From d87febd45bd0f71f195e514fbb2d87625061795b Mon Sep 17 00:00:00 2001
From: t-shaviv <57748962+t-shaviv@users.noreply.github.com>
Date: Wed, 12 May 2021 14:07:55 +0300
Subject: [PATCH] fixed anomalous

---
 .../Anomalous_Listing_Of_Storage_Keys.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Hunting Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml b/Hunting Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml
index 02004711304..c2516af067d 100644
--- a/Hunting Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml
+++ b/Hunting Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml
@@ -22,18 +22,18 @@ query: |
   let timeframe = 7d;
   AzureActivity
   | where TimeGenerated >= ago(timeframe)
-  | where OperationName == "List Storage Account Keys"
-  | where ActivityStatus == "Succeeded"
+  | where OperationNameValue == "List Storage Account Keys"
+  | where ActivityStatusValue == "Succeeded"
   | join kind= inner (
   AzureActivity
   | where TimeGenerated >= ago(timeframe)
-  | where OperationName == "List Storage Account Keys"
-  | where ActivityStatus == "Succeeded"
+  | where OperationNameValue == "List Storage Account Keys"
+  | where ActivityStatusValue == "Succeeded"
   | project ExpectedIpAddress=CallerIpAddress, Caller
   | evaluate autocluster()
   ) on Caller
   | where CallerIpAddress != ExpectedIpAddress
-  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationName, Caller, CallerIpAddress
+  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress
   | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
 
 entityMappings:
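Review bot: The four renamed filter lines switch to the `OperationNameValue` / `ActivityStatusValue` columns but keep the values that belonged to the legacy `OperationName` / `ActivityStatus` columns, so the query is likely to match nothing: in the AzureActivity diagnostic-settings schema `ActivityStatusValue` carries `Success`/`Failure` rather than `Succeeded`, and `OperationNameValue` carries the resource-provider operation identifier (for this operation, the `Microsoft.Storage/storageAccounts/listKeys/action` form) rather than the localized display name that `OperationName` still holds — confirm against live data before merging, because a hunting query that silently returns zero rows is a detection gap that no alert will ever surface. If that holds, both pairs of filters become `| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"` and `| where ActivityStatusValue =~ "Success"`, using `=~` since the casing of these values has not been stable across schema versions. Separately, the summarize line keeps the deprecated `makeset()`; `make_set(ResourceId)` is the current function name. The enclosing `query:` block scalar starts above the hunk.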