let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
| where ScanStatus == "Failed"
| extend timestamp = TimeGenerated
requiredDataConnectors: []
name: AppServices AV Scan Failure
queryFrequency: 1d
triggerThreshold: 1
severity: Informational
metadata:
support:
tier: Community
categories:
domains:
- Security - Others
- Platform
source:
kind: Community
author:
name: SecurityJedi
query: |
let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
| where ScanStatus == "Failed"
| extend timestamp = TimeGenerated
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Failure.yaml
version: 1.0.3
entityMappings:
- fieldMappings:
- columnName: _ResourceId
identifier: AzureID
entityType: Host
queryPeriod: 1d
triggerOperator: gt
id: c2da1106-bfe4-4a63-bf14-5ab73130ccd5
kind: Scheduled
description: |
'Identifies if an AV scan fails in Azure App Services.'
