How to create an alert for azure storage account if there is data action permissions assigned to a custom role or a built in role


How can I create an alert using a Kusto query when an Azure RBAC role (custom or built-in role) is assigned with a data action permission for an Azure storage account?

AzureActivity
// OperationNameValue holds the operation id; OperationName is the display name ("Create role assignment")
| where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
| extend Properties = parse_json(Properties)
| where Properties.targetResource.id contains "storageAccounts"
// use the parsed Properties column consistently (the table's Properties_d column is the same data already parsed)
| where Properties.responseBody contains "dataActions" or Properties.responseBody contains "notDataActions"
| project TimeGenerated,
    PrincipalType = Properties.requestBody.properties.principalType,
    PrincipalName = Properties.requestBody.properties.principalName,
    RoleDefinitionName = Properties.requestBody.properties.roleDefinitionName,
    Scope = Properties.scope,
    Resource = Properties.targetResource

1 Answer

RithwikBojja answered:

AFAIK, there is no logging of data actions in Azure Activity; you can get the logs about the role assignment, but not the data actions in it.

If you want to create an alert on role assignment, you can use the KQL query below:

AzureActivity
// matches create/delete of role assignments (OperationNameValue is upper-case in this table)
| where OperationNameValue contains "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS"
// Properties is a JSON string; parse it to read scope and requestBody fields
| extend Properties = parse_json(Properties)

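Since the roleAssignments/write activity record only carries the role definition id and the scope, not the role's dataActions, the check the question asks for needs a join against the role definitions. The following is an added example, not code from the question or the answer: it takes constructed AzureActivity rows and a constructed role-definition cache (the shape `az role definition list` returns, keyed by the role GUID) and reports assignments on storage-account scopes whose role grants any dataAction. The subscription id, role GUIDs, role names and principal ids are made up.

```python
import json

# Constructed role-definition cache keyed by role GUID, in the shape returned by
# `az role definition list` (permissions[].actions / dataActions / notDataActions).
ROLE_DEFINITIONS = {
    "11111111-aaaa-4aaa-8aaa-111111111111": {
        "roleName": "Custom Blob Reader",
        "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/read"],
                         "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
                         "notDataActions": []}]},
    "22222222-bbbb-4bbb-8bbb-222222222222": {
        "roleName": "Custom Control Plane Only",
        "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/*"],
                         "dataActions": [], "notDataActions": []}]},
}

def _activity_row(scope, role_guid, principal_id):
    """Build a constructed AzureActivity row for a roleAssignments/write event."""
    role_def_id = "/subscriptions/sub-0/providers/Microsoft.Authorization/roleDefinitions/" + role_guid
    return {"OperationNameValue": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
            "Properties": json.dumps({"scope": scope, "requestBody": {"properties": {
                "principalId": principal_id, "principalType": "User", "roleDefinitionId": role_def_id}}})}

SA_SCOPE = "/subscriptions/sub-0/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/examplesa"
SAMPLE_ACTIVITY = [
    _activity_row(SA_SCOPE, "11111111-aaaa-4aaa-8aaa-111111111111", "user-a"),  # data-plane role: alert
    _activity_row(SA_SCOPE, "22222222-bbbb-4bbb-8bbb-222222222222", "user-b"),  # control plane only: ignore
    _activity_row("/subscriptions/sub-0/resourceGroups/rg2", "11111111-aaaa-4aaa-8aaa-111111111111", "user-c"),
]

def find_data_action_assignments(activity_rows, role_definitions):
    """Join roleAssignments/write events with the role-definition cache and return the
    assignments on storage-account scopes whose role grants at least one dataAction."""
    findings = []
    for row in activity_rows:
        if row.get("OperationNameValue", "").upper() != "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE":
            continue
        props = json.loads(row["Properties"])
        scope = props.get("scope", "")
        if "/providers/microsoft.storage/storageaccounts/" not in scope.lower():
            continue  # mirrors the question's "storageAccounts" scope filter
        body = props.get("requestBody", {}).get("properties", {})
        role = role_definitions.get(body.get("roleDefinitionId", "").rsplit("/", 1)[-1])
        if role is None:
            continue  # unknown role id: refresh the definition cache before deciding
        data_actions = [a for p in role["permissions"] for a in p.get("dataActions", [])]
        if data_actions:
            findings.append({"principalId": body.get("principalId"), "roleName": role["roleName"],
                             "scope": scope, "dataActions": data_actions})
    return findings

if __name__ == "__main__":
    for finding in find_data_action_assignments(SAMPLE_ACTIVITY, ROLE_DEFINITIONS):
        print(finding)
```

Assignments made at resource-group or subscription scope also apply to the storage accounts beneath them, so the scope filter can be relaxed to cover those parents if the alert should catch inherited data-plane access as well.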