fixed anomalous

Azure · May 12, 2021 · d87febd · d87febd
1 parent 7ae3296
commit d87febd
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/Hunting Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml b/Hunting Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml
@@ -22,18 +22,18 @@ query: |
   let timeframe = 7d;
   AzureActivity
   | where TimeGenerated >= ago(timeframe)
-  | where OperationName == "List Storage Account Keys"
-  | where ActivityStatus == "Succeeded" 
+  | where OperationNameValue == "List Storage Account Keys"
+  | where ActivityStatusValue == "Succeeded" 
   | join kind= inner (
       AzureActivity
       | where TimeGenerated >= ago(timeframe)
-      | where OperationName == "List Storage Account Keys"
-      | where ActivityStatus == "Succeeded" 
+      | where OperationNameValue == "List Storage Account Keys"
+      | where ActivityStatusValue == "Succeeded" 
       | project ExpectedIpAddress=CallerIpAddress, Caller 
       | evaluate autocluster()
   ) on Caller 
   | where CallerIpAddress != ExpectedIpAddress
-  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationName, Caller, CallerIpAddress
+  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress
   | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
 
 entityMappings: