{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "String"
},
"location": {
"type": "String"
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "AuditSentinelAnalytics",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"properties": {
"etag": "*",
"displayName": "AuditSentinelAnalytics",
"category": "Security",
"FunctionAlias": "AuditSentinelAnalytics",
"query": "_SentinelAudit() | where SentinelResourceType ==\"Analytic Rule\" and Description == \"Create or update analytics rule.\" | extend SentinelResourceId = tostring(ExtendedProperties.ResourceId) | project TimeGenerated, SentinelResourceName, Status, Description, SentinelResourceKind, ExtendedProperties | extend query_ = tostring(parse_json(tostring(parse_json(tostring(ExtendedProperties.UpdatedResourceState)).properties)).query) | extend CallerName_ = tostring(ExtendedProperties.CallerName) | extend CallerIpAddress_ = tostring(ExtendedProperties.CallerIpAddress) | summarize arg_max(TimeGenerated,*) by query_, CallerIpAddress_, CallerName_, SentinelResourceName | project TimeGenerated, CallerName_, CallerIpAddress_,SentinelResourceName, query_ | order by SentinelResourceName",
"version": 1
}
}
]
}
]
}