Forum Discussion

SocInABox
Iron Contributor
Oct 26, 2023

Azure Activity - any good kql queries?

Hi there, just wondering if there are any good Azure Activity queries out there, eg: - User related changes - non-user related changes (managed identities etc)   The out of the box sentinel work...
  • Clive_Watson
    Oct 26, 2023

    SocInABox 


    One option is to use ARG, here is part of a query I use in a Workbook (but it depends on the type of change you are looking for). 

    resourcechanges
    //| where subscriptionId =='{Subscription}'
    | extend timestamp_ = properties.changeAttributes.timestamp,
            changeType_ = properties.changeType
    | where timestamp_ > ago(1d)
    | where properties.targetResourceType startswith "MICROSOFT.OPERATION"
    | project properties.targetResourceType, properties.changeAttributes.changesCount, changeType_, timestamp_, subscriptionId, properties
    //| where changeType_ =='Create'   // 'Update','Delete'
    | summarize count(), arg_max(todatetime(timestamp_), *) by subscriptionId, tostring(properties_targetResourceType)
    | order by count_ desc
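The original question asks about AzureActivity queries that separate user-driven changes from non-user ones (managed identities, service principals). The following is an added example, not code from the thread or from Clive_Watson's workbook. It runs against the AzureActivity table in Sentinel / Log Analytics and splits successful write, delete and action operations by caller type. It assumes the standard AzureActivity columns (TimeGenerated, CategoryValue, ActivityStatusValue, OperationNameValue, Caller, CallerIpAddress, SubscriptionId, ResourceGroup) and assumes that user callers appear as a UPN containing "@" while managed identities and service principals appear as a bare object-ID GUID in Caller; the status values "Success" / "Succeeded" are both checked because the column's spelling has differed across schema versions.

```kql
// Added example: classify Azure Resource Manager control-plane changes by caller type.
// Column names are the standard AzureActivity schema (assumed here, not taken from the thread).
AzureActivity
| where TimeGenerated > ago(1d)
// Administrative = ARM control-plane operations (create/update/delete), not alerts or health events
| where CategoryValue == "Administrative"
// Only completed operations; both spellings are checked because the schema has changed over time (assumption)
| where ActivityStatusValue in~ ("Success", "Succeeded")
// Keep change-type operations and drop pure reads
| where OperationNameValue endswith "/write"
     or OperationNameValue endswith "/delete"
     or OperationNameValue endswith "/action"
// Users are logged by UPN; managed identities / service principals by their object-ID GUID (assumption)
| extend CallerType = case(
    Caller matches regex @"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", "ServicePrincipalOrManagedIdentity",
    Caller contains "@", "User",
    "Unknown")
| summarize Changes   = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Operations = make_set(OperationNameValue, 20),
            SourceIPs  = make_set(CallerIpAddress, 10)
    by CallerType, Caller, SubscriptionId, ResourceGroup
| order by Changes desc
```

Filtering on CallerType == "User" or "ServicePrincipalOrManagedIdentity" gives the two views the question asks for; a GUID caller that is not in your expected inventory of managed identities and app registrations, or a user making write/delete calls from an unfamiliar CallerIpAddress, is the kind of row worth reviewing. Resolving a GUID caller to its display name needs an identity data source that AzureActivity does not carry, so that join is left out here.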
