Top / Microsoft Azure / Azure Monitor / Activity Log Alert

Azure Monitor Activity Log Alert

This page shows how to write Terraform and Azure Resource Manager for Monitor Activity Log Alert and write them securely.

terraform-logo

Review your .tf file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

azurerm_monitor_activity_log_alert (Terraform)

The Activity Log Alert in Monitor can be configured in Terraform with the resource name azurerm_monitor_activity_log_alert. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L6
resource "azurerm_monitor_activity_log_alert" "setting_5_2_1" {
  name                = "policy-alert"
  resource_group_name = var.resource_group_name
  scopes              = var.scopes
  description         = "This alert will monitor all policy attachments"
resources_monitor_activity_log_alert.tf#L4
resource "azurerm_monitor_activity_log_alert" "activity_log_alert_cu_security_group" {
  name                = "Activity Log Alert for Create or Update Security Group"
  resource_group_name = azurerm_resource_group.resource_group_security_services.name
  scopes              = [data.azurerm_subscription.current.id]
  description         = "Monitoring for Create or Update Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity"
  tags                = var.resource_tags
main.tf#L29
resource "azurerm_monitor_activity_log_alert" "ok_monitor_activity_log_alert" {
  name                = "example-activitylogalert"
  resource_group_name = azurerm_resource_group.main.name
  scopes              = [azurerm_resource_group.main.id]
  description         = "This alert will monitor a specific storage account updates."
main.tf#L29
resource "azurerm_monitor_activity_log_alert" "ok_monitor_activity_log_alert" {
  name                = "example-activitylogalert"
  resource_group_name = azurerm_resource_group.main.name
  scopes              = [azurerm_resource_group.main.id]
  description         = "This alert will monitor a specific storage account updates."
networking.tf#L103
resource "azurerm_monitor_activity_log_alert" "main1" {
  name                = "example-activitylogalert1"
  resource_group_name = azurerm_resource_group.example.name
  scopes              = [azurerm_resource_group.example.id]
  description         = "This alert will monitor a specific storage account updates."
main.tf#L1
resource "azurerm_monitor_activity_log_alert" "main" {
  name                = var.custom_rules_settings.name
  resource_group_name = var.context.resource_group_name
  scopes              = var.custom_rules_settings.scopes
  description         = var.custom_rules_settings.description
RouteTableUpdateAlert.tf#L20
resource "azurerm_monitor_activity_log_alert" "TFAAlert" {
  name                = "Route Table Update"
  resource_group_name = azurerm_resource_group.TFAAlert.name
  scopes              = [azurerm_resource_group.TFAAlert.id]
  description         = "This alert will monitor is Route Table has bee created or Update."
main.tf#L43
resource "azurerm_monitor_activity_log_alert" "ok_monitor_activity_log_alert_1" {
  name                = "example-activitylogalert"
  resource_group_name = azurerm_resource_group.main.name
  scopes              = [azurerm_resource_group.main.id]
  description         = "This alert will monitor a specific storage account updates."
monitor-activity-log-alert.tf#L10
resource "azurerm_monitor_activity_log_alert" "main" {
  name                = var.name
  resource_group_name = data.azurerm_resource_group.rg.name
  scopes              = [data.azurerm_resource_group.rg.id]
  description         = "This alert will monitor a vnet peering updates."
  criteria {
servicealerts.tf#L19
resource "azurerm_monitor_activity_log_alert" "main" {
  name                = "securityalerts"
  resource_group_name = azurerm_resource_group.alertsgroup.name
  /*Scopes = var.subscriptions */
  scopes      = toset(data.azurerm_subscriptions.available.subscriptions[*].id)
  description = "This alert will monitor security related service health events."

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

>> from Terraform Registry

Explanation in Terraform Registry

Manages an Activity Log Alert within Azure Monitor.

>> from Terraform Registry

Tips: Best Practices for The Other Azure Monitor Resources

In addition to the azurerm_monitor_log_profile, Azure Monitor has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

azurerm_monitor_log_profile

Ensure to enable the activity retention log

It is better to enable the activity retention log to ensure that all the information required for an effective investigation is still available.

Review your Azure Monitor settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Microsoft.Insights/activityLogAlerts (Azure Resource Manager)

The activityLogAlerts in Microsoft.Insights can be configured in Azure Resource Manager with the resource name Microsoft.Insights/activityLogAlerts. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

sub-alerts.json
{
  "kind": "template",
  "properties": {
    "displayName": "Subscription Alerts",
    "description": "Core set of alerts for a subscription.",
sub-alerts.json
{
  "kind": "template",
  "properties": {
    "displayName": "Subscription Alerts",
    "description": "Core set of alerts for a subscription.",
Activtylogalerts.json
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "actiongroups_Phoenixs": {
template.json#L56
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('generatePinRecoveryServicesVaultLogAlert')]",
      "location": "Global",
      "properties": {
        "enabled": true,
template.json#L48
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('createVirtualMachineLogAlert')]",
      "location": "Global",
      "properties": {
        "enabled": true,
template.json#L48
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('createResourceGroupLogAlert')]",
      "location": "Global",
      "properties": {
        "enabled": true,
template.json#L40
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('listKeysStorageAccountLogAlert')]",
      "location": "Global",
      "properties": {
        "enabled": true,
template.json#L40
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('createauthorizationRuleServiceBusLogAlert')]",
      "location": "Global",
      "properties": {
        "enabled": true,
alerts.json#L22
            "type": "Microsoft.Insights/activityLogAlerts",
            "apiVersion": "[variables( 'apiVersions' ).activityLogAlerts]",
            "tags": "[parameters('tags')]",
            "location": "Global",
            "properties": {
                "enabled": true,
alerts.json#L22
            "type": "Microsoft.Insights/activityLogAlerts",
            "apiVersion": "[variables( 'apiVersions' ).activityLogAlerts]",
            "tags": "[parameters('tags')]",
            "location": "Global",
            "properties": {
                "enabled": true,

The Other Related Azure Monitor Resources

Frequently asked questions

What is Azure Monitor Activity Log Alert?

Azure Monitor Activity Log Alert is a resource for Monitor of Microsoft Azure. Settings can be wrote in Terraform.

Where can I find the example code for the Azure Monitor Activity Log Alert?

For Terraform, the turbot/tdk, cbchalmers/Azure-Monitor-Alert-Rules and SnidermanIndustries/checkov-fork source code examples are useful. See the Terraform Example section for further details.

For Azure Resource Manager, the edm-ms/azure-tandem, shaneneff1/tandem and WillisPhoenixs/phxonboard source code examples are useful. See the Azure Resource Manager Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents