Anomalies Anomalous User App Activities In Azure Audit Logs
Query
Anomalies
| where RuleName endswith "Anomalous user/app activities in Azure audit logs" and RuleStatus != "Flighting"
| extend
Query = ExtendedLinks[0]["DetailBladeInputs"]
| project
TimeGenerated,
RuleName,
Description,
Query,
UserPrincipalName,
Score,
AnomalyDetails,
Entities,
Tactics,
Techniques,
ExtendedLinksExplanation
This query is looking for anomalies related to user or app activities in Azure audit logs. It filters out any anomalies that are in the "Flighting" status. It then extends the query to include the details of the first link in the ExtendedLinks array. Finally, it projects specific columns including the time generated, rule name, description, query, user principal name, score, anomaly details, entities, tactics, techniques, and extended links.
Details

Jose Sebastián Canós
Released: December 15, 2022
Tables
Anomalies
Keywords
AnomaliesRuleNameRuleStatusQueryTimeGeneratedDescriptionUserPrincipalNameScoreAnomalyDetailsEntitiesTacticsTechniquesExtendedLinks
Operators
whereendswith!=extend[0]["DetailBladeInputs"]project