"> <item type="string"/> </item> </arg> <arg nullable="True" type="string" var="$entityQuery.Activity.properties.templateName" options="template-name" group="Properties"> <help short="The template id this activity was created from"/> </arg> <arg nullable="True" type="string" var="$entityQuery.Activity.properties.title" options="title" group="Properties"> <help short="The entity query title"/> </arg> </arg> <arg nullable="True" type="string" var="$entityQuery.etag" options="etag" group="EntityQuery"> <help short="Etag of the azure resource"/> </arg> </argGroup> <operation operationId="EntityQueries_Get"> <http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}"> <request method="get"> <path> <param 
type="string" name="entityQueryId" arg="$Path.entityQueryId" required="True"/> <param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True"> <format maxLength="90" minLength="1"/> </param> <param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True"> <format minLength="1"/> </param> <param type="string" name="workspaceName" arg="$Path.workspaceName" required="True"> <format maxLength="90" minLength="1"/> </param> </path> <query> <const readOnly="True" const="True" type="string" name="api-version" required="True"> <default value="&quot;2022-06-01-preview&quot;"/> <format minLength="1"/> </const> </query> </request> <response statusCode="200"> <body> <json var="$Instance"> <schema type="object" cls="EntityQuery_read"> <prop type="string" name="etag"/> <prop readOnly="True" type="ResourceId" name="id"> <format template="/subscriptions/{}/resourceGroups/{}/providers/Microsoft.OperationalInsights/workspaces/{}/providers/Microsoft.SecurityInsights/entityQueries/{}"/> </prop> <prop type="string" name="kind" required="True"> <enum> <item value="&quot;Activity&quot;"/> <item value="&quot;Expansion&quot;"/> <item value="&quot;Insight&quot;"/> </enum> </prop> <prop readOnly="True" type="string" name="name"/> <prop readOnly="True" type="object" name="systemData"> <prop readOnly="True" type="dateTime" name="createdAt"/> <prop readOnly="True" type="string" name="createdBy"/> <prop readOnly="True" type="string" name="createdByType"> <enum> <item value="&quot;Application&quot;"/> <item value="&quot;Key&quot;"/> <item value="&quot;ManagedIdentity&quot;"/> <item value="&quot;User&quot;"/> </enum> </prop> <prop readOnly="True" type="dateTime" name="lastModifiedAt"/> <prop readOnly="True" type="string" name="lastModifiedBy"/> <prop readOnly="True" type="string" name="lastModifiedByType"> <enum> <item value="&quot;Application&quot;"/> <item value="&quot;Key&quot;"/> <item value="&quot;ManagedIdentity&quot;"/> <item 
value="&quot;User&quot;"/> </enum> </prop> </prop> <prop readOnly="True" type="string" name="type"/> <discriminator property="kind" value="Activity"> <prop type="object" name="properties" clientFlatten="True"> <prop type="string" name="content"/> <prop readOnly="True" type="dateTime" name="createdTimeUtc"/> <prop type="string" name="description"/> <prop type="boolean" name="enabled"/> <prop type="object" name="entitiesFilter"> <additionalProp> <item type="array<string>"> <item type="string"/> </item> </additionalProp> </prop> <prop type="string" name="inputEntityType"> <enum> <item value="&quot;Account&quot;"/> <item value="&quot;AzureResource&quot;"/> <item value="&quot;CloudApplication&quot;"/> <item value="&quot;DNS&quot;"/> <item value="&quot;File&quot;"/> <item value="&quot;FileHash&quot;"/> <item value="&quot;Host&quot;"/> <item value="&quot;HuntingBookmark&quot;"/> <item value="&quot;IP&quot;"/> <item value="&quot;IoTDevice&quot;"/> <item value="&quot;MailCluster&quot;"/> <item value="&quot;MailMessage&quot;"/> <item value="&quot;Mailbox&quot;"/> <item value="&quot;Malware&quot;"/> <item value="&quot;Process&quot;"/> <item value="&quot;RegistryKey&quot;"/> <item value="&quot;RegistryValue&quot;"/> <item value="&quot;SecurityAlert&quot;"/> <item value="&quot;SecurityGroup&quot;"/> <item value="&quot;SubmissionMail&quot;"/> <item value="&quot;URL&quot;"/> </enum> </prop> <prop readOnly="True" type="dateTime" name="lastModifiedTimeUtc"/> <prop type="object" name="queryDefinitions"> <prop type="string" name="query"/> </prop> <prop type="array<array<string>>" name="requiredInputFieldsSets"> <item type="array<string>"> <item type="string"/> </item> </prop> <prop type="string" name="templateName"/> <prop type="string" name="title"/> </prop> </discriminator> <discriminator property="kind" value="Expansion"> <prop type="object" name="properties" clientFlatten="True"> <prop type="array<string>" name="dataSources"> <item type="string"/> </prop> <prop type="string" 
name="displayName"/> <prop type="string" name="inputEntityType"> <enum> <item value="&quot;Account&quot;"/> <item value="&quot;AzureResource&quot;"/> <item value="&quot;CloudApplication&quot;"/> <item value="&quot;DNS&quot;"/> <item value="&quot;File&quot;"/> <item value="&quot;FileHash&quot;"/> <item value="&quot;Host&quot;"/> <item value="&quot;HuntingBookmark&quot;"/> <item value="&quot;IP&quot;"/> <item value="&quot;IoTDevice&quot;"/> <item value="&quot;MailCluster&quot;"/> <item value="&quot;MailMessage&quot;"/> <item value="&quot;Mailbox&quot;"/> <item value="&quot;Malware&quot;"/> <item value="&quot;Process&quot;"/> <item value="&quot;RegistryKey&quot;"/> <item value="&quot;RegistryValue&quot;"/> <item value="&quot;SecurityAlert&quot;"/> <item value="&quot;SecurityGroup&quot;"/> <item value="&quot;SubmissionMail&quot;"/> <item value="&quot;URL&quot;"/> </enum> </prop> <prop type="array<string>" name="inputFields"> <item type="string"/> </prop> <prop type="array<string>" name="outputEntityTypes"> <item type="string"> <enum> <item value="&quot;Account&quot;"/> <item value="&quot;AzureResource&quot;"/> <item value="&quot;CloudApplication&quot;"/> <item value="&quot;DNS&quot;"/> <item value="&quot;File&quot;"/> <item value="&quot;FileHash&quot;"/> <item value="&quot;Host&quot;"/> <item value="&quot;HuntingBookmark&quot;"/> <item value="&quot;IP&quot;"/> <item value="&quot;IoTDevice&quot;"/> <item value="&quot;MailCluster&quot;"/> <item value="&quot;MailMessage&quot;"/> <item value="&quot;Mailbox&quot;"/> <item value="&quot;Malware&quot;"/> <item value="&quot;Process&quot;"/> <item value="&quot;RegistryKey&quot;"/> <item value="&quot;RegistryValue&quot;"/> <item value="&quot;SecurityAlert&quot;"/> <item value="&quot;SecurityGroup&quot;"/> <item value="&quot;SubmissionMail&quot;"/> <item value="&quot;URL&quot;"/> </enum> </item> </prop> <prop type="string" name="queryTemplate"/> </prop> </discriminator> </schema> </json> </body> </response> <response 
isError="True"> <body> <json> <schema type="@ODataV4Format"/> </json> </body> </response> </http> </operation> <!-- Update step: applies command-line arguments to $Instance, the entity query object that the preceding 200 response stored via json var="$Instance". Only kind "Activity" has an argument mapping here (single enum item bound to $entityQuery.Activity); Expansion and Insight appear in the read schema's kind enum but have no update mapping in this step. Properties settable through args: etag, content, description, enabled, entitiesFilter, inputEntityType, queryDefinitions.query, requiredInputFieldsSets, templateName, title. NOTE(review): content and queryDefinitions.query are plain strings with no format constraint in this model; presumably they carry query text evaluated by the service, so any validation would have to happen service-side. Confirm. NOTE(review): type="array<string>" is shown in this listing with a literal less-than sign inside an attribute value, which is not well-formed XML; likely the stored file escapes it and the page rendering decoded it. Confirm before feeding this text to a strict parser. --> <operation> <instanceUpdate instance="$Instance"> <json> <schema type="object" name="entityQuery" required="True" clientFlatten="True"> <prop type="string" name="etag" arg="$entityQuery.etag"/> <prop type="string" name="kind" required="True"> <enum> <item arg="$entityQuery.Activity" value="&quot;Activity&quot;"/> </enum> </prop> <discriminator property="kind" value="Activity"> <prop type="object" name="properties" clientFlatten="True"> <prop type="string" name="content" arg="$entityQuery.Activity.properties.content"/> <prop type="string" name="description" arg="$entityQuery.Activity.properties.description"/> <prop type="boolean" name="enabled" arg="$entityQuery.Activity.properties.enabled"/> <prop type="object" name="entitiesFilter" arg="$entityQuery.Activity.properties.entitiesFilter"> <additionalProp> <item type="array<string>"> <item type="string"/> </item> </additionalProp> </prop> <prop type="string" name="inputEntityType" arg="$entityQuery.Activity.properties.inputEntityType"> <enum> <item value="&quot;Account&quot;"/> <item value="&quot;AzureResource&quot;"/> <item value="&quot;CloudApplication&quot;"/> <item value="&quot;DNS&quot;"/> <item value="&quot;File&quot;"/> <item value="&quot;FileHash&quot;"/> <item value="&quot;Host&quot;"/> <item value="&quot;HuntingBookmark&quot;"/> <item value="&quot;IP&quot;"/> <item value="&quot;IoTDevice&quot;"/> <item value="&quot;MailCluster&quot;"/> <item value="&quot;MailMessage&quot;"/> <item value="&quot;Mailbox&quot;"/> <item value="&quot;Malware&quot;"/> <item value="&quot;Process&quot;"/> <item value="&quot;RegistryKey&quot;"/> <item value="&quot;RegistryValue&quot;"/> <item value="&quot;SecurityAlert&quot;"/> <item value="&quot;SecurityGroup&quot;"/> <item value="&quot;SubmissionMail&quot;"/> <item value="&quot;URL&quot;"/> </enum> </prop> <prop type="object" name="queryDefinitions" 
arg="$entityQuery.Activity.properties.queryDefinitions"> <prop type="string" name="query" arg="$entityQuery.Activity.properties.queryDefinitions.query"/> </prop> <prop type="array<array<string>>" name="requiredInputFieldsSets" arg="$entityQuery.Activity.properties.requiredInputFieldsSets"> <item type="array<string>"> <item type="string"/> </item> </prop> <prop type="string" name="templateName" arg="$entityQuery.Activity.properties.templateName"/> <prop type="string" name="title" arg="$entityQuery.Activity.properties.title"/> </prop> </discriminator> </schema> </json> </instanceUpdate> </operation> <!-- Write-back step: PUT of the whole $Instance (request body json ref="$Instance") to the entity query path. A 200 or 201 response is read back into $Instance with the EntityQuery_read schema, error responses use @ODataV4Format, and the command output below is that $Instance. The request declares only the four path parameters and the constant api-version; no request header such as If-Match is modelled, and etag travels only as a body property. NOTE(review): whether the service rejects a PUT carrying a stale etag is not visible in this model. Confirm before relying on it to prevent lost updates when two operators edit the same entity query. --> <operation operationId="EntityQueries_CreateOrUpdate"> <http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}"> <request method="put"> <path> <param type="string" name="entityQueryId" arg="$Path.entityQueryId" required="True"/> <param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True"> <format maxLength="90" minLength="1"/> </param> <param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True"> <format minLength="1"/> </param> <param type="string" name="workspaceName" arg="$Path.workspaceName" required="True"> <format maxLength="90" minLength="1"/> </param> </path> <query> <const readOnly="True" const="True" type="string" name="api-version" required="True"> <default value="&quot;2022-06-01-preview&quot;"/> <format minLength="1"/> </const> </query> <body> <json ref="$Instance"/> </body> </request> <response statusCode="200 201"> <body> <json var="$Instance"> <schema type="@EntityQuery_read"/> </json> </body> </response> <response isError="True"> <body> <json> <schema type="@ODataV4Format"/> </json> </body> </response> </http> </operation> <output type="object" ref="$Instance" clientFlatten="True"/> </command> </commandGroup> </CodeGen>