Forum Discussion
KevinHemelrijk
Oct 19, 2023 - Copper Contributor
KQL query to detect the disablement and deletion of Automation Rules
Hi Community, We want to create a KQL-query that detects whether an automation rule has been disabled. The only way to partially do that at the moment is the AzureActivity table. The problem with...
LeonPavesic
Oct 19, 2023 - Silver Contributor
Hi KevinHemelrijk,
you can use the following KQL query:
AzureActivity
| where OperationName == "MICROSOFT SECURITYINSIGHTS/AUTOMATIONRULES/WRITE"
| where Category == "Write"
| where Action == "Microsoft.Automation/automationRules/disable"
| project ActivityId, OperationName, Category, Action, ResourceId
This query will return all Azure Activity logs where an Automation Rule has been disabled in Azure Security Insights.
You can combine this query with the one to detect the deletion of Automation Rules to create a single query that will detect both the disablement and deletion of Automation Rules in Azure Security Insights.
// Combine both queries with the KQL union operator (the keyword is written in lowercase
// and takes the tabular expressions as its operands)
union
(AzureActivity
| where OperationName == "MICROSOFT SECURITYINSIGHTS/AUTOMATIONRULES/WRITE"
| where Category == "Write"
| where Action == "Microsoft.Automation/automationRules/disable"
| project ActivityId, OperationName, Category, Action, ResourceId),
(AzureActivity
| where OperationName == "MICROSOFT SECURITYINSIGHTS/AUTOMATIONRULES/DELETE"
| where Category == "Delete"
| project ActivityId, OperationName, Category, Action, ResourceId)
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
KevinHemelrijk
Oct 19, 2023 - Copper Contributor
Hi LeonPavesic,
Unfortunately the AzureActivity table does not contain the OperationName and Action columns, so this does not work.
Clive_Watson
Oct 19, 2023 - Bronze Contributor
That is the legacy column name, which is now deprecated - it's a shame, as that did provide the data before we migrated away.
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#data-structure-changes
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#legacy-collection-methods
KevinHemelrijk
Oct 24, 2023 - Copper Contributor
Hi Clive_Watson,
thanks for letting us know, it is indeed a shame that Microsoft deprecates something and at the same time makes it worse. I hope they will release an updated table in the future.
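For readers on the current AzureActivity schema, the following is an added example (not code posted by anyone in this thread) that covers both write and delete operations on Sentinel automation rules using OperationNameValue and ActivityStatusValue instead of the deprecated OperationName and Action columns; the exact operation-name strings and the status values are assumptions to verify against your own workspace data.

```kql
// Added example, not from the thread. Assumption: the automation rule operations are logged
// under the Microsoft.SecurityInsights provider namespace with these OperationNameValue strings.
let ruleOps = dynamic([
    "MICROSOFT.SECURITYINSIGHTS/AUTOMATIONRULES/WRITE",
    "MICROSOFT.SECURITYINSIGHTS/AUTOMATIONRULES/DELETE"
]);
AzureActivity
| where TimeGenerated > ago(1d)
| where OperationNameValue in~ (ruleOps)
// Keep only completed operations; the activity log also emits a "Start" record per request.
// Assumption: success is recorded as "Success" (or "Succeeded" on some exports).
| where ActivityStatusValue in~ ("Success", "Succeeded")
// A WRITE covers any edit of the rule (create, update, enable, disable); the activity log
// alone does not say which one, so every write is surfaced for review.
| extend Change = iff(OperationNameValue endswith "/DELETE", "Rule deleted", "Rule created or modified")
| project TimeGenerated, Change, Caller, CallerIpAddress, RuleResource = _ResourceId, CorrelationId
| order by TimeGenerated desc
```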