
I appreciate any time or effort on this issue. I'd like to create an alert in Azure Sentinel (Log Analytics) that would let us know when a new public IP was created in our tenant. I'm not sure what solution or source would have this data. I don't currently have any code on the issue, as I'm not sure where this data would reside. If you have any insights on where to start or what solution I'm searching for, that would be great.

Thank you!

C. Lozach

1 Answer

This is probably more of a solution based on the Azure Activity log. You can create a Diagnostic setting to send the logs to a Log Analytics workspace. Take a look at the following bits of information to see if it matches:

Activity Log Schema: https://learn.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-schema

Collect and analyze Azure Activity log in Azure Monitor: https://learn.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect

The Azure Activity Connector for Sentinel does collect some of this data for security and threat hunting purposes.

rodtrent
  • Hi rodtrent, thank you for the help. I have the alert triggering and being sent to our log analytics workspace, although I was curious if there was anything that could be done about the fields. The event seems pretty empty. It does not show who created the IP or any attributes about the IP. Would you know if this is something that could be tweaked, or is that just native functionality, and to investigate we'll have to head to public IPs in Azure? Again, thank you, I appreciate your time to help. – C. Lozach Apr 16 '20 at 17:17
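The approach in the answer above (Activity log sent to Log Analytics, or the Sentinel Azure Activity connector) lands in the AzureActivity table, and a KQL query over it can drive a scheduled analytics rule. The following is an added example, not from the answer or the question; it assumes the current AzureActivity schema (OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, _ResourceId) and that the resource write operation is recorded as MICROSOFT.NETWORK/PUBLICIPADDRESSES/WRITE.

```kusto
// Added example: list successful public IP resource writes from the Activity log.
// Column and operation names are assumed from the AzureActivity schema, not taken
// from the original post. Caller / CallerIpAddress carry the identity that made the
// change; the resource ID gives the subscription, resource group and IP name.
AzureActivity
| where OperationNameValue =~ "MICROSOFT.NETWORK/PUBLICIPADDRESSES/WRITE"
// Older and newer Activity log schemas spell the success status differently.
| where ActivityStatusValue in~ ("Success", "Succeeded")
// Pull the public IP resource name out of the ARM resource ID (case-insensitive).
| extend PublicIpName = extract(@"(?i)/publicIPAddresses/([^/]+)$", 1, _ResourceId)
// The write operation also fires on updates, so keep only the first event
// per resource inside the query's lookback window to approximate "newly created".
| summarize arg_min(TimeGenerated, Caller, CallerIpAddress, SubscriptionId,
                    ResourceGroup, CorrelationId) by _ResourceId, PublicIpName
| project TimeGenerated, Caller, CallerIpAddress, SubscriptionId,
          ResourceGroup, PublicIpName, _ResourceId, CorrelationId
| order by TimeGenerated desc
```

When used as a Sentinel scheduled rule, set the rule's lookback to match the query frequency so the arg_min step does not re-alert on every later update of the same address.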