For the purposes of alerting when something has happened concerning a public IP, for example, a Public IP address was associated with a resource (NIC, Load Balancer, etc.), shouldn't this work?

AzureActivity
| where OperationNameValue == @"Microsoft.Network/publicIPAddresses/join/action"

It is the literal definition from MS, here:

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/virtual-network-public-ip-address

Microsoft.Network/publicIPAddresses/join/action - Associate a public IP address to a resource

but the event (me, associating a public IP to a VM's NIC) shows up under "Microsoft.Network/networkInterfaces/write".

My question is, what is the Operation that I need to evaluate for if I want to see if a Public IP was associated/disassociated with a resource (regardless of the resource)?

Ideally not just associations and disassociations, but also creation, deletion, etc.

These do seem to work:

@"Microsoft.Network/publicIPAddresses/read", @"Microsoft.Network/publicIPAddresses/write", @"Microsoft.Network/publicIPAddresses/delete" - but I care most about associations and disassociations.

Thanks!

UPDATE TO THIS ISSUE: After some digging and speaking with Azure support, my original thought of using:

Microsoft.Network/publicIPAddresses/join/action

won't work, because it's not an alertable action!

https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations


To accomplish alerting in Sentinel/Log analytics for an operation where a public IP has been associated or disassociated from a resource, let's say a VM, the alert has to target:

Microsoft.Network/networkInterfaces/write

Essentially, the public IP association/disassociation is a "write" operation that is resource-dependent, so you have to look at the operation name that corresponds to the resource you can actually associate/disassociate a public IP with:

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#at-a-glance

I will update this thread with an actual kql query that can be used as a baseline later on.

Rakim
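A baseline Sentinel / Log Analytics query for the detection described in the update above, added here as an example; it is not the poster's promised query and not from Microsoft. It assumes the standard AzureActivity schema in Log Analytics (OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ResourceGroup, _ResourceId) and extends the NIC case to the other resource types the "at a glance" page lists as able to carry a public IP (load balancer, NAT gateway, application gateway, VPN gateway, firewall, bastion); trim that list to what your subscription actually uses.

```kusto
// Added example, not the poster's own query. Assumes the default AzureActivity
// column names in Log Analytics; adjust if your workspace uses the legacy schema.
let lookback = 1h;
// Lifecycle of the public IP resource itself: create/update and delete.
let pipOps = dynamic([
    "Microsoft.Network/publicIPAddresses/write",
    "Microsoft.Network/publicIPAddresses/delete"
]);
// Resources a public IP can be attached to. The association/disassociation is
// recorded as a write on the *owning* resource, not as publicIPAddresses/join/action.
let attachOps = dynamic([
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/loadBalancers/write",
    "Microsoft.Network/natGateways/write",
    "Microsoft.Network/applicationGateways/write",
    "Microsoft.Network/virtualNetworkGateways/write",
    "Microsoft.Network/azureFirewalls/write",
    "Microsoft.Network/bastionHosts/write"
]);
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue in~ (pipOps) or OperationNameValue in~ (attachOps)
// Each ARM operation logs a Start record and a Success/Failure record;
// alert only on completed operations so a denied attempt does not page you twice.
| where ActivityStatusValue in~ ("Success", "Succeeded")
| extend EventClass = iff(OperationNameValue in~ (pipOps),
                          "PublicIP lifecycle",
                          "Write on PublicIP-capable resource")
| project TimeGenerated, EventClass, OperationNameValue, Caller, CallerIpAddress,
          ResourceGroup, _ResourceId
| order by TimeGenerated desc
```

Two caveats when you turn this into an analytics rule. First, networkInterfaces/write fires on every NIC change (tags, DNS settings, NSG attachment, IP configuration edits), so the rule is noisy; treat a hit as a trigger to inspect the NIC's current ipConfigurations (for example with Azure Resource Graph) rather than as proof that a public IP was attached. Second, the AzureActivity record for the write does not reliably tell you which public IP, if any, was added or removed, so if you need that detail you have to get it from the resource state after the event, not from the activity log line itself.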