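I am trying to create an Azure Policy that looks for a certain type of event (create or update security rule) in the activity log in the Azure portal.
Looking at the JSON for this event confirms that it is of type 'Administrative' and has the operation 'Microsoft.Network/networkSecurityGroups/securityRules/write', shown as: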
"authorization": {
"action": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
"scope": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxx/securityRules/xxxx"
},
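I would like to use these details to distinguish this event from other events. However, I first need an alias that lets me access them, and I cannot find a suitable one among the aliases shown below: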
Get-AzPolicyAlias -NamespaceMatch 'microsoft.insights' | select -ExpandProperty Aliases | select -Property Name -ExpandProperty Paths
which gives:
Name Path ApiVersions
---- ---- -----------
Microsoft.Insights/logProfiles/storageAccountId properties.storageAccountId {2016-03-01}
Microsoft.Insights/logProfiles/serviceBusRuleId properties.serviceBusRuleId {2016-03-01}
Microsoft.Insights/logProfiles/locations properties.locations {2016-03-01}
Microsoft.Insights/logProfiles/locations[*] properties.locations[*] {2016-03-01}
Microsoft.Insights/logProfiles/categories properties.categories {2016-03-01}
Microsoft.Insights/logProfiles/categories[*] properties.categories[*] {2016-03-01}
Microsoft.Insights/logProfiles/retentionPolicy properties.retentionPolicy {2016-03-01}
Microsoft.Insights/logProfiles/retentionPolicy.enabled properties.retentionPolicy.enabled {2016-03-01}
Microsoft.Insights/logProfiles/retentionPolicy.days properties.retentionPolicy.days {2016-03-01}
Microsoft.Insights/alertRules/isEnabled properties.isEnabled {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/condition.dataSource.resourceUri properties.condition.dataSource.resourceUri {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/condition.dataSource.metricName properties.condition.dataSource.metricName {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/condition.operator properties.condition.operator {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/condition.threshold properties.condition.threshold {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/condition.windowSize properties.condition.windowSize {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/condition.timeAggregation properties.condition.timeAggregation {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/condition.dataSource.odata.type properties.condition.dataSource.odata.type {2016-03-01, 2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/actions[*].odata.type properties.action.odata.type {2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/actions[*].odata.type properties.actions[*].odata.type {2016-03-01}
Microsoft.Insights/alertRules/actions[*].sendToServiceOwners properties.action.sendToServiceOwners {2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/actions[*].sendToServiceOwners properties.actions[*].sendToServiceOwners {2016-03-01}
Microsoft.Insights/alertRules/actions[*].customEmails properties.action.customEmails {2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/actions[*].customEmails properties.actions[*].customEmails {2016-03-01}
Microsoft.Insights/alertRules/actions[*].customEmails[*] properties.action.customEmails[*] {2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/actions[*].customEmails[*] properties.actions[*].customEmails[*] {2016-03-01}
Microsoft.Insights/alertRules/actions[*].serviceUri properties.action.serviceUri {2015-04-01, 2014-04-01}
Microsoft.Insights/alertRules/actions[*].serviceUri properties.actions[*].serviceUri {2016-03-01}
Microsoft.Insights/diagnosticSettings/logs.enabled properties.logs[*].enabled {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/metrics.enabled properties.metrics[*].enabled {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/storageAccountId properties.storageAccountId {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/workspaceId properties.workspaceId {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId properties.eventHubAuthorizationRuleId {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/eventHubName properties.eventHubName {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/metrics[*].retentionPolicy.enabled properties.metrics[*].retentionPolicy.enabled {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/metrics[*].retentionPolicy.days properties.metrics[*].retentionPolicy.days {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/metrics[*].category properties.metrics[*].category {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled properties.logs[*].retentionPolicy.enabled {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days properties.logs[*].retentionPolicy.days {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/diagnosticSettings/logs[*].category properties.logs[*].category {2017-05-01-preview, 2016-09-01, 2015…
Microsoft.Insights/ActivityLogAlerts/scopes properties.scopes {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/scopes[*] properties.scopes[*] {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/condition properties.condition {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/condition.allOf properties.condition.allOf {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/condition.allOf[*] properties.condition.allOf[*] {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field properties.condition.allOf[*].field {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals properties.condition.allOf[*].equals {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].containsAny properties.condition.allOf[*].containsAny {2018-09-01, 2017-04-01, 2017-03-01-p…
Microsoft.Insights/ActivityLogAlerts/enabled properties.enabled {2018-09-01, 2017-04-01, 2017-03-01-p…
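Please help me find the correct alias.
Answer 0 (score: 0)
I don't think it is possible to write a policy against the activity log events themselves. However, you can use Azure Policy to enforce routing of the activity log to an Event Hub, and then write a Function app to monitor and respond to those events.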
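The filtering step of the approach in the answer above, as an added example that is not part of the original question or answer: a function that takes one Event Hub message body and returns the completed NSG security-rule changes in it. The record field names (`records`, `operationName`, `resultType`, `resourceId`) are assumptions about the shape of exported activity-log records, and the sample message is constructed.

```python
import json
import re

# Operations of interest: the event from the question (securityRules/write)
# plus the delete action that appears in its "authorization" block.
WATCHED_OPS = {
    "microsoft.network/networksecuritygroups/securityrules/write",
    "microsoft.network/networksecuritygroups/securityrules/delete",
}
# Pulls resource group, NSG and rule name out of the rule's resource ID.
RULE_ID = re.compile(
    r"/resourcegroups/(?P<rg>[^/]+)/providers/microsoft\.network"
    r"/networksecuritygroups/(?P<nsg>[^/]+)/securityrules/(?P<rule>[^/]+)$",
    re.IGNORECASE)

def nsg_rule_changes(body: str) -> list[dict]:
    """Return one finding per completed NSG security-rule change in a message."""
    findings = []
    for rec in json.loads(body).get("records", []):
        # Exported records may be upper-cased, so compare case-insensitively.
        op = str(rec.get("operationName", "")).lower()
        # One change is logged several times (Start, Accept, Success ...);
        # keep only the Success record so each change yields one finding.
        if op not in WATCHED_OPS or str(rec.get("resultType", "")).lower() != "success":
            continue
        m = RULE_ID.search(str(rec.get("resourceId", "")))
        if m:
            findings.append({"time": rec.get("time"), "operation": op.rsplit("/", 1)[1],
                             "resource_group": m["rg"], "nsg": m["nsg"], "rule": m["rule"]})
    return findings

# Constructed sample message (placeholder subscription ID, not real log data).
_NSG = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-DEMO"
        "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB")
_OP = "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/"
SAMPLE = json.dumps({"records": [
    {"time": "2024-01-01T10:00:00Z", "category": "Administrative", "resultType": "Start",
     "operationName": _OP + "WRITE", "resourceId": _NSG + "/SECURITYRULES/ALLOW-SSH"},
    {"time": "2024-01-01T10:00:02Z", "category": "Administrative", "resultType": "Success",
     "operationName": _OP + "WRITE", "resourceId": _NSG + "/SECURITYRULES/ALLOW-SSH"},
    {"time": "2024-01-01T10:05:00Z", "category": "Administrative", "resultType": "Success",
     "operationName": _OP + "DELETE", "resourceId": _NSG + "/SECURITYRULES/DENY-ALL"},
    {"time": "2024-01-01T10:06:00Z", "category": "Administrative", "resultType": "Success",
     "operationName": "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE", "resourceId": _NSG},
]})

if __name__ == "__main__":
    for finding in nsg_rule_changes(SAMPLE):
        print(finding)
```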