Query Details

DFC Cloud Audit Events

Query

# Defender for Cloud - CloudAuditEvents

## Query Information

### Description

The ***CloudAuditEvents*** table in the advanced hunting schema contains information about cloud audit events for various cloud platforms protected by the organization's Microsoft Defender for Cloud.


#### References

- [CloudAuditEvents](https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-cloudauditevents-table)


### Microsoft Defender XDR

To get a sample list of VM creation commands performed in the last seven days:

```kql
CloudAuditEvents
| where Timestamp > ago(7d)
| where OperationName startswith "Microsoft.Compute/virtualMachines/write"
| extend Status = RawEventData["status"], SubStatus = RawEventData["subStatus"]
| sample 10
```



Explanation

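This query searches the CloudAuditEvents table, which holds cloud audit events for the cloud platforms protected by Microsoft Defender for Cloud. It keeps events from the last seven days whose OperationName starts with "Microsoft.Compute/virtualMachines/write" (VM creation commands), extracts the status and subStatus fields from RawEventData into the Status and SubStatus columns, and returns a random sample of 10 matching events.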

Details

Alex Verboon

Released: June 24, 2024

Tables

CloudAuditEvents

Keywords

CloudAuditEvents,Timestamp,OperationName,RawEventData,Status,SubStatus

Operators

CloudAuditEvents, where, ago, startswith, extend, sample
