let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
| where ScanStatus == "Failed"
| extend timestamp = TimeGenerated
kind: Scheduled
triggerThreshold: 1
metadata:
source:
kind: Community
author:
name: SecurityJedi
support:
tier: Community
categories:
domains:
- Security - Others
- Platform
triggerOperator: gt
version: 1.0.3
queryFrequency: 1d
id: c2da1106-bfe4-4a63-bf14-5ab73130ccd5
requiredDataConnectors: []
name: AppServices AV Scan Failure
description: |
'Identifies if an AV scan fails in Azure App Services.'
entityMappings:
- entityType: Host
fieldMappings:
- columnName: _ResourceId
identifier: AzureID
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Failure.yaml
queryPeriod: 1d
severity: Informational
query: |
let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
| where ScanStatus == "Failed"
| extend timestamp = TimeGenerated
