KQL Query to create alert for Azure Storage accounts
I am trying to create alerts for storage accounts using KQL Queries, I need to create alert when some one changes on storage account networking, also when blob lifecycle changes from HOT to COOl or ARCHIVE
below is the query i am trying with
AzureActivity
| where ResourceProviderValue contains "MICROSOFT.STORAGE" and CategoryValue contains
"Administrative"
| where Properties has "NETWORKS"
but unable to forward from here. any leads is much appreciated, thanks in advance.
I tried in my environment and got the below Results:
You can use the below KQL to create an alert rule if some one changes on storage account networking.
Query
AzureActivity
| where ResourceProviderValue contains "Microsoft.storage" and CategoryValue contains "Administrative"
| where Properties has "networkAcls"
| project ResourceProviderValue,CategoryValue,Properties
Output:
Next, You can create action groups with either a new action group or an existing one used to send notifications through mail or sms.
Here is my snippet at the last of creating an alert rule.
After creation, you can check the alerts in the monitor or through the mail if someone made changes to your Networking.
I made changes in networking by adding an address range in the portal.
Portal:
Email: I got an alert both through the mail and in the alert section.
The same process you can use the below query to create alert rule when the blob lifecycle changes from HOT to COOl or ARCHIVE.
Query:
AzureActivity
| where ResourceProviderValue contains "Microsoft.storage" and CategoryValue contains "Administrative"
| where OperationNameValue == "Microsoft.Storage/storageAccounts/blobServices/blobs/changeLifecycle"
| where properties contains "NewTier\": \"Cool\"" or Properties contains "NewTier\": \"Archive\""
| project ResourceProviderValue,CategoryValue,Properties,OperationNameValue.