How to create an Alert for Data Collection Rule deletion across all VMs in a subscription?

Pender Sessoms 30 Reputation points
2024-10-02T15:24:33.8066667+00:00

I'm trying to create an alert that will notify me whenever a Data Collection Rule (DCR) is deleted or removed from any Virtual Machine (VM) in my subscription. I want this to apply across all VMs, not just individual resources.

Here’s what I’ve tried so far:

  1. I’ve used AzureActivity logs in Log Analytics to query for DCR deletion events. Here’s the Kusto query I’ve used:

AzureActivity

| where OperationNameValue == "Microsoft.Insights/dataCollectionRules/delete"

| where ActivityStatusValue == "Succeeded"

I attempted to scope this query at the subscription level and set up an alert rule in Azure Monitor. However, I encountered some issues:

  • The query is not capturing the Data Collection Rule deletions as expected.
  • I'm not sure if the OperationNameValue is correct or if there is a better way to detect DCR deletion across all resources.

What I’m Looking For:

  • A working solution or example that sets up an alert rule to notify me when a Data Collection Rule is deleted across all VMs in my subscription.
  • Any corrections or improvements to my Kusto query to accurately track DCR deletions.
  • Best practices for monitoring this across an entire subscription in Azure.

Any help or guidance would be greatly appreciated!

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,353 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Stanislav Zhelyazkov 25,306 Reputation points MVP
    2024-10-03T08:04:15.3333333+00:00

    Hi,

    I think there might be some misunderstand of how DCRs work so I will start with short explanation of that. Data collection rules define what is collected only. They do not define from which resources the data should be collected. In order to start collecting data from Azure VM for example you assign data collection rule association. The data collection rule association is assigned for the Azure VM and it contains which data collection rule is used for the associations. So in general someone could delete the data collection rule association but not delete the data collection rule and that will result in the Azure VM not collecting the data anymore. With that said the operation name for deleting data collection rule association is microsoft.insights/dataCollectionRuleAssociations/delete and for deleting data collection rule is Microsoft.Insights/dataCollectionRules/delete. As I see that you use Log Analytics for the alert rule I would use =~ to avoid any case sensitivity issues. In order for the alert to apply to all your subscriptions you need to configure all your subscriptions to send diagnostic logs to Log Analytics workspace.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. Pender Sessoms 30 Reputation points
    2024-11-21T14:41:20.8466667+00:00

    Thank you very much for the feedback. I am unable to troubleshoot further without additional information. It appears as though Microsoft.Insights is not even a table in my log analytics workspace.

    In additioan, AzureActivity is also not a table that I can find.

    0 comments No comments

  3. Pender Sessoms 30 Reputation points
    2024-11-21T15:36:46.36+00:00

    Thank you very much for the feedback. I am unable to troubleshoot further without additional information. It appears as though Microsoft.Insights is not even a table in my log analytics workspace.

    In additioan, AzureActivity is also not a table that I can find. User's image

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.