Query Details

AR Cloud Shell Execution

Query

//KQL for Analytics Rule to track Cloud Shell Execution
AzureActivity
// Cloud Shell's default storage resource group is named cloud-shell-storage-<region>;
// KQL `startswith` is case-insensitive, so the casing of the stored name does not matter
| where ResourceGroup startswith "CLOUD-SHELL"
// Keep only the "Start" status event of each operation (`==` is case-sensitive)
| where ActivityStatusValue == "Start"
// Extract the RBAC action from the Authorization JSON (note: this column is not
// listed in the summarize below, so it is dropped from the output)
| extend action_ = tostring(parse_json(Authorization).action)
| summarize count() by TimeGenerated, ResourceGroup, Caller, CallerIpAddress, ActivityStatusValue
// Entity mappings consumed by the Sentinel analytics rule
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress

Explanation

This query looks at Azure activity to track when someone starts using Cloud Shell. It keeps only AzureActivity records whose resource group name starts with "CLOUD-SHELL" and whose activity status is "Start", extracts the RBAC action from the Authorization JSON, and then summarizes the count of these records by time, resource group, caller, caller IP address, and activity status. Finally, it maps the caller and caller IP address onto the account and IP custom entities so the analytics rule can populate incident entities.
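The following is a local reference implementation of the same logic, added here as an example and not part of the original query page or of Microsoft Sentinel. It runs over constructed AzureActivity-style records (invented values, not real tenant logs) and reproduces the filter, the Authorization JSON parsing, the summarize, and the entity mapping, including two edge cases worth knowing: KQL `startswith` is case-insensitive while `==` is case-sensitive, and `tostring(parse_json(...).action)` yields an empty string when the field is missing. It goes one step beyond the query by offering an `include_action` switch that carries `action_` through the aggregation, which the original rule does not; the `SAMPLE_ROWS` data and the function names are this example's own.

```python
"""Reference implementation of the Cloud Shell "Start" analytics rule logic.
Example code, not the Sentinel rule itself. SAMPLE_ROWS are constructed."""
import json
from collections import Counter

# Constructed sample AzureActivity rows. Field names follow the AzureActivity table;
# the callers, IPs and subscription id are placeholders invented for this example.
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
SAMPLE_ROWS = [
    # Two identical Start events for alice -> grouped into one row with count 2
    {"TimeGenerated": "2024-03-08T09:15:00Z", "ResourceGroup": "CLOUD-SHELL-STORAGE-WESTEUROPE",
     "ActivityStatusValue": "Start", "Caller": "alice@contoso.example", "CallerIpAddress": "203.0.113.10",
     "Authorization": json.dumps({"action": "Microsoft.Storage/storageAccounts/write",
                                  "scope": SCOPE + "CLOUD-SHELL-STORAGE-WESTEUROPE"})},
    {"TimeGenerated": "2024-03-08T09:15:00Z", "ResourceGroup": "CLOUD-SHELL-STORAGE-WESTEUROPE",
     "ActivityStatusValue": "Start", "Caller": "alice@contoso.example", "CallerIpAddress": "203.0.113.10",
     "Authorization": json.dumps({"action": "Microsoft.Storage/storageAccounts/write",
                                  "scope": SCOPE + "CLOUD-SHELL-STORAGE-WESTEUROPE"})},
    # "Succeeded" status of the same operation -> filtered out
    {"TimeGenerated": "2024-03-08T09:15:02Z", "ResourceGroup": "CLOUD-SHELL-STORAGE-WESTEUROPE",
     "ActivityStatusValue": "Succeeded", "Caller": "alice@contoso.example", "CallerIpAddress": "203.0.113.10",
     "Authorization": json.dumps({"action": "Microsoft.Storage/storageAccounts/write"})},
    # Start in an unrelated resource group -> filtered out
    {"TimeGenerated": "2024-03-08T09:20:00Z", "ResourceGroup": "PROD-RG",
     "ActivityStatusValue": "Start", "Caller": "carol@contoso.example", "CallerIpAddress": "192.0.2.44",
     "Authorization": json.dumps({"action": "Microsoft.Compute/virtualMachines/start"})},
    # Lower-case resource group name and no Authorization field -> still matches, action_ is ""
    {"TimeGenerated": "2024-03-08T10:05:00Z", "ResourceGroup": "cloud-shell-storage-eastus",
     "ActivityStatusValue": "Start", "Caller": "bob@contoso.example", "CallerIpAddress": "198.51.100.7"},
    # Lower-case status does not satisfy the case-sensitive == "Start" -> filtered out
    {"TimeGenerated": "2024-03-08T10:06:00Z", "ResourceGroup": "cloud-shell-storage-eastus",
     "ActivityStatusValue": "start", "Caller": "bob@contoso.example", "CallerIpAddress": "198.51.100.7",
     "Authorization": json.dumps({"action": "Microsoft.Storage/storageAccounts/write"})},
]

GROUP_KEYS = ("TimeGenerated", "ResourceGroup", "Caller", "CallerIpAddress", "ActivityStatusValue")


def parse_action(authorization):
    """Mimic tostring(parse_json(Authorization).action): "" when absent or unparseable."""
    if not authorization:
        return ""
    try:
        doc = json.loads(authorization)
    except (TypeError, ValueError):
        return ""
    if not isinstance(doc, dict) or doc.get("action") is None:
        return ""
    return str(doc["action"])


def is_cloud_shell_start(row):
    """The two where clauses: case-insensitive startswith, case-sensitive equality."""
    rg = str(row.get("ResourceGroup", ""))
    return rg.lower().startswith("cloud-shell") and row.get("ActivityStatusValue") == "Start"


def cloud_shell_starts(rows, include_action=False):
    """Filter, extend action_, summarize count() by the group keys, map entities.

    include_action=True adds action_ to the group keys (an extension of the original
    rule, which computes action_ but drops it in the summarize)."""
    keys = GROUP_KEYS + (("action_",) if include_action else ())
    counts = Counter()
    for row in rows:
        if not is_cloud_shell_start(row):
            continue
        extended = dict(row, action_=parse_action(row.get("Authorization")))
        counts[tuple(extended.get(k) for k in keys)] += 1
    results = []
    for key, n in counts.items():
        rec = dict(zip(keys, key))
        rec["count_"] = n
        # Entity mappings, as in the final two extend lines of the query
        rec["AccountCustomEntity"] = rec["Caller"]
        rec["IPCustomEntity"] = rec["CallerIpAddress"]
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in cloud_shell_starts(SAMPLE_ROWS, include_action=True):
        print(rec)
```

Because the raw `TimeGenerated` value is one of the group keys, each event normally ends up in its own output row and `count_` only exceeds 1 for exact duplicates; binning the timestamp (for example `bin(TimeGenerated, 1h)`) before summarizing is the usual change when the goal is to count Cloud Shell sessions per caller over a window rather than to list individual start events.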

Details


Rod Trent

Released: March 8, 2024

Tables

AzureActivity

Keywords

AzureActivity, CloudShell, Start, Caller, CallerIpAddress, AccountCustomEntity, IPCustomEntity

Operators

where, startswith, ==, extend, tostring, parse_json, summarize, count(), by, extend, Caller, CallerIpAddress, AccountCustomEntity, IPCustomEntity