updating logic to new fields OperationNameValue

2021-09-17 18:18:33 -07:00 · 2021-09-17 18:18:33 -07:00 · b6067f45cc
--- a/Code/AzureSentinel-ManagementAPICsharp/AzureSentinel_ManagementAPI/Templates/ScheduledAlertRulePayload/ScheduledAlertRulePayload.json
+++ b/Code/AzureSentinel-ManagementAPICsharp/AzureSentinel_ManagementAPI/Templates/ScheduledAlertRulePayload/ScheduledAlertRulePayload.json
@ -10,7 +10,7 @@
        "Persistence",
        "LateralMovement"
      ],
-      "query": "AzureActivity | where isnotempty(OperationName)",
+      "query": "AzureActivity | where isnotempty(OperationNameValue)",
      "queryFrequency": "PT1H",
      "queryPeriod": "P2DT1H30M",
      "triggerOperator": "GreaterThan",
--- a/Workbooks/AzureActivity.json
+++ b/Workbooks/AzureActivity.json
@ -180,7 +180,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationName contains \"Delete\"), creations = countif(OperationName contains \"Create\"), updates = countif(OperationName contains \"Update\"), Activities = count(OperationName) by bin_at(TimeGenerated, 1h, now())\r\n",
+        "query": "AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationNameValue endswith \"delete\"), creations = countif(OperationNameValue endswith \"write\"), updates = countif(OperationNameValue endswith \"write\"), Activities = count(OperationNameValue) by bin_at(TimeGenerated, 1h, now())\r\n",
        "size": 0,
        "exportToExcelOptions": "visible",
        "title": "Activities over time",
@ -202,7 +202,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationName contains \"Delete\"), creations = countif(OperationName contains \"Create\"), updates = countif(OperationName contains \"Update\"), Activities = count() by Caller\r\n",
+        "query": "AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationNameValue endswith \"Delete\"), creations = countif(OperationNameValue endswith \"write\"), updates = countif(OperationNameValue endswith \"write\"), Activities = count() by Caller\r\n",
        "size": 1,
        "exportToExcelOptions": "visible",
        "title": "Caller activities",