Query Details

Analytics Rule Deleted

Query

// Alert when an Analytics Rule is deleted, and show who deleted it.

AzureActivity
// Match the alert-rule delete operation
| where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE"
// Keep only deletions that completed successfully
| where ActivityStatusValue == "Success"
// Read the deleted rule's resource ID from the Properties JSON
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
// Map the caller, source IP and rule ID to entity fields
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
| extend URLCustomEntity = Analytics_Rule_ID

Explanation

This query finds Analytics Rule deletions recorded in the AzureActivity table. It keeps only successful deletions and reports who performed each one by mapping the caller's account and IP address to the AccountCustomEntity and IPCustomEntity fields. The ID of the deleted Analytics Rule, read from the resource field of Properties, is exposed as URLCustomEntity.
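The same filter run over constructed rows, as an added example that is not part of the original query page, so the logic can be checked without live data. The table name SampleAzureActivity, the accounts, IP addresses and the shape of the resource value are all assumptions made up for illustration.

```kusto
// Added example: constructed rows that mimic the AzureActivity columns the query reads.
// Row 1: delete with status "Start"   -> dropped by the status filter
// Row 2: delete with status "Success" -> the only row that should be returned
// Row 3: delete with status "Failure" -> dropped by the status filter
// Row 4: rule WRITE with "Success"    -> dropped by the operation filter
let SampleAzureActivity = datatable(
    TimeGenerated: datetime,
    OperationNameValue: string,
    ActivityStatusValue: string,
    Caller: string,
    CallerIpAddress: string,
    Properties: string)
[
    datetime(2020-12-02 10:00:00), "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE", "Start",   "analyst@example.com", "203.0.113.10", '{"resource":"example-workspace/microsoft.securityinsights/rule-0001"}',
    datetime(2020-12-02 10:00:01), "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE", "Success", "analyst@example.com", "203.0.113.10", '{"resource":"example-workspace/microsoft.securityinsights/rule-0001"}',
    datetime(2020-12-02 11:30:00), "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE", "Failure", "guest@example.com",   "198.51.100.7", '{"resource":"example-workspace/microsoft.securityinsights/rule-0002"}',
    datetime(2020-12-02 12:15:00), "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE",  "Success", "analyst@example.com", "203.0.113.10", '{"resource":"example-workspace/microsoft.securityinsights/rule-0003"}'
];
SampleAzureActivity
| where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE"
| where ActivityStatusValue == "Success"
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
| extend URLCustomEntity = Analytics_Rule_ID
// Show only the columns an analyst triages on
| project TimeGenerated, AccountCustomEntity, IPCustomEntity, URLCustomEntity
```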

Details

Rod Trent

Released: December 2, 2020

Tables

AzureActivity

Keywords

AzureActivity,OperationNameValue,MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE,ActivityStatusValue,Success,Analytics_Rule_ID,Properties,resource,AccountCustomEntity,Caller,IPCustomEntity,CallerIpAddress,URLCustomEntity

Operators

where, contains, ==, extend, tostring, parse_json
