Creating Azure Activity Log Alerts with PowerShell

Want to create alerts from the Azure Activity Log? I will show how to do this with the PowerShell cmdlet Set-AzActivityLogAlert, using conditions taken from the .json output of an Activity Log entry.

For the example I will be alerting when a change has been made to a Network Security Group (NSG).

I am going to remove a rule from the NSG tamops-nsg (rule 100 will be removed) and, once it is removed, look at the Activity Log.

Select Activity Log and you will see an entry for “Delete Security Rule”.

The .json output is below; this is where we will extract the data to be used for the conditions of the alert.

{
    "authorization": {
        "action": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "scope": "/subscriptions/resourceGroups/nsg-alerts/providers/Microsoft.Network/networkSecurityGroups/tamops-nsg/securityRules/tamops-rdp"
    },
    "caller": "thomast@thomasthornton.cloud",
    "channels": "Operation",
    "claims": {
        "aud": "https://management.core.windows.net/",
        "iss": "https://sts.windows.net/6b86cb18-0db2-4901-bf8a-c8b800aa77e0/",
        "iat": "1570709541",
        "nbf": "1570709541",
        "exp": "1570713441",
        "http://schemas.microsoft.com/claims/authnclassreference": "1",
        "altsecid": "1:live.com:00030000D335480F",
        "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
        "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
        "appidacr": "2",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "thomast@thomasthornton.cloud",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Thornton",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Thomas",
        "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com",
        "ipaddr": "195.89.171.5",
        "name": "Thomas Thornton",
        "http://schemas.microsoft.com/identity/claims/objectidentifier": "XXXXX-XXXX-XXX-XXX-XXXXXXXX",
        "puid": "1003BFFD90823820",
        "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "kqtg7fQYXhAwIV-NoIrj1EkNy3vgLTYlH_lZUypsWEg",
        "http://schemas.microsoft.com/identity/claims/tenantid": "6b86cb18-0db2-4901-bf8a-c8b800aa77e0",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "live.com#",
        "uti": "Szcj2GTF10-qROjJuHUVAA",
        "ver": "1.0",
        "wids": "62e90394-69f5-4237-9190-012177145e10"
    },
    "correlationId": "a532386b-d72b-4b76-a2e5-86121ebb6b89",
    "description": "",
    "eventDataId": "e7175c5d-a227-4a1b-b02d-5b90cc0d21af",
    "eventName": {
        "value": "EndRequest",
        "localizedValue": "End request"
    },
    "category": {
        "value": "Administrative",
        "localizedValue": "Administrative"
    },
    "eventTimestamp": "2019-10-09T19:25:55.5199497Z",
    "id": "/subscriptions/XXXXX-XXXX-XXX-XXX-XXXXXXXX/resourceGroups/nsg-alerts/providers/Microsoft.Network/networkSecurityGroups/tamops-nsg/securityRules/tamops-rdp/events/e7175c5d-a227-4a1b-b02d-5b90cc0d21af/ticks/637063071555199497",
    "level": "Informational",
    "operationId": "a532386b-d72b-4b76-a2e5-86121ebb6b89",
    "operationName": {
        "value": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "localizedValue": "Delete Security Rule"
    },
    "resourceGroupName": "nsg-alerts",
    "resourceProviderName": {
        "value": "Microsoft.Network",
        "localizedValue": "Microsoft.Network"
    },
    "resourceType": {
        "value": "Microsoft.Network/networkSecurityGroups/securityRules",
        "localizedValue": "Microsoft.Network/networkSecurityGroups/securityRules"
    },
    "resourceId": "/subscriptions/XXXXX-XXXX-XXX-XXX-XXXXXXXX/resourceGroups/nsg-alerts/providers/Microsoft.Network/networkSecurityGroups/tamops-nsg/securityRules/tamops-rdp",
    "status": {
        "value": "Accepted",
        "localizedValue": "Accepted"
    },
    "subStatus": {
        "value": "Accepted",
        "localizedValue": "Accepted (HTTP Status Code: 202)"
    },
    "submissionTimestamp": "2019-10-09T19:26:40.1492001Z",
    "subscriptionId": "XXXXX-XXXX-XXX-XXX-XXXXXXXX",
    "properties": {
        "statusCode": "Accepted",
        "serviceRequestId": "3f092ba7-2e44-4b53-971d-87b9c6aa4793"
    },
    "relatedEvents": []
}

From the .json extract, I will be using both the category and operationName fields:

    "category": {
        "value": "Administrative",
        "localizedValue": "Administrative"
    },

    "operationName": {
        "value": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "localizedValue": "Delete Security Rule"
    },

Two conditions for the alert are going to be created:-

  • Condition1:- Category = Administrative
  • Condition2:- OperationName = Microsoft.Network/networkSecurityGroups/securityRules/delete

Adding these now in PowerShell (the operationName value must match the Activity Log entry exactly, including the securityRules segment):

$condition1 = New-AzActivityLogAlertCondition -Field 'category' -Equal 'Administrative'
$condition2 = New-AzActivityLogAlertCondition -Field 'operationName' -Equal 'Microsoft.Network/networkSecurityGroups/securityRules/delete'

We now have the conditions, so it is time to build the Set-AzActivityLogAlert call. Parameters required:-

  • Location: Global
  • Name: name of the alert to create
  • ResourceGroupName: resource group in which the alert is created (here, the resource group of the NSG)
  • Scope: the subscription ID where the NSG is located
  • Action: an existing Action Group (retrieved with Get-AzActionGroup) that will be used when the alert is triggered, see more about Action Groups here
  • Condition: the conditions created above

# Conditions derived from the Activity Log entry's category and operationName fields
$condition1 = New-AzActivityLogAlertCondition -Field 'category' -Equal 'Administrative'
$condition2 = New-AzActivityLogAlertCondition -Field 'operationName' -Equal 'Microsoft.Network/networkSecurityGroups/securityRules/delete'

# Existing Action Group that receives the notification when the alert fires
$actiongroup = Get-AzActionGroup -Name "tamopsag" -ResourceGroup "tamops"

Set-AzActivityLogAlert -Location 'Global' `
    -Name "tamops-nsg rule deleted" `
    -ResourceGroupName "nsg-alerts" `
    -Scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxx/" `
    -Action (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $actiongroup.Id) `
    -Condition $condition1, $condition2
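The same category/operationName pairing can be generalised to every NSG operation you want to watch. The script below is an added example, not the post's own code; it assumes the Az.Monitor version the post targets (the one that provides Set-AzActivityLogAlert), the post's action group tamopsag in resource group tamops, the alert resource group nsg-alerts, and a placeholder subscription ID. Because the conditions given to Set-AzActivityLogAlert are ANDed together, two different operationName values in one alert would never both match, so the script creates one alert per operation and then reads each alert back to verify what was deployed.

```powershell
# Added example: one Activity Log alert per NSG operation, each using the
# category + operationName pairing derived from the Activity Log JSON entry.
$subscriptionId     = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with your own
$alertResourceGroup = 'nsg-alerts'                             # from the post

# Existing action group (from the post); wrap its Id in the model type the cmdlet expects
$actionGroup = Get-AzActionGroup -Name 'tamopsag' -ResourceGroupName 'tamops'
$action = New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $actionGroup.Id

# operationName values are exactly what appears in the entry's operationName.value.
# 'write' covers creation and modification of a rule; 'delete' covers removal.
$operations = @{
    'nsg-rule-written' = 'Microsoft.Network/networkSecurityGroups/securityRules/write'
    'nsg-rule-deleted' = 'Microsoft.Network/networkSecurityGroups/securityRules/delete'
    'nsg-deleted'      = 'Microsoft.Network/networkSecurityGroups/delete'
}

foreach ($entry in $operations.GetEnumerator()) {
    # All conditions in one alert must match at once (AND), hence one alert per operation
    $conditions = @(
        (New-AzActivityLogAlertCondition -Field 'category' -Equal 'Administrative'),
        (New-AzActivityLogAlertCondition -Field 'operationName' -Equal $entry.Value)
    )
    Set-AzActivityLogAlert -Location 'Global' `
        -Name $entry.Key `
        -ResourceGroupName $alertResourceGroup `
        -Scope "/subscriptions/$subscriptionId" `
        -Action $action `
        -Condition $conditions | Out-Null
}

# Read the alerts back and show the deployed condition leaves for each one
foreach ($name in $operations.Keys) {
    $alert = Get-AzActivityLogAlert -ResourceGroupName $alertResourceGroup -Name $name
    "{0}: enabled={1}; scope={2}" -f $alert.Name, $alert.Enabled, ($alert.Scopes -join ',')
    $alert.Condition.AllOf | Format-Table Field, Equals -AutoSize
}
```

Deleting the test rule after running this should fire only the nsg-rule-deleted alert; editing a rule fires nsg-rule-written, which confirms the conditions are being matched per operation rather than combined.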


Now, delete another NSG rule to test. Reviewing Azure Monitor alerts, the alert has been fired.

Clicking into this will give further details about the alert.

2 comments

  1. Thanks for the info, works greatly; however “description”: “” there is nothing in the JSON output, not sure why even though I have a description. Can I populate that for a custom message? I have a problem with that. Did you experience that?
