Query Details

Cloud Shell Part2

Query

// AzureActivity is logged differently in certain Azure environments. For environments where the original
// Cloud Shell analytics rules don't work, use this query instead.
// The cause of the differences is still being determined.

AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| where ResourceProviderValue == "MICROSOFT.STORAGE"
| where ActivityStatusValue == "Start"
// Pull the RBAC action out of the Authorization JSON blob
| extend action_ = tostring(parse_json(Authorization).action)
// action_ is included in the grouping so the extracted value is not dropped by summarize
| summarize count() by TimeGenerated, ResourceGroup, Caller, CallerIpAddress, ActivityStatusValue, action_
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress

Explanation

This query surfaces Cloud Shell storage activity in AzureActivity logs for Azure environments where the original Cloud Shell analytics rules do not fire. It filters the logs to resource groups whose names start with "CLOUD-SHELL", to the "MICROSOFT.STORAGE" resource provider, and to operations with an activity status of "Start"; Cloud Shell provisions a storage account for its file share, so storage operations in these resource groups indicate a session being set up. It then extracts the RBAC action from the Authorization field and summarizes the count of matching records by time generated, resource group, caller, caller IP address and activity status. Finally, it maps the caller and caller IP address to the Account and IP custom entities so the results can be consumed by an analytics rule. As the comment in the query notes, the reason AzureActivity is logged differently across environments is still being investigated.

Details

Rod Trent

Released: October 14, 2020

Tables

AzureActivity

Keywords

Devices, Intune, User

Operators

where, startswith, ==, extend, tostring, parse_json, summarize, count(), by