Azure Active Directory Suspicious Resource Deployment
Query
let ioc_lookBack = 90d;
let IncTitle = "Suspicious Resource deployment";
SecurityIncident
| where TimeGenerated > ago(90d)
| where Title == IncTitle
| summarize arg_max(TimeGenerated,*) by IncidentNumber
| mv-expand AlertIds
| extend AlertId = tostring(AlertIds)
| join (SecurityAlert)
on $left. AlertId == $right. SystemAlertId
| mv-expand parse_json(Entities)
| extend EType = tostring((Entities.Type))
| project TimeGenerated, IncidentNumber, EType, IncidentUrl
| evaluate pivot(EType)About this query
Azure Active Directory - Suspicious Resource deployment
Query Information
Description
The Sentinel Analytics Rule Suspicious Resource deployment Identifies Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen caller.
References
Microsoft Sentinel
Use the below query to get a summary of these alerts and the total # of entities
Explanation
The query is used to identify suspicious resource deployments in Azure Active Directory. It looks for rare resource and resource group deployments by previously unseen callers. The query retrieves a summary of these alerts and the total number of entities involved in the suspicious deployments.
Details

Alex Verboon
Released: June 4, 2023
Tables
SecurityIncidentSecurityAlert
Keywords
DevicesIntuneUserResourceResourceGroupCallerIncidentAlert
Operators
letwheresummarizearg_maxbymv-expandextendjoinonparse_jsonprojectevaluatepivot