Query Details

Bastion Audit Usage

Query

//Find which users have attempted to connect to virtual machines using RDP or SSH in Azure Bastion

//Data connector required for this query - Azure Bastion

MicrosoftAzureBastionAuditLogs
| parse TargetResourceId with * 'VIRTUALMACHINES/' ['Virtual Machine Name']
| project
    TimeGenerated,
    Message,
    UserName,
    Protocol,
    ['Virtual Machine Name'],
    ['Virtual Machine IP']=TargetVMIPAddress
| sort by TimeGenerated desc 

Explanation

This query lists the users who have attempted RDP or SSH connections to virtual machines through Azure Bastion. It relies on the Azure Bastion data connector and reads the MicrosoftAzureBastionAuditLogs table. The query parses the virtual machine name out of TargetResourceId, then projects TimeGenerated, Message, UserName, Protocol, the parsed Virtual Machine Name, and TargetVMIPAddress renamed to Virtual Machine IP. The results are sorted by TimeGenerated in descending order.
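As an added example, not part of the original query or its author's work, the following turns the same log source into a simple detection: it baselines which user/virtual machine pairs have been seen over a longer window and surfaces Bastion sessions in the last day where a user reached a virtual machine for the first time. It uses only the columns the original query already references; the 30-day and 1-day windows are arbitrary assumptions to tune per environment.

```kql
// Added example, not from the original page. Baseline user-to-VM pairs over a
// lookback window and report pairs that appear only in the most recent window.
// Assumption: lookback and recent are arbitrary window sizes; adjust as needed.
let lookback = 30d;
let recent = 1d;
let sessions =
    MicrosoftAzureBastionAuditLogs
    | where TimeGenerated > ago(lookback)
    // Same extraction as the original query; rows whose resource ID lacks the
    // 'VIRTUALMACHINES/' segment parse to an empty name and are dropped here.
    | parse TargetResourceId with * 'VIRTUALMACHINES/' VMName
    | where isnotempty(VMName)
    | project TimeGenerated, UserName, Protocol, VMName, TargetVMIPAddress;
// Baseline: every user/VM pair observed before the recent window.
let baseline =
    sessions
    | where TimeGenerated <= ago(recent)
    | distinct UserName, VMName;
// Recent sessions whose user/VM pair is absent from the baseline.
sessions
| where TimeGenerated > ago(recent)
| join kind=leftanti baseline on UserName, VMName
| summarize
    Attempts = count(),
    Protocols = make_set(Protocol),
    TargetIPs = make_set(TargetVMIPAddress),
    FirstAttempt = min(TimeGenerated),
    LastAttempt = max(TimeGenerated)
    by UserName, VMName
| sort by FirstAttempt desc
```

A first-seen pair is not proof of misuse (new staff, new VMs, or a short retention period all produce them), so pair the result with the Message column from the original query when triaging.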

Details


Matt Zorich

Released: June 17, 2022

Tables

MicrosoftAzureBastionAuditLogs

Keywords

Users,VirtualMachines,RDP,SSH,AzureBastion,AuditLogs,TimeGenerated,Message,UserName,Protocol,VirtualMachineName,VirtualMachineIP,TargetVMIPAddress

Operators

parse, project, sort by
