KQL Search

Query Details

HomeAI ToolsDevice Query

Resource Container Changes Azure Subscription Modified

Query

let query_frequency = 15m;
arg("").ResourceContainerChanges
| where properties["targetResourceType"] == "microsoft.resources/subscriptions"
| extend ChangesProperties = coalesce(properties["changes"]["properties.state"], properties["changes"]["properties.provisioningState"])
| extend
    Timestamp = todatetime(properties["changeAttributes"]["timestamp"]),
    ChangedByType = tostring(properties["changeAttributes"]["changedByType"]),
    ChangedBy = tostring(properties["changeAttributes"]["changedBy"]),
    ChangedByClient = tostring(properties["changeAttributes"]["clientType"]),
    Operation = tostring(properties["changeAttributes"]["operation"]),
    TargetResourceId = tostring(properties["targetResourceId"]),
    ChangesCount = toint(properties["changeAttributes"]["changesCount"]),
    ChangeType = tostring(properties["changeType"]),
    StateChangeCategory = tostring(ChangesProperties["changeCategory"]),
    StatePreviousValue = tostring(ChangesProperties["previousValue"]),
    StateNewValue = tostring(ChangesProperties["newValue"]),
    CorrelationId = tostring(properties["changeAttributes"]["correlationId"])
| where Timestamp > ago(query_frequency)
| join hint.remote=local kind=leftouter (
    arg("").ResourceContainers
    | where type == "microsoft.resources/subscriptions"
    | project subscriptionId, subscriptionName = name
    ) on subscriptionId
| extend AlertName = case(
    ChangeType == "Create", strcat("Azure subscription created", " - ", subscriptionName),
    ChangeType == "Delete", strcat("Azure subscription deleted", " - ", subscriptionName),
    ChangeType == "Update", strcat("Azure subscription ", tolower(StateNewValue), " - ", subscriptionName),
    ""
    )
| project
    Timestamp,
    ChangedByType,
    ChangedBy,
    ChangedByClient,
    Operation,
    subscriptionName,
    //resourceGroup,
    //location,
    TargetResourceId,
    ChangesCount,
    ChangeType,
    StateChangeCategory,
    StatePreviousValue,
    StateNewValue,
    CorrelationId,
    AlertName

Explanation

This query retrieves information about changes made to Azure subscriptions within a specified time frame. It includes details such as who made the change, the type of change (create, delete, update), the resource affected, and more. The query also joins this information with subscription details to provide a more comprehensive view. Finally, it creates an alert name based on the type of change made to the subscription.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 26, 2024

Tables

ResourceContainerChanges ResourceContainers

Keywords

Arg,ResourceContainerChanges,Timestamp,ChangedByType,ChangedBy,ChangedByClient,Operation,TargetResourceId,ChangesCount,ChangeType,StateChangeCategory,StatePreviousValue,StateNewValue,CorrelationId,ResourceContainers,subscriptionId,subscriptionName,AlertName

Operators

argwhereextendtodatetimetostringtointcoalescejoinhintoncaseproject

Actions