Activity Logs
8 Topics

How to Monitor New Management Group Creation and Deletion

I am writing this post on how to monitor new management group creation and deletion using Azure Activity Logs and trigger an incident in Microsoft Sentinel. You can also use these steps to monitor subscription creation. By default, the Diagnostic settings at the management group level are not enabled. They cannot be enabled using Azure Policy or from the Portal interface. Use the article below to enable the "Management Group Diagnostic Settings":

Management Group Diagnostic Settings - Create Or Update - REST API (Azure Monitor) | Microsoft Learn

Below is the message body if you would like to forward the logs only to the Log Analytics workspace where Sentinel is enabled. Also make sure you enable the Diagnostic settings at the tenant root management group level to track all changes in your tenant.

{
  "properties": {
    "workspaceId": "<< replace with workspace resource ID>>",
    "logs": [
      { "category": "Administrative", "enabled": true },
      { "category": "Policy", "enabled": true }
    ]
  }
}

Once you have enabled the Diagnostic settings, you can use the KQL queries below to monitor new management group creation and deletion using Azure Activity Logs.
// KQL query to identify if a management group is deleted
AzureActivity
| where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE"
| where ActivityStatusValue == "Success"
| extend mg = split(tostring(Properties_d.entity), "/")
| project TimeGenerated,
          activityStatusValue_ = tostring(Properties_d.activityStatusValue),
          Managementgroup = mg[4],
          message_ = tostring(parse_json(Properties).message),
          caller_ = tostring(Properties_d.caller)

// KQL query to identify if a management group is created
AzureActivity
| where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE"
| where ActivityStatusValue == "Success"
| extend mg = split(tostring(Properties_d.entity), "/")
| project TimeGenerated,
          activityStatusValue_ = tostring(Properties_d.activityStatusValue),
          Managementgroup = mg[4],
          message_ = tostring(parse_json(Properties).message),
          caller_ = tostring(Properties_d.caller)

This log can also be used to monitor new subscription creation, using the query below:

AzureActivity
| where OperationNameValue == "Microsoft.Management" and ActivityStatusValue == "Succeeded" and isnotempty(SubscriptionId)

If you need to trigger an incident in Sentinel, use the above query in a custom scheduled analytics rule and create an alert.

Note: Enabling this API on the management group diagnostic logs will also be inherited by the subscriptions downstream for the specific category.

Are you getting the most out of your Azure Log Analytics Workspace (LAW) investment?
Using a LAW is a great way to consolidate various types of data (performance, events, security, etc.) and signals from multiple sources. That's the easy part - mining this data for actionable insights is often the real challenge. One way we did this was by surfacing events related to disks across our physical server estate. We were already sending event data to our LAW; it was just a matter of parsing it with KQL and adding it to a Power BI dashboard for additional visibility. The snippet from the Power BI dashboard shows when the alert was first triggered and when the disk was eventually replaced. Here's the KQL query we came up with.

let start_time = ago(30d);
let end_time = now();
Event
| where TimeGenerated > start_time and TimeGenerated < end_time
| where EventLog contains 'System'
| where Source contains 'Storage Agents'
| where RenderedDescription contains 'Drive Array Physical Drive Status Change'
| parse kind=relaxed RenderedDescription with * 'Drive Array Physical Drive Status Change. The ' Drive ' with serial number "' Serial '", has a new status of ' Status '. (Drive status values:' *
| project Computer, Drive, Serial, Status, TimeGenerated, EventLevelName

You can of course set up alerting with Alerts for Azure Monitor. I hope this example helps you get more value from your LAW.

Audit user accessing enterprise App by SPN sign-in
I'm in a Hybrid Entra ID environment. Some users can use an "Enterprise Application" by utilizing IDs and a certificate. In the activity or sign-in logs, I can find the access entries, but I don't have the information on which user used the app registration or which certificate was used. I would like to have logs that allow me to identify WHO is using an SPN/App registration. Do you have any ideas? Thank you.

Here is an example: In this screenshot, I can see access made to an app using, for example, an appid+secret/certificate connection. So, it's "logical" not to see a username since it's not required for this type of connection. However, I would really like to have this information or some indicator to identify which of my users accessed it. Currently, I only have the machine's IP address, but I would like more information. Maybe in Purview or with another service, but I haven't found anything.

Create Azure Alert for deleted virtual machines with the IP address for each VM as output
Hello everyone, I just want to ask if anyone knows whether it is possible to create an Azure alert for deleted virtual machines that displays the IP address of the virtual machine that has been deleted. I know that we have the Activity Log Alerts, but they do not display the IP address. I created the following query:

AzureActivity
| where Authorization_d.action == "Microsoft.Compute/virtualMachines/delete"
| extend dummy = 1
| project TimeGenerated, ResourceGroup, Resource, Caller, dummy
| join kind=inner (
    Heartbeat
    | extend dummy = 1
    | project ResourceId, ComputerIP, dummy
) on dummy
| project TimeGenerated, ResourceGroup, Resource, Caller, ComputerIP

I joined the AzureActivity and Heartbeat tables so I can get the computer IP. It is displaying the output that I want, but the Log Alert is not firing even though I delete virtual machines. Does anyone know if it is possible to accomplish this? Thank you!

Top 10 tables in Log Analytics Workspace
Hi All, I want to see the top 10 tables using the most space in the Log Analytics workspace. I need some help to fetch the top 10 tables. Can anyone please help me with a query which can pull the top 10 tables using the most space? I appreciate any help with this.

Azure Firewall Logs
Hi, I was checking some firewall logs by running the query below:

CommonSecurityLog
| where DeviceProduct == "firewall1" or DeviceProduct == "firewall2"
| project TimeGenerated, DeviceName, SourceIP, DestinationIP, DestinationPort, Protocol, DeviceAction, Activity
| sort by TimeGenerated desc
| where DestinationIP contains "a.b.c.d"

I do get results after this. But I do not understand the result in the "DeviceAction" column. The result is:

TimeGenerated [UTC]: 2022-11-05T15:12:23.003Z
DeviceName: f03xxxxxxxxxx
SourceIP: 172.x.x.x
DestinationIP: 103.x.x.x
DestinationPort: 80
Protocol: tcp
DeviceAction: reset-both
Activity: THREAT

What does reset-both mean?

Activity Alerts (set up via https://security.microsoft.com/managealerts) are not being received
To test activity alerts, I modified 10 different files in my SharePoint tenant and, though I set the alerts to detect those specific modifications and email me for each one, I only received 2 out of 10 emails. The first two email notifications were received within 10 minutes but, after 8 hours, the other 8 alerts have not been received. I do not see the activity for any of the 10 modifications in the activity log either. The metadata in SharePoint confirms that I made the changes, but the alerts are not being triggered. What can be done to ensure that these activity alerts are triggered consistently?

Query Logs From ADF Flow run and Synapse flow with Python
Hi, I am trying to pull log data from my ADF flow run details or Synapse flow run. I want to get some data from it like start time, stop time, duration, how many records were created, etc., through Python with the API. How can I do that? Thanks, thiendia
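One way to pull those fields from Python, added here as an example and not part of the post above: it calls the Data Factory management REST API (the Pipeline Runs - Query By Factory and Activity Runs - Query By Pipeline Run operations, api-version 2018-06-01) and reduces the responses to start, end, duration, status and rows copied. The subscription, resource group, factory and token values are placeholders, and the sample payloads at the end are constructed so the parsing can run offline.

```python
import json
from urllib import request

API_VERSION = "2018-06-01"  # Data Factory v2 management REST API version

def factory_url(sub, rg, factory, suffix):
    # ARM URL under the factory resource; sub, rg and factory are placeholders.
    return ("https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/"
            "Microsoft.DataFactory/factories/%s/%s?api-version=%s"
            % (sub, rg, factory, suffix, API_VERSION))

def query(token, url, after, before):
    # One authenticated POST; lastUpdatedAfter/Before (ISO 8601 strings) are mandatory.
    body = json.dumps({"lastUpdatedAfter": after, "lastUpdatedBefore": before}).encode()
    req = request.Request(url, data=body, method="POST", headers={
        "Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with request.urlopen(req) as resp:
        return json.load(resp)

def summarize_runs(payload):
    # Reduce queryPipelineRuns output to the fields asked for: start, end, duration, status.
    rows = []
    for run in payload.get("value", []):
        ms = run.get("durationInMs")  # absent while a run is still in progress
        rows.append({"pipeline": run.get("pipelineName"), "run_id": run.get("runId"),
                     "start": run.get("runStart"), "end": run.get("runEnd"),
                     "duration_s": None if ms is None else ms / 1000.0, "status": run.get("status")})
    return rows

def rows_copied(activity_payload):
    # Record counts sit in the Copy activity's output (rowsCopied), not on the pipeline run.
    return sum(a.get("output", {}).get("rowsCopied", 0)
               for a in activity_payload.get("value", []) if a.get("activityType") == "Copy")

def pipeline_runs(token, sub, rg, factory, after, before):
    # Live call: pipeline runs last updated in the window.
    return summarize_runs(query(token, factory_url(sub, rg, factory, "queryPipelineRuns"), after, before))

def run_rows_copied(token, sub, rg, factory, run_id, after, before):
    # Live call: rows moved by the Copy activities of one pipeline run.
    url = factory_url(sub, rg, factory, "pipelineruns/%s/queryActivityruns" % run_id)
    return rows_copied(query(token, url, after, before))

# Constructed sample in the shape the two APIs return, so the parsing runs offline.
SAMPLE_RUNS = {"value": [
    {"runId": "r1", "pipelineName": "CopyToLake", "runStart": "2024-01-05T10:00:00Z",
     "runEnd": "2024-01-05T10:03:30Z", "durationInMs": 210000, "status": "Succeeded"},
    {"runId": "r2", "pipelineName": "CopyToLake", "runStart": "2024-01-05T11:00:00Z",
     "runEnd": None, "durationInMs": None, "status": "InProgress"}]}
SAMPLE_ACTIVITIES = {"value": [{"activityType": "Copy", "output": {"rowsRead": 1234, "rowsCopied": 1234}},
                               {"activityType": "Lookup", "output": {"count": 3}}]}
```

A bearer token for management.azure.com can be obtained with `az account get-access-token`; the Synapse pipeline-run endpoints on the workspace development endpoint follow the same query-body shape but are not shown here.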