I am trying to create an alert when someone changes the IAM RBAC roles or permissions on Azure storage accounts using a Kusto query. Can anyone help me correct the KQL query below?

Sahith Thatipalli 40 Reputation points
2024-03-10T07:51:14.6233333+00:00

    AzureActivity
    | where ResourceProviderValue contains "Microsoft.storage" and CategoryValue contains "Administrative"
    | where OperationNameValue ==
        "Microsoft.Authorization/roleAssignments/write" or
        "Microsoft.Authorization/roleAssignments/delete" or
        "Microsoft.Authorization/roleDefinitions/write" or
        "Microsoft.Authorization/roleDefinitions/delete"
    | where ActivityStatusValue in (""Started", "Succeeded", "Failed")
    | project TimeGenerated, ResourceId, OperationNameValue, ActivityStatusValue

Accepted answer
  1. Vinodh247 20,991 Reputation points
    2024-03-10T13:25:47.99+00:00

    Did you try it? What error do you face?

    AzureActivity
    | where ResourceProviderValue contains "Microsoft.storage"
    | where CategoryValue == "Administrative"
    | where OperationNameValue in (
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Authorization/roleDefinitions/write",
        "Microsoft.Authorization/roleDefinitions/delete"
    )
    | where ActivityStatusValue in ("Started", "Succeeded", "Failed")
    | project TimeGenerated, ResourceId, OperationNameValue, ActivityStatusValue

    1 person found this answer helpful.

1 additional answer

  1. SwathiDhanwada-MSFT 18,766 Reputation points
    2024-03-11T06:26:17.59+00:00

    @Sahith Thatipalli You can use the Kusto query below to identify the operations related to role assignments or role definitions.

    AzureActivity
    | where Category has "Administrative"
    | where OperationName has "role assignment" or OperationName has "role definition"
    | where ActivityStatus in ("Started", "Succeeded", "Failed")
    | where ResourceId has "Microsoft.Storage/storageAccounts/"
    | project OperationName, ActivityStatus, ResourceId, ResourceGroup, TimeGenerated
    

    To create a log alert, you can refer to this document.

    1 person found this answer helpful.
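Both answers above filter on ResourceProviderValue contains "Microsoft.storage" or on the legacy Category/OperationName/ActivityStatus columns, and both match status and operation names case-sensitively. As an added example that is not part of either answer, the query below runs the same detection over constructed sample rows. The datatable is made up for illustration and stands in for AzureActivity (replace the name with AzureActivity in a real workspace); the column names are the ones the AzureActivity table exposes, and the sample values follow the form those columns take in the activity log export: OperationNameValue upper-cased, ActivityStatusValue as Start/Success/Failure, and an RBAC change on a storage account recorded under ResourceProviderValue MICROSOFT.AUTHORIZATION with the storage account path carried in ResourceId. Case-insensitive operators and matching the scope through ResourceId rather than ResourceProviderValue keep the query correct under either spelling.

```kql
// Constructed sample rows standing in for the AzureActivity table.
// Subscription, role assignment and caller values are made up.
let SampleActivity = datatable(
    TimeGenerated: datetime,
    CategoryValue: string,
    ResourceProviderValue: string,
    OperationNameValue: string,
    ActivityStatusValue: string,
    ResourceId: string,
    Caller: string,
    CallerIpAddress: string
) [
    // Row 1: role assignment added directly on a storage account (should alert)
    datetime(2024-03-10 07:15:00), "Administrative", "MICROSOFT.AUTHORIZATION",
        "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "Success",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stexample01/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
        "alice@contoso.example", "203.0.113.10",
    // Row 2: same caller removes a role assignment from that account (should alert)
    datetime(2024-03-10 07:16:00), "Administrative", "MICROSOFT.AUTHORIZATION",
        "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/DELETE", "Success",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stexample01/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222",
        "alice@contoso.example", "203.0.113.10",
    // Row 3: storage account property change, not an RBAC change (must not alert)
    datetime(2024-03-10 07:20:00), "Administrative", "MICROSOFT.STORAGE",
        "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "Success",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stexample01",
        "bob@contoso.example", "198.51.100.7",
    // Row 4: role assignment on a VM scope, not storage (must not alert)
    datetime(2024-03-10 07:25:00), "Administrative", "MICROSOFT.AUTHORIZATION",
        "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "Success",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-compute/providers/Microsoft.Compute/virtualMachines/vm01/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333",
        "carol@contoso.example", "192.0.2.44",
    // Row 5: the Start record that precedes row 1; dropped so one change alerts once
    datetime(2024-03-10 07:14:59), "Administrative", "MICROSOFT.AUTHORIZATION",
        "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "Start",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stexample01/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
        "alice@contoso.example", "203.0.113.10"
];
SampleActivity   // use AzureActivity here in a real workspace
| where CategoryValue =~ "Administrative"
// RBAC operations are emitted by the Microsoft.Authorization provider, not by
// Microsoft.Storage, so select on the operation first and on the scope below.
| where OperationNameValue in~ (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete")
// Each operation logs a Start record and then a Success or Failure record;
// keeping only the terminal ones makes an alert fire once per change.
| where ActivityStatusValue in~ ("Success", "Failure")
// The assignment scope is carried in ResourceId; match the storage account segment.
| where ResourceId contains "/providers/Microsoft.Storage/storageAccounts/"
| extend StorageAccount = extract(@"/storageAccounts/([^/]+)", 1, ResourceId)
| project TimeGenerated, StorageAccount, OperationNameValue, ActivityStatusValue,
          Caller, CallerIpAddress, ResourceId
| order by TimeGenerated asc
```

Against the sample rows only the two changes on stexample01 by alice survive; the storage account property write, the VM-scoped assignment and the Start record are all dropped. Two caveats: roleDefinitions/write and /delete are recorded at subscription or management group scope, so the ResourceId scope filter excludes custom role definition changes, which need a separate rule without that filter; and a failed attempt still shows up as Failure, which is usually worth alerting on as well. For the alert itself, point a log search alert rule at this query and fire when the result count is greater than 0 over the evaluation window.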
