let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
| where ScanStatus == "Failed"
| extend timestamp = TimeGenerated
version: 1.0.3
description: |
'Identifies if an AV scan fails in Azure App Services.'
metadata:
author:
name: SecurityJedi
source:
kind: Community
categories:
domains:
- Security - Others
- Platform
support:
tier: Community
requiredDataConnectors: []
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Failure.yaml
id: c2da1106-bfe4-4a63-bf14-5ab73130ccd5
queryFrequency: 1d
entityMappings:
- fieldMappings:
- columnName: _ResourceId
identifier: AzureID
entityType: Host
severity: Informational
queryPeriod: 1d
name: AppServices AV Scan Failure
query: |
let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
| where ScanStatus == "Failed"
| extend timestamp = TimeGenerated
triggerThreshold: 1
kind: Scheduled
