Forum Discussion
SocInABox
Oct 26, 2023 Iron Contributor
Azure Activity - any good kql queries?
Hi there, just wondering if there are any good Azure Activity queries out there, eg:
- User related changes
- Non-user related changes (managed identities etc)
The out of the box sentinel work...
Clive_Watson
Oct 26, 2023 Bronze Contributor
One option is to use ARG, here is part of a query I use in a Workbook (but it depends on the type of change you are looking for).
resourcechanges
//| where subscriptionId =='{Subscription}'
| extend timestamp_ = properties.changeAttributes.timestamp,
changeType_ = properties.changeType
| where timestamp_ > ago(1d)
| where properties.targetResourceType startswith "MICROSOFT.OPERATION"
| project properties.targetResourceType, properties.changeAttributes.changesCount, changeType_, timestamp_, subscriptionId, properties
//| where changeType_ =='Create' // 'Update','Delete'
| summarize count(), arg_max(todatetime(timestamp_), *) by subscriptionId, tostring(properties_targetResourceType)
| order by count_ desc
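For the user vs. non-user split the original question asks about, here is an added example (not Clive's query, and not from any Sentinel content) that runs against the Sentinel AzureActivity table rather than ARG. It keys the split off the Claims column; the claim URIs used are the standard Entra ID ones, but check them against your own AzureActivity rows before relying on the classification.

```kql
// Added example: classify successful Azure Activity write/delete operations
// by the kind of caller (interactive user vs. service principal / managed identity).
// Assumes a Log Analytics workspace with the AzureActivity table connected to Sentinel.
AzureActivity
| where TimeGenerated > ago(1d)
| where ActivityStatusValue =~ "Success"
// Only configuration-changing operations; reads are noise for this purpose.
| where OperationNameValue endswith "/WRITE" or OperationNameValue endswith "/DELETE"
| extend ClaimsJson = parse_json(Claims)
// UPN claim is present for human sign-ins; appid is present for app / MI tokens.
// Claim keys are assumed to be the standard Entra ID ones; verify against your data.
| extend CallerUpn   = tostring(ClaimsJson["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]),
         CallerAppId = tostring(ClaimsJson["appid"])
| extend CallerKind = case(
    isnotempty(CallerUpn) or Caller contains "@", "User",
    isnotempty(CallerAppId),                     "ServicePrincipalOrManagedIdentity",
                                                 "Unknown")
// One row per caller per subscription/resource group, most active first.
| summarize Changes    = count(),
            Operations = make_set(OperationNameValue, 20),
            LastSeen   = max(TimeGenerated)
    by CallerKind, Caller, CallerAppId, SubscriptionId, ResourceGroup
| order by Changes desc
```

Filtering on `CallerKind == "ServicePrincipalOrManagedIdentity"` gives the non-user changes the question asked for; a managed identity shows up with a GUID in Caller and an appid claim but no UPN.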
SocInABox
Oct 27, 2023 Iron Contributor
I see, so you made a function to filter out the resource changes first, and then used this 2nd query to list all changes by subscription.
Thanks!