Post

Alert if somebody renames the Subscription

Posted
Preview Image
By Otto Gudszent
1 min read

In operations, you create a lot of stuff, such as naming conventions that everyone follows. This helps in finding something because you know the name and can locate it easily. However, what happens if someone renames a subscription? You will be lost, which results in more operation time, increased costs, and other complications. Therefore, we must prevent this issue, but that’s not possible because you want to grant owner permissions to the subscription owner. So, we need to monitor this. If someone renames a subscription, we need to be alerted. With the new resource change history feature, we can achieve this.

Subscription query

1
2
3
4
5
6
7
8
9
10

resourcecontainerchanges
  | extend timestamp = todatetime(properties.changeAttributes.timestamp)
  | extend resourceId = tostring(properties.targetResourceId)
  | extend resourceType = tostring(properties.targetResourceType)
  | extend changeType = tostring(properties.changeType)
  | extend changes = todynamic(properties.changes)
  | extend changeAttributes = todynamic(properties.changeAttributes)
  | where timestamp > ago(24h) and resourceType == "microsoft.resources/subscriptions" and changes like "name"
  | project timestamp, subscriptionId, resourceGroup, resourceId, resourceType, changeType = properties.changeType, changes, changeAttributes
  | order by timestamp desc

This query without eventgrid or any other will check every subscription where the alert rule has permission to read the subscriptions.

Alert

If we have the query, we can create an alert rule based on that. I already write it down in this post: Azure Subscription Tag Supervision. The only difference is the query, what we have to use.

Azure
Azure Alert
This post is licensed under CC BY 4.0 by the author.