Query Details

HUNT 02 Diag Settings Change Timeline

Query

// Hunt     : Hunt - Diagnostic Settings Change Timeline per Resource (90d)
// Tactics  : DefenseEvasion
// MITRE    : T1562.008
// Purpose  : Show the full create/update/delete history of diagnostic settings per resource. Use to identify resources that were permanently unmonitored by correlating delete events with no subsequent write.
//==========================================================================================

AzureActivity
| where TimeGenerated > ago(90d)
| where OperationNameValue has "DIAGNOSTICSETTINGS"
| where ActivityStatusValue =~ "Success"
| project TimeGenerated, Operation = OperationNameValue, Caller, ResourceId, CallerIpAddress, SubscriptionId, ResourceGroup
| extend IsDelete = Operation has "DELETE"
| order by ResourceId asc, TimeGenerated asc

Explanation

This query is designed to track changes in diagnostic settings for Azure resources over the past 90 days. It focuses on identifying any resources that might have been left unmonitored due to the deletion of diagnostic settings without subsequent updates. Here's a breakdown of what the query does:

  1. Data Source: It uses the AzureActivity table, which logs activities related to Azure resources.

  2. Time Frame: The query filters for activities that occurred within the last 90 days.

  3. Operation Filter: It keeps only operations on diagnostic settings by checking whether OperationNameValue contains the term "DIAGNOSTICSETTINGS" (the has operator matches whole terms, case-insensitively, so it catches write and delete operation names that include it).

  4. Status Filter: It only considers successful operations, as indicated by ActivityStatusValue being "Success".

  5. Data Projection: The query selects specific columns to display: the time of the operation (TimeGenerated), the type of operation (Operation), the user who performed the operation (Caller), the resource affected (ResourceId), the IP address of the caller (CallerIpAddress), the subscription ID (SubscriptionId), and the resource group (ResourceGroup).

  6. Delete Operation Identification: It adds a boolean column IsDelete that flags delete operations by checking whether the Operation value contains the term "DELETE"; writes (create or update) are left as false.

  7. Sorting: Finally, it sorts the results by ResourceId and TimeGenerated in ascending order, allowing you to see the chronological order of changes for each resource.

Overall, this query helps in auditing and ensuring that diagnostic settings are not inadvertently removed, leaving resources unmonitored.
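The hunt above lists the full timeline and leaves the correlation (a delete with no later write) to the analyst. The following added KQL, not part of the original hunt, collapses each resource to its most recent successful diagnostic-settings operation and keeps only those whose last operation was a delete, which is exactly the "permanently unmonitored" case. It uses the same AzureActivity columns and 90-day window; no other schema assumptions are made.

```kql
// Added example: resources whose latest successful diagnostic-settings
// operation in the window is a delete (no subsequent write observed).
AzureActivity
| where TimeGenerated > ago(90d)
| where OperationNameValue has "DIAGNOSTICSETTINGS"
| where ActivityStatusValue =~ "Success"
| extend IsDelete = OperationNameValue has "DELETE"
// arg_max keeps the row with the newest TimeGenerated per resource and
// carries the listed columns through under their original names.
| summarize arg_max(TimeGenerated, OperationNameValue, Caller, CallerIpAddress, IsDelete),
            TotalOps = count(),
            DeleteCount = countif(IsDelete)
  by ResourceId, SubscriptionId, ResourceGroup
// If the newest row is a delete, nothing re-enabled logging afterwards.
| where IsDelete
| project LastOpTime = TimeGenerated, ResourceId, SubscriptionId, ResourceGroup,
          LastOperation = OperationNameValue, Caller, CallerIpAddress,
          TotalOps, DeleteCount
| order by LastOpTime desc
```

A resource that appears here still exists but is no longer sending diagnostics; a TotalOps of 1 with DeleteCount of 1 means its settings were removed without any recorded create in the window, which usually points to an older configuration and is worth checking against the resource's current state.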

Details


David Alonso

Released: March 12, 2026

Tables

AzureActivity

Keywords

AzureActivity, TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, ResourceId, CallerIpAddress, SubscriptionId, ResourceGroup

Operators

AzureActivity, |, where, >, ago(), has, =~, project, extend, order by, asc
