Query Details

Hunting Queries Azure Activity Success and Failures

Query

//Hunting query to detect Azure Activity successes and show who did it

AzureActivity
| where TimeGenerated > ago(1d)
| where OperationNameValue has "Action"
| where ActivityStatusValue == "Success"
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
| extend URLCustomEntity = OperationNameValue

//Hunting query to detect Azure Activity failures and show who did it

AzureActivity
| where TimeGenerated > ago(1d)
| where OperationNameValue has "Action"
| where ActivityStatusValue == "Failure"
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
| extend URLCustomEntity = OperationNameValue

Explanation

These two queries detect Azure Activity successes and failures, respectively, and show who performed the actions. Each filters the AzureActivity table to records generated within the last day whose operation name contains the term "Action" (`has` is a case-insensitive whole-term match, so it picks up operation names ending in `/action` without matching substrings of other words) and whose activity status is "Success" in the first query or "Failure" in the second. Each then extends the results with custom entity columns for the account (Caller), the source IP address (CallerIpAddress), and the URL (OperationNameValue), so that the results map onto entities when the query is used in Microsoft Sentinel.
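As an added example that is not part of the original page or the author's query set, the following KQL folds both outcomes into a single pass and summarizes them per caller and source IP. The point for a hunter is context the two separate queries do not give directly: a principal whose failures for a given day sit next to its successes, the set of operations it attempted, and the time window involved. Column names are those used on this page; the `Successes`, `Failures`, `Operations`, `FirstSeen` and `LastSeen` output columns are names chosen here.

```kql
// Added example: one query over both outcomes, aggregated per caller and IP.
// Assumes the standard AzureActivity schema columns referenced on this page.
AzureActivity
| where TimeGenerated > ago(1d)
| where OperationNameValue has "Action"
| where ActivityStatusValue in ("Success", "Failure")
| summarize
    Successes  = countif(ActivityStatusValue == "Success"),
    Failures   = countif(ActivityStatusValue == "Failure"),
    // cap the set so a noisy caller does not blow up the result row
    Operations = make_set(OperationNameValue, 20),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated)
    by Caller, CallerIpAddress
// keep only principals that had at least one failed action today;
// a high failure count with some successes is the row worth reviewing first
| where Failures > 0
| order by Failures desc, Successes desc
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
```

Run it in the same workspace as the page's queries; drop the final `where Failures > 0` line to see every caller, including those that only succeeded, and widen `ago(1d)` when establishing a baseline for a particular principal.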

Details

Rod Trent

Released: November 3, 2020

Tables

AzureActivity

Keywords

AzureActivity,TimeGenerated,OperationNameValue,ActivityStatusValue,Caller,CallerIpAddress

Operators

where, >, ago, has, ==, extend