Query Details

AR NSG Changes

Query

//NSG Changes by Resource and Who did it

AzureActivity
| where parse_json(Authorization).action == "Microsoft.Network/networkSecurityGroups/securityRules/write" and ActivityStatus == "Succeeded"
| distinct Resource, Caller
| extend AccountCustomEntity = Caller
| extend URLCustomEntity = Resource

Explanation

This query reports changes to network security group (NSG) rules in Azure, showing the resource that was changed and who made the change. It keeps only AzureActivity records whose authorization action is Microsoft.Network/networkSecurityGroups/securityRules/write and whose ActivityStatus is Succeeded, then returns each unique combination of Resource and Caller. Finally, it copies Caller into AccountCustomEntity and Resource into URLCustomEntity, the custom entities for the account and URL involved in the change.
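An added example, not part of the original query page: the same filter run over constructed sample rows (the callers, resource names and timestamps are made up), so it can be pasted into a Log Analytics query window without real data. It goes one step beyond the original by using summarize instead of distinct, which keeps the change count and the first and last change times for each Resource and Caller pair.

```kql
// Constructed sample rows, not real telemetry. Only the AzureActivity columns
// the original query reads are modelled; Authorization is a JSON string.
let SampleAzureActivity = datatable(TimeGenerated:datetime, Resource:string, Caller:string, ActivityStatus:string, Authorization:string)
[
    // Successful rule write: kept
    datetime(2024-03-01 09:00:00), "nsg-web/allow-https", "alice@example.com", "Succeeded",
        '{"action":"Microsoft.Network/networkSecurityGroups/securityRules/write"}',
    // Second successful write by the same caller on the same rule: kept, folded into the same output row
    datetime(2024-03-01 09:20:00), "nsg-web/allow-https", "alice@example.com", "Succeeded",
        '{"action":"Microsoft.Network/networkSecurityGroups/securityRules/write"}',
    // Failed write: dropped by the ActivityStatus condition
    datetime(2024-03-02 14:05:00), "nsg-web/allow-https", "bob@example.com", "Failed",
        '{"action":"Microsoft.Network/networkSecurityGroups/securityRules/write"}',
    // Successful delete: dropped because the action is not securityRules/write
    datetime(2024-03-02 14:10:00), "nsg-db/allow-sql", "bob@example.com", "Succeeded",
        '{"action":"Microsoft.Network/networkSecurityGroups/securityRules/delete"}',
    // Successful write on a different NSG rule: kept as its own output row
    datetime(2024-03-03 18:30:00), "nsg-db/allow-sql", "carol@example.com", "Succeeded",
        '{"action":"Microsoft.Network/networkSecurityGroups/securityRules/write"}'
];
SampleAzureActivity
// Same filter as the original query
| where parse_json(Authorization).action == "Microsoft.Network/networkSecurityGroups/securityRules/write" and ActivityStatus == "Succeeded"
// summarize groups by the same pair that distinct would return, but keeps counts and times
| summarize Changes = count(), FirstChange = min(TimeGenerated), LastChange = max(TimeGenerated) by Resource, Caller
// Same entity mappings as the original query
| extend AccountCustomEntity = Caller
| extend URLCustomEntity = Resource
```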

Details

Rod Trent

Released: March 8, 2024

Tables

AzureActivity

Keywords

AzureActivity,Resource,Caller,Authorization,Action,ActivityStatus,Succeeded,AccountCustomEntity,URLCustomEntity.

Operators

where, parse_json, ==, and, distinct, extend