Query Details
Built In Fusion Creation
Query
//One way to find out when an Azure Sentinel instance is created is to monitor when the Fusion Analytics Rules is created. Fusion is enabled by default when Azure Sentinel is stood up. AzureActivity | where parse_json(Properties).resource has "builtinfusion" | where ActivitySubstatusValue =~ "created" | project TimeGenerated, Caller, CallerIpAddress, ResourceGroup
Explanation
This query looks for the creation of an Azure Sentinel instance by monitoring the creation of Fusion Analytics Rules. Fusion is automatically enabled when Azure Sentinel is set up. The query filters the AzureActivity logs to find entries where the resource contains "builtinfusion" and the ActivitySubstatusValue indicates creation. It then projects the TimeGenerated, Caller, CallerIpAddress, and ResourceGroup fields for further analysis.
Details
Rod Trent
Released: February 18, 2021
Tables
AzureActivity
Keywords
AzureActivity,Fusion,AzureSentinel,Instance,FusionAnalyticsRules,Created
Operators
wherehaswhere=~project