How can I create an alert for when a SA container access level is changed to anon access?

mij2020 366 Reputation points
2023-02-07T16:30:52.0366667+00:00

I know I can set "Allow Blob public access" to Disabled to stop this. But if I have some containers that need public access (with authentication) and some containers that should never have anon public access - I'd like to have an alert to tell me whenever anyone changes the Public access level from Private to Anon.

I tried a KQL query

    StorageBlobLogs
    | where OperationName == "WriteContainer"

But nothing was returned.

Is this possible?


2 answers

  1. SaiKishor-MSFT 17,181 Reputation points
    2023-02-08T01:02:13.62+00:00

    @mij2020 Thanks for reaching out to Microsoft Q&A. I understand that you are having issues with getting alerted when someone changes the access level for the container in your Azure Storage Account.

    The specific activity log that shows that the container's public access level has changed is the "Microsoft.Storage/storageAccounts/blobServices/containers/write" operation. This log entry is generated when a change is made to the container's public access level. You can use Azure Monitor to set up an alert on this specific log entry and trigger an action or alert when it is generated.

    I tried changing this permission on the storage account and see the alerts as shown below -

    [Screenshot: Azure portal activity log showing the "Put blob container" operation]

    However, this takes a few minutes before it shows up in the logs. Can you confirm again that you cannot see this operation in your logs when the access is changed even after waiting for some time? Please let me know.


  2. mij2020 366 Reputation points
    2023-02-08T13:45:09.3566667+00:00

    Hi - thanks.

    This operation does show up in the activity log when changing the access level.

    However the alerting mechanism does not provide an existing Condition for: Microsoft.Storage/storageAccounts/blobServices/containers/write operation.

    There seems to be no option to create a new condition that I can see - only select an existing one.

    Instead, if I create a new alert rule directly from the Activity Log entry containing "Put blob container", the target scope is only that one container (the alert does work for that one container). If I try to change the scope to all storage accounts in the subscription, the auto-populated condition "Whenever the Activity Log has an event with Category='Administrative', Signal name='Patch blob container (storageAccounts/blobServices/containers)', Level='Informational', Status='Succeeded'" is removed and there is no way to add it back.
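As an added example (not code from the thread or from Microsoft), the detection logic below runs over a small set of constructed Activity Log records and flags successful `Microsoft.Storage/storageAccounts/blobServices/containers/write` operations, the operation named in the answer above, on any container that is not on an allowlist of containers permitted to be public. The `ALLOWED_PUBLIC` set, the sample resource ids and the assumption that an exported record may carry the request body under `properties.requestbody` are all this example's own; where no body is present the event is still reported, with the requested access level marked unknown.

```python
import json

# Constructed storage account resource id used throughout the sample data (not a real account).
ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
           "/providers/Microsoft.Storage/storageAccounts/stdemo")

# Hypothetical allowlist: (storage account id, container name), both lower-cased,
# for the containers that are permitted to have anonymous access.
ALLOWED_PUBLIC = {(ACCOUNT.lower(), "public-assets")}

# ARM operation that fires when a container (including its public access level) is written.
TARGET_OP = "microsoft.storage/storageaccounts/blobservices/containers/write"
CONTAINER_MARKER = "/blobservices/default/containers/"


def split_container_resource_id(resource_id):
    """Split a container resource id into (storage account id, container name), case-insensitively."""
    lower = resource_id.lower()
    idx = lower.find(CONTAINER_MARKER)
    if idx < 0:
        return None
    return resource_id[:idx], resource_id[idx + len(CONTAINER_MARKER):]


def requested_public_access(event):
    """Return the publicAccess value from the request body if the record carries one.

    Assumption for this example: an exported record may hold the PUT body as a JSON
    string under properties.requestbody. Returns None when it is absent or unparseable."""
    body = event.get("properties", {}).get("requestbody")
    if not body:
        return None
    try:
        return json.loads(body).get("properties", {}).get("publicAccess")
    except (ValueError, AttributeError):
        return None


def find_public_access_changes(events, allowed_public):
    """Report successful container writes that may expose a non-allowlisted container anonymously."""
    findings = []
    for ev in events:
        op = (ev.get("operationName", {}).get("value") or "").lower()
        status = ev.get("status", {}).get("value") or ""
        if op != TARGET_OP or status != "Succeeded":
            continue
        parts = split_container_resource_id(ev.get("resourceId", ""))
        if parts is None:
            continue
        account_id, container = parts
        access = requested_public_access(ev)
        if access == "None":
            continue  # the write explicitly set the container to private
        if (account_id.lower(), container.lower()) in allowed_public:
            continue  # this container is permitted to be public
        findings.append({
            "container": container,
            "account": account_id,
            "caller": ev.get("caller", "unknown"),
            "requested_access": access if access is not None else "unknown",
            "time": ev.get("eventTimestamp", ""),
        })
    return findings


def make_event(container, access, status="Succeeded", with_body=True):
    """Build a constructed Activity Log style record for the sample data below."""
    ev = {
        "operationName": {"value": "Microsoft.Storage/storageAccounts/blobServices/containers/write"},
        "status": {"value": status},
        "resourceId": f"{ACCOUNT}/blobServices/default/containers/{container}",
        "caller": "alice@example.com",
        "eventTimestamp": "2023-02-07T16:49:13Z",
        "properties": {},
    }
    if with_body:
        ev["properties"]["requestbody"] = json.dumps({"properties": {"publicAccess": access}})
    return ev


# Constructed sample: one real exposure, one allowlisted container, one private write,
# one record without a body, and one failed attempt.
SAMPLE_EVENTS = [
    make_event("backups", "Blob"),
    make_event("public-assets", "Container"),
    make_event("logs", "None"),
    make_event("exports", None, with_body=False),
    make_event("backups", "Container", status="Failed"),
]

if __name__ == "__main__":
    for f in find_public_access_changes(SAMPLE_EVENTS, ALLOWED_PUBLIC):
        print(f"ALERT {f['time']} {f['caller']} set container '{f['container']}' "
              f"public access to {f['requested_access']}")
```

The allowlist is what makes this useful for the scenario in the question: the containers that legitimately need public access are excluded, so only unexpected changes are reported, and a failed write or a write that sets the level back to private produces no alert.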