New Resource Reporting

Intro

One of the common asks I get from customers is to alert on new resources when they are created. I typically hesitate to alert every time a single resource is created because I think the better approach is to generate a report of new resources on a schedule. So, for this blog I want to walk you through utilizing Azure Logic Apps along with Azure Log Analytics to generate a useful report that you can schedule.

Sneak Peek

Before we jump into implementation let's look at what the Logic App looks like.

[Image: the Logic App workflow]

As you can see this is a simple Logic App. We only have 3 steps in this process: 

  • Schedule: simple scheduler to kick off the workflow
  • Query for New Resources: Query Log Analytics Workspace using the KQL language to find new resources.
  • Email HTML Report: Send the results of the KQL query via email as an HTML attachment.

Below is an example of the HTML Report: 

[Image: example HTML report]

Prerequisites 

If you're interested in implementing this Logic App you need to be aware of a few requirements: 

1. You need to send your Azure Activity Logs to a Log Analytics Workspace in order for the Log Analytics query to come back with any results.

Azure Activity log – Azure Monitor | Microsoft Docs 

2. For the example below I use the connector to Office365. So you either need an Office365 account or you need to use a different action for the email.

Implementing 

Hopefully you're still interested and want to try this in your own environment. Let's walk through importing the Logic App!

Step 1: Create a Logic App 

You can follow the below document to create a Logic App if you've never created one before: 

Quickstart – Create your first Logic Apps workflow – Azure portal – Azure Logic Apps | Microsoft Docs 

You can name your Logic App whatever you like. I chose to name mine “NewResourcesReport”.

Step 2: Customize the Logic App 

When you create the Logic App it will bring you to the Template page. You can choose “Recurrence” to get started with the Logic App. 


I typically like to rename my steps before I do anything. Whenever I mention renaming a step, click on the “…” for the step and choose rename.

Complete the following for the “Recurrence” step: 

  • Rename to “Schedule”
  • Set to whatever interval you wish. I'm choosing to run mine once a week.


Click on “+ New Step”, search for “”, and choose “ Logs” 


This will bring up the actions available for “ Logs” and we will use the “Run query and visualize results” 


Rename the action to “Query for New Resources” 

Enter the following values to connect to the Log Analytics Workspace where your “Azure Activity Logs” are being sent. 

  • Subscription: Azure Subscription where the Log Analytics Workspace is located
  • Resource Group: Azure Resource Group where the Log Analytics Workspace is located
  • Resource Type: Log Analytics Workspace
  • Resource Name: Log Analytics Workspace where the Azure Activity Logs are being sent
  • Query:

// All deployment write events in the selected time range
let ResourceCreation = AzureActivity
| where OperationNameValue =~ 'MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE';
ResourceCreation
// Latest event per deployment; keep only deployments that ended in Success
| summarize arg_max(TimeGenerated, *) by CorrelationId
| where ActivityStatusValue =~ 'Success'
| project CorrelationId
// Join back to the earliest event of each deployment for the report columns
| join kind=inner (ResourceCreation
    | summarize arg_min(TimeGenerated, *) by CorrelationId) on CorrelationId
| project TimeGenerated, Caller, CallerIpAddress, ResourceGroup, ResourceId

  • Time Range: Should match your Schedule step. For example, my schedule runs once a week, so I chose “Last 7 days”
  • Chart Type: Html Table 
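
To see why the query takes arg_max first and then joins back to arg_min, the following Python sketch emulates the same logic over in-memory rows. It is an added example, not part of the original post; the sample rows, status values, addresses and the SUB-PLACEHOLDER subscription are constructed assumptions.

```python
from datetime import datetime

DEPLOY = "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE"
PROJECT = ("TimeGenerated", "Caller", "CallerIpAddress", "ResourceGroup", "ResourceId")

def ev(ts, corr, status, caller, ip, rg, op=DEPLOY):
    """Build one constructed AzureActivity-style row (sample data, not real logs)."""
    return {"TimeGenerated": ts, "CorrelationId": corr, "ActivityStatusValue": status,
            "Caller": caller, "CallerIpAddress": ip, "ResourceGroup": rg,
            "OperationNameValue": op,
            "ResourceId": f"/subscriptions/SUB-PLACEHOLDER/resourcegroups/{rg}"
                          f"/providers/Microsoft.Resources/deployments/{corr}"}

SAMPLE = [
    ev("2021-02-15T10:00:00Z", "corr-a", "Start", "alice@example.com", "203.0.113.10", "rg-web"),
    ev("2021-02-15T10:02:00Z", "corr-a", "Success", "alice@example.com", "203.0.113.10", "rg-web"),
    ev("2021-02-16T09:00:00Z", "corr-b", "Start", "bob@example.com", "198.51.100.7", "rg-db"),
    ev("2021-02-16T09:01:00Z", "corr-b", "Failure", "bob@example.com", "198.51.100.7", "rg-db"),
    ev("2021-02-17T08:00:00Z", "corr-c", "Start", "carol@example.com", "192.0.2.44", "rg-test"),
    ev("2021-02-17T08:30:00Z", "corr-d", "Success", "dave@example.com", "192.0.2.45", "rg-ops",
       op="MICROSOFT.COMPUTE/VIRTUALMACHINES/RESTART/ACTION"),
]

def _when(row):
    return datetime.strptime(row["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")

def new_resources(rows):
    """Emulate the report query over in-memory rows."""
    # let ResourceCreation = AzureActivity | where OperationNameValue =~ '...'
    by_corr = {}
    for row in rows:
        if row["OperationNameValue"].lower() == DEPLOY.lower():
            by_corr.setdefault(row["CorrelationId"], []).append(row)
    report = []
    for events in by_corr.values():
        latest = max(events, key=_when)     # summarize arg_max(TimeGenerated, *)
        earliest = min(events, key=_when)   # summarize arg_min(TimeGenerated, *)
        if latest["ActivityStatusValue"].lower() != "success":
            continue                        # failed or still running: not reported
        report.append({col: earliest[col] for col in PROJECT})
    return sorted(report, key=_when)

if __name__ == "__main__":
    for line in new_resources(SAMPLE):
        print(line)
```

Only the corr-a deployment is reported, with the timestamp and caller of its first event; the failed, unfinished and non-deployment operations are dropped.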


Click on “+ New Step” below this activity, search for “send an email (v2)”, and choose the Office 365 Outlook action named “Send an email (V2)” 


Rename the Action to “Email HTML Report” and fill out the following: 

  • Body: Whatever you wish for the Body of the email
  • Subject: Whatever you wish for the Subject of the email
  • To: Fill out the emails you wish to receive the report
  • Click on “Add new parameter” and choose “Attachment”
  • Attachment Content: from the “Dynamic content” choose “Attachment Content” under “Query for New Resources”
  • Attachment Name: Something like “Resources.html”


That's it for the Logic App. You should now click on “Save” and once the Logic App is saved click on “Run” 


Summary 

With the help of Azure Log Analytics and the Kusto query language we are able to create a simple 3-step Logic App that will generate an HTML report that is emailed out on a recurring basis. This is a great example of how Azure Logic Apps can be a great tool to utilize as an Azure Administrator.

 

This article was originally published by Microsoft's Azure Security Blog. You can find the original article here.