Diagnostic settings Alert


Hello,

 

How can I set alert for Diagnostic settings like whoever enabling it with username, time, date and resource group name.

 

Thanks in advance.

1 Reply

@Rahul_Mahajan 

 

The AzureActivity logs have a lot of categories, so you need to scope it carefully or you will get all (and many) alerts.

 

From the GUI

[Screenshot: Annotation 2019-09-30 154728.jpg]

 

Then

[Screenshot: Annotation 2019-10-01 094230 -2.jpg]

 

From Log Analytics

AzureActivity
| where TimeGenerated > startofday(ago(7d))   // look back seven full days
| where Category == "Administrative"          // control-plane (ARM) operations only
| where OperationName == "Create or update resource diagnostic setting"
| summarize count() by ActivityStatus, OperationName, Resource, Caller, ResourceGroup, TimeGenerated

This isn't a full query, but it should help you. Just hit "New alert rule" after you run this (and after any edits you require). Click below to see the results on test data; I limited the results to 5.

 

Go to Log Analytics and Run Query

ActivityStatus | OperationName | Resource | Caller | ResourceGroup | TimeGenerated | count_
Started | Create or update resource diagnostic setting | setByPolicy | 1461b1b8-18a7-4d1b-a74d-6c19f48358d0 | contosoazurehq | 2019-09-24T22:44:58.976Z | 1
Started | Create or update resource diagnostic setting | setByPolicy | 1461b1b8-18a7-4d1b-a74d-6c19f48358d0 | contosoitlabsupport | 2019-09-24T22:44:57.856Z | 1
Succeeded | Create or update resource diagnostic setting | setByPolicy | 1461b1b8-18a7-4d1b-a74d-6c19f48358d0 | contosoazurehq | 2019-09-24T22:44:57.009Z | 1
Started | Create or update resource diagnostic setting | setByPolicy | 1461b1b8-18a7-4d1b-a74d-6c19f48358d0 | contosoazurehq | 2019-09-24T22:44:54.577Z | 1
Succeeded | Create or update resource diagnostic setting | setByPolicy | 1461b1b8-18a7-4d1b-a74d-6c19f48358d0 | contosoautomation | 2019-09-24T22:46:12.993Z | 1
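The filter-and-summarize logic of the reply's KQL query, modelled offline in Python so the detection can be exercised without a Log Analytics workspace. This is an added example, not code from the thread above. It runs over constructed sample AzureActivity records (the GUID, e-mail addresses and resource-group names are made up), and two things in it are assumptions beyond what the reply shows: the "Delete resource diagnostic setting" operation name, which you should confirm against your own AzureActivity data before alerting on it, and the choice to drop "Started" events so that each change fires one alert rather than two.

```python
"""Offline model of the AzureActivity query in the reply above.

Filters activity records to diagnostic-setting changes in the last seven days
and summarizes them by status, operation, resource, caller, resource group and
time, the same tuple the forum query groups on.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Operations to alert on. The first string is the one used in the reply; the
# delete operation name is an assumption and should be checked against your
# own AzureActivity data before relying on it.
DIAG_OPERATIONS = {
    "Create or update resource diagnostic setting",
    "Delete resource diagnostic setting",
}

GROUP_FIELDS = ("ActivityStatus", "OperationName", "Resource",
                "Caller", "ResourceGroup", "TimeGenerated")

# Caller is a GUID when the change was made by a service principal or by
# Azure Policy's identity, and a UPN when a person did it.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed sample records (not real telemetry). The GUID, e-mail addresses
# and resource group names are made up to mirror the shape of the table above.
SAMPLE_ACTIVITY = [
    {"TimeGenerated": "2019-09-24T22:44:58.976Z", "Category": "Administrative",
     "OperationName": "Create or update resource diagnostic setting",
     "ActivityStatus": "Started", "Resource": "setByPolicy",
     "Caller": "1461b1b8-18a7-4d1b-a74d-6c19f48358d0", "ResourceGroup": "contosoazurehq"},
    {"TimeGenerated": "2019-09-24T22:44:57.009Z", "Category": "Administrative",
     "OperationName": "Create or update resource diagnostic setting",
     "ActivityStatus": "Succeeded", "Resource": "setByPolicy",
     "Caller": "1461b1b8-18a7-4d1b-a74d-6c19f48358d0", "ResourceGroup": "contosoazurehq"},
    # A person removing a diagnostic setting: the case most worth an alert.
    {"TimeGenerated": "2019-09-25T09:12:00.000Z", "Category": "Administrative",
     "OperationName": "Delete resource diagnostic setting",
     "ActivityStatus": "Succeeded", "Resource": "diag-to-sentinel",
     "Caller": "alice@contoso.com", "ResourceGroup": "prod-rg"},
    # Unrelated administrative write: must be filtered out by OperationName.
    {"TimeGenerated": "2019-09-26T11:00:00.000Z", "Category": "Administrative",
     "OperationName": "Create or update Network Security Group",
     "ActivityStatus": "Succeeded", "Resource": "web-nsg",
     "Caller": "bob@contoso.com", "ResourceGroup": "prod-rg"},
    # Older than the seven-day window: must be filtered out by time.
    {"TimeGenerated": "2019-09-15T10:00:00.000Z", "Category": "Administrative",
     "OperationName": "Create or update resource diagnostic setting",
     "ActivityStatus": "Succeeded", "Resource": "vm-diag",
     "Caller": "carol@contoso.com", "ResourceGroup": "dev-rg"},
]

# Fixed "now" so the sample window is reproducible.
NOW = datetime(2019, 9, 30, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps AzureActivity exports."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def startofday_ago(now, days):
    """KQL startofday(ago(Nd)): midnight UTC, N days before now."""
    return (now - timedelta(days=days)).replace(hour=0, minute=0, second=0, microsecond=0)


def diagnostic_setting_changes(records, now, lookback_days=7,
                               operations=DIAG_OPERATIONS, succeeded_only=True):
    """Return the summarized rows the reply's query produces.

    succeeded_only drops the "Started" events, which otherwise fire a second
    alert for every change; set it to False to reproduce the query verbatim.
    """
    window_start = startofday_ago(now, lookback_days)
    counts = Counter()
    for rec in records:
        if parse_ts(rec["TimeGenerated"]) <= window_start:
            continue
        if rec["Category"] != "Administrative":
            continue
        if rec["OperationName"] not in operations:
            continue
        if succeeded_only and rec["ActivityStatus"] != "Succeeded":
            continue
        counts[tuple(rec[f] for f in GROUP_FIELDS)] += 1
    rows = [dict(zip(GROUP_FIELDS, key), count_=n) for key, n in counts.items()]
    return sorted(rows, key=lambda r: r["TimeGenerated"])


def caller_kind(caller):
    """Classify the Caller column so alert text can say who, not just which ID."""
    return "service principal or policy identity" if GUID_RE.match(caller) else "user"


if __name__ == "__main__":
    for row in diagnostic_setting_changes(SAMPLE_ACTIVITY, NOW):
        print(f'{row["TimeGenerated"]} {row["ActivityStatus"]:9} {row["OperationName"]:45} '
              f'{row["Caller"]} ({caller_kind(row["Caller"])}) rg={row["ResourceGroup"]}')
```

Run stand-alone it prints the two rows that survive the filters: the policy-driven create (a GUID caller, so the alert should say it came from a service principal or policy identity rather than a person) and the user-driven delete. The delete is the row a defender cares most about, because removing a diagnostic setting silently stops the log export; the reply's query only matches the create/update operation, so extend its OperationName filter if you want that case covered.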