let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
| where ScanStatus == "Failed"
| extend timestamp = TimeGenerated
requiredDataConnectors: []
queryFrequency: 1d
id: c2da1106-bfe4-4a63-bf14-5ab73130ccd5
entityMappings:
- fieldMappings:
- columnName: _ResourceId
identifier: AzureID
entityType: Host
version: 1.0.3
query: |
let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
| where ScanStatus == "Failed"
| extend timestamp = TimeGenerated
metadata:
categories:
domains:
- Security - Others
- Platform
support:
tier: Community
author:
name: SecurityJedi
source:
kind: Community
description: |
'Identifies if an AV scan fails in Azure App Services.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Failure.yaml
triggerThreshold: 1
queryPeriod: 1d
triggerOperator: gt
name: AppServices AV Scan Failure
severity: Informational
kind: Scheduled
