Query Details

Analytics Rule Created or Modified

Query

//Analytics Rule to report when someone creates or modifies an Analytics Rule
//Entities: Caller, Caller IP, and Analytics Rule ID
AzureActivity
| where OperationNameValue has "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
| where ActivityStatusValue == "Success"
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
| extend URLCustomEntity = Analytics_Rule_ID

Explanation

This query looks for instances where someone creates or modifies an Analytics Rule in Azure Sentinel (the Microsoft.SecurityInsights resource provider). It keeps only operations whose status is Success, so failed or denied attempts are not reported, and it extracts the Caller, Caller IP, and Analytics Rule ID as custom entities. Because the same ALERTRULES/WRITE operation is logged for both a new rule and an update to an existing one, the query itself does not distinguish creation from modification.
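The following is an added example, not part of the original query page: a small Python model of the same detection run over constructed AzureActivity records, which shows why the failed write and the DELETE operation are excluded and how the three custom entities are derived. The `kql_has` helper is an assumed approximation of KQL's `has` operator (case-insensitive whole-term matching); the record values are constructed.

```python
import json
import re

# Constructed AzureActivity-style records (not from any real tenant).
SAMPLE_ACTIVITY = [
    {"OperationNameValue": "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE",
     "ActivityStatusValue": "Success",
     "Caller": "analyst@example.com", "CallerIpAddress": "203.0.113.10",
     "Properties": json.dumps({"resource": "rule-guid-0001", "statusCode": "OK"})},
    {"OperationNameValue": "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE",
     "ActivityStatusValue": "Failed",          # denied attempt: filtered out
     "Caller": "intern@example.com", "CallerIpAddress": "198.51.100.7",
     "Properties": json.dumps({"resource": "rule-guid-0002"})},
    {"OperationNameValue": "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE",
     "ActivityStatusValue": "Success",         # not a write: filtered out
     "Caller": "admin@example.com", "CallerIpAddress": "192.0.2.5",
     "Properties": json.dumps({"resource": "rule-guid-0003"})},
]


def _terms(s: str) -> list:
    # KQL indexes alphanumeric runs as terms; matching is case-insensitive.
    return re.findall(r"[a-z0-9]+", s.lower())


def kql_has(haystack: str, phrase: str) -> bool:
    """Assumed approximation of KQL `has`: the phrase's terms must appear as a
    contiguous run of whole terms in the haystack, ignoring case."""
    h, p = _terms(haystack), _terms(phrase)
    return any(h[i:i + len(p)] == p for i in range(len(h) - len(p) + 1))


def rule_write_events(records: list) -> list:
    """Apply the page's two filters and build the custom entities per hit."""
    hits = []
    for r in records:
        if not kql_has(r.get("OperationNameValue", ""),
                       "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"):
            continue
        if r.get("ActivityStatusValue") != "Success":   # == is case-sensitive
            continue
        props = json.loads(r.get("Properties") or "{}")  # parse_json(Properties)
        hits.append({
            "AccountCustomEntity": r.get("Caller"),
            "IPCustomEntity": r.get("CallerIpAddress"),
            "URLCustomEntity": str(props.get("resource", "")),  # tostring(.resource)
        })
    return hits


if __name__ == "__main__":
    for hit in rule_write_events(SAMPLE_ACTIVITY):
        print(hit)
```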

Details

Rod Trent

Released: October 28, 2020

Tables

AzureActivity

Keywords

AzureActivity,OperationNameValue,MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE,ActivityStatusValue,Success,Properties,resource,AccountCustomEntity,Caller,IPCustomEntity,CallerIpAddress,URLCustomEntity,Analytics_Rule_ID

Operators

where, has, ==, extend, tostring, parse_json