AzureActivity
| where OperationNameValue contains "Microsoft.SecurityInsights/dataConnectors/"
| where ActivityStatusValue == "Succeeded"
| project OperationNameValue, Caller, CallerIpAddress, ActivityStatusValue, ActivitySubstatusValue, ResourceGroup, Properties, ResourceId, TimeGenerated
| sort by TimeGenerated desc
| extend Account = Caller
triggerOperator: gt
kind: Scheduled
description: |
'This alert is designed to monitor data connector configurations. This alert is triggered when a data connector is added, updated, or deleted.'
version: 1.0.0
id: eeb11b6b-e626-4228-b74d-3e730dca8999
name: M2131_DataConnectorAddedChangedRemoved
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Analytic Rules/M2131DataConnectorAddedChangedRemoved.yaml
queryFrequency: 1d
status: Available
query: |
AzureActivity
| where OperationNameValue contains "Microsoft.SecurityInsights/dataConnectors/"
| where ActivityStatusValue == "Succeeded"
| project OperationNameValue, Caller, CallerIpAddress, ActivityStatusValue, ActivitySubstatusValue, ResourceGroup, Properties, ResourceId, TimeGenerated
| sort by TimeGenerated desc
| extend Account = Caller
triggerThreshold: 0
queryPeriod: 14d
requiredDataConnectors: []
relevantTechniques:
- T1082
entityMappings:
- fieldMappings:
- identifier: ResourceId
columnName: ResourceId
entityType: AzureResource
severity: Medium
tactics:
- Discovery
