Query Details

Bastion Summarize Account Access

Query

//Summarize your Bastion usage by which users are connecting to which devices via which protocol (RDP or SSH)

//Data connector required for this query - Azure Bastion

MicrosoftAzureBastionAuditLogs
| where TimeGenerated > ago(30d)
| where Message == "Successfully Connected."
| summarize
    ['Count of RDP Devices']=dcountif(TargetVMIPAddress, Protocol == "rdp"),
    ['List of RDP Devices']=make_set_if(TargetVMIPAddress, Protocol == "rdp"),
    ['Count of SSH Devices']=dcountif(TargetVMIPAddress, Protocol == "ssh"),
    ['List of SSH Devices']=make_set_if(TargetVMIPAddress, Protocol == "ssh")
    by UserName
| sort by ['Count of RDP Devices'] desc

Explanation

This query summarizes Azure Bastion usage over the last 30 days by showing which users successfully connected to which devices over RDP or SSH. For each user it counts the distinct target devices reached through each protocol and lists those devices. The results are sorted in descending order by the count of RDP devices, so the users reaching the most RDP targets appear first.
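The summary above gives a per-user inventory; a defender usually also wants to know when a user reaches a device they have not reached before. The following KQL is an added example, not part of the original query, that builds a baseline of user-to-device-to-protocol triples from the preceding 29 days and returns only the triples first seen in the last day. It uses only the columns the query above references; the 30d and 1d windows are assumptions to tune for your environment.

```kql
// Added example: surface Bastion user/device/protocol combinations that are new in the last day.
// Assumed windows: 30 days of history, with the most recent 1 day treated as "recent".
let lookback = 30d;
let recent = 1d;
// Baseline: every successful user/device/protocol combination seen before the recent window.
let Baseline = MicrosoftAzureBastionAuditLogs
| where TimeGenerated between (ago(lookback) .. ago(recent))
| where Message == "Successfully Connected."
| distinct UserName, TargetVMIPAddress, Protocol;
// Recent successful connections, collapsed to one row per combination.
MicrosoftAzureBastionAuditLogs
| where TimeGenerated > ago(recent)
| where Message == "Successfully Connected."
| summarize FirstSeen=min(TimeGenerated), Connections=count()
    by UserName, TargetVMIPAddress, Protocol
// leftanti keeps only recent combinations that do not appear in the baseline.
| join kind=leftanti Baseline on UserName, TargetVMIPAddress, Protocol
| sort by FirstSeen desc
```

A user who appears here with several new targets at once is worth correlating with change tickets or on-call rotations before treating it as benign.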

Details


Matt Zorich

Released: June 17, 2022

Tables

MicrosoftAzureBastionAuditLogs

Keywords

MicrosoftAzureBastionAuditLogs,TimeGenerated,Message,TargetVMIPAddress,Protocol,UserName

Operators

where,ago,==,summarize,dcountif,make_set_if,by,sort by,desc
