Tags: azure, azure-alerts, azure-log-analytics-workspace

Add alert rule on activity log on Azure (for when a lock is modified/deleted)


I have a resource group in which some of the resources have locks. My goal is to add an alert rule, from a Bicep script, which fires if any of the locks on any of the resources in this resource group gets deleted or modified.

These actions will show up in the Activity Log section of the Azure Portal as "Add management locks" or "Delete management locks".

I tried creating one on the Azure Portal first. I went through all the options when creating an Alert Rule condition, but none of them seems to match what I need. I also tried to export Activity Logs to Log Analytics, but the problem is that this setting (whichever Log Analytics Workspace is selected when configuring this) is applied to all the resources in all the resource groups across the subscription, which is obviously bad.

So I was wondering:

  1. Are there any alternatives to set this alert without sending them to Log Analytics?
  2. If not, is there another way to send the activity logs to some resource at the resource group level that you can get notified from?

Solution

  • Answering my own question:

    As of now (Aug 2023), there is no way to send the Activity Logs to different Log Analytics Workspaces within a subscription, i.e. the only option here is to send all the logs to one Log Analytics Workspace for all the resources in all resource groups in that subscription. This is far from an ideal solution.

    Another alternative is to set the alert directly on the Activity Log. If doing this through the UI, click on the desired log message, then select New alert rule and follow the steps. The only trick here is that the scope must be the resource group. Otherwise some of the options, e.g. Add management locks (Management lock), will not show up under the list of signals when you try to select a signal in the Condition section.

    Further, here is the bicep script for the alert on, say, delete lock action:

    resource lockDeletedAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = {
      name: 'string'
      location: 'Global'
      properties: {
        description: 'Lock on some resource was deleted'
        // Scope must be the resource group, not the subscription
        scopes: [
          'string <this should be resource group ID>'
        ]
        // Fire only on Administrative events for the lock delete operation
        condition: {
          allOf: [
            {
              field: 'category'
              equals: 'Administrative'
            }
            {
              field: 'operationName'
              equals: 'Microsoft.Authorization/locks/delete'
            }
          ]
        }
        // actionGroups must be nested under 'actions' in this resource type
        actions: {
          actionGroups: [
            {
              actionGroupId: 'string'
              webhookProperties: {}
            }
          ]
        }
        enabled: true
      }
    }
    

    Another note about activity logs related to locks is that the log for when the lock is created is identical to when the lock is modified, and you can't differentiate them as of now. The alert rule for when a lock is added/modified in Bicep is exactly like the one above, except with Microsoft.Authorization/locks/write.
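
The two rules described in the answer can also be written as one rule by placing an `anyOf` condition inside `allOf`. This is an added example, not code from the original answer; the parameter `actionGroupId` and the rule name are assumptions, and the template is assumed to be deployed at resource-group scope so that `resourceGroup().id` resolves to the group holding the locked resources.

```bicep
// Added example (not the answer author's code).
// Assumption: deployed at resource-group scope, action group already exists.
@description('Resource ID of an existing action group to notify')
param actionGroupId string

resource lockChangedAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = {
  name: 'lock-changed-alert' // hypothetical name
  location: 'Global'
  properties: {
    description: 'A management lock in this resource group was written or deleted'
    enabled: true
    // Resource-group scope keeps the rule limited to this group's resources
    scopes: [
      resourceGroup().id
    ]
    condition: {
      allOf: [
        {
          field: 'category'
          equals: 'Administrative'
        }
        {
          // Matches either lock operation; create and modify both log as write
          anyOf: [
            {
              field: 'operationName'
              equals: 'Microsoft.Authorization/locks/write'
            }
            {
              field: 'operationName'
              equals: 'Microsoft.Authorization/locks/delete'
            }
          ]
        }
      ]
    }
    actions: {
      actionGroups: [
        {
          actionGroupId: actionGroupId
        }
      ]
    }
  }
}
```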