Update NRT_KeyVaultSensitiveOperations.yaml

Azure · Mar 30, 2023 · 0d5ec5d · 0d5ec5d
1 parent 03217a7
commit 0d5ec5d
Showing 1 changed file with 12 additions and 12 deletions.
diff --git a/Solutions/Azure Key Vault/Analytic Rules/NRT_KeyVaultSensitiveOperations.yaml b/Solutions/Azure Key Vault/Analytic Rules/NRT_KeyVaultSensitiveOperations.yaml
@@ -17,23 +17,23 @@ query: |
   let SensitiveOperationList = dynamic(
   ["VaultDelete", "KeyDelete", "SecretDelete", "SecretPurge", "KeyPurge", "SecretBackup", "KeyBackup"]);
   AzureDiagnostics
-  | extend ResultType = column_ifexists("ResultType", "NoResultType")
-  | extend requestUri_s = column_ifexists("requestUri_s", "None"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists("identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g", "None")
-  | extend id_s = column_ifexists("id_s", "None"), CallerIPAddress = column_ifexists("CallerIPAddress", "None"), clientInfo_s = column_ifexists("clientInfo_s", "None")
-  | where ResultType !~ "None" and isnotempty(ResultType)
-  | where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ "None" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)
-  | where id_s !~ "None" and isnotempty(id_s)
-  | where CallerIPAddress !~ "None" and isnotempty(CallerIPAddress)
-  | where clientInfo_s !~ "None" and isnotempty(clientInfo_s)
-  | where requestUri_s !~ "None" and isnotempty(requestUri_s)
   | where ResourceType =~ "VAULTS" and ResultType =~ "Success"
   | where OperationName in~ (SensitiveOperationList)
-  | summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=make_list(TimeGenerated,10000),OperationNameList=make_set(OperationName,10000), RequestURLList=make_set(requestUri_s,10000), CallerIPList = make_set(CallerIPAddress,10000),  CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s
+  | extend ResultType = column_ifexists("ResultType", "NoResultType"), 
+  requestUri_s = column_ifexists("requestUri_s", "None"), 
+  identity_claim_oid_g = column_ifexists("identity_claim_oid_g", "None"), CallerIPAddress = column_ifexists("CallerIPAddress", "None"), 
+  clientInfo_s = column_ifexists("clientInfo_s", "None"), 
+  identity_claim_upn_s = column_ifexists("identity_claim_upn_s", "None")
+  | summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=make_list(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress),  CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, identity_claim_upn_s, clientInfo_s
+  | extend timestamp = StartTimeUtc
+  | extend Name = tostring(split(identity_claim_upn_s,'@',0)[0]), UPNSuffix = tostring(split(identity_claim_upn_s,'@',1)[0])
 entityMappings:
   - entityType: Account
     fieldMappings:
-      - identifier: ObjectGuid
-        columnName: identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g
+      - identifier: Name
+        columnName: Name
+      - identifier: UPNSuffix
+        columnName: UPNSuffix
   - entityType: IP
     fieldMappings:
       - identifier: Address