Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
944 questions
AZT508 - Azure Policy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 2%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETH%3C/text%3E%3C/svg%3E)
Tomáš Hrabkovský
0
Reputation points
Hello all :)
I have designed the following simple KQL query to monitor for potential misuse of the DeployIfNotExists effect by detecting policy definition updates:
AzureActivity
| where OperationNameValue == 'MICROSOFT.AUTHORIZATION/POLICYDEFINITIONS/WRITE'
| where ActivityStatusValue == "Success"
| extend CallerList = split(Caller, '@')
| project
TimeGenerated,
SubscriptionId,
Caller,
CallerIpAddress,
_ResourceId,
Name = CallerList[0],
UPNSUffix = CallerList[1]
My goal is to detect attempts to exploit the automated deployment mechanism by monitoring successful updates to policy definitions. Could you confirm if this query is sufficient for monitoring such activities, or would you recommend additional logic or enhancements?
For example, is it necessary to correlate these updates with subsequent deployments or include additional filtering criteria to improve detection? Thank you in advance for your guidance!
Source: https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT508/AZT508/
Thank you :)
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 20%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
Pranay Reddy Madireddy 1,395 Reputation points Microsoft Vendor2025-01-13T17:12:52.2166667+00:00 Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
Your KQL query helps track possible misuse of the DeployIfNotExists effect by finding updates to policy definitions. It checks for successful updates and collects details like the caller, their IP address, and the resource ID.
To improve the query, you can add more filters or logic to make detection better. For example, you could link policy updates with later deployments to spot possible misuse of the DeployIfNotExists effect. You could also focus the results on specific policy definitions or resource types.
Here are some extra filters you can add to your query:
| where PolicyDefinitionName == "YourPolicyDefinitionName"
Filter by resource type:
| where ResourceProvider == "Microsoft.Compute" and ResourceTypeName == "virtualMachines"
For reference, please review this documentation:-
https://zcusa.951200.xyz/en-us/azure/azure-monitor/reference/queries/azureactivity
https://zcusa.951200.xyz/en-us/azure/azure-monitor/logs/log-query-overview
https://www.geeksforgeeks.org/how-to-export-definitions-in-an-azure-initiative-policy-to-csv-file/
https://stackoverflow.com/questions/77090556/get-azure-policy-mcas-effect-with-kqlIf you have any further queries, do let us know.
If the answer is helpful, please and "Upvote it".
-
Pranay Reddy Madireddy 1,395 Reputation points Microsoft Vendor
2025-01-15T07:31:27.7333333+00:00 Hi Tomáš Hrabkovský
If you had a chance to see my answer to your question. If it was helpful, please click "Upvote" and "accept answer "on my post let us know Thank you...!
Sign in to comment
Sign in to answer