Azure Subscription Event

Overview

The Azure Subscription Event trigger activates in response to specified events from your Azure Subscription Event Grid Subscription or diagnostic logs on your Azure resources.

The trigger features configurations for fine-tuned alerts that can be paired with notification Actions. Use this trigger to enhance security and compliance by proactively managing and securing your Azure resources, reducing manual intervention and optimizing operational efficiency.

Understanding Azure Subscription Events and the trigger

GorillaStack Real Time Events can help you process two different types of audit events within your Azure Subscription and Tenants:

  1. Management Plane Events (through an Azure Event Grid Subscription to your Azure Subscription)
  2. Data Plane Events (through streaming diagnostic logs for your resources to an Azure Event Grid)

This trigger allows you to match against the operationName and, using a JMESPath expression, against any other event attribute.

Azure Subscription permissions

In order to create the resources (event hubs, resource groups, topics and subscriptions) needed to process management and data plane events, we require the following privileges:

  • Microsoft.EventHub/namespaces/write
  • Microsoft.EventHub/namespaces/read
  • Microsoft.EventHub/namespaces/Delete
  • Microsoft.EventHub/namespaces/eventhubs/write
  • Microsoft.EventHub/namespaces/eventhubs/read
  • Microsoft.EventHub/namespaces/eventhubs/Delete
  • Microsoft.EventGrid/systemTopics/read
  • Microsoft.EventGrid/systemTopics/write
  • Microsoft.EventGrid/systemTopics/delete
  • Microsoft.EventGrid/eventSubscriptions/write
  • Microsoft.EventGrid/eventSubscriptions/read
  • Microsoft.EventGrid/eventSubscriptions/delete
  • Microsoft.EventHub/namespaces/authorizationRules/listKeys/action
  • Microsoft.EventGrid/systemTopics/eventSubscriptions/write
  • Microsoft.EventGrid/systemTopics/eventSubscriptions/read
  • Microsoft.EventGrid/systemTopics/eventSubscriptions/delete
  • microsoft.web/sites/functions/read
  • Microsoft.Web/sites/Write
  • Microsoft.Web/sites/functions/write
  • Microsoft.Storage/storageAccounts/write
  • Microsoft.Storage/storageAccounts/listKeys/action

Use of this trigger in a rule

The Azure Subscription Event trigger will usually be used in a rule with the Notify on Azure Subscription Event action, which generates formatted notifications based on selected events. However, it is possible to pair it with any action.

Configuration

The trigger works by matching fields in an Azure Subscription event after it is received from Event Grid or an Event Hub.

You can match the record on the following fields directly:

  • Operation Name (mandatory)

    This is usually the name of the API Action (e.g. this would be Add user for a User Added event in Azure Active Directory).

Identifying Azure Subscription Event Names

Most activities in your Azure subscription can be observed using our Azure Subscription Event trigger.

There is no comprehensive list of operationNames available at present. If you need operation names from your diagnostic logs (data plane events), you can browse the data sent to the Event Hub with a Stream Analytics job.

Specifying a Match Expression

The Match Expression is evaluated against the event fields, and its result must be truthy for the event to pass the evaluation. "Truthy" means any value that is true when coerced to a boolean in JavaScript. For example:

  • null, undefined, empty string ('') and 0 are always converted to false
  • non-empty strings (including those with whitespace), empty arrays ([]), empty objects ({}) and non-zero numbers are converted to true

Use one of the example objects to get an idea of the event structure of an Azure Subscription event.
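The following is an added example, not GorillaStack code, showing how the operationName match and the truthiness rule above combine on a constructed management-plane event in Event Grid schema. The expression is evaluated by a small dotted-path lookup standing in for the real JMESPath evaluator (an assumption), and the tags and correlationIds fields are constructed purely to illustrate the empty-object and empty-array cases.

```javascript
// Constructed sample event (values are made up, not from a real subscription).
const sampleEvent = {
  subject: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo" +
           "/providers/Microsoft.Network/networkSecurityGroups/nsg-demo",
  eventType: "Microsoft.Resources.ResourceWriteSuccess",
  data: {
    operationName: "Microsoft.Network/networkSecurityGroups/securityRules/write",
    status: "Succeeded",
    resourceProvider: "Microsoft.Network",
    claims: { name: "alice@example.com" },
    tags: {},            // constructed: empty object, truthy in JavaScript
    correlationIds: []   // constructed: empty array, also truthy
  }
};

// Minimal path lookup standing in for JMESPath (assumption): supports
// "a.b.c" and "a.b[0]" only. Missing segments yield undefined.
function lookup(obj, path) {
  return path.split(".").reduce((cur, seg) => {
    if (cur === undefined || cur === null) return undefined;
    const m = seg.match(/^([^\[]+)(?:\[(\d+)\])?$/);
    if (!m) return undefined;
    let v = cur[m[1]];
    if (m[2] !== undefined) v = Array.isArray(v) ? v[Number(m[2])] : undefined;
    return v;
  }, obj);
}

// The same coercion the trigger applies: JavaScript Boolean().
function isTruthy(value) {
  return Boolean(value);
}

// Trigger semantics: operationName must match exactly, then the
// expression result is coerced to a boolean.
function triggerFires(event, operationName, expressionPath) {
  if (event.data.operationName !== operationName) return false;
  return isTruthy(lookup(event, expressionPath));
}
```

Note that an expression selecting an empty object or empty array still fires the trigger; select a specific element or field if you want absence to count as no match.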