How to create an Alert for Data Collection Rule deletion across all VMs in a subscription?

Question

How to create an Alert for Data Collection Rule deletion across all VMs in a subscription?

Pender Sessoms 30

I'm trying to create an alert that will notify me whenever a Data Collection Rule (DCR) is deleted or removed from any Virtual Machine (VM) in my subscription. I want this to apply across all VMs, not just individual resources.

Here’s what I’ve tried so far:

I’ve used AzureActivity logs in Log Analytics to query for DCR deletion events. Here’s the Kusto query I’ve used:

AzureActivity

| where OperationNameValue == "Microsoft.Insights/dataCollectionRules/delete"

| where ActivityStatusValue == "Succeeded"

I attempted to scope this query at the subscription level and set up an alert rule in Azure Monitor. However, I encountered some issues:

The query is not capturing the Data Collection Rule deletions as expected.
I'm not sure if the OperationNameValue is correct or if there is a better way to detect DCR deletion across all resources.

What I’m Looking For:

A working solution or example that sets up an alert rule to notify me when a Data Collection Rule is deleted across all VMs in my subscription.
Any corrections or improvements to my Kusto query to accurately track DCR deletions.
Best practices for monitoring this across an entire subscription in Azure.

Any help or guidance would be greatly appreciated!

Anonymous

2024-11-20T08:42:01.7033333+00:00

Hi @Pender Sessoms
Just checking in to see if the below answer provided by @Stanislav Zhelyazkov

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know
Anonymous

2024-11-21T01:15:39.7333333+00:00

Hi @Pender Sessoms
If you had a chance to see my comment to your question. If it was helpful, please click "Upvote" on my post let us know Thank you...!
Anonymous

2025-01-06T01:12:34.5466667+00:00

Hi @Pender Sessoms

We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.
Pender Sessoms 30 Reputation points

2025-01-07T18:14:19.76+00:00

@Anonymous Thank you for you reply. When I put that query into the search query for the alert rule, I am getting this error:
Anonymous

2025-01-10T06:46:25.4366667+00:00

Hi @Pender Sessoms

Thanks for your patience! Here's a simple guide to help you set up the alert correctly:

Your Activity Logs are being sent to the right Log Analytics Workspace. You can check this in Azure Monitor → Activity Logs. If the logs aren't coming through, the query won't find anything.

Go to Azure Monitor → Logs and paste your query there. Run the query to see if it returns any results. If it works here, then the query is correct, and your logs are available.

Also, ensure your account has the necessary Reader permissions for the entire subscription so you can view all the logs.

Confirm that Activity Logs are being captured for the whole subscription (not just specific resources). You can check this in Azure Monitor → Activity Logs.

Once you've confirmed everything is working, go to Azure Monitor → Alerts → + New Alert Rule. Choose Custom log search and paste your query. Set the alert to trigger when the query finds any results (meaning a DCR was deleted). Finally, set up a notification (like an email) to let you know when the alert is triggered.

you should be able to get an alert whenever a Data Collection Rule (DCR) is deleted across any VM in your subscription.

If you have any further queries, do let us know.

2 answers

Your answer

Anonymous

2024-11-20T08:42:01.7033333+00:00

Hi @Pender Sessoms
Just checking in to see if the below answer provided by @Stanislav Zhelyazkov

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know
Anonymous

2024-11-21T01:15:39.7333333+00:00

Hi @Pender Sessoms
If you had a chance to see my comment to your question. If it was helpful, please click "Upvote" on my post let us know Thank you...!
Anonymous

2025-01-06T01:12:34.5466667+00:00

Hi @Pender Sessoms

We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.
Pender Sessoms 30 Reputation points

2025-01-07T18:14:19.76+00:00

@Anonymous Thank you for you reply. When I put that query into the search query for the alert rule, I am getting this error:
Anonymous

2025-01-10T06:46:25.4366667+00:00

Hi @Pender Sessoms

Thanks for your patience! Here's a simple guide to help you set up the alert correctly:

Your Activity Logs are being sent to the right Log Analytics Workspace. You can check this in Azure Monitor → Activity Logs. If the logs aren't coming through, the query won't find anything.

Go to Azure Monitor → Logs and paste your query there. Run the query to see if it returns any results. If it works here, then the query is correct, and your logs are available.

Also, ensure your account has the necessary Reader permissions for the entire subscription so you can view all the logs.

Confirm that Activity Logs are being captured for the whole subscription (not just specific resources). You can check this in Azure Monitor → Activity Logs.

Once you've confirmed everything is working, go to Azure Monitor → Alerts → + New Alert Rule. Choose Custom log search and paste your query. Set the alert to trigger when the query finds any results (meaning a DCR was deleted). Finally, set up a notification (like an email) to let you know when the alert is triggered.

you should be able to get an alert whenever a Data Collection Rule (DCR) is deleted across any VM in your subscription.

If you have any further queries, do let us know.

Answer 1

Hi @Pender Sessoms

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

It looks like the query you’re using to capture DCR deletions needs a little tweak. Here’s an updated version that should work for you:

AzureActivity
| where ResourceProvider == "Microsoft.Insights"
| where OperationNameValue == "Microsoft.Insights/dataCollectionRules/delete"
| where ActivityStatusValue == "Succeeded"
| project TimeGenerated, ResourceGroup, Resource, OperationNameValue, ActivityStatusValue, Identity, Caller

ResourceProvider == "Microsoft.Insights" filters for actions related to Azure Insights, where DCRs are managed.
OperationNameValue == "Microsoft.Insights/dataCollectionRules/delete" looks specifically for DCR deletions.
ActivityStatusValue == "Succeeded" ensures the alert only triggers on successful deletions.
project brings in useful details like who deleted the DCR and which resource was affected.

For this to work, make sure Activity Logs are being captured at the subscription level. If they aren’t enabled, the deletion events won’t show up in your query. Go to Azure Monitor → Activity Logs and make sure you're capturing logs for the entire subscription, including all your VMs.

Now that you have the query set up, follow these steps to create the alert:

Go to Azure Monitor → Alerts → + New Alert Rule.
Choose Custom log search and paste the query above.
Set the alert to trigger if it finds any results (i.e., a DCR has been deleted).
Set up an Action Group to send you a notification (via email or however you prefer).

Once everything is set up, you can test it by deleting a DCR and checking if you get an alert.

With this updated query and by ensuring your Activity Logs are collecting the right data, you’ll be able to track when a DCR is deleted across all VMs in your subscription. I hope this helps! Feel free to reach out if you need any further clarification or run into any issues.

If you have any further queries, do let us know.

Answer 2

Stanislav Zhelyazkov 29,501 MVP Volunteer Moderator

Hi,

I think there might be some misunderstand of how DCRs work so I will start with short explanation of that. Data collection rules define what is collected only. They do not define from which resources the data should be collected. In order to start collecting data from Azure VM for example you assign data collection rule association. The data collection rule association is assigned for the Azure VM and it contains which data collection rule is used for the associations. So in general someone could delete the data collection rule association but not delete the data collection rule and that will result in the Azure VM not collecting the data anymore. With that said the operation name for deleting data collection rule association is microsoft.insights/dataCollectionRuleAssociations/delete and for deleting data collection rule is Microsoft.Insights/dataCollectionRules/delete. As I see that you use Log Analytics for the alert rule I would use =~ to avoid any case sensitivity issues. In order for the alert to apply to all your subscriptions you need to configure all your subscriptions to send diagnostic logs to Log Analytics workspace.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Pender Sessoms 30 Reputation points

2024-11-21T14:41:20.8466667+00:00

Thank you very much for the feedback. I am unable to troubleshoot further without additional information. It appears as though Microsoft.Insights is not even a table in my log analytics workspace.

In additioan, AzureActivity is also not a table that I can find.
Pender Sessoms 30 Reputation points

2024-11-21T15:36:46.36+00:00

Thank you very much for the feedback. I am unable to troubleshoot further without additional information. It appears as though Microsoft.Insights is not even a table in my log analytics workspace.

In additioan, AzureActivity is also not a table that I can find.
Stanislav Zhelyazkov 29,501 Reputation points MVP Volunteer Moderator

2025-01-03T07:59:24.22+00:00

Microsoft.Insights is not a table. The table is AzureActivity which you are already using as per the screenshot. AzureActivity is default table that you should already have but data in it is available only if you send data to it Send Azure Monitor Activity log data.

Share via

How to create an Alert for Data Collection Rule deletion across all VMs in a subscription?

2 answers

Your answer