let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
| where ScanStatus == "Failed"
| extend timestamp = TimeGenerated
severity: Informational
queryPeriod: 1d
name: AppServices AV Scan Failure
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Failure.yaml
entityMappings:
- fieldMappings:
- columnName: _ResourceId
identifier: AzureID
entityType: Host
version: 1.0.3
id: c2da1106-bfe4-4a63-bf14-5ab73130ccd5
queryFrequency: 1d
triggerThreshold: 1
triggerOperator: gt
query: |
let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
| where ScanStatus == "Failed"
| extend timestamp = TimeGenerated
description: |
'Identifies if an AV scan fails in Azure App Services.'
metadata:
support:
tier: Community
categories:
domains:
- Security - Others
- Platform
author:
name: SecurityJedi
source:
kind: Community
requiredDataConnectors: []
kind: Scheduled
