Query Details

Azure Resource Graph Explorer KQL Change Analysis

Query

//Azure Resource Graph Explorer - KQL Change Analysis
//https://www.linkedin.com/feed/update/urn:li:activity:7171786606188724224/

//Identifying who made a change to your Azure resources during a security investigation and how the change was made just became easier! With Change Analysis, you can now see who initiated the change and with which client that change was made, for changes across all your tenants and subscriptions. You can try it out by querying the “resourcechanges” or “resourcecontainerchanges” tables in Azure Resource Graph. Check out the below article for list of KQL change analysis queries

//Summarization of Resource Changes past 7 days

resourcechanges
| extend changeTime = todatetime (properties.changeAttributes.timestamp), targetResourceId = tostring(properties.targetResourceId), changeType = tostring (properties.changeType), changedBy = tostring(properties.changeAttributes. changedBy), changedByType = properties.changeAttributes.changedByType, clientType = tostring (properties.changeAttributes.clientType)
| where changeTime > ago(7d)
| project changeType, changedBy, changedByType, clientType
| summarize count() by changedBy, changeType, clientType
| order by count_ desc

// MITRE ATT&CK Mapping

// Based on the fields and operations in the KQL query, the following MITRE ATT&CK techniques are relevant:

// T1078 - Valid Accounts:
// The changedBy and changedByType fields can help identify if valid accounts are being used for unauthorized changes.
// T1098 - Account Manipulation:
// The changeType field can indicate if there are changes related to account settings or permissions.
// T1003 - Credential Dumping:
// If the clientType indicates a suspicious client, it might be related to credential dumping activities.
// T1071 - Application Layer Protocol:
// The clientType field can also help identify if unusual protocols are being used for changes.
// T1566 - Phishing:
// If the changedBy field shows unexpected users making changes, it might indicate compromised accounts due to phishing.

Explanation

This query is designed to help you investigate changes made to your Azure resources over the past seven days. It focuses on identifying who made the changes, what type of changes were made, and how they were executed. Here's a simple breakdown of what the query does:

  1. Data Extraction: It pulls data from the resourcechanges table, focusing on the time of change, the resource affected, the type of change, who made the change, and the client used to make the change.

  2. Time Filter: It filters the data to only include changes that occurred in the last seven days.

  3. Data Projection: It selects specific fields to display: the type of change, who made the change, the type of user who made the change, and the client used.

  4. Summarization: It counts the number of changes grouped by who made the change, the type of change, and the client used.

  5. Ordering: It sorts the results by the number of changes, in descending order, to highlight the most frequent changes.

Additionally, the query is mapped to relevant MITRE ATT&CK techniques to provide context for potential security threats, such as unauthorized account usage, account manipulation, credential dumping, unusual protocols, and phishing activities. This mapping helps in understanding the security implications of the changes detected.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

resourcechanges

Keywords

AzureResourcesSecurityInvestigationChangeAnalysisResourceChangesTenantsSubscriptionsResourcechangesResourcecontainerchangesTimestampTargetResourceIdChangeTypeChangedByChangedByTypeClientTypeMITREATT&CKValidAccountsAccountManipulationCredentialDumpingApplicationLayerProtocolPhishing

Operators

extendtodatetimetostringwhereagoprojectsummarizebyorder bydesc

Actions

GitHub