Azure Kusto Query Language hot tip: Diagnostic settings compliance

Our series on the very helpful Azure Kusto Query Language continues with a useful script that can boost your security. A key feature in Azure is the ability to send log activity, through diagnostic settings, to Log Analytics, Event Hubs, a storage account, or a third-party SIEM. Deleting a diagnostic setting stops that log flow for the affected resource, so using Azure Kusto Query Language we will check the Activity Log for any diagnostic setting removed from the environment. This helps to improve your security posture and lets you track any unauthorized deletion.

The results of the query are depicted in the image below.

The query required to provide that output is listed below.

AzureActivity
| where TimeGenerated > ago(24h)                                              // look back over the last 24 hours
| where OperationNameValue == 'MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE'  // diagnostic setting deletions only
| where ActivityStatusValue == 'Success'                                     // keep deletions that actually completed
| order by TimeGenerated desc
| project TimeGenerated, Caller, ResourceProviderValue, resource = parse_json(Properties).resource, SubscriptionId, ResourceGroup, OperationNameValue, ActivityStatusValue, ActivitySubstatusValue
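The query above lists individual deletions. As an added example that is not part of the original post, the following variant also watches for diagnostic settings being modified (a setting can be edited to point somewhere else, or to drop categories, without ever being deleted) and summarizes the activity per caller so it can feed a scheduled alert rule. The WRITE operation name is assumed here from the same naming pattern as the DELETE operation shown above; confirm it against the `OperationNameValue` values in your own tenant before relying on it.

```kql
// Added example, not from the original post: detect both deletion and
// modification of diagnostic settings and group the results by caller.
let lookback = 24h;
let watched_ops = dynamic([
    'MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE',
    'MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE'   // assumption: same pattern as the DELETE operation
]);
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue in (watched_ops)
| where ActivityStatusValue == 'Success'            // ignore attempts that were denied or failed
| extend props = parse_json(Properties)
| extend TargetResource = tostring(props.resource)  // the resource whose logging was changed
| extend Action = iff(OperationNameValue endswith '/DELETE', 'deleted', 'modified')
| summarize
    Events    = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    Resources = make_set(TargetResource, 20),       // cap the set so one noisy caller does not bloat the row
    Actions   = make_set(Action)
    by Caller, CallerIpAddress, SubscriptionId, ResourceGroup
| order by LastSeen desc
```

One row per caller, subscription and resource group makes it easy to spot a single identity touching logging on many resources in a short window, which is the pattern worth an alert; a single expected change by a known automation account can be excluded by adding a `where Caller != '<your automation identity>'` filter before the `summarize`.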
