
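# Sentinel hunting query: surfaces create/update and delete operations on
# Azure Sentinel data connectors recorded in AzureActivity. Changing or
# removing a connector interrupts log ingestion, so these events are worth
# reviewing even when the caller is a legitimate administrator.
id: 17201aa8-0916-4078-a020-7ea3a9262889
name: Azure Sentinel Connectors Administrative Operations
description: |
  'Identifies set of Azure Sentinel Data Connectors administrative operational detection queries for hunting activities'
severity: Low
requiredDataConnectors:
  - connectorId: AzureActivity
    dataTypes:
      - AzureActivity
tactics:
  - Impact
# NOTE(review): T1496 is Resource Hijacking; tampering with data connectors
# reads closer to Defense Evasion / T1562.001 (Impair Defenses) — confirm the
# intended mapping before relying on it for tactic-based triage.
relevantTechniques:
  - T1496
query: |
  // Resource-provider operations that create/update or delete a connector.
  let opValues = dynamic(["Microsoft.SecurityInsights/dataConnectors/write", "Microsoft.SecurityInsights/dataConnectors/delete"]);
  // Azure Sentinel Data Connectors Update / Delete
  AzureActivity
  // `in` is case-sensitive; use `in~` if OperationNameValue casing proves
  // inconsistent in your workspace.
  | where OperationNameValue in (opValues)
  // Only successful outcomes are kept; failed/denied attempts are excluded.
  | where ActivitySubstatusValue in ("Created", "OK")
  | sort by TimeGenerated desc
  // Caller and CallerIpAddress feed the Account and IP entity mappings below.
  | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity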