Query Details

Potential Azure VM Admin Password Reset Using VM Access Extension

Query

//JsonVMAccessExtension.exe refers to the VMAccess Extension that can reset the Built-in administrator account/add new accounts. This applies to any Azure VM/AVD
//Ref: https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/reset-rdp#reset-the-local-admin-account-password
DeviceEvents
| where TimeGenerated > ago(90d)
//| where AdditionalFields.PipeName == "\\Device\\NamedPipe\\wkssvc" or AdditionalFields.PipeName == "\\Device\\NamedPipe\\srvsvc"
| where AdditionalFields.RemoteClientsAccess == "AcceptRemote"
| where InitiatingProcessCommandLine == "JsonVMAccessExtension.exe  \"enable\"" //Azure VM account Extension
| where InitiatingProcessAccountName == "system" //Extension runs as system

Explanation

This KQL (Kusto Query Language) query is designed to search for specific events related to the use of the VMAccess Extension on Azure Virtual Machines (VMs) or Azure Virtual Desktop (AVD) session hosts. Here's a simple breakdown of what the query does:

  1. Data Source: The query reads from DeviceEvents, the table that records a broad range of device-level events (including the named-pipe and remote-access details used here).

  2. Time Frame: It filters the events to only include those generated in the last 90 days.

  3. Remote Access: It checks for events where remote client access was accepted, indicated by AdditionalFields.RemoteClientsAccess == "AcceptRemote".

  4. Specific Process: The query is specifically looking for instances where the JsonVMAccessExtension.exe process was run with the command line argument "enable". This indicates that the VMAccess Extension was used to enable or reset the built-in administrator account or add new accounts on an Azure VM.

  5. System Account: It further filters these events to those where the process was initiated by the system account, which is typical for such extensions that require elevated privileges.

Overall, this query is used to identify and monitor the use of the VMAccess Extension on Azure VMs, particularly focusing on actions that involve enabling or resetting administrator accounts, which could be critical for security auditing and compliance.
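To check the filter logic offline before deploying the rule, the following Python replay applies the same conditions to constructed DeviceEvents-style rows. This is example code added to this page, not the author's query; it assumes AdditionalFields arrives as JSON text (as in a Sentinel export) and mirrors the KQL's exact, case-sensitive string comparisons, including the double space in the command line.

```python
import json
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(days=90)                               # TimeGenerated > ago(90d)
VMACCESS_CMDLINE = 'JsonVMAccessExtension.exe  "enable"'   # two spaces, as in the query
REFERENCE_NOW = datetime(2026, 6, 9, tzinfo=timezone.utc)  # constructed "now" for the window


def row(ts, device, cmd=VMACCESS_CMDLINE, account="system",
        extra='{"RemoteClientsAccess": "AcceptRemote"}'):
    """Constructed DeviceEvents-style row; AdditionalFields carried as JSON text."""
    return {"TimeGenerated": ts, "DeviceName": device, "AdditionalFields": extra,
            "InitiatingProcessCommandLine": cmd, "InitiatingProcessAccountName": account}


SAMPLE_ROWS = [  # constructed; only the first two rows satisfy every filter
    row("2026-06-01T10:15:00+00:00", "avd-host-01"),
    row("2026-06-03T09:00:00+00:00", "avd-host-01"),
    row("2026-06-02T12:00:00+00:00", "vm-web-02", account="azureuser"),  # not system
    row("2026-06-02T12:05:00+00:00", "vm-web-02", cmd="svchost.exe -k netsvcs"),
    row("2026-01-15T08:00:00+00:00", "avd-host-01"),                      # outside 90d
    row("2026-06-04T07:30:00+00:00", "vm-db-03", extra="not json"),       # unparsable
]


def is_vmaccess_reset(r, now=REFERENCE_NOW):
    """Apply every filter of the KQL query to one row. KQL == is case-sensitive,
    so the account-name comparison stays exact, as in the original query."""
    if datetime.fromisoformat(r["TimeGenerated"]) <= now - LOOKBACK:
        return False
    extra = r.get("AdditionalFields") or {}
    if isinstance(extra, str):               # dynamic column exported as JSON text
        try:
            extra = json.loads(extra)
        except json.JSONDecodeError:
            return False                     # filter cannot be evaluated; no match
    return (extra.get("RemoteClientsAccess") == "AcceptRemote"
            and r.get("InitiatingProcessCommandLine") == VMACCESS_CMDLINE
            and r.get("InitiatingProcessAccountName") == "system")


def summarize_vmaccess_resets(rows, now=REFERENCE_NOW):
    """Hits per device with first/last timestamps: the triage view an analyst wants
    before pivoting to which local account was reset or created on that host."""
    summary = {}
    for r in rows:
        if not is_vmaccess_reset(r, now):
            continue
        e = summary.setdefault(r["DeviceName"], {"count": 0, "first_seen": None, "last_seen": None})
        e["count"] += 1
        e["first_seen"] = min(e["first_seen"] or r["TimeGenerated"], r["TimeGenerated"])
        e["last_seen"] = max(e["last_seen"] or r["TimeGenerated"], r["TimeGenerated"])
    return summary
```

Running `summarize_vmaccess_resets(SAMPLE_ROWS)` reports only avd-host-01 with two hits; the rows with a non-system account, a different process, an old timestamp, or unparsable AdditionalFields are all discarded, exactly as the KQL would drop them.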

Details

Jay Kerai

Released: June 9, 2026

Tables

DeviceEvents

Keywords

DeviceEvents
AdditionalFields
TimeGenerated
InitiatingProcessCommandLine
InitiatingProcessAccountName

Operators

ago
where