The AzureActivcity logs has a lot of categories, so you need to scope it careful or you will get all (and many) alerts.
From the GUI
Then
From Log Analytics
AzureActivity
| where TimeGenerated > startofday(ago(7d))
| where Category == "Administrative"
| where OperationName == "Create or update resource diagnostic setting"
| summarize count() by ActivityStatus, OperationName, Resource, Caller, ResourceGroup, TimeGenerated- this isn't a full query but should help you. Just hit "new alert rule" after you run this (and after any edits you require). Click below to see the results on test data - I limited the results to 5
Go to Log Analytics and Run Query
| ActivityStatus | OperationName | Resource | Caller | ResourceGroup | TimeGenerated | count_ |
|---|---|---|---|---|---|---|
| Started | Create or update resource diagnostic setting | setByPolicy | 1461b1b8-18a7-4d1b-a74d-6c19f48358d0 | contosoazurehq | 2019-09-24T22:44:58.976Z | 1 |
| Started | Create or update resource diagnostic setting | setByPolicy | 1461b1b8-18a7-4d1b-a74d-6c19f48358d0 | contosoitlabsupport | 2019-09-24T22:44:57.856Z | 1 |
| Succeeded | Create or update resource diagnostic setting | setByPolicy | 1461b1b8-18a7-4d1b-a74d-6c19f48358d0 | contosoazurehq | 2019-09-24T22:44:57.009Z | 1 |
| Started | Create or update resource diagnostic setting | setByPolicy | 1461b1b8-18a7-4d1b-a74d-6c19f48358d0 | contosoazurehq | 2019-09-24T22:44:54.577Z | 1 |
| Succeeded | Create or update resource diagnostic setting | setByPolicy | 1461b1b8-18a7-4d1b-a74d-6c19f48358d0 | contosoautomation | 2019-09-24T22:46:12.993Z | 1 |