KQL query to find whether there have been more than 10 resource creations by the same user in the past 24 hours

procomix 20 Reputation points
2023-06-06T12:36:01.84+00:00

Dears,

Can I have a KQL query to find whether there have been more than 10 resource creations by the same user in the past 24 hours?

Regards,

Azure Data Explorer

Accepted answer
AirGordon 7,125 Reputation points
2023-06-07T11:03:50.5433333+00:00

    "Resource creation" can be a tricky one to define. A single resource can be multi-faceted.

    If you focus on Deployments and distinct resources, then I think you start getting close to what you want.

    AzureActivity
    | where OperationNameValue == 'MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE'
    | where Level == 'Information'
    | extend props=parse_json(Properties)
    | project TimeGenerated, ResourceGroup, Caller, Resource=tostring(props.resource)
    | summarize DistinctResources=dcount(Resource), Deployments=count() by Caller, Day=bin(TimeGenerated, 1d)
    | sort by Day desc

    [Screenshot: kql results]


1 additional answer

procomix 20 Reputation points
2023-06-07T12:18:32.5533333+00:00

    Dear AirGordon,

    I couldn't find where the threshold for the number of resources is in this query.

    Regards,
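The accepted answer's query reports per-day counts but never applies the "more than 10" threshold the question asks for, which is the point the follow-up raises. The query below is an added example, not code from either participant: it keeps the accepted answer's event selection (deployment writes at Level 'Information', resource name pulled from Properties), restricts the window to the trailing 24 hours with ago(), aggregates per Caller, and keeps only callers above the threshold. The lookback, the threshold of 10, and the use of CorrelationId to count each deployment once (its Start and Success events share an id) are assumptions to tune for your environment.

```kusto
// Added example (not from the thread): callers that created more than
// `threshold` distinct resources via deployments in the last `lookback`.
let lookback = 24h;        // assumption: rolling window requested in the question
let threshold = 10;        // assumption: alert above this many distinct resources
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue == 'MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE'
| where Level == 'Information'
| extend props = parse_json(Properties)
| project TimeGenerated, Caller, ResourceGroup, CorrelationId,
          Resource = tostring(props.resource)
| summarize
    DistinctResources = dcount(Resource),       // what the threshold is applied to
    Deployments       = dcount(CorrelationId),  // one count per deployment, not per event
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated),
    ResourceGroups    = make_set(ResourceGroup, 20)
    by Caller
| where DistinctResources > threshold
| sort by DistinctResources desc
```

Run as a scheduled rule (for example hourly with a 24-hour lookback) the same query yields one row per offending Caller; FirstSeen and LastSeen show whether the creations were a burst or spread across the day, and ResourceGroups gives the triage scope. If you want the per-day table from the accepted answer as well, keep both: that view is useful for baselining what "normal" looks like before fixing the threshold.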


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.