I'm trying to create an alert that will notify me whenever a Data Collection Rule (DCR) is deleted or removed from any Virtual Machine (VM) in my subscription. I want this to apply across all VMs, not just individual resources.
Here’s what I’ve tried so far:
I’ve used AzureActivity logs in Log Analytics to query for DCR deletion events.
Here’s the Kusto query I’ve used:
```kusto
AzureActivity
| where OperationNameValue == "Microsoft.Insights/dataCollectionRules/delete"
| where ActivityStatusValue == "Succeeded"
```
I attempted to scope this query at the subscription level and set up an alert rule in Azure Monitor. However, I encountered some issues:
The query is not capturing the Data Collection Rule deletions as expected. I'm not sure if the OperationNameValue is correct or if there is a better way to detect DCR deletion across all resources.
What I’m Looking For:
- A working solution for example that sets up an alert rule to notify me when a Data Collection Rule is deleted across all VMs in my subscription.
Below is the KQL query to verify when a Data Collection Rule is deleted across all the VMs in a subscription scope. Before executing the query, select the subscription scope: go to Log Analytics workspace >> Logs and set it as shown here.
Query:
```kusto
AzureActivity
| where OperationNameValue == "Microsoft.Insights/dataCollectionRules/delete"
| where ActivityStatusValue == "Succeeded"
| project TimeGenerated, Resource, ActivityStatus, ActivityStatusValue
```
Once it is done, you can click on New alert rule as shown below to create an alert rule when the condition is triggered.
The window below appears on the screen with your given query; set the alert options that are visible once you open this screen (e.g., threshold value).
After that, you need to create an action group with the specific notification type for how the alert will be received by the user (either through an email or a message), as shown below.
After checking every field, click on Review and create to proceed further.
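A more tolerant variant of the query above, as an added example that is not part of the original question or answer: it matches the operation name case-insensitively and also covers `Microsoft.Insights/dataCollectionRuleAssociations/delete`, the operation for removing a DCR from a resource such as a VM. It assumes the workspace may record the status as either `Success` or `Succeeded`; the `SampleActivity` table, the caller addresses and the resource IDs are constructed sample data.

```kusto
// Constructed rows standing in for AzureActivity so the filter can be tested offline.
let SampleActivity = datatable(TimeGenerated:datetime, OperationNameValue:string,
                               ActivityStatusValue:string, Caller:string, _ResourceId:string)
[
    // DCR deleted; operation name stored in upper case
    datetime(2024-01-10 09:00:00), "MICROSOFT.INSIGHTS/DATACOLLECTIONRULES/DELETE", "Success",
        "admin@example.com",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.insights/datacollectionrules/dcr-demo",
    // DCR association removed from a VM
    datetime(2024-01-10 09:05:00), "Microsoft.Insights/dataCollectionRuleAssociations/delete", "Succeeded",
        "admin@example.com",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.compute/virtualmachines/vm-demo",
    // Same operation, but only the start event: must not fire the alert
    datetime(2024-01-10 09:04:59), "MICROSOFT.INSIGHTS/DATACOLLECTIONRULEASSOCIATIONS/DELETE", "Start",
        "admin@example.com",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.compute/virtualmachines/vm-demo",
    // Unrelated write operation: must not fire the alert
    datetime(2024-01-10 09:10:00), "MICROSOFT.INSIGHTS/DATACOLLECTIONRULES/WRITE", "Success",
        "ops@example.com",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.insights/datacollectionrules/dcr-demo"
];
// Operations that remove a DCR or detach it from a resource.
let DcrDeleteOps = dynamic([
    "Microsoft.Insights/dataCollectionRules/delete",
    "Microsoft.Insights/dataCollectionRuleAssociations/delete"
]);
// Assumption: completed operations may be logged as "Success" or "Succeeded".
let SuccessValues = dynamic(["Success", "Succeeded"]);
SampleActivity                      // replace with AzureActivity in a real workspace
| where OperationNameValue in~ (DcrDeleteOps)      // in~ compares case-insensitively
| where ActivityStatusValue in~ (SuccessValues)
| extend Change = iff(OperationNameValue has "dataCollectionRuleAssociations",
                      "DCR detached from resource", "DCR deleted")
| project TimeGenerated, Change, Caller, _ResourceId, ActivityStatusValue
| order by TimeGenerated desc
```

Against the sample rows this returns the 09:05 association removal and the 09:00 rule deletion only. Projecting `Caller` and `_ResourceId` lets the alert notification show who made the change and which rule or VM was affected.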