Forum Discussion

rafaelruales
Copper Contributor
Mar 03, 2022

Public IP Operations

For the purposes of alerting when something has happened concerning a public IP, for example, a Public IP address was associated with a resource (NIC, Load Balancer, etc.), shouldn't this work?

 

AzureActivity
| where OperationNameValue == @"Microsoft.Network/publicIPAddresses/join/action"

 

It is the literal definition here: 

https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/virtual-network-public-ip-address

Microsoft.Network/publicIPAddresses/join/action - Associate a public IP address to a resource

 

But yet, the event (me, associating a public IP to a VM's NIC) shows up under "Microsoft.Network/networkInterfaces/write".

 

My question is, what is the Operation that I need to evaluate for if I want to see if a Public IP was associated/disassociated with a resource (regardless of the resource)? 

Ideally not just associations and disassociations, but also creation, deletion, etc.

These do seem to work:

@"Microsoft.Network/publicIPAddresses/read", @"Microsoft.Network/publicIPAddresses/write", @"Microsoft.Network/publicIPAddresses/delete", but I care most about associations and disassociations.

Thanks!

 

  • rafaelruales
    Copper Contributor
    Moreover, I found this in "Hunting":

    let OperationNames = dynamic(["microsoft.compute/virtualMachines/write", "microsoft.resources/deployments/write"]);
    AzureActivity
    // We look for any Operation that modified and then was accepted or succeeded where a publicipaddress component is referenced
    | where OperationNameValue in~ (OperationNames)
    | where ActivityStatusValue has_any ("Succeeded", "Accepted")
    | where Properties contains "publicipaddress"

    It does not work at all as far as showing the association/disassociation of a public IP to a VM's NIC that I just performed like 20 minutes ago.
    • Clive_Watson
      Bronze Contributor

      rafaelruales 

       

      AzureActivity
      | where ResourceProvider == "Microsoft.Network"
      | where OperationName == "Create or Update Public Ip Address"
      • rafaelruales
        Copper Contributor

        Clive_Watson 

        Thanks Clive, I am not sure why this is, but I am getting null (empty) for both columns. I don't think it's a permissions issue, since I am a contributor in the sub. where this log analytics workspace is located.
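
Added example, not part of the thread and not a Microsoft-published query: one way to combine the operation names quoted above with the NIC write under which the association was observed, reusing the hunting query's `Properties contains "publicipaddress"` filter. It assumes the NIC write record references the public IP resource in `Properties`; the one-day window, the `Change` labels and the projected columns are illustrative choices.

```kusto
// Public IP operation names quoted in the thread (read is left out as too noisy for alerting)
let PublicIpOps = dynamic([
    "Microsoft.Network/publicIPAddresses/write",
    "Microsoft.Network/publicIPAddresses/delete",
    "Microsoft.Network/publicIPAddresses/join/action"
]);
// Operation under which the original poster saw the association logged
let NicWrite = "Microsoft.Network/networkInterfaces/write";
AzureActivity
| where TimeGenerated > ago(1d)
| where ActivityStatusValue has_any ("Succeeded", "Accepted")
// Direct public IP operations, or NIC writes whose record mentions a public IP (assumption)
| where OperationNameValue in~ (PublicIpOps)
    or (OperationNameValue =~ NicWrite and Properties contains "publicipaddress")
| extend Change = case(
    OperationNameValue endswith "/delete", "public IP deleted",
    OperationNameValue =~ NicWrite, "NIC write referencing a public IP",
    OperationNameValue endswith "/join/action", "public IP joined to a resource",
    "public IP created or updated")
| project TimeGenerated, Caller, CallerIpAddress, Change, OperationNameValue,
          ActivityStatusValue, _ResourceId
| order by TimeGenerated desc
```

If a NIC write that removes the address no longer mentions it in `Properties`, drop the `contains` condition and review all NIC writes instead.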
