Query Details

Who Modified Analytics Rule

Query

//Standard query

AzureActivity
| where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
| where ActivityStatusValue == "Success"
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| project TimeGenerated , CallerIpAddress , Caller , Analytics_Rule_ID

//Analytics Rule

AzureActivity
| where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
| where ActivityStatusValue == "Success"
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress

Explanation

This query retrieves AzureActivity records for the "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE" operation, i.e. the creation or modification of a Microsoft Sentinel analytics rule. It keeps only activities whose status is "Success", parses the Properties JSON to extract the ID of the analytics rule that was written (Analytics_Rule_ID), and in the standard form projects the time the activity was generated, the caller's IP address, the caller's identity and the rule ID. The analytics-rule variant omits the project and instead maps Caller to AccountCustomEntity and CallerIpAddress to IPCustomEntity so the results can be used for entity mapping in a Sentinel analytics rule. Because changes to analytics rules can silence detections, this is a useful audit of who is tampering with detection content and from where.
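As an added example that is not part of the original query entry, the following KQL variant aggregates the same events per caller and source IP, which makes a burst of rule edits from a single identity stand out. It assumes that a "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE" operation is logged alongside WRITE; that operation name is an assumption and should be confirmed against your own AzureActivity data.

```kql
// Added example: summarize analytics rule changes by caller and IP.
// The DELETE operation name is an assumption; verify it in your tenant.
AzureActivity
| where OperationNameValue has_any (
    "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE",
    "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE")
| where ActivityStatusValue == "Success"
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| extend Action = iff(OperationNameValue has "DELETE", "Delete", "Write")
| summarize
    ChangeCount = count(),
    RulesTouched = make_set(Analytics_Rule_ID),
    Actions = make_set(Action),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Caller, CallerIpAddress
| order by ChangeCount desc
| extend AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
```

Run over a 24-hour window, a caller that touches many rules in a short span (high ChangeCount, large RulesTouched set, Delete present) is worth reviewing against your change records before assuming it is routine content maintenance.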

Details


Rod Trent

Released: October 27, 2020

Tables

AzureActivity

Keywords

Keywords: AzureActivity, OperationNameValue, MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE, ActivityStatusValue, Success, extend, Analytics_Rule_ID, tostring, parse_json, Properties, project, TimeGenerated, CallerIpAddress, Caller, AccountCustomEntity, IPCustomEntity

Operators

where, contains, ==, extend, tostring, parse_json, project
