Azure Data Explorer
An Azure data analytics service for real-time analysis on large volumes of data streaming from sources including applications, websites, and internet of things devices.
Dears,
Can I have a KQL query to find if there are more than 10 resource creations by the same user in the past 24 hours?
Regards,
"Resource creation" can be a tricky one to define. A single resource can be multi-faceted.
If you focus on Deployments and distinct resources, then I think you start getting close to what you want.
AzureActivity
| where OperationNameValue == 'MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE'
| where Level == 'Information'
| extend props=parse_json(Properties)
| project TimeGenerated, ResourceGroup, Caller, Resource=tostring(props.resource)
| summarize DistinctResources=dcount(Resource), Deployments=count() by Caller, Day=bin(TimeGenerated, 1d)
| sort by Day desc
Dear AirGordon,
I couldn't find where the threshold for number of resources is found in this query.
Regards,
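One way to apply the question's 24-hour window and 10-resource threshold to the query in the answer, as an added example that is not part of the original thread. The `Sample` table, the `mk` helper and the caller names are constructed so the query runs without a workspace; replace `Sample` with `AzureActivity` to run it against real data.

```kusto
let lookback = 24h;    // window taken from the question
let threshold = 10;    // "more than 10" taken from the question
// Hypothetical helper: builds n constructed deployment events for one caller,
// spaced stepHours apart, each naming a different resource.
let mk = (caller:string, n:long, stepHours:long) {
    range i from 1 to n step 1
    | project TimeGenerated = now() - i * stepHours * 1h,
              Caller = caller,
              ResourceGroup = 'rg-demo',
              OperationNameValue = 'MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE',
              Level = 'Information',
              Properties = strcat('{"resource":"res-', i, '"}')
};
// Constructed rows standing in for AzureActivity (not real log data):
//   alice: 12 deployments, all inside the window
//   bob:    3 deployments inside the window
//   carol: 12 deployments spread over 36 hours, so only some fall inside it
let Sample = union
    mk('alice@contoso.example', 12, 1),
    mk('bob@contoso.example', 3, 1),
    mk('carol@contoso.example', 12, 3);
Sample
| where TimeGenerated > ago(lookback)            // the 24-hour window
| where OperationNameValue == 'MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE'
| where Level == 'Information'
| extend props = parse_json(Properties)
| extend Resource = tostring(props.resource)
| summarize DistinctResources = dcount(Resource),
            Deployments = count(),
            ResourceGroups = make_set(ResourceGroup, 50),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Caller
| where DistinctResources > threshold            // the threshold the follow-up asks about
| sort by DistinctResources desc
```

Summarizing by `Caller` alone over `ago(24h)` gives a rolling 24-hour count; the answer's `bin(TimeGenerated, 1d)` groups by calendar day instead, which can split one burst of activity across two days.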