Query Details

NSG Changes By User

Query

AzureActivity
| where parse_json(Authorization).action == "Microsoft.Network/networkSecurityGroups/securityRules/write" and ActivityStatus == "Succeeded"
| make-series count() default=0 on TimeGenerated in range(ago(7d), now(), 1d) by Caller
| render barchart

Explanation

This query searches the AzureActivity table for operations that write (create or update) a network security group security rule, keeping only those whose ActivityStatus is "Succeeded". It then uses make-series to count these operations per caller in one-day bins over the past 7 days, filling days with no activity with 0, and renders the result as a bar chart.
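An added example, not part of the original query: a tabular companion to the chart that uses the same filter and compares each caller's rule writes in the last day with that caller's own prior six days. The variable names, the 3x multiplier, and the use of CallerIpAddress and ResourceGroup as triage context are assumptions made for this example.

```kusto
// Added example: same event filter as the chart, reshaped for triage.
let lookback  = 7d;   // same window as the chart
let recent    = 1d;   // the period being reviewed
let ruleWrite = "Microsoft.Network/networkSecurityGroups/securityRules/write";
let NsgWrites =
    AzureActivity
    | where TimeGenerated > ago(lookback)
    | where tostring(parse_json(Authorization).action) == ruleWrite
        and ActivityStatus == "Succeeded";
NsgWrites
| summarize
    BaselineChanges = countif(TimeGenerated <= ago(recent)),  // prior 6 days
    RecentChanges   = countif(TimeGenerated >  ago(recent)),  // last 24 hours
    ActiveDays      = dcount(bin(TimeGenerated, 1d)),
    SourceIPs       = make_set(CallerIpAddress, 10),
    ResourceGroups  = make_set(ResourceGroup, 10)
    by Caller
| where RecentChanges > 0
| extend BaselineDailyAvg = round(BaselineChanges / 6.0, 2)
// The 3x multiplier is an illustrative threshold, not a recommended value.
| extend Note = case(
    BaselineChanges == 0,                 "no rule writes in prior 6 days",
    RecentChanges > 3 * BaselineDailyAvg, "above 3x prior daily average",
                                          "within prior range")
| order by RecentChanges desc
```

Callers with no rule writes in the prior six days appear first in the Note column's categories, which is where a day-over-day bar chart is hardest to read when many callers are plotted together.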

Details


Rod Trent

Released: June 4, 2020

Tables

AzureActivity

Keywords

AzureActivity,Authorization,Microsoft.Network,networkSecurityGroups,securityRules,write,ActivityStatus,Succeeded,make-series,count,default,TimeGenerated,range,ago,now,Caller,render,barchart

Operators

where,parse_json,==,and,ActivityStatus,==,make-series,count(),default=0,on,TimeGenerated,in,range(),ago(),now(),1d,by,Caller,render,barchart
