Mar 03 2022 06:59 AM - edited Mar 03 2022 07:01 AM
For the purposes of alerting when something has happened concerning a public IP, for example, a Public IP address was associated with a resource (NIC, Load Balancer, etc.), shouldn't this work?
AzureActivity
| where OperationNameValue == @"Microsoft.Network/publicIPAddresses/join/action"
It is the literal definition here:
https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/virtual-network-public-ip-address
Microsoft.Network/publicIPAddresses/join/action - Associate a public IP address to a resource
but yet, the event (me, associating a public IP to a VM's nic) shows up under "Microsoft.Network/networkInterfaces/write"
My question is, what is the Operation that I need to evaluate for if I want to see if a Public IP was associated/disassociated with a resource (regardless of the resource)?
Ideally not just associations and dissassociations, but also creation, deletion, etc.
These do seem to work:
@"Microsoft.Network/publicIPAddresses/read", @"Microsoft.Network/publicIPAddresses/write", @"Microsoft.Network/publicIPAddresses/delete" but I care most about associations and dissassociations.
Thanks!
Mar 03 2022 07:23 AM
Mar 03 2022 08:16 AM
AzureActivity
| where ResourceProvider == "Microsoft.Network"
| where OperationName == "Create or Update Public Ip Address"
Mar 03 2022 11:01 AM
Thanks Clive, I am not sure why this is, but I am getting null (empty) for both columns. I don't think it's a permissions issue, since I am a contributor in the sub. where this log analytics workspace is located.
Mar 03 2022 11:55 AM