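// Azure Activity: flag callers that repeatedly perform sensitive control-plane
// operations within the lookback window. Each listed operation can expose data
// or weaken network controls (disk snapshot write, NSG write, storage key
// listing), so a burst of them from one caller/IP is worth triage.
let SensitiveOps = dynamic([
    "microsoft.compute/snapshots/write",
    "microsoft.network/networksecuritygroups/write",
    "microsoft.storage/storageaccounts/listkeys/action"]);
// Minimum number of successful sensitive operations per (IP, caller, operation)
// before a row is emitted; tune to the environment's baseline.
let threshold = 5;
AzureActivity
// Time filter first: the engine prunes on TimeGenerated before evaluating the
// string comparisons below. The filters commute, so the result is unchanged.
| where TimeGenerated >= ago(1d)
// in~ is case-insensitive, so the lowercase list also matches upper-cased
// OperationNameValue entries.
| where OperationNameValue in~ (SensitiveOps)
// Keep only operations whose status is Success (=~ is case-insensitive).
| where ActivityStatusValue =~ "Success"
// FirstSeen/LastSeen give the analyst the time span of the burst without a
// second query; ActivityCount is the value thresholded below.
| summarize
    ActivityCount = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by CallerIpAddress, Caller, OperationNameValue
| where ActivityCount >= threshold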