AzureActivity
| where ResourceProviderValue contains "Microsoft.storage" and CategoryValue contains "Administrative"
// Match any of the RBAC role assignment/definition operations (in~ compares case-insensitively)
| where OperationNameValue in~ (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete"
  )
| where ActivityStatusValue in ("Started", "Succeeded", "Failed")
// Project the same status column that the filter above uses
| project TimeGenerated, ResourceId, OperationNameValue, ActivityStatusValue
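I am trying to create an alert, using a Kusto query, for when someone changes IAM RBAC roles or permissions on an Azure storage account.
Alternatively, you can create an alert from the portal for when someone changes IAM RBAC roles on a storage account; follow the steps below.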
Azure Storage account > Activity log > select any Create role assignment operation > New alert rule
scope (ex: subscription) > Resource type : Storage accounts.
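Create an action group with your email ID, or select an existing action group.
To capture all role assignments and deletions, select All in the Status field on the Condition tab.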
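The filter from the query at the top of the page, exercised against constructed rows so the matching logic can be checked before it is wired into an alert rule. This is an added example, not code from the question or the answer; the sample rows, the `Caller` column, the `StorageAccount` name extraction and scoping by a storage account path in `ResourceId` are assumptions made for illustration.

```kusto
// Constructed sample rows (not real log data); column names follow the query on this page.
let SampleActivity = datatable(
    TimeGenerated: datetime, ResourceId: string, OperationNameValue: string,
    ActivityStatusValue: string, CategoryValue: string, Caller: string)
[
    // Role assignment created on a storage account, operation name in upper case
    datetime(2024-01-01T10:00:00Z),
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "Succeeded", "Administrative", "admin@example.com",
    // Role assignment removal on the same storage account that failed
    datetime(2024-01-01T10:05:00Z),
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222",
    "Microsoft.Authorization/roleAssignments/delete", "Failed", "Administrative", "operator@example.com",
    // Role assignment at resource-group scope: an RBAC change, but not on a storage account
    datetime(2024-01-01T10:10:00Z),
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333",
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "Succeeded", "Administrative", "admin@example.com",
    // Storage account operation that is not an RBAC change
    datetime(2024-01-01T10:15:00Z),
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo",
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION", "Succeeded", "Administrative", "operator@example.com"
];
// The four RBAC operations listed in the original query
let RbacOperations = dynamic([
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete"
]);
SampleActivity
| where CategoryValue =~ "Administrative"
// in~ ignores case, so upper-case and mixed-case operation names both match
| where OperationNameValue in~ (RbacOperations)
// Assumption: the storage account appears as a path segment of the resource ID
| where ResourceId contains "/providers/Microsoft.Storage/storageAccounts/"
| where ActivityStatusValue in ("Started", "Succeeded", "Failed")
| extend StorageAccount = extract(@"(?i)/storageAccounts/([^/]+)", 1, ResourceId)
| project TimeGenerated, StorageAccount, OperationNameValue, ActivityStatusValue, Caller
| order by TimeGenerated asc
```

To run the same filter on real data, replace `SampleActivity` with `AzureActivity` and drop the `datatable` definition.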