Query Details

Azure Activity Snapshot Of Monitored Azure Resource

Query

let _MonitoredResources =
    _GetWatchlist("ResourceId-AuditAzureResources")
    | where Notes has "[Snapshot]"
    | project ResourceId, SubscriptionId, ResourceGroup, Resource
;
AzureActivity
| where OperationNameValue has_any ("/snapshots/beginGetAccess", "/snapshots/write") // "/snapshots/delete", "/snapshots/endGetAccess"
| where _ResourceId has_any (toscalar(_MonitoredResources | where isempty(Resource) | summarize make_list(ResourceId)))
    or _ResourceId has_any (toscalar(_MonitoredResources | where isnotempty(Resource) | extend ResourceId = replace_regex(ResourceId, @"^(.+?\/)[^\/]+(\/[^\/]+)$", @"\1snapshots\2") | summarize make_list(ResourceId)))
| extend PreferenceInteger = iff(ResourceProviderValue == toupper(ResourceProviderValue), 0, 1)
// Group together Start, Accept, Success... operations
| summarize hint.shufflekey=CorrelationId
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    PropertiesDynamic = make_bag(pack(ActivityStatusValue, iff(PreferenceInteger == 1, todynamic(Properties), Properties_d))),
    EventDataId = array_sort_asc(make_list(EventDataId)),
    arg_max(TimeGenerated, *)
    by CorrelationId, ResourceProviderValue, OperationNameValue, _ResourceId
// Group together two kinds of logs (where ResourceProviderValue is all caps or title - e.g. MICROSOFT.AUTHORIZATION or Microsoft.Authorization)
| summarize hint.shufflekey=CorrelationId
    TimeGenerated = max(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    PropertiesDynamic = make_bag(pack(ResourceProviderValue, PropertiesDynamic)),
    EventDataId = make_bag(pack(ResourceProviderValue, EventDataId)),
    take_any(TenantId, SourceSystem, CategoryValue, SubscriptionId, Type),
    arg_min(PreferenceInteger, CallerIpAddress, Authorization, Authorization_d, Claims_d, Properties_d, EventSubmissionTimestamp, Hierarchy),
    arg_max(PreferenceInteger, Level, OperationNameValue, Caller, HTTPRequest, OperationId, ResourceGroup, ResourceProviderValue, ActivityStatusValue, ActivitySubstatusValue, OperationName, ActivityStatus, ActivitySubstatus, Category, ResourceId, ResourceProvider, Resource)
    by CorrelationId, _ResourceId
| project
    TimeGenerated,
    StartTime,
    EndTime,
    ResourceProvider,
    Category,
    CategoryValue,
    ResourceProviderValue,
    Level,
    CallerIpAddress,
    Caller,
    OperationName,
    OperationNameValue,
    ActivityStatusValue,
    //ActivityStatus,
    ActivitySubstatusValue,
    ActivitySubstatus,
    SubscriptionId,
    ResourceGroup,
    Resource,
    ResourceId,
    _ResourceId,
    Authorization,
    PropertiesDynamic,
    HTTPRequest,
    Authorization_d,
    Properties_d,
    Claims_d,
    Hierarchy,
    OperationId,
    CorrelationId,
    EventSubmissionTimestamp,
    EventDataId,
    Type

Explanation

This KQL query is designed to monitor and analyze Azure activity logs related to snapshot operations on specific resources. Here's a simplified breakdown of what the query does:

  1. Define Monitored Resources:

    • It retrieves a list of resources from a watchlist named "ResourceId-AuditAzureResources" where the notes contain "[Snapshot]".
    • It extracts relevant fields like ResourceId, SubscriptionId, ResourceGroup, and Resource.
  2. Filter Azure Activity Logs:

    • It filters the AzureActivity logs to include only operations related to snapshots, specifically those that involve beginning access or writing to snapshots.
    • It further filters these logs to include only those resources that are in the monitored resources list. It handles cases where the Resource field is empty or not, adjusting the ResourceId format accordingly.
  3. Process and Summarize Logs:

    • It extends the logs with a PreferenceInteger to differentiate between logs based on the case of ResourceProviderValue.
    • It groups logs by CorrelationId to summarize operations, capturing the start and end times, and collecting properties and event data IDs.
    • It further groups logs to handle variations in ResourceProviderValue (case differences), summarizing additional details like TenantId, SourceSystem, and more.
  4. Project Relevant Fields:

    • Finally, it selects and projects a comprehensive set of fields for the resulting dataset, including timestamps, resource details, operation names, activity statuses, authorization details, and more.

In essence, this query is used to track and analyze specific snapshot-related activities on Azure resources, providing a detailed view of operations and their associated metadata for auditing or monitoring purposes.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: April 16, 2025

Tables

AzureActivity

Keywords

AzureActivityResourcesSnapshotsResourceIdSubscriptionIdResourceGroupResourceCorrelationIdResourceProviderValueOperationNameValueTimeGeneratedPropertiesDynamicEventDataIdTenantIdSourceSystemCategoryValueTypePreferenceIntegerCallerIpAddressAuthorizationAuthorization_dClaims_dProperties_dEventSubmissionTimestampHierarchyLevelCallerHTTPRequestOperationIdActivityStatusValueActivitySubstatusValueActivitySubstatusCategory

Operators

lethasprojectwherehas_anytoscalarisemptysummarizemake_listisnotemptyextendreplace_regexifftoupperhint.shufflekeyminmaxmake_bagpackarray_sort_ascarg_maxbytake_anyarg_min

Actions

GitHub