Jun 02 2022 07:46 AM
How do I add a condition so that, if there is a create/write activity on the same day, the delete is excluded from the alert?
For example,
TimeGenerated   VirtualMachine   OperationNameValue
5/20/2022       Test1            Microsoft.Compute/virtualMachines/extensions/delete
5/20/2022       Test1            Microsoft.Compute/virtualMachines/extensions/write
Since there is both a delete and a write activity on the same date, it should have been excluded from the alert.
Here's the current query:
AzureActivity
// successful deletes of a VM extension (match the operation column rather than every column)
| where OperationNameValue has "extensions/delete"
| where ActivityStatus has "Succeeded"
// only the agent / monitoring extensions of interest; Resource is the extension name
| where Resource contains "Agent"
    or Resource contains "OMS"
    or Resource contains "VMDiagnosticsSettings"
| where Resource !contains "CustomScript"
// VM name is the path segment between /virtualMachines/ and /extensions/ in the resource ID
// (extract returns an empty string when the ID does not have that shape)
| extend VirtualMachine = extract(@"/virtualMachines/([^/]+)/extensions/", 1, ResourceId)
| summarize count() by Resource, VirtualMachine, Caller
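One way to express the "no write on the same day" exclusion is to build the set of successful extension writes per VM and day and then drop every delete that has a matching row with a `leftanti` join. This is an added example written for this question, not code from the original post; it assumes the same `AzureActivity` columns the question already uses (`OperationNameValue`, `Resource`, `ActivityStatus`, `ResourceId`, `Caller`, `TimeGenerated`), and the `lookback` value and the `vmOf` helper are names chosen here for illustration.

```kql
// Added example (not from the original post). Assumes the AzureActivity table and the
// columns used in the question; "lookback" and "vmOf" are illustrative names.
let lookback = 1d;    // assumed alert query window; must cover the whole day for a same-day check
// VM name from a ResourceId of the form .../virtualMachines/<vm>/extensions/<ext>
let vmOf = (rid: string) { extract(@"/virtualMachines/([^/]+)/extensions/", 1, rid) };
// Successful deletes of the monitoring/agent extensions (same filter as the question)
let extDeletes = AzureActivity
    | where TimeGenerated > ago(lookback)
    | where OperationNameValue =~ "Microsoft.Compute/virtualMachines/extensions/delete"
    | where ActivityStatus has "Succeeded"
    | where Resource contains "Agent"
        or Resource contains "OMS"
        or Resource contains "VMDiagnosticsSettings"
    | where Resource !contains "CustomScript"
    | extend VirtualMachine = vmOf(ResourceId), Day = startofday(TimeGenerated);
// Successful writes (create/update) of any extension, reduced to one row per VM and day
let extWrites = AzureActivity
    | where TimeGenerated > ago(lookback)
    | where OperationNameValue =~ "Microsoft.Compute/virtualMachines/extensions/write"
    | where ActivityStatus has "Succeeded"
    | extend VirtualMachine = vmOf(ResourceId), Day = startofday(TimeGenerated)
    | distinct VirtualMachine, Day;
// leftanti keeps only the deletes that have NO write on the same VM on the same day.
// Add Resource to the join keys to require the write to be for the same extension.
extDeletes
| join kind=leftanti extWrites on VirtualMachine, Day
| summarize Deletes = count(), LastDelete = max(TimeGenerated) by Resource, VirtualMachine, Caller
| sort by LastDelete desc
```

Two caveats when this runs as a scheduled alert. First, the exclusion can only see writes that have already been ingested when the rule runs: a delete at 09:00 followed by a reinstall at 09:30 still alerts if the rule runs at 09:05 with a short window, so either run the rule once per day over the previous day or accept that early deletes may fire before their write arrives. Second, "same day" as written also excludes a delete when the write happened earlier that day; if you only want writes that came after the delete, replace the `leftanti` join with an inner join and keep rows where the write's `TimeGenerated` is later than the delete's.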