Azure Monitor Activity Log Alert
This page shows how to write Terraform and Azure Resource Manager for Monitor Activity Log Alert and write them securely.
azurerm_monitor_activity_log_alert (Terraform)
The Activity Log Alert in Monitor can be configured in Terraform with the resource name azurerm_monitor_activity_log_alert
. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_monitor_activity_log_alert" "setting_5_2_1" {
name = "policy-alert"
resource_group_name = var.resource_group_name
scopes = var.scopes
description = "This alert will monitor all policy attachments"
resource "azurerm_monitor_activity_log_alert" "activity_log_alert_cu_security_group" {
name = "Activity Log Alert for Create or Update Security Group"
resource_group_name = azurerm_resource_group.resource_group_security_services.name
scopes = [data.azurerm_subscription.current.id]
description = "Monitoring for Create or Update Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity"
tags = var.resource_tags
resource "azurerm_monitor_activity_log_alert" "ok_monitor_activity_log_alert" {
name = "example-activitylogalert"
resource_group_name = azurerm_resource_group.main.name
scopes = [azurerm_resource_group.main.id]
description = "This alert will monitor a specific storage account updates."
resource "azurerm_monitor_activity_log_alert" "ok_monitor_activity_log_alert" {
name = "example-activitylogalert"
resource_group_name = azurerm_resource_group.main.name
scopes = [azurerm_resource_group.main.id]
description = "This alert will monitor a specific storage account updates."
resource "azurerm_monitor_activity_log_alert" "main1" {
name = "example-activitylogalert1"
resource_group_name = azurerm_resource_group.example.name
scopes = [azurerm_resource_group.example.id]
description = "This alert will monitor a specific storage account updates."
resource "azurerm_monitor_activity_log_alert" "main" {
name = var.custom_rules_settings.name
resource_group_name = var.context.resource_group_name
scopes = var.custom_rules_settings.scopes
description = var.custom_rules_settings.description
resource "azurerm_monitor_activity_log_alert" "TFAAlert" {
name = "Route Table Update"
resource_group_name = azurerm_resource_group.TFAAlert.name
scopes = [azurerm_resource_group.TFAAlert.id]
description = "This alert will monitor is Route Table has bee created or Update."
resource "azurerm_monitor_activity_log_alert" "ok_monitor_activity_log_alert_1" {
name = "example-activitylogalert"
resource_group_name = azurerm_resource_group.main.name
scopes = [azurerm_resource_group.main.id]
description = "This alert will monitor a specific storage account updates."
resource "azurerm_monitor_activity_log_alert" "main" {
name = var.name
resource_group_name = data.azurerm_resource_group.rg.name
scopes = [data.azurerm_resource_group.rg.id]
description = "This alert will monitor a vnet peering updates."
criteria {
resource "azurerm_monitor_activity_log_alert" "main" {
name = "securityalerts"
resource_group_name = azurerm_resource_group.alertsgroup.name
/*Scopes = var.subscriptions */
scopes = toset(data.azurerm_subscriptions.available.subscriptions[*].id)
description = "This alert will monitor security related service health events."
Parameters
-
description
optional - string -
enabled
optional - bool -
id
optional computed - string -
name
required - string -
resource_group_name
required - string -
scopes
required - set of string -
tags
optional - map from string to string -
action
set block-
action_group_id
required - string -
webhook_properties
optional - map from string to string
-
-
criteria
list block-
caller
optional - string -
category
required - string -
level
optional - string -
operation_name
optional - string -
recommendation_category
optional - string -
recommendation_impact
optional - string -
recommendation_type
optional - string -
resource_group
optional - string -
resource_id
optional - string -
resource_provider
optional - string -
resource_type
optional - string -
status
optional - string -
sub_status
optional - string -
service_health
list block
-
-
timeouts
single block
Explanation in Terraform Registry
Manages an Activity Log Alert within Azure Monitor.
Tips: Best Practices for The Other Azure Monitor Resources
In addition to the azurerm_monitor_log_profile, Azure Monitor has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
azurerm_monitor_log_profile
Ensure to enable the activity retention log
It is better to enable the activity retention log to ensure that all the information required for an effective investigation is still available.
Microsoft.Insights/activityLogAlerts (Azure Resource Manager)
The activityLogAlerts in Microsoft.Insights can be configured in Azure Resource Manager with the resource name Microsoft.Insights/activityLogAlerts
. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
{
"kind": "template",
"properties": {
"displayName": "Subscription Alerts",
"description": "Core set of alerts for a subscription.",
{
"kind": "template",
"properties": {
"displayName": "Subscription Alerts",
"description": "Core set of alerts for a subscription.",
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"actiongroups_Phoenixs": {
"type": "Microsoft.Insights/activityLogAlerts",
"apiVersion": "2017-04-01",
"name": "[parameters('generatePinRecoveryServicesVaultLogAlert')]",
"location": "Global",
"properties": {
"enabled": true,
"type": "Microsoft.Insights/activityLogAlerts",
"apiVersion": "2017-04-01",
"name": "[parameters('createVirtualMachineLogAlert')]",
"location": "Global",
"properties": {
"enabled": true,
"type": "Microsoft.Insights/activityLogAlerts",
"apiVersion": "2017-04-01",
"name": "[parameters('createResourceGroupLogAlert')]",
"location": "Global",
"properties": {
"enabled": true,
"type": "Microsoft.Insights/activityLogAlerts",
"apiVersion": "2017-04-01",
"name": "[parameters('listKeysStorageAccountLogAlert')]",
"location": "Global",
"properties": {
"enabled": true,
"type": "Microsoft.Insights/activityLogAlerts",
"apiVersion": "2017-04-01",
"name": "[parameters('createauthorizationRuleServiceBusLogAlert')]",
"location": "Global",
"properties": {
"enabled": true,
"type": "Microsoft.Insights/activityLogAlerts",
"apiVersion": "[variables( 'apiVersions' ).activityLogAlerts]",
"tags": "[parameters('tags')]",
"location": "Global",
"properties": {
"enabled": true,
"type": "Microsoft.Insights/activityLogAlerts",
"apiVersion": "[variables( 'apiVersions' ).activityLogAlerts]",
"tags": "[parameters('tags')]",
"location": "Global",
"properties": {
"enabled": true,
Frequently asked questions
What is Azure Monitor Activity Log Alert?
Azure Monitor Activity Log Alert is a resource for Monitor of Microsoft Azure. Settings can be wrote in Terraform.
Where can I find the example code for the Azure Monitor Activity Log Alert?
For Terraform, the turbot/tdk, cbchalmers/Azure-Monitor-Alert-Rules and SnidermanIndustries/checkov-fork source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the edm-ms/azure-tandem, shaneneff1/tandem and WillisPhoenixs/phxonboard source code examples are useful. See the Azure Resource Manager Example section for further details.