Query Details

Analytics Rule Created or Modified with Display Name

Query

//Analytics Rule to report when someone creates or modifies an Analytics Rule
//Entities: Caller, Caller IP, and Analytics Rule ID
AzureActivity
| where OperationNameValue has "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
| where ActivityStatusValue == "Success"
// Properties.resource carries the resource path of the rule that was written
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
| extend URLCustomEntity = Analytics_Rule_ID
// Resolve the rule's display name from its rule GUID via SecurityAlert:
// alerts raised by scheduled rules carry AlertType as "<workspaceId>_<ruleId>"
| extend id_ = tostring(split(Analytics_Rule_ID, '/')[2])
| join kind=leftouter (
    SecurityAlert
    | extend id_ = tostring(split(AlertType, '_')[1])
    // one row per rule, carrying the most recently observed display name
    | summarize arg_max(TimeGenerated, DisplayName) by id_
    | project id_, DisplayName
    ) on id_
// leftouter keeps writes for rules that have not fired yet (DisplayName is empty);
// the default join kind would drop them and repeat the others once per alert
| project-away id_1, id_

Explanation

This query looks for successful create or modify operations on a Microsoft Sentinel Analytics Rule, as recorded in the AzureActivity table. It keeps the caller, the caller IP and the rule's resource ID as entities, extracts the rule GUID from the resource ID, and joins that GUID against the SecurityAlert table (where alerts from scheduled rules carry the workspace and rule GUIDs in AlertType) to attach the rule's DisplayName. The temporary ID columns are removed at the end, so the output is the AzureActivity row plus the resolved display name. Because the name is resolved from alerts, it can only be found for rules that have produced at least one alert: a newly created rule that has not fired yet will show no name (or, with an inner join, will not appear at all), and a rule that fires frequently will match many alert rows unless the SecurityAlert side is reduced to one row per rule.
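To make the join behaviour concrete, the following Python simulation re-implements the query's rule-ID extraction and join over a handful of constructed rows. It is an added example, not part of the original query or Rod Trent's work: the workspace and rule GUIDs, callers and IPs are made up, and the layout of Properties.resource ("workspace/alertRules/<guid>") and of AlertType ("<workspaceId>_<ruleId>") is an assumption chosen to match the split indexes the query uses; check both against real AzureActivity and SecurityAlert rows before relying on them.

```python
"""Offline simulation of the Sentinel query's rule-ID extraction and join.

Added example, not code from the original page. All rows below are constructed
sample data: the workspace and rule GUIDs, callers and IPs are made up, and the
layout of Properties.resource and AlertType is an assumption chosen to match the
split indexes the query uses ([2] on '/' and [1] on '_').
"""
import json

WRITE_OP = "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
WS = "99999999-9999-9999-9999-999999999999"     # constructed workspace GUID
RULE1 = "11111111-1111-1111-1111-111111111111"  # constructed rule: fired twice
RULE2 = "22222222-2222-2222-2222-222222222222"  # constructed rule: never fired


def _activity(t, caller, ip, rule, status="Success", op=WRITE_OP):
    # Properties is stored as a JSON string in AzureActivity, hence json.dumps.
    return {"TimeGenerated": t, "Caller": caller, "CallerIpAddress": ip,
            "OperationNameValue": op, "ActivityStatusValue": status,
            "Properties": json.dumps({"resource": f"sentinel-ws/alertRules/{rule}"})}


# Constructed AzureActivity rows: two writes to RULE1, one write to RULE2,
# one failed write and one delete (both must be filtered out).
AZURE_ACTIVITY = [
    _activity(100, "alice@contoso.example", "203.0.113.10", RULE1),
    _activity(200, "bob@contoso.example", "198.51.100.7", RULE1),
    _activity(300, "alice@contoso.example", "203.0.113.10", RULE2),
    _activity(400, "mallory@contoso.example", "192.0.2.5", RULE2, status="Failed"),
    _activity(500, "alice@contoso.example", "203.0.113.10", RULE2,
              op="MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE"),
]

# Constructed SecurityAlert rows: RULE1 fired twice and was renamed in between;
# the Fusion alert has no "<ws>_<rule>" AlertType and must not match anything.
SECURITY_ALERT = [
    {"TimeGenerated": 150, "AlertType": f"{WS}_{RULE1}", "DisplayName": "Suspicious sign-in (v1)"},
    {"TimeGenerated": 250, "AlertType": f"{WS}_{RULE1}", "DisplayName": "Suspicious sign-in (v2)"},
    {"TimeGenerated": 260, "AlertType": "Fusion", "DisplayName": "Multistage attack"},
]


def rule_id_from_activity(row):
    """tostring(split(parse_json(Properties).resource, '/')[2])"""
    parts = str(json.loads(row["Properties"]).get("resource", "")).split("/")
    return parts[2] if len(parts) > 2 else ""


def rule_id_from_alert(row):
    """tostring(split(AlertType, '_')[1]); empty for alert types without '_'."""
    parts = row["AlertType"].split("_")
    return parts[1] if len(parts) > 1 else ""


def successful_writes(activity):
    """The two `where` clauses (== stands in for `has` on this exact value)."""
    return [r for r in activity
            if r["OperationNameValue"] == WRITE_OP and r["ActivityStatusValue"] == "Success"]


def latest_display_names(alerts):
    """summarize arg_max(TimeGenerated, DisplayName) by id_: newest name per rule."""
    best = {}
    for a in alerts:
        rid = rule_id_from_alert(a)
        if rid and (rid not in best or a["TimeGenerated"] > best[rid][0]):
            best[rid] = (a["TimeGenerated"], a["DisplayName"])
    return {rid: name for rid, (_, name) in best.items()}


def join_as_default_kind(activity, alerts):
    """Mimics `join ... on id_` with Kusto's default kind (innerunique): one left
    row per key (which one is not guaranteed; the first is kept here), paired
    with every matching right row. Never-fired rules vanish and fired rules
    are repeated once per alert; Bob's modification of RULE1 is lost."""
    seen, out = set(), []
    for w in successful_writes(activity):
        rid = rule_id_from_activity(w)
        if rid in seen:
            continue
        seen.add(rid)
        for a in alerts:
            if rule_id_from_alert(a) == rid:
                out.append({"Caller": w["Caller"], "RuleId": rid, "DisplayName": a["DisplayName"]})
    return out


def join_left_outer(activity, alerts):
    """join kind=leftouter against the one-row-per-rule name table: every
    successful write is reported once, with an empty name if the rule has
    not fired yet."""
    names = latest_display_names(alerts)
    out = []
    for w in successful_writes(activity):
        rid = rule_id_from_activity(w)
        out.append({"Caller": w["Caller"], "CallerIp": w["CallerIpAddress"],
                    "RuleId": rid, "DisplayName": names.get(rid, "")})
    return out


if __name__ == "__main__":
    for r in join_left_outer(AZURE_ACTIVITY, SECURITY_ALERT):
        print(r)
```

Running the block prints the three successful writes with the newest display name for RULE1 and an empty name for RULE2; `join_as_default_kind` on the same data returns only two rows, both attributed to Alice and one per alert, which is the behaviour to watch for when a scheduled rule's modifications are the thing being audited.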

Details


Rod Trent

Released: April 27, 2022

Tables

AzureActivity, SecurityAlert

Keywords

AzureActivity,MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE,Success,Caller,CallerIpAddress,Analytics_Rule_ID,AccountCustomEntity,IPCustomEntity,URLCustomEntity,RuleID,SecurityAlert,AlertType,DisplayName

Operators

where, has, ==, extend, tostring, parse_json, split, join, project, project-away
