[EntityQueries] - Adding EntityQueryKind to EntityQueries and changing Properties to Expansion properties (#11776)

* update swagger - aading LogicAppResourceId to Action put and response

* update swagger - changing to logicAppResourceId style

* adding LogicAppResourceId to Actions Request & Response

* adding LogicAppResourceId to Actions Request & Response

* adding Action property base

* editing examples and adding reauired to logicAppResourceId

* from LogicAppResourceId to logicAppResourceId

* running prettier

* running prettier

* removing required for LogicAppRexourceId

* changing logicApp propery doc

* changing logicApp propery description

* adding kind to entity queries and changing entityQueriesProperties to ExpansionEntityQueriesProperties

* changin return for entityQueryById

Author: ori-licht

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json

@@ -2736,7 +2736,7 @@
       "get": {
         "x-ms-examples": {
           "Get an entity query.": {
-            "$ref": "./examples/entityQueries/GetEntityQueryById.json"
+            "$ref": "./examples/entityQueries/GetExpansionEntityQueryById.json"
           }
         },
         "tags": [
@@ -6383,21 +6383,63 @@
         "value"
       ]
     },
+    "EntityQueryKind": {
+      "description": "Describes an Entity query resource with kind.",
+      "properties": {
+        "kind": {
+          "description": "The kind of the entity query",
+          "enum": [
+            "Expansion"
+          ],
+          "type": "string",
+          "x-ms-enum": {
+            "modelAsString": true,
+            "name": "EntityQueryKind",
+            "values": [
+              {
+                "value": "Expansion"
+              }
+            ]
+          }
+        }
+      },
+      "required": [
+        "kind"
+      ],
+      "type": "object"
+    },
     "EntityQuery": {
       "allOf": [
         {
-          "$ref": "#/definitions/Resource"
+          "$ref": "#/definitions/ResourceWithEtag"
+        },
+        {
+          "$ref": "#/definitions/EntityQueryKind"
         }
       ],
       "description": "Specific entity query.",
+      "discriminator": "kind",
+      "type": "object",
+      "required": [
+        "kind"
+      ]
+    },
+    "ExpansionEntityQuery": {
+      "description": "Represents Expansion entity query.",
+      "allOf": [
+        {
+          "$ref": "#/definitions/EntityQuery"
+        }
+      ],
       "properties": {
         "properties": {
-          "$ref": "#/definitions/EntityQueryProperties",
-          "description": "Entity query properties",
+          "$ref": "#/definitions/ExpansionEntityQueriesProperties",
+          "description": "Expansion entity query properties",
           "x-ms-client-flatten": true
         }
       },
-      "type": "object"
+      "type": "object",
+      "x-ms-discriminator-value": "Expansion"
     },
     "EntityTimelineKind": {
       "description": "The entity query kind",
@@ -6446,8 +6488,8 @@
         "value"
       ]
     },
-    "EntityQueryProperties": {
-      "description": "Describes entity query properties",
+    "ExpansionEntityQueriesProperties": {
+      "description": "Describes expansion entity query properties",
       "properties": {
         "dataSources": {
           "description": "List of the data sources that are required to run the query",

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entityQueries/GetEntityQueries.json

@@ -14,6 +14,8 @@
             "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/37ca3555-c135-4a73-a65e-9c1d00323f5d",
             "name": "37ca3555-c135-4a73-a65e-9c1d00323f5d",
             "type": "Microsoft.SecurityInsights/entityQueries",
+            "etag": null,
+            "kind": "Expansion",
             "properties": {
               "queryTemplate": "let AccountActivity_byIP = (v_IP_Address:string){\r\n                            AzureActivity\r\n                            | where Caller != '' and CallerIpAddress == v_IP_Address\r\n                            | summarize Account_Aux_StartTime = min(TimeGenerated), Account_Aux_EndTime = max(TimeGenerated), Count = count() by Caller, TenantId\r\n                            | top 10 by Count asc nulls last \r\n                            | extend UPN = iff(Caller contains '@', Caller, ''), Account_AadUserId = iff(Caller !contains '@', Caller,'')\r\n                            | extend Account_Name = split(UPN,'@')[0] , Account_UPNSuffix = split(UPN,'@')[1]\r\n                            | project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , Account_Aux_EndTime};\r\n                            AccountActivity_byIP('<address>')",
               "inputFields": [
@@ -33,6 +35,8 @@
             "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/97a1d515-abf2-4231-9a35-985f9de0bb91",
             "name": "97a1d515-abf2-4231-9a35-985f9de0bb91",
             "type": "Microsoft.SecurityInsights/entityQueries",
+            "etag": null,
+            "kind": "Expansion",
             "properties": {
               "queryTemplate": "let AccountActivity_byIP = (v_IP_Address:string){\r\n                            AzureActivity\r\n                            | where Caller != '' and CallerIpAddress == v_IP_Address\r\n                            | summarize Account_Aux_StartTime = min(TimeGenerated), Account_Aux_EndTime = max(TimeGenerated), Count = count() by Caller, TenantId\r\n                            | top 10 by Count desc nulls last \r\n                            | extend UPN = iff(Caller contains '@', Caller, ''), Account_AadUserId = iff(Caller !contains '@', Caller,'')\r\n                            | extend Account_Name = split(UPN,'@')[0] , Account_UPNSuffix = split(UPN,'@')[1]\r\n                            | project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , Account_Aux_EndTime};\r\n                            AccountActivity_byIP('<address>')",
               "inputFields": [

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entityQueries/GetEntityQueryById.json renamed to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entityQueries/GetExpansionEntityQueryById.json

@@ -13,6 +13,8 @@
         "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b",
         "name": "07da3cc8-c8ad-4710-a44e-334cdcb7882b",
         "type": "Microsoft.SecurityInsights/entityQueries",
+        "etag": null,
+        "kind": "Expansion",
         "properties": {
           "queryTemplate": "let GetParentProcessesOnHost = (v_Host_HostName:string){\r\n                            SecurityEvent \r\n                            | where EventID == 4688 \r\n                            | where isnotempty(ParentProcessName)\r\n                            | where NewProcessName !contains ':\\\\Windows\\\\System32\\\\conhost.exe' and ParentProcessName !contains ':\\\\Windows\\\\System32\\\\conhost.exe'\r\n                            and NewProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\csc.exe' and ParentProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\csc.exe'\r\n                            and NewProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\cvtres.exe' and ParentProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\cvtres.exe'\r\n                            and NewProcessName!contains ':\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' and ParentProcessName !contains ':\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe'\r\n                            and ParentProcessName !contains ':\\\\Windows\\\\CCM\\\\CcmExec.exe'\r\n                            | where(ParentProcessName !contains ':\\\\Windows\\\\System32\\\\svchost.exe' and (NewProcessName !contains ':\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' or NewProcessName !contains ':\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSE.exe'))\r\n                            | where(ParentProcessName !contains ':\\\\Windows\\\\System32\\\\services.exe' and NewProcessName !contains ':\\\\Windows\\\\servicing\\\\TrustedInstaller.exe')\r\n                            | where toupper(Computer) contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\r\n                            | summarize min(TimeGenerated), max(TimeGenerated) by Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId\r\n                            | project min_TimeGenerated, max_TimeGenerated, Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId\r\n                            | project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName, Process_ParentProcess_ImageFile_FullPath=ParentProcessName\r\n                            | top 10 by min_TimeGenerated asc};\r\n                            GetParentProcessesOnHost(toupper('<hostName>'))",
           "inputFields": [