How to create an Alert for Data Collection Rule deletion across all VMs in a subscription?


I'm trying to create an alert that will notify me whenever a Data Collection Rule (DCR) is deleted or removed from any Virtual Machine (VM) in my subscription. I want this to apply across all VMs, not just individual resources.

Here’s what I’ve tried so far:

I’ve used AzureActivity logs in Log Analytics to query for DCR deletion events.

Here’s the Kusto query I’ve used:

AzureActivity
| where OperationNameValue == "Microsoft.Insights/dataCollectionRules/delete"
| where ActivityStatusValue == "Succeeded"

I attempted to scope this query at the subscription level and set up an alert rule in Azure Monitor. However, I encountered some issues:

The query is not capturing the Data Collection Rule deletions as expected. I'm not sure if the OperationNameValue is correct or if there is a better way to detect DCR deletion across all resources.

What I’m Looking For:

• A working solution or example that sets up an alert rule to notify me when a Data Collection Rule is deleted across all VMs in my subscription.


Solution

    Below is the KQL query to verify when a Data Collection Rule is deleted across all the VMs in a subscription scope. Before executing the query, select the subscription scope: go to Log Analytics workspace >> Logs and set it as shown here.

    Query:

    AzureActivity
    | where OperationNameValue == "Microsoft.Insights/dataCollectionRules/delete"
    | where ActivityStatusValue == "Succeeded"
    | project TimeGenerated, Resource, ActivityStatus, ActivityStatusValue
    

    Once it is done, you can click on New alert rule as shown below to create an alert rule when the condition is triggered.

    The window below appears on the screen with your given query; set the alert options that are visible once you open this screen (e.g. threshold value).

    After that, you need to create an action group with the specific notification type for how the alert will be received by the user (either through an email or a message) as shown below.

    After checking every field, click on Review and create to proceed further.
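
A broader form of the alert query, added here as an example and not part of the original question or answer: it matches operation names and status values case-insensitively, and also covers removal of a rule's association from a VM. The association operation name, the two accepted status spellings, and the shape of `_ResourceId` are assumptions to verify against your own `AzureActivity` records.

```kql
// Added example (not from the original post).
// Assumption: stored operation names and status strings can differ in
// casing/spelling from what is typed in the query, so use in~ (case-insensitive).
let dcrOps = dynamic([
    "Microsoft.Insights/dataCollectionRules/delete",            // rule itself deleted (from the page)
    "Microsoft.Insights/dataCollectionRuleAssociations/delete"  // rule detached from a resource (assumed relevant)
]);
AzureActivity
| where OperationNameValue in~ (dcrOps)
| where ActivityStatusValue in~ ("Success", "Succeeded")        // accept either spelling (assumption)
// Assumption: for association deletes the resource ID embeds the VM's ID;
// VmId stays empty when the target is the rule itself.
| extend VmId = extract(@"(?i)^(.*?/virtualMachines/[^/]+)", 1, tostring(_ResourceId))
| project TimeGenerated, OperationNameValue, ActivityStatusValue,
          Caller, CallerIpAddress, SubscriptionId, ResourceGroup,
          _ResourceId, VmId, CorrelationId
| order by TimeGenerated desc
```

With the alert condition set to fire when the number of results is greater than 0, `Caller`, `CallerIpAddress` and `CorrelationId` give the responder the identity and request to investigate.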