Query Details
//Azure Resource Graph Explorer - KQL Change Analysis
//https://www.linkedin.com/feed/update/urn:li:activity:7171786606188724224/
//Identifying who made a change to your Azure resources during a security investigation, and how the change was made, just became easier! With Change Analysis, you can now see who initiated the change and with which client that change was made, for changes across all your tenants and subscriptions. You can try it out by querying the "resourcechanges" or "resourcecontainerchanges" tables in Azure Resource Graph. Check out the below article for a list of KQL change analysis queries.
//Summarization of Resource Changes past 7 days
resourcechanges
| extend changeTime = todatetime(properties.changeAttributes.timestamp),
         targetResourceId = tostring(properties.targetResourceId),
         changeType = tostring(properties.changeType),
         changedBy = tostring(properties.changeAttributes.changedBy),
         changedByType = properties.changeAttributes.changedByType,
         clientType = tostring(properties.changeAttributes.clientType)
| where changeTime > ago(7d)
| project changeType, changedBy, changedByType, clientType
| summarize count() by changedBy, changeType, clientType
| order by count_ desc
This KQL (Kusto Query Language) query is designed to analyze changes made to Azure resources over the past 7 days. Here's a simple breakdown of what the query does:
Source Table: It starts by querying the resourcechanges table, which logs changes to Azure resources.
Extracting Information: It extracts several pieces of information from the properties field:
changeTime: The timestamp of when the change occurred.
targetResourceId: The ID of the resource that was changed.
changeType: The type of change that was made (e.g., create, update, delete).
changedBy: The identity of who made the change.
changedByType: The type of identity that made the change (e.g., user, system).
clientType: The client used to make the change (e.g., Azure portal, CLI).
Filtering: It filters the results to include only changes that occurred within the last 7 days.
Selecting Columns: It selects the columns changeType, changedBy, changedByType, and clientType for further analysis.
Summarizing: It summarizes the data by counting the number of changes (count()) grouped by changedBy, changeType, and clientType.
Sorting: Finally, it sorts the summarized data in descending order based on the count of changes.
In summary, this query helps you understand who made changes to your Azure resources, what type of changes were made, and which client was used, all within the past week. The results are sorted to show the most frequent changes at the top.
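The same extend / where / summarize / order pipeline can be reproduced offline over rows exported from Azure Resource Graph (for example, the JSON returned by a resourcechanges query). The following Python is an added example, not part of the original page or the Azure Resource Graph product: the sample rows, identities, resource IDs, timestamps and clientType strings are constructed for the example, and the nested `properties` / `changeAttributes` layout is assumed to match what the query above reads. It also shows two details the query hides: Azure timestamps with seven fractional digits, which Python's `fromisoformat` rejects, and rows with no `changedBy`, which KQL's `tostring()` turns into an empty string rather than dropping.

```python
"""Offline equivalent of the resourcechanges summarization query (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is reproducible; real use would take datetime.now(timezone.utc).
NOW = datetime(2024, 8, 2, 12, 0, 0, tzinfo=timezone.utc)
WINDOW = timedelta(days=7)

# Constructed sample rows shaped like resourcechanges results (nested `properties` bag).
# Identities, resource IDs, timestamps and clientType values are made up for the example.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
SAMPLE_CHANGES = [
    {"properties": {"changeType": "Update",
                    "targetResourceId": f"{SUB}/providers/Microsoft.Network/networkSecurityGroups/nsg-web",
                    "changeAttributes": {"timestamp": "2024-08-01T09:15:00.1234567Z",
                                         "changedBy": "alice@contoso.example",
                                         "changedByType": "User", "clientType": "Azure Portal"}}},
    {"properties": {"changeType": "Update",
                    "targetResourceId": f"{SUB}/providers/Microsoft.Network/networkSecurityGroups/nsg-web",
                    "changeAttributes": {"timestamp": "2024-07-30T18:02:11Z",
                                         "changedBy": "alice@contoso.example",
                                         "changedByType": "User", "clientType": "Azure Portal"}}},
    {"properties": {"changeType": "Create",
                    "targetResourceId": f"{SUB}/providers/Microsoft.Storage/storageAccounts/stexample01",
                    "changeAttributes": {"timestamp": "2024-07-31T03:00:00Z",
                                         "changedBy": "deploy-sp",
                                         "changedByType": "Application", "clientType": "Azure CLI"}}},
    # Older than the 7-day window: must be filtered out.
    {"properties": {"changeType": "Delete",
                    "targetResourceId": f"{SUB}/providers/Microsoft.Compute/virtualMachines/vm-old",
                    "changeAttributes": {"timestamp": "2024-07-20T10:00:00Z",
                                         "changedBy": "bob@contoso.example",
                                         "changedByType": "User", "clientType": "Azure Portal"}}},
    # System-initiated change with no changedBy / clientType recorded.
    {"properties": {"changeType": "Update",
                    "targetResourceId": f"{SUB}/providers/Microsoft.Compute/virtualMachines/vm-web01",
                    "changeAttributes": {"timestamp": "2024-08-02T01:00:00Z",
                                         "changedByType": "System"}}},
]


def parse_timestamp(ts):
    """Parse an Azure Resource Graph timestamp into an aware UTC datetime.

    ARG timestamps may carry seven fractional digits (e.g. ...00.1234567Z), which
    datetime.fromisoformat rejects, and a trailing 'Z' that older Pythons reject.
    """
    ts = ts.rstrip("Z")
    if "." in ts:
        base, frac = ts.split(".", 1)
        ts = f"{base}.{frac[:6].ljust(6, '0')}"  # keep microsecond precision only
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def tostring(value):
    """Mirror KQL tostring(): a missing/null value becomes an empty string."""
    return "" if value is None else str(value)


def extend_change(row):
    """The `extend` step: flatten the nested properties bag into named columns."""
    props = row["properties"]
    attrs = props.get("changeAttributes", {})
    return {
        "changeTime": parse_timestamp(attrs["timestamp"]),
        "targetResourceId": tostring(props.get("targetResourceId")),
        "changeType": tostring(props.get("changeType")),
        "changedBy": tostring(attrs.get("changedBy")),
        "changedByType": tostring(attrs.get("changedByType")),
        "clientType": tostring(attrs.get("clientType")),
    }


def changes_in_window(rows, now=NOW, window=WINDOW):
    """The `where changeTime > ago(7d)` step."""
    cutoff = now - window
    return [c for c in (extend_change(r) for r in rows) if c["changeTime"] > cutoff]


def summarize_changes(rows, now=NOW, window=WINDOW):
    """The `summarize count() by changedBy, changeType, clientType | order by count_ desc` steps.

    Returns (changedBy, changeType, clientType, count_) tuples, most frequent first.
    """
    counts = Counter((c["changedBy"], c["changeType"], c["clientType"])
                     for c in changes_in_window(rows, now, window))
    return [(*key, n) for key, n in counts.most_common()]


if __name__ == "__main__":
    for changed_by, change_type, client_type, n in summarize_changes(SAMPLE_CHANGES):
        print(f"{n:>3}  {changed_by or '<empty>':30} {change_type:8} {client_type or '<empty>'}")
```

Rows whose `changedBy` comes back empty are worth keeping visible in the summary rather than dropping: in an investigation, a change with no attributable identity is itself a finding, and the row's `changedByType` (here `System`) tells you whether that is expected.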

Steven Lim
Released: August 2, 2024