M2131_DataConnectorAddedChangedRemoved

AzureActivity
| where OperationNameValue contains "Microsoft.SecurityInsights/dataConnectors/"
| where ActivityStatusValue == "Succeeded"
| project OperationNameValue, Caller, CallerIpAddress, ActivityStatusValue, ActivitySubstatusValue, ResourceGroup, Properties, ResourceId, TimeGenerated
| sort by TimeGenerated desc
| extend Account = Caller

kind: Scheduled
requiredDataConnectors: []
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Analytic Rules/M2131DataConnectorAddedChangedRemoved.yaml
entityMappings:
- entityType: AzureResource
  fieldMappings:
  - columnName: ResourceId
    identifier: ResourceId
severity: Medium
version: 1.0.0
name: M2131_DataConnectorAddedChangedRemoved
relevantTechniques:
- T1082
tactics:
- Discovery
triggerOperator: gt
id: eeb11b6b-e626-4228-b74d-3e730dca8999
query: |
  AzureActivity
  | where OperationNameValue contains "Microsoft.SecurityInsights/dataConnectors/"
  | where ActivityStatusValue == "Succeeded"
  | project OperationNameValue, Caller, CallerIpAddress, ActivityStatusValue, ActivitySubstatusValue, ResourceGroup, Properties, ResourceId, TimeGenerated
  | sort by TimeGenerated desc
  | extend Account = Caller  
description: |
    'This alert is designed to monitor data connector configurations. This alert is triggered when a data connector is added, updated, or deleted.'
queryFrequency: 1d
triggerThreshold: 0
status: Available