
Task 04: Run a KQL query

Description

This task focuses on executing a Kusto Query Language (KQL) query to identify missing configurations in the SAP audit log monitoring setup. You’ll switch to KQL mode in the Logs workspace and run a pre-defined query that detects gaps in the dynamic security audit log monitor: message IDs that occur in the SAP audit log (SAPAuditLog) but are not selected in the monitor configuration (SAPAuditLogConfiguration). The query results show which message IDs are not being tracked, from which systems and clients they came, and when each was last seen.

Success criteria

  • KQL mode is enabled and the query is executed.
  • Query results are reviewed for missing configurations.
  • Key fields such as MissingMessageID, ComingFromSystemID, ClientID and LastSeenMessageOn are interpreted.

Learning resources

Key tasks

  1. In the upper right of the new query tab, switch from Simple mode to KQL mode, then paste the following query into line 1 of the query editor.

     let MissingMessagesinSystems = SAPAuditLog
         | where MessageID <> "RZ 792"
         | summarize LastSeenMessageOn = arg_max(TimeGenerated, MessageID) by MessageID, SystemID, ClientID
         | join kind = leftanti (SAPAuditLogConfiguration(SelectedSeverities = dynamic(["All Severities"])) | summarize by MessageID) on MessageID
         | project-keep LastSeenMessageOn, MessageID, SystemID, ClientID
         | project-rename MissingMessageID = MessageID, ComingFromSystemID = SystemID
         | extend Dummy = 1;
     let MissingSummary = MissingMessagesinSystems
         | summarize ComingFromSystemIDs = make_set(ComingFromSystemID), MissingMessageIDs = make_set(MissingMessageID)
         | extend ComingFromSystemIDs = iff(array_length(ComingFromSystemIDs) > 1, strcat('Systems ', strcat_array(ComingFromSystemIDs, ", ")), strcat('System ', strcat_array(ComingFromSystemIDs, ", ")))
         | extend MissingMessageIDs = iff(array_length(MissingMessageIDs) > 1, strcat('Message IDs ', strcat_array(MissingMessageIDs, ", "), " have occurred in "), strcat('Message ID ', strcat_array(MissingMessageIDs, ", "), " has occurred in "))
         | extend Dummy = 1;
     MissingMessagesinSystems
         | join kind = inner MissingSummary on Dummy
         | project-away Dummy, Dummy1
         | extend AlertRuleUniqueName = 'missingconfigurationinthedynamicsecurityauditlogmonitor'
    
  2. Select Run to run this query.

    The results list, per SAP system and client, the audit log message IDs that have been seen in SAPAuditLog but are not selected in the dynamic security audit log monitor configuration, together with the time each was last seen. The join of kind leftanti keeps only the message IDs that have no match in the configuration; RZ 792 is excluded up front. An empty result means every message ID seen in the log is already covered by the monitor.

  3. Select the dropdown arrow on the first line item (FU1) to expand the row and view its fields.

Fields:

LastSeenMessageOn: The most recent TimeGenerated at which this message ID was seen for the given system and client.
MissingMessageID: The SAP audit log message ID that occurred but is not selected in the dynamic security audit log monitor configuration.
ComingFromSystemID: The SAP system ID the message came from.
ClientID: The SAP client in which the message occurred.
ComingFromSystemIDs: A summary string, repeated on every row, listing all systems with missing message IDs (e.g. "Systems FU1, PR1").
MissingMessageIDs: A summary string, repeated on every row, listing all missing message IDs.
AlertRuleUniqueName: The constant 'missingconfigurationinthedynamicsecurityauditlogmonitor', identifying the rule this query belongs to.
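To see what the leftanti join and the summary columns produce, the following added Python simulation replays the query's logic over a constructed sample of SAPAuditLog rows and a constructed set of configured message IDs. It is example code written for this page, not Sentinel or SAP solution code; the sample rows, the system IDs FU1 and PR1, and the configured set {AU1, AU2, AUW} are assumptions standing in for the SAPAuditLog table and the SAPAuditLogConfiguration function. Unlike KQL's make_set(), the simulation sorts the summary sets so the output is deterministic.

```python
from datetime import datetime

# Constructed sample of SAPAuditLog rows (hypothetical data, not real SAP output).
SAMPLE_AUDIT_LOG = [
    {"TimeGenerated": "2024-05-01T08:00:00Z", "MessageID": "AU1", "SystemID": "FU1", "ClientID": "100"},
    {"TimeGenerated": "2024-05-01T09:30:00Z", "MessageID": "AU1", "SystemID": "FU1", "ClientID": "100"},
    {"TimeGenerated": "2024-05-01T10:00:00Z", "MessageID": "AUM", "SystemID": "FU1", "ClientID": "100"},
    {"TimeGenerated": "2024-05-02T07:15:00Z", "MessageID": "AUM", "SystemID": "PR1", "ClientID": "200"},
    {"TimeGenerated": "2024-05-02T11:45:00Z", "MessageID": "BU4", "SystemID": "PR1", "ClientID": "200"},
    {"TimeGenerated": "2024-05-02T12:00:00Z", "MessageID": "RZ 792", "SystemID": "PR1", "ClientID": "200"},
]

# Constructed stand-in for: SAPAuditLogConfiguration(SelectedSeverities=dynamic(["All Severities"])) | summarize by MessageID
CONFIGURED_MESSAGE_IDS = {"AU1", "AU2", "AUW"}

EXCLUDED_MESSAGE_ID = "RZ 792"
ALERT_RULE_UNIQUE_NAME = "missingconfigurationinthedynamicsecurityauditlogmonitor"


def find_missing_messages(audit_log, configured_ids):
    """Mirror the MissingMessagesinSystems part of the query: last-seen time per
    (MessageID, SystemID, ClientID), then a leftanti join against the configured
    IDs, i.e. keep only rows whose MessageID is NOT in the configuration."""
    last_seen = {}
    for row in audit_log:
        if row["MessageID"] == EXCLUDED_MESSAGE_ID:  # where MessageID <> "RZ 792"
            continue
        key = (row["MessageID"], row["SystemID"], row["ClientID"])
        ts = datetime.fromisoformat(row["TimeGenerated"].replace("Z", "+00:00"))
        if key not in last_seen or ts > last_seen[key]:  # arg_max(TimeGenerated, ...)
            last_seen[key] = ts
    missing = []
    for (mid, sid, cid), ts in sorted(last_seen.items()):
        if mid in configured_ids:
            continue  # leftanti: drop rows that matched the configuration
        missing.append({
            "LastSeenMessageOn": ts.isoformat(),
            "MissingMessageID": mid,       # project-rename MessageID
            "ComingFromSystemID": sid,     # project-rename SystemID
            "ClientID": cid,
        })
    return missing


def summarize(missing):
    """Mirror MissingSummary: make_set() of systems and IDs, rendered as the
    'System(s) ...' and 'Message ID(s) ... ha(s|ve) occurred in ' strings."""
    systems = sorted({m["ComingFromSystemID"] for m in missing})
    ids = sorted({m["MissingMessageID"] for m in missing})
    sys_text = ("Systems " if len(systems) > 1 else "System ") + ", ".join(systems)
    if len(ids) > 1:
        ids_text = "Message IDs " + ", ".join(ids) + " have occurred in "
    else:
        ids_text = "Message ID " + ", ".join(ids) + " has occurred in "
    return {"ComingFromSystemIDs": sys_text, "MissingMessageIDs": ids_text}


def run_query(audit_log, configured_ids):
    """Final stage: inner join on the constant Dummy column attaches the same
    summary to every detail row, then AlertRuleUniqueName is added."""
    missing = find_missing_messages(audit_log, configured_ids)
    if not missing:
        return []  # nothing missing: the monitor covers every observed message ID
    summary = summarize(missing)
    return [dict(m, **summary, AlertRuleUniqueName=ALERT_RULE_UNIQUE_NAME) for m in missing]


if __name__ == "__main__":
    for row in run_query(SAMPLE_AUDIT_LOG, CONFIGURED_MESSAGE_IDS):
        print(row)
```

With the sample data, AU1 is dropped because it is configured and RZ 792 is excluded, leaving AUM (from FU1 and PR1) and BU4 (from PR1) as the missing message IDs; adding AUM and BU4 to the configured set makes the result empty, which is the state the monitor configuration should reach.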