cloudflare/Azure-Sentinel

// Name: Creation of an anomalous number of resources
//
// Id: a09e6368-065b-4f1e-a4ce-b1b3a64b493b
//
// Description: looks for anomalous number of resources creation or deployment activities in azure activity log.
// It is best to run this query on a look back period which is at least 7 days.
//
// DataSource: #AzureActivity
//
// Tactics: #Execution, #Impact
//
AzureActivity
| where TimeGenerated >= ago(7d)
| where OperationName == "Create or Update Virtual Machine" or OperationName == "Create Deployment" 
| where ActivityStatus == "Succeeded" 
| make-series dcount(ResourceId)  default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
| render timechart