Log Alerts Creation

Rahul Nair 86 Reputation points
2022-01-25T15:49:03.253+00:00

Hey everyone, I'm working on Azure CSPM Integration and have to write the code for these checks.

  • Ensures Activity Log alerts for create or update Security Policy Rule events are enabled
  • Ensures Activity Log alerts for the create or update and delete Network Security Group events are enabled
  • Ensures Activity Log Alerts for the create or update and delete SQL Server Firewall Rules events are enabled
  • Ensures Activity Log Alerts for the create or update and delete Virtual Networks events are enabled
  • Ensures Activity Log Alerts for the create or update and delete Security Solution events are enabled
  • Ensures Activity Log alerts for the create or update and delete Network Security Group rule events are enabled
  • Ensures Activity Log alerts for create or update and delete Policy Assignment events are enabled

But could someone help me understand how to create the above log alerts? I don't seem to understand.


Accepted answer
  1. Stanislav Zhelyazkov 21,411 Reputation points MVP
    2022-01-26T09:30:45.207+00:00

    Hi,
    Go to the Monitor page in the Azure Portal. Select Alerts. Click Create and then Alert Rule. Select the subscription in which you want to create the alert rule. Select the resource type (for example Network Security Group). Check Include all future resources and click Done. On the Condition tab add a condition. You will see a list of pre-defined conditions for the Activity Log signal type. Find the one that you need and click Done. Continue the rest of the process to create the alert. With the exception of Security Policy Rule, for which it is unclear what it is for, for the others you should be able to see pre-defined conditions that you can use. You will have to create the same alert in each subscription you have to monitor.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

Sort by: Most helpful
  1. Ruud van den Hooff 81 Reputation points Microsoft Employee
    2022-01-26T09:34:30.85+00:00

    The first thing you'll need to do is to ensure that the activity log is sent to Log Analytics; you can do this at subscription level: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log#send-to-log-analytics-workspace

    The next step would be to create one or multiple Kusto queries targeting the AzureActivity table that match the criteria for the activities you want to monitor.
    This is, for example, a query that involves changing a network security group:

    AzureActivity
    | where OperationNameValue == 'MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE'

    Some of the documentation goes into detail about how you can do this from a specific resource, but in this way you will cut costs in alert rules, as you will target all resources of that specific type instead of specific resources, and it is more future-proof. Yes, you need to dive a bit into the Kusto queries, and especially the results, to make them how you want.

    This is some documentation on how to create a log alert: https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/tutorial-log-alert

    EDIT: The solution that @Stanislav Zhelyazkov provided is however easier and more straightforward for what you are after, especially if you are missing the knowledge on creating Kusto queries and understanding the log results.
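The question asks for code behind the checks rather than the portal steps, so here is an added example (not from either answer) of the evaluation side: given activity log alert rules in the ARM JSON shape the Azure API returns, it reports which of the required operations no enabled rule alerts on. The NSG write operation is the one quoted in the second answer; the other operation names and the sample rules are assumptions constructed for this example.

```python
# Added example (not from the question or answers): check exported Azure activity
# log alert rules, in their ARM JSON shape (properties.enabled and
# properties.condition.allOf[{field, equals | containsAny}]), against the operations
# the question's checks require. Operation names other than the NSG write are assumed.
REQUIRED_OPERATIONS = {
    "Security Policy": ["Microsoft.Security/policies/write"],
    "Network Security Group": ["Microsoft.Network/networkSecurityGroups/write",
                               "Microsoft.Network/networkSecurityGroups/delete"],
    "NSG Rule": ["Microsoft.Network/networkSecurityGroups/securityRules/write",
                 "Microsoft.Network/networkSecurityGroups/securityRules/delete"],
    "SQL Server Firewall Rule": ["Microsoft.Sql/servers/firewallRules/write",
                                 "Microsoft.Sql/servers/firewallRules/delete"],
    "Virtual Network": ["Microsoft.Network/virtualNetworks/write",
                        "Microsoft.Network/virtualNetworks/delete"],
    "Security Solution": ["Microsoft.Security/securitySolutions/write",
                          "Microsoft.Security/securitySolutions/delete"],
    "Policy Assignment": ["Microsoft.Authorization/policyAssignments/write",
                          "Microsoft.Authorization/policyAssignments/delete"],
}

def rule_operations(rule):
    """Operation names (lower-cased, since the activity log match is
    case-insensitive) that an enabled rule alerts on; a disabled rule covers nothing."""
    props = rule.get("properties", {})
    if not props.get("enabled", False):
        return set()
    ops = set()
    for cond in props.get("condition", {}).get("allOf", []):
        if cond.get("field", "").lower() != "operationname":
            continue
        if "equals" in cond:
            ops.add(cond["equals"].lower())
        ops.update(v.lower() for v in cond.get("containsAny", []))
    return ops

def missing_alerts(rules):
    """Map each check to the required operations that no enabled rule covers."""
    covered = set()
    for rule in rules:
        covered |= rule_operations(rule)
    return {check: [op for op in ops if op.lower() not in covered]
            for check, ops in REQUIRED_OPERATIONS.items()}

# Constructed sample: one enabled NSG write rule and one disabled NSG delete rule.
SAMPLE_RULES = [
    {"name": "nsg-write", "properties": {"enabled": True, "condition": {"allOf": [
        {"field": "category", "equals": "Administrative"},
        {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]}}},
    {"name": "nsg-delete", "properties": {"enabled": False, "condition": {"allOf": [
        {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]}}}]
```

Running `missing_alerts(SAMPLE_RULES)` flags the NSG delete operation (its rule is disabled) and every operation of the other six checks; an empty list for a check means it passes.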