Audit Log Alerting

Question

Audit Log Alerting

Brett Walters 21

I have a Log Analytics workspace setup, and Entra AuditLogs (and SignIn) flowing into it. I can query for the specific item:

AuditLogs

| where OperationName == 'User registered security info'

It sees them when I search, so I know logs are making it and are valid. However, my alert rule and processing rule, something is broken in that it will not fire the alert or email me when this log event happens. I am pretty confused now as it seems set up right, but I am clearly missing something.

Accepted answer

1 additional answer

Your answer

Answer 1

Jose Benjamin Solis Nolasco 3,506

Hello,

Welcome to Microsoft Q&A

Did you check Azure monitor alerts action rules? I hope this documentation from Microsoft help you clarify things.

Azure Monitor > Alerts > Action Rules
Ensure there’s no rule suppressing this alert

How to create a log search alert in Azure Monitor https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-log

Explains how to define the query, set frequency, and configure action groups.

Processing Rules (Action Rules)

Suppress or modify alerts with processing rules https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-action-rules

If your alerts aren't firing, an action rule might be suppressing or modifying them.

Troubleshoot alert rules that use log queries https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/troubleshoot-alerts-log

Microsoft’s official troubleshooting guide for this exact scenario.

Enable diagnostic settings for alerts https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings

😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!

Brett Walters 21 Reputation points

2025-06-04T15:16:58.66+00:00

Alert rule is created already:

Alert processing rule is created:

I don't see anything anywhere suppressing the rule. I am getting alerts from the ASR implementation here (not via email, not set up for that):

Your Troubleshooting alert rules using log queries is a bad link.

Log are definitely going to the LA Workspace, I can query them there and see them.
Jose Benjamin Solis Nolasco 3,506 Reputation points

2025-06-04T16:01:38.83+00:00
Thanks for sharing the thread. Brett is running into a common issue with Azure Monitor alerts on Log Analytics queries. Since the alert rule is created and the logs are visible in the workspace, the issue likely lies in one of the following:

Checklist for Diagnosing Log Analytics Alert Rule Issues

Query Result Must Return a Record

Alerts only fire if the query returns at least one record.

Try the query manually in Log Analytics with the exact time window configured in the alert (e.g., last 5m, last 1h).

Example test query:

kusto AuditLogs | where OperationName == "User registered security info" | where TimeGenerated > ago(5m)

If it returns no results, the alert won’t fire.

Alert Rule Settings: Evaluation Frequency and Period

Go to Azure Monitor > Alerts > Alert rules.

Ensure:

Condition logic: “when results > 0” (or custom threshold)

Frequency: e.g., every 5 minutes

Lookback period: covers the time you expect events to occur.

Please let me know the outcome of this after checking this ...@Brett Walters

Answer 2

Brett Walters 21

I was finally able to get it to fire and email. Issue was that it was set to aggregate condition as opposed to single event. Now, if the alert would actually be readable. lol

Is there any way to get it to include the user in question? This is set to monitoring new authentication method creation. I see a link in the alert but that apparently is an internal link only as it requires being in the Microsoft tenant to access it.

User's image

Jose Benjamin Solis Nolasco 3,506 Reputation points

2025-06-04T16:27:07.74+00:00
You need to customize the alert details to include the triggering user

Add the User Principal Name (UPN) to Alert Email

You need to customize the alert details to include the triggering user (e.g., InitiatedBy.user.userPrincipalName or TargetResources[0].userPrincipalName).

Update your alert rule’s KQL to extract the UPN explicitly:

AuditLogs | where OperationName == "User registered security info" | project TimeGenerated, OperationName, UserPrincipalName=InitiatedBy.user.userPrincipalName, TargetResources

You can also extract from TargetResources[0].userPrincipalName if InitiatedBy is null.

Customize the Alert Email Using a Logic App (Optional but Recommended this is my favorite one when I'm playing with Sentinel)

Azure Monitor doesn’t support dynamic values directly in native email body, but Logic Apps do.

Steps:

Create a Logic App triggered by Azure Monitor alert.

Parse the alert payload (context.data.essentials.alertRule, SearchResults).

Extract UserPrincipalName.

Format the email however you want.

See this Guide this will Help you https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-log#use-a-logic-app-to-handle-alerts
Brett Walters 21 Reputation points

2025-06-04T17:04:31.98+00:00

It's buried in there all right, but it's there. Creating a logic app appears to have yet another cost level added to a simple alert? Nor do I understand how to create a logic app (never have). I can appreciate that this is complex, but definitely not designed for and admin - but for developers! I guess as long as the alert will provide the name, we can log in to Azure to see it with those details (or memorize where it shows up in the email).
Jose Benjamin Solis Nolasco 3,506 Reputation points

2025-06-04T18:14:34.77+00:00

Is true logic apps is the favorite way for Dev and DevopSecops, just take a look when you have time to those kusto query I shared you. I hope this helps
Brett Walters 21 Reputation points

2025-06-04T19:45:46.1833333+00:00

Absolutely helped, thank you!

Share via

Audit Log Alerting

1 additional answer

Your answer