Alert for disabling soft-delete feature (Capture soft-delete disabled info into Azure Log analytics workspace. Possible ?)

Question

while creating an Azure alert, I dont see an option to create an alert for disabling soft delete feature for Azure Recovery Vault

Can anyone please give me the screenshot of the same. Should i go through Custom log query on log analytics workspace ?

Right now upon disabling soft delete, i get an automatic alert, but i want the alert to go to 3 other recipients as well.

Answer 1

Hi @MS Techie ,

I did some tests in my subscriptions and found the following information on this topic:

TESTS

1. There is no predefined signal name in an Azure Monitor Alert Rule on the Activity Log for catching disabling Soft Delete on Azure Recovery Services Vault (ARSV)
2. In the Azure Activity Logs on the ARSV / Subscription, for ARSV operations, you don't find something specific to this setting (Soft Delete), but just a
   generic info in the Properties field of the Log, containing "message": "Microsoft.RecoveryServices/vaults/backupconfig/write" and I believe that this will catch more operations than just the soft delete disabling.
3. Also, if you configure the Diagnostic Logs from ARSV to be sent in a Log Analytics Workspace, in the resulted logs you also don't find any information about disabling Soft-Delete option.

POSSIBLE SOLUTION

Still, there is a good new, as in every Azure Recovery Services Vault Resource, you can find Backup Alerts (in the Monitoring section of the resource), and there you will automatically (out of the box) get an Alert when Soft Delete is disabled, and from the same page, you can also Configure Notifications so that you receive an email notification when this operation is performed:

I hope this provides you with the answer you were looking for (if so, please remember to mark this as an Answer).

Thank you!
BR,
George

Answer 2

@MS Techie If you are using azure monitor based alerts, it should be possible to configure notifications using any of the programmatic methods. Here is an arm template sample for the same.

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.4.1272.37030",
"templateHash": "11639040158394753667"
}
},
"parameters": {
"emailAddress": {
"type": "array",
"metadata": {
"description": "Email addresses to add in action group"
}
},
"actionGroupName": {
"type": "string",
"defaultValue": "[format('ActionGroup-{0}', resourceGroup().name)]",
"metadata": {
"description": "Unique name (within the Resource Group) for the Action group."
}
},
"actionGroupShortName": {
"type": "string",
"defaultValue": "[format('ag-{0}', if(greaterOrEquals(length(resourceGroup().name), 9),substring(resourceGroup().name, 0, 9),resourceGroup().name))]",
"metadata": {
"description": "Short name (maximum 12 characters) for the Action group."
}
},
"alertProcessingRuleName": {
"type": "string",
"defaultValue": "[format('AlertProcessingRule-{0}', resourceGroup().name)]",
"metadata": {
"description": "Unique name for the Alert Processing Rule."
}
},
"alertProcessingRuleDescription": {
"type": "string",
"defaultValue":"Sample alert processing rule",
"metadata": {
"description": "Description of the alert processing rule"
}
},
"alertProcessingRuleScope": {
"type": "array",
"defaultValue": [ "[subscription().id]" ],
"metadata": {
"description": "The list of scopes on which the alert processing rule will be enabled."
}
}
},
"resources": [
{
"type": "microsoft.insights/actionGroups",
"apiVersion": "2019-06-01",
"name": "[parameters('actionGroupName')]",
"location": "Global",
"properties": {
"copy": [
{
"name": "emailReceivers",
"count": "[length(parameters('emailAddress'))]",
"input": {
"name": "[format('emailReceivers-{0}', uniqueString(parameters('emailAddress')[copyIndex('emailReceivers')]))]",
"emailAddress": "[parameters('emailAddress')[copyIndex('emailReceivers')]]",
"useCommonAlertSchema": true
}
}
],
"groupShortName": "[parameters('actionGroupShortName')]",
"enabled": true
}
},
{
"type": "Microsoft.AlertsManagement/actionRules",
"apiVersion": "2021-08-08",
"name": "[parameters('alertProcessingRuleName')]",
"location": "Global",
"properties": {
"scopes": "[parameters('alertProcessingRuleScope')]",
"conditions": [
{
"field": "TargetResourceType",
"operator": "Equals",
"values": ["microsoft.recoveryservices/vaults"]
}
],
"description": "[parameters('alertProcessingRuleDescription')]",
"enabled": true,
"actions": [
{
"actionGroupIds": [
"[resourceId('microsoft.insights/actionGroups', parameters('actionGroupName'))]"
],
"actionType": "AddActionGroups"
}
]
},
"dependsOn": [
"[resourceId('microsoft.insights/actionGroups', parameters('actionGroupName'))]"
]
}
],
"outputs": {
"actionGroupId": {
"type": "string",
"value": "[resourceId('microsoft.insights/actionGroups', parameters('actionGroupName'))]"
},
"alertProcessingRuleId": {
"type": "string",
"value": "[resourceId('Microsoft.AlertsManagement/actionRules', parameters('alertProcessingRuleName'))]"
}
}
}`

Hope this helps!

----------------------------------------------------------------------------------------------------------------------

If the response helped, do "Accept Answer" and up-vote it