I am attempting to create an Azure Policy which looks out for a certain type of event (Create or Update Security Rule) in the Azure portal's activity log.
A look at the JSON for this event has confirmed that it is of type 'Administrative' and has action 'Microsoft.Network/networkSecurityGroups/securityRules/write', as shown by:
"authorization": {
"action": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
"scope": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxx/securityRules/xxxx"
},
I'm hoping to use these details to distinguish this event from the rest. However, I first need an alias that allows me to access these, and I cannot find the appropriate one among those shown by:
Get-AzPolicyAlias -NamespaceMatch 'microsoft.insights' | select -ExpandProperty Aliases | select -Property Name -ExpandProperty Paths
which gives:
Name Path ApiVersions
---- ---- -----------
Microsoft.Insights/logProfiles/storageAccountId properties.storageAccountId {2016-03-01}
Microsoft.Insights/logProfiles/serviceBusRuleId properties.serviceBusRuleId {2016-03-01}
Microsoft.Insights/logProfiles/locations properties.locations {2016-03-01}
Microsoft.Insights/logProfiles/locations[*] properties.locations[*] {2016-03-01}
Microsoft.Insights/logProfiles/categories properties.categories {2016-03-01}
Microsoft.Insights/logProfiles/categories[*] properties.categories[*] {2016-03-01}
Microsoft.Insights/logProfiles/retentionPolicy properties.retentionPolicy {2016-03-01}
Microsoft.Insights/logProfiles/retentionPolicy.enabled properties.retentionPolicy.enabled {2016-03-01}
Microsoft.Insights/logProfiles/retentionPolicy.days properties.retentionPolicy.days {2016-03-01}
Microsoft.Insights/alertRules/isEnabled properties.isEnabled {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/condition.dataSource.resourceUri properties.condition.dataSource.resourceUri {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/condition.dataSource.metricName properties.condition.dataSource.metricName {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/condition.operator properties.condition.operator {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/condition.threshold properties.condition.threshold {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/condition.windowSize properties.condition.windowSize {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/condition.timeAggregation properties.condition.timeAggregation {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/condition.dataSource.odata.type properties.condition.dataSource.odata.type {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/actions[*].odata.type properties.action.odata.type {2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/actions[*].odata.type properties.actions[*].odata.type {2016-03-01}
Microsoft.Insights/alertRules/actions[*].sendToServiceOwners properties.action.sendToServiceOwners {2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/actions[*].sendToServiceOwners properties.actions[*].sendToServiceOwners {2016-03-01}
Microsoft.Insights/alertRules/actions[*].customEmails properties.action.customEmails {2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/actions[*].customEmails properties.actions[*].customEmails {2016-03-01}
Microsoft.Insights/alertRules/actions[*].customEmails[*] properties.action.customEmails[*] {2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/actions[*].customEmails[*] properties.actions[*].customEmails[*] {2016-03-01}
Microsoft.Insights/alertRules/actions[*].serviceUri properties.action.serviceUri {2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/actions[*].serviceUri properties.actions[*].serviceUri {2016-03-01}
Microsoft.Insights/diagnosticSettings/logs.enabled properties.logs[*].enabled {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/metrics.enabled properties.metrics[*].enabled {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/storageAccountId properties.storageAccountId {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/workspaceId properties.workspaceId {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId properties.eventHubAuthorizationRuleId {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/eventHubName properties.eventHubName {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/metrics[*].retentionPolicy.enabled properties.metrics[*].retentionPolicy.enabled {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/metrics[*].retentionPolicy.days properties.metrics[*].retentionPolicy.days {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/metrics[*].category properties.metrics[*].category {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled properties.logs[*].retentionPolicy.enabled {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days properties.logs[*].retentionPolicy.days {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/logs[*].category properties.logs[*].category {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/ActivityLogAlerts/scopes properties.scopes {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/scopes[*] properties.scopes[*] {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/condition properties.condition {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/condition.allOf properties.condition.allOf {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/condition.allOf[*] properties.condition.allOf[*] {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field properties.condition.allOf[*].field {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals properties.condition.allOf[*].equals {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].containsAny properties.condition.allOf[*].containsAny {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/enabled properties.enabled {2018-09-01, 2017-04-01, 2017-03-01-p…
Kindly help me figure out the correct alias.
I do not believe it is possible to write a policy against activity log events themselves. However, you can use Azure Policy to force activity logs to be routed to an event hub and then write a Function app to monitor and react to these.
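As an added illustration of the event-hub route suggested above (this is not code from the answer or from Microsoft), the core of such a Function app is a filter over each Event Hub message that picks out the Administrative records whose authorization action is the NSG security-rule write or delete from the question. The record layout (a `records` array with `category`, `operationName`, `resultType`, `caller` and `identity.authorization`) is assumed to follow the activity log export schema, and the sample message is constructed.

```python
import json
import re

# NSG security-rule actions to react to, i.e. the action from the
# authorization block shown in the question. Matched case-insensitively
# because the exported operationName is upper-cased.
NSG_RULE_ACTION = re.compile(
    r"^microsoft\.network/networksecuritygroups/securityrules/(write|delete)$",
    re.IGNORECASE,
)

def _auth(record):
    """Authorization block of an exported record (assumed layout: identity.authorization)."""
    return (record.get("identity") or {}).get("authorization") or {}

def find_nsg_rule_changes(event_hub_message):
    """Parse one Event Hub message ({"records": [...]}) and return the
    Administrative records that created, updated or deleted an NSG security rule."""
    hits = []
    for rec in json.loads(event_hub_message).get("records", []):
        if rec.get("category") != "Administrative":
            continue
        # A "Start" record only marks the beginning of the operation; the
        # later Success/Failure record carries the outcome, so report that one.
        if rec.get("resultType") == "Start":
            continue
        auth = _auth(rec)
        action = auth.get("action") or rec.get("operationName") or ""
        if NSG_RULE_ACTION.match(action):
            hits.append({"time": rec.get("time"), "caller": rec.get("caller"),
                         "action": action, "scope": auth.get("scope", ""),
                         "result": rec.get("resultType")})
    return hits

def _rec(result, caller, action, scope):
    """Build one constructed sample record in the assumed export layout."""
    return {"time": "2024-01-01T10:00:00Z", "category": "Administrative",
            "resultType": result, "caller": caller, "operationName": action.upper(),
            "identity": {"authorization": {"action": action, "scope": scope}}}

NSG = "/subscriptions/xxxx/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg1"
WRITE = "Microsoft.Network/networkSecurityGroups/securityRules/write"
DELETE = "Microsoft.Network/networkSecurityGroups/securityRules/delete"
SAMPLE_MESSAGE = json.dumps({"records": [  # constructed sample batch, not real telemetry
    _rec("Start", "alice@example.com", WRITE, NSG + "/securityRules/allow-rdp"),
    _rec("Success", "alice@example.com", WRITE, NSG + "/securityRules/allow-rdp"),
    _rec("Success", "bob@example.com", "Microsoft.Compute/virtualMachines/write",
         "/subscriptions/xxxx/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"),
    _rec("Success", "carol@example.com", DELETE, NSG + "/securityRules/allow-ssh"),
]})
```

In the Function app, `find_nsg_rule_changes` would be called on the body of every Event Hub message, and each returned hit is what you alert on or remediate; running it on `SAMPLE_MESSAGE` yields the completed write and the delete, not the Start record or the VM write.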