Query Details

Azure VM Disk Image URL Generated

Query

//Detect when a download URL is generated for an Azure virtual machine disk

//Data connector required for this query - Azure Activity 

AzureActivity
| where OperationNameValue == "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION"
| where ActivityStatusValue == "Success"
| extend DiskName = tostring(Properties_d.resource)
| project
    TimeGenerated,
    Actor=Caller,
    ['Actor IP Address']=CallerIpAddress,
    ['Azure Subscription Id']=SubscriptionId,
    ['Azure Resource Group']=ResourceGroup,
    DiskName

Explanation

This query detects when a download URL is generated for an Azure virtual machine disk. It uses the Azure Activity data connector and keeps only events whose operation name is "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION" and whose status is "Success". It then extracts the disk name from Properties_d.resource and projects the time generated, actor (caller), actor IP address, Azure subscription ID, Azure resource group, and disk name.
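An added example, not part of the original query page: the same filter run over constructed sample rows, extended to match the operation name case-insensitively and to summarise per actor so that one caller generating URLs for several disks stands out. The sample rows, the SampleAzureActivity name, the summary column names and the premise that the operation name may be logged in mixed case are assumptions for illustration.

```kql
// Constructed sample rows standing in for the AzureActivity table (not real telemetry).
// Rows 1-2: alice, successful URL generation for two disks (row 2 uses mixed-case operation name).
// Row 3:    bob, same operation but status "Failure" -> must be excluded.
// Row 4:    carol, unrelated disk write operation   -> must be excluded.
let SampleAzureActivity = datatable(
    TimeGenerated:datetime, OperationNameValue:string, ActivityStatusValue:string,
    Caller:string, CallerIpAddress:string, SubscriptionId:string,
    ResourceGroup:string, Properties_d:dynamic)
[
    datetime(2022-06-17 09:00:00), "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION", "Success",
        "alice@example.com", "203.0.113.10", "00000000-0000-0000-0000-000000000001", "RG-PROD",
        dynamic({"resource": "vm01-osdisk"}),
    datetime(2022-06-17 09:05:00), "Microsoft.Compute/disks/beginGetAccess/action", "Success",
        "alice@example.com", "203.0.113.10", "00000000-0000-0000-0000-000000000001", "RG-PROD",
        dynamic({"resource": "vm01-datadisk"}),
    datetime(2022-06-17 09:10:00), "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION", "Failure",
        "bob@example.com", "198.51.100.20", "00000000-0000-0000-0000-000000000001", "RG-DEV",
        dynamic({"resource": "vm02-osdisk"}),
    datetime(2022-06-17 09:15:00), "MICROSOFT.COMPUTE/DISKS/WRITE", "Success",
        "carol@example.com", "192.0.2.30", "00000000-0000-0000-0000-000000000001", "RG-DEV",
        dynamic({"resource": "vm03-osdisk"})
];
SampleAzureActivity
// =~ is case-insensitive equality, so both casings of the operation name match
| where OperationNameValue =~ "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION"
| where ActivityStatusValue == "Success"
| extend DiskName = tostring(Properties_d.resource)
// One row per actor and source IP, listing every disk a URL was generated for
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Disks = make_set(DiskName),
    DiskCount = dcount(DiskName)
    by Actor = Caller, ['Actor IP Address'] = CallerIpAddress
| order by DiskCount desc
```

To run it against live data, replace SampleAzureActivity with AzureActivity and drop the let statement.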

Details


Matt Zorich

Released: June 17, 2022

Tables

AzureActivity

Keywords

TimeGenerated,Actor,ActorIpAddress,AzureSubscriptionId,AzureResourceGroup,DiskName

Operators

where, ==, extend, tostring, project
