Create an Alert from Azure Activity results


I would like to create an Alert that fires when someone requests "Just in time VM access". I can use the query below to surface these events in Logs but not sure how to turn that into an Alert. I have searched through the Alert signals and am unable to find one that maps to this:

 

AzureActivity
| where OperationName == "Initiate JIT Network Access Policy"
| where ActivityStatus == "Started"
3 Replies

@Byron Boudreaux 

 

Just press the "add alert" button. Also create an Action Group with an email entry - if you want an email?


 

Action groups: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups

Alerts: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-activity-log

 


@Clive Watson 

 

Thanks for the reply. Tried that method (have it in place now) and can't get the Alert to fire. Not sure why.


@Clive Watson 

This solution did work but the notifications were way delayed. Unfortunately this is an inherent "feature" of Logs where the data coming in is delayed from the event that generated the entries. Hopefully this will improve over time.
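
The following query is an added example, not part of the original thread. It measures the ingestion delay described in the last reply for the same JIT request events, using the thread's own filter plus the standard `TimeGenerated` column and the `ingestion_time()` function; the 7-day lookback and the output column names are assumptions chosen for illustration.

```kusto
// Added example: how late do JIT request events arrive in the workspace?
AzureActivity
| where TimeGenerated > ago(7d)                       // assumed lookback window
| where OperationName == "Initiate JIT Network Access Policy"
| where ActivityStatus == "Started"
// ingestion_time() is when the row became queryable; TimeGenerated is when the event occurred
| extend DelaySeconds = (ingestion_time() - TimeGenerated) / 1s
| summarize
    Events      = count(),
    AvgDelaySec = avg(DelaySeconds),
    P50DelaySec = percentile(DelaySeconds, 50),
    P95DelaySec = percentile(DelaySeconds, 95),
    MaxDelaySec = max(DelaySeconds)
    by bin(TimeGenerated, 1d)
| order by TimeGenerated asc
```

If the alert rule's query period is shorter than the observed P95 delay, events can land after the window that should have contained them has already been evaluated, so the lookback should be sized against these numbers.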