Forum Discussion
Public IP Operations
For the purposes of alerting when something has happened concerning a public IP, for example, a Public IP address was associated with a resource (NIC, Load Balancer, etc.), shouldn't this work? A...
Moreover, I found this in "Hunting":
let OperationNames = dynamic(["microsoft.compute/virtualMachines/write", "microsoft.resources/deployments/write"]);
AzureActivity
// We look for any Operation that modified and then was accepted or succeeded where a publicipaddress component is referenced
| where OperationNameValue in~ (OperationNames)
| where ActivityStatusValue has_any ("Succeeded", "Accepted")
| where Properties contains "publicipaddress"
It does not work at all as far as showing association/dissassociation of a public IP to a VM's NIC that I just performed like 20 minutes ago
let OperationNames = dynamic(["microsoft.compute/virtualMachines/write", "microsoft.resources/deployments/write"]);
AzureActivity
// We look for any Operation that modified and then was accepted or succeeded where a publicipaddress component is referenced
| where OperationNameValue in~ (OperationNames)
| where ActivityStatusValue has_any ("Succeeded", "Accepted")
| where Properties contains "publicipaddress"
It does not work at all as far as showing association/dissassociation of a public IP to a VM's NIC that I just performed like 20 minutes ago
AzureActivity
| where ResourceProvider == "Microsoft.Network"
| where OperationName == "Create or Update Public Ip Address"Thanks Clive, I am not sure why this is, but I am getting null (empty) for both columns. I don't think it's a permissions issue, since I am a contributor in the sub. where this log analytics workspace is located.
- Sorry I'm not sure, I do have workbook which also used ARG for extra data.
Its not been updated for a while but may help with Public IP. https://github.com/clivewatson/KQLpublic/tree/master/KQL%2FWorkbooks%2FPublicIP- Thanks, Will take a look
