Monitor changes in Route Tables with Azure Monitor
Impact: Medium
Category: Monitoring and Alerting
APRL GUID: 23b2dfc7-7e5d-9443-9f62-980ca621b561
Description:
Create Alerts with Azure Monitor for operations like Create or Update Route Table to spot unauthorized/undesired changes in production resources. This setup aids in identifying improper routing changes, including efforts to evade firewalls or access resources from outside.
// Azure Resource Graph Query
// Find all Route Tables without alerts for modification configured.
resources
| where type =~ "Microsoft.Network/routeTables"
| project name, id, tags, lowerCaseRouteTableId = tolower(id)
| join kind = leftouter (
    resources
    | where type =~ "Microsoft.Insights/activityLogAlerts" and properties.enabled == true
    | mv-expand scope = properties.scopes
    | where scope has "Microsoft.Network/routeTables"
    | project alertName = name, conditionJson = dynamic_to_json(properties.condition.allOf), scope
    | where conditionJson has '"Administrative"' and (
        // Create or Update Route Table
        (conditionJson has '"Microsoft.Network/routeTables/write"') or
        // All Administrative operations
        (conditionJson !has '"Microsoft.Network/routeTables/write"' and conditionJson !has '"Microsoft.Network/routeTables/delete"' and conditionJson !has '"Microsoft.Network/routeTables/join/action"')
        )
    | project lowerCaseRouteTableIdOfScope = tolower(scope)
    )
    on $left.lowerCaseRouteTableId == $right.lowerCaseRouteTableIdOfScope
| where isempty(lowerCaseRouteTableIdOfScope)
| project recommendationId = "23b2dfc7-7e5d-9443-9f62-980ca621b561", name, id, tags, param1 = "ModificationAlert: Not configured/Disabled"
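An activity log alert that the query above would count as covering a route table, written in Bicep as an added example (it is not part of the APRL recommendation). The parameter names, the alert name and the action group are assumptions; the alert is scoped to the route table's own resource ID because the query only matches enabled alerts whose scope contains Microsoft.Network/routeTables and equals the route table ID.

```bicep
// Added example, not APRL code. Assumed inputs: an existing route table in
// this resource group and an existing action group to notify.
param routeTableName string
param actionGroupId string

resource routeTable 'Microsoft.Network/routeTables@2023-09-01' existing = {
  name: routeTableName
}

resource routeTableWriteAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = {
  name: 'alert-${routeTableName}-write' // assumed naming scheme
  location: 'global'
  properties: {
    // The query ignores alerts where properties.enabled is not true.
    enabled: true
    description: 'Route table created or updated'
    // Resource-level scope: the query joins on tolower(scope) == tolower(id).
    scopes: [
      routeTable.id
    ]
    condition: {
      allOf: [
        {
          field: 'category'
          equals: 'Administrative'
        }
        {
          // "Create or Update Route Table" operation checked by the query.
          field: 'operationName'
          equals: 'Microsoft.Network/routeTables/write'
        }
      ]
    }
    actions: {
      actionGroups: [
        {
          actionGroupId: actionGroupId
        }
      ]
    }
  }
}
```

After deployment, rerunning the query should no longer return this route table with "ModificationAlert: Not configured/Disabled".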