KQL Search

Query Details

Cloudshell2

Query

AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| extend action_ = tostring(parse_json(Authorization).action) 
| summarize count() by ResourceGroup  , Caller , CallerIpAddress , ActivityStatusValue , ActivitySubstatusValue,  CategoryValue , action_ 
 
// List sucess vs. failure 
AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| summarize count(ActivityStatus) by Caller, ActivityStatus

Explanation

This query is looking at Azure activity data for resource groups that start with "CLOUD-SHELL". It is extending the "action" field from the "Authorization" column and then summarizing the count of activities by various fields such as resource group, caller, caller IP address, activity status, activity substatus, category, and the extended action field.

The second part of the query is filtering for resource groups that start with "CLOUD-SHELL" again and summarizing the count of activity statuses (success vs. failure) by caller.

Details

Rod Trent

Released: April 20, 2020

Tables

AzureActivity

Keywords

AzureActivity,ResourceGroup,CLOUD-SHELL,Authorization,action_,Caller,CallerIpAddress,ActivityStatusValue,ActivitySubstatusValue,CategoryValue,ActivityStatus

Operators

wherestartswithextendtostringparse_jsonsummarizecountby

KQL Search

Cloudshell2

Query

Explanation

Details

Actions