Hi Javier,
I can't seem to deploy long queries, e.g. the following — is there a limit?
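// Detection: callers / source IPs that created role assignments in the most
// recent window but were not frequent sources of that operation during the
// preceding baseline window. New or rare role-assignment sources are worth
// reviewing because role assignment is a common privilege-change step.
let starttime = 14d;   // how far back the baseline (look-back) window starts
let endtime = 1d;      // boundary between the baseline window and the recent window
// An IP/caller pair with fewer than this many role-assignment operations in the
// baseline window is treated as an unusual source of such operations.
let alertOperationThreshold = 5;
// NOTE: string literals must use plain quotes ("...") in KQL. Backslash-escaped
// quotes (\") are only correct when the query is embedded in a JSON string and
// are a syntax error if pasted into the query editor as-is.
let createRoleAssignmentActivity = AzureActivity
| where OperationName == "Create role assignment";
// Baseline: IP/caller pairs that were frequent sources in the look-back window.
// The count column is named explicitly instead of relying on the default count_.
createRoleAssignmentActivity
| where TimeGenerated between (ago(starttime) .. ago(endtime))
| summarize BaselineOperationCount = count() by CallerIpAddress, Caller
| where BaselineOperationCount >= alertOperationThreshold
// rightanti keeps only rows from the recent side whose (CallerIpAddress, Caller)
// pair has no match in the baseline set above, i.e. new or rare sources.
| join kind = rightanti (
    createRoleAssignmentActivity
    | where TimeGenerated > ago(endtime)
    // One row per caller/IP/resource; the count is per that grouping, not per
    // IP address alone, despite the column name kept for compatibility.
    // make_list replaces the deprecated makelist alias.
    | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated),
        ActivityTimeStamp = make_list(TimeGenerated), ActivityStatus = make_list(ActivityStatus),
        OperationIds = make_list(OperationId), CorrelationId = make_list(CorrelationId),
        ActivityCountByCallerIPAddress = count()
      by ResourceId, CallerIpAddress, Caller, OperationName, Resource, ResourceGroup
) on CallerIpAddress, Caller
// Entity-mapping columns consumed by the analytics rule (Account and IP entities).
| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress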