AR NSG Changes
Query
//NSG Changes by Resource and Who did it
AzureActivity
| where parse_json(Authorization).action == "Microsoft.Network/networkSecurityGroups/securityRules/write" and ActivityStatus == "Succeeded"
| distinct Resource, Caller
| extend AccountCustomEntity = Caller
| extend URLCustomEntity = ResourceExplanation
This query looks at changes made to network security groups in Azure, showing the resource that was changed and who made the change. It filters for successful changes to security rules and then displays the unique combination of the resource and the caller who made the change. Finally, it creates custom entities for the account and URL involved in the change.
Details

Rod Trent
Released: March 8, 2024
Tables
AzureActivity
Keywords
AzureActivityResourceCallerAuthorizationActionActivityStatusSucceededAccountCustomEntityURLCustomEntity.
Operators
whereparse_json==anddistinctextend