Skip to content

Commit c730939

Browse files
rolyonrolyon
committed
Case-insensitive query update
1 parent eba6825 commit c730939

File tree

2 files changed

+7
-7
lines changed

2 files changed

+7
-7
lines changed

articles/role-based-access-control/media/role-assignments-alert/alert-rule-condition.png

125 Bytes
Loading

articles/role-based-access-control/role-assignments-alert.md

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ manager: amycolannino
77
ms.service: role-based-access-control
88
ms.topic: how-to
99
ms.workload: identity
10-
ms.date: 07/29/2022
10+
ms.date: 10/30/2022
1111
ms.author: rolyon
1212
---
1313

@@ -49,19 +49,19 @@ To get notified of privileged role assignments, you create an alert rule in Azur
4949

5050
```kusto
5151
AzureActivity
52-
| where CategoryValue == "Administrative" and
53-
OperationNameValue == "Microsoft.Authorization/roleAssignments/write" and
54-
(ActivityStatusValue == "Start" or ActivityStatus == "Started")
52+
| where CategoryValue =~ "Administrative" and
53+
OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write" and
54+
(ActivityStatusValue =~ "Start" or ActivityStatus =~ "Started")
5555
| extend RoleDefinition = extractjson("$.Properties.RoleDefinitionId",tostring(Properties_d.requestbody),typeof(string))
5656
| extend PrincipalId = extractjson("$.Properties.PrincipalId",tostring(Properties_d.requestbody),typeof(string))
5757
| extend PrincipalType = extractjson("$.Properties.PrincipalType",tostring(Properties_d.requestbody),typeof(string))
5858
| extend Scope = extractjson("$.Properties.Scope",tostring(Properties_d.requestbody),typeof(string))
5959
| where Scope !contains "resourcegroups"
6060
| extend RoleId = split(RoleDefinition,'/')[-1]
6161
| extend RoleDisplayName = case(
62-
RoleId == 'b24988ac-6180-42a0-ab88-20f7382dd24c', "Contributor",
63-
RoleId == '8e3af657-a8ff-443c-a75c-2fe8c4bcb635', "Owner",
64-
RoleId == '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9', "User Access Administrator",
62+
RoleId =~ 'b24988ac-6180-42a0-ab88-20f7382dd24c', "Contributor",
63+
RoleId =~ '8e3af657-a8ff-443c-a75c-2fe8c4bcb635', "Owner",
64+
RoleId =~ '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9', "User Access Administrator",
6565
"Irrelevant")
6666
| where RoleDisplayName != "Irrelevant"
6767
| project TimeGenerated,Scope, PrincipalId,PrincipalType,RoleDisplayName

0 commit comments

Comments
 (0)