Creating Azure Activity Log Alerts with PowerShell

Want to create alerts from the Azure Activity Log? I will be showing how to do this with the PowerShell cmdlet Set-AzActivityLogAlert, using conditions taken from the JSON output of an Activity Log entry.

For the example I will be looking at alerting when a change has been made to a Network Security Group (NSG).

I am going to remove a rule (rule 100) from the NSG tamops-nsg and, once it is removed, look at the Activity Log.

Select Activity Log and you will see an entry for “Delete Security Rule”.

The .json output of that entry is below; this is where we will extract the data used for the alert condition.

{
    "authorization": {
        "action": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "scope": "/subscriptions/resourceGroups/nsg-alerts/providers/Microsoft.Network/networkSecurityGroups/tamops-nsg/securityRules/tamops-rdp"
    },
    "caller": "thomast@thomasthornton.cloud",
    "channels": "Operation",
    "claims": {
        "aud": "https://management.core.windows.net/",
        "iss": "https://sts.windows.net/6b86cb18-0db2-4901-bf8a-c8b800aa77e0/",
        "iat": "1570709541",
        "nbf": "1570709541",
        "exp": "1570713441",
        "http://schemas.microsoft.com/claims/authnclassreference": "1",
        "altsecid": "1:live.com:00030000D335480F",
        "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
        "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
        "appidacr": "2",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "thomast@thomasthornton.cloud",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Thornton",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Thomas",
        "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com",
        "ipaddr": "195.89.171.5",
        "name": "Thomas Thornton",
        "http://schemas.microsoft.com/identity/claims/objectidentifier": "XXXXX-XXXX-XXX-XXX-XXXXXXXX",
        "puid": "1003BFFD90823820",
        "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "kqtg7fQYXhAwIV-NoIrj1EkNy3vgLTYlH_lZUypsWEg",
        "http://schemas.microsoft.com/identity/claims/tenantid": "6b86cb18-0db2-4901-bf8a-c8b800aa77e0",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "live.com#",
        "uti": "Szcj2GTF10-qROjJuHUVAA",
        "ver": "1.0",
        "wids": "62e90394-69f5-4237-9190-012177145e10"
    },
    "correlationId": "a532386b-d72b-4b76-a2e5-86121ebb6b89",
    "description": "",
    "eventDataId": "e7175c5d-a227-4a1b-b02d-5b90cc0d21af",
    "eventName": {
        "value": "EndRequest",
        "localizedValue": "End request"
    },
    "category": {
        "value": "Administrative",
        "localizedValue": "Administrative"
    },
    "eventTimestamp": "2019-10-09T19:25:55.5199497Z",
    "id": "/subscriptions/XXXXX-XXXX-XXX-XXX-XXXXXXXX/resourceGroups/nsg-alerts/providers/Microsoft.Network/networkSecurityGroups/tamops-nsg/securityRules/tamops-rdp/events/e7175c5d-a227-4a1b-b02d-5b90cc0d21af/ticks/637063071555199497",
    "level": "Informational",
    "operationId": "a532386b-d72b-4b76-a2e5-86121ebb6b89",
    "operationName": {
        "value": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "localizedValue": "Delete Security Rule"
    },
    "resourceGroupName": "nsg-alerts",
    "resourceProviderName": {
        "value": "Microsoft.Network",
        "localizedValue": "Microsoft.Network"
    },
    "resourceType": {
        "value": "Microsoft.Network/networkSecurityGroups/securityRules",
        "localizedValue": "Microsoft.Network/networkSecurityGroups/securityRules"
    },
    "resourceId": "/subscriptions/XXXXX-XXXX-XXX-XXX-XXXXXXXX/resourceGroups/nsg-alerts/providers/Microsoft.Network/networkSecurityGroups/tamops-nsg/securityRules/tamops-rdp",
    "status": {
        "value": "Accepted",
        "localizedValue": "Accepted"
    },
    "subStatus": {
        "value": "Accepted",
        "localizedValue": "Accepted (HTTP Status Code: 202)"
    },
    "submissionTimestamp": "2019-10-09T19:26:40.1492001Z",
    "subscriptionId": "XXXXX-XXXX-XXX-XXX-XXXXXXXX",
    "properties": {
        "statusCode": "Accepted",
        "serviceRequestId": "3f092ba7-2e44-4b53-971d-87b9c6aa4793"
    },
    "relatedEvents": []
}

From the .json extract, I will be using both the category and operationName fields:

    "category": {
        "value": "Administrative",
        "localizedValue": "Administrative"
    },

    "operationName": {
        "value": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "localizedValue": "Delete Security Rule"
    },

Two conditions for the alert are going to be created:-

  • Condition1:- Category = Administrative
  • Condition2:- OperationName = Microsoft.Network/networkSecurityGroups/securityRules/delete

Adding these now in PowerShell (the operationName value must match the .json exactly, including the securityRules segment):

    $condition1 = New-AzActivityLogAlertCondition -Field 'category' -Equal 'Administrative'
    $condition2 = New-AzActivityLogAlertCondition -Field 'operationName' -Equal 'Microsoft.Network/networkSecurityGroups/securityRules/delete'

We now have the conditions, time to build the Set-AzActivityLogAlert command, parameters required:-

  • Location: Global
  • Name: Name of the alert to create
  • ResourceGroupName: Resource Group of the NSG
  • Scope: SubscriptionID of where the NSG is located
  • Action: The Action Group that is used when the alert is triggered (retrieved below with Get-AzActionGroup; see the Azure Monitor Action Groups documentation for details)
  • Condition: The conditions created above

    # Conditions taken from the Activity Log entry: category and exact operationName
    $condition1 = New-AzActivityLogAlertCondition -Field 'category' -Equal 'Administrative'
    $condition2 = New-AzActivityLogAlertCondition -Field 'operationName' -Equal 'Microsoft.Network/networkSecurityGroups/securityRules/delete'
    # Existing action group to notify (the parameter is -ResourceGroupName)
    $actiongroup = Get-AzActionGroup -Name "tamopsag" -ResourceGroupName "tamops"

    Set-AzActivityLogAlert -Location 'Global' `
        -Name "tamops-nsg rule deleted" `
        -ResourceGroupName "nsg-alerts" `
        -Scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxx/" `
        -Action (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $actiongroup.Id) `
        -Condition $condition1, $condition2
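Building on the script above, the following is an added example (not from the original post) that uses the same cmdlets to cover the other NSG operations, not just rule deletion, and adds a status condition so one change produces one notification. The conditions in an alert are ANDed, so each operation gets its own alert; the write operations, the status condition and the alert names are this example's assumptions, while the resource group and action group names are the post's.

```powershell
# Added example, not from the original post. Same cmdlets as above, but one
# alert per NSG operation, plus a status condition. 'nsg-alerts' and 'tamopsag'
# are the post's names; the operation list and alert names are assumptions.
$subscriptionId     = (Get-AzContext).Subscription.Id
$alertResourceGroup = 'nsg-alerts'
$actionGroup        = Get-AzActionGroup -Name 'tamopsag' -ResourceGroupName 'tamops'
$action = New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $actionGroup.Id

# Conditions in one alert are ANDed, so each operation needs its own alert.
# 'write' covers creating or changing a rule/NSG, 'delete' covers removal.
$operations = [ordered]@{
    'rule-written' = 'Microsoft.Network/networkSecurityGroups/securityRules/write'
    'rule-deleted' = 'Microsoft.Network/networkSecurityGroups/securityRules/delete'
    'nsg-written'  = 'Microsoft.Network/networkSecurityGroups/write'
    'nsg-deleted'  = 'Microsoft.Network/networkSecurityGroups/delete'
}

foreach ($entry in $operations.GetEnumerator()) {
    $conditions = @(
        (New-AzActivityLogAlertCondition -Field 'category'      -Equal 'Administrative'),
        (New-AzActivityLogAlertCondition -Field 'operationName' -Equal $entry.Value),
        # Fire once the change has completed, not on each Started/Accepted entry
        (New-AzActivityLogAlertCondition -Field 'status'        -Equal 'Succeeded')
    )
    Set-AzActivityLogAlert -Location 'Global' `
        -Name "tamops-nsg-$($entry.Key)" `
        -ResourceGroupName $alertResourceGroup `
        -Scope "/subscriptions/$subscriptionId" `
        -Action $action `
        -Condition $conditions
}

# Verify: list the alerts just created, whether they are enabled, and their condition fields
Get-AzActivityLogAlert -ResourceGroupName $alertResourceGroup |
    Where-Object { $_.Name -like 'tamops-nsg-*' } |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Enabled    = $_.Enabled
            Conditions = ($_.Condition.AllOf.Field -join ', ')
        }
    } | Format-Table -AutoSize
```

To alert on a single NSG rather than the whole subscription, pass that NSG's resource Id (the Id property from Get-AzNetworkSecurityGroup) as -Scope instead.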

Now, to test, delete another NSG rule. Reviewing Alerts in Azure Monitor shows that the alert has fired.

Clicking into this will give further details about the alert.
