Skip to content

Add policy - Deploy Activity Log Alert for the selected category and operation name #526

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mitramcc wants to merge 15 commits into
base: main
Choose a base branch
from
Open

Add policy - Deploy Activity Log Alert for the selected category and operation name #526

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
d80fff2
add 2 Virtual Machines AMA related policies for cross subscription su…
hribeiro-msft Mar 19, 2024
f0928ef
add 2 windows vmss AMA related policies for cross subscription suppor…
hribeiro-msft Mar 19, 2024
f4c4112
adjust descriptions
hribeiro-msft Mar 20, 2024
e1e8c05
add 2 Linux AMA related policies for cross subscription supportability
hribeiro-msft Mar 20, 2024
df8d493
rename effect
hribeiro-msft Mar 20, 2024
cbfb230
rename effect
hribeiro-msft Mar 20, 2024
2d2ea30
rename effect
hribeiro-msft Mar 20, 2024
0cb53f1
rename display Name and descriptions
hribeiro-msft May 2, 2024
db7b7d2
Merge branch 'Azure:main' into main
mitramcc Jan 17, 2025
f356baa
Add policy Enforce tag Name and Value casing on resource groups and s…
hribeiro-msft Jan 17, 2025
5ac0dd9
change the guid
hribeiro-msft Jan 20, 2025
f2f8c16
change the guid
hribeiro-msft Jan 28, 2025
48f8a3c
fix policy logic, activity log for selected category and operation name
hribeiro-msft Feb 13, 2026
5ac7886
Merge branch 'Azure:main' into main
mitramcc Feb 13, 2026
ef646b4
fix policy logic, activity log for selected category and operation name
hribeiro-msft Feb 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
328 changes: 328 additions & 0 deletions .../Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,328 @@
{
"name": "1a30544f-d89d-42ee-9e74-7f8176772c3d",
"type": "Microsoft.Authorization/policyDefinitions",
"properties": {
"displayName": "Deploy Activity Log Alert for the selected category and operation name",
"description": "Deploy Activity Log Alert for the selected category and operation name",
"metadata": {
"version": "1.0.0",
"category": "Monitoring"
},
"mode": "All",
"parameters": {
"actionGroupResourceId": {
"type": "string",
"metadata": {
"description": "Name for the Action group.",
"displayName": "Action Group Resource ID"
}
},
"activityLogAlertName": {
"type": "string",
"metadata": {
"description": "Name for the Activity log alert.",
"displayName": "Alert Name"
}
},
"appendSubscriptionNameAsPrefix": {
"type": "boolean",
"metadata": {
"description": "Append the Subscription Name to the parameter for the name of the Activity log alert and for the rg name.",
"displayName": "Append Subscription Name as Prefix"
},
"defaultValue": false,
"allowedValues":[
true,
false
]
},
"activityLogCategory": {
"type": "string",
"metadata": {
"description": "Category for the Activity log alert.",
"displayName": "Alert Category"
},
"allowedValues": [
"Administrative",
"Security",
"ServiceHealth",
"Alert",
"Recommendation",
"Policy",
"Autoscale",
"ResourceHealth"
],
"defaultValue": "Administrative"
},
"activityLogOperationName": {
"type": "string",
"metadata": {
"description": "Operation Name for the Activity log alert. format: Microsoft.Provider/resourceType/actionOrOperation examples: Microsoft.Sql/servers/firewallRules/write, Microsoft.Security/policies/write",
"displayName": "Alert Operation Name"
}
},
"activityLogAlertResourceGroupName": {
"type": "string",
"metadata": {
"description": "This is the name of the Resource Group that will contain the Activity log alert resource.",
"displayName": "Alert Resource Group Name"
}
},
"activityLogAlertResourceGroupLocation": {
"type": "string",
"metadata": {
"description": "This is the location of the Resource Group that will contain the Activity log alert resource.",
"displayName": "Alert Resource Group Location",
"strongType": "location"
},
"defaultValue": "northeurope"
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy"
},
"allowedValues": [
"DeployIfNotExists",
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.resources/subscriptions"
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Insights/activityLogAlerts",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Insights/ActivityLogAlerts/enabled",
"equals": "true"
},
{
"count": {
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
"where": {
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
"equals": "category"
},
{
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
"equals": "[parameters('activityLogCategory')]"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
"equals": "operationName"
},
{
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
"equals": "[parameters('activityLogOperationName')]"
}
]
}
]
}
},
"equals": 2
},
{
"not": {
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
"equals": "category"
}
},
{
"not": {
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
"equals": "operationName"
}
}
]
},
"deploymentScope": "subscription",
"resourceGroupName":"[if(parameters('appendSubscriptionNameAsPrefix'), concat(subscription().displayName,'-', parameters('activityLogAlertResourceGroupName')), parameters('activityLogAlertResourceGroupName'))]",
"deployment": {
"location": "eastus",
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"activityLogAlertResourceGroupName": {
"type": "string"
},
"activityLogAlertResourceGroupLocation": {
"type": "string"
},
"actionGroupResourceId": {
"type": "string"
},
"activityLogAlertName": {
"type": "string"
},
"activityLogCategory": {
"type": "string"
},
"activityLogOperationName": {
"type": "string"
},
"appendSubscriptionNameAsPrefix": {
"type": "bool"
}
},
"variables": {
"createRg": "[concat('deployRG-', uniqueString(deployment().name))]",
"createAlert": "[concat('deployAlert-', uniqueString(deployment().name))]",
"alertRGNAme": "[if(parameters('appendSubscriptionNameAsPrefix'), concat(subscription().displayName,'-', parameters('activityLogAlertResourceGroupName')), parameters('activityLogAlertResourceGroupName'))]"
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2022-09-01",
"name": "[variables('alertRGNAme')]",
"location": "[parameters('activityLogAlertResourceGroupLocation')]"
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "[variables('createAlert')]",
"resourceGroup": "[variables('alertRGNAme')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups', variables('alertRGNAme'))]"
],
"properties": {
"expressionEvaluationOptions": {
"scope": "inner"
},
"mode": "Incremental",
"parameters": {
"activityLogAlertName": {
"value": "[trim(parameters('activityLogAlertName'))]"
},
"actionGroupResourceId": {
"value": "[trim(parameters('actionGroupResourceId'))]"
},
"activityLogCategory": {
"value": "[parameters('activityLogCategory')]"
},
"activityLogOperationName": {
"value": "[trim(parameters('activityLogOperationName'))]"
},
"appendSubscriptionNameAsPrefix": {
"value": "[parameters('appendSubscriptionNameAsPrefix')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"actionGroupResourceId": {
"type": "string"
},
"activityLogAlertName": {
"type": "string"
},
"activityLogCategory": {
"type": "string"
},
"activityLogOperationName": {
"type": "string"
},
"appendSubscriptionNameAsPrefix": {
"type": "bool"
}
},
"variables": {
"alertName": "[if(parameters('appendSubscriptionNameAsPrefix'), concat(subscription().displayName,'-', parameters('activityLogAlertName')), parameters('activityLogAlertName'))]"
},
"resources": [
{
"type": "Microsoft.Insights/activityLogAlerts",
"apiVersion": "2017-04-01",
"name": "[substring(variables('alertName') ,0 , min(createArray(length(variables('alertName')), 259)))]",
"location": "Global",
"properties": {
"enabled": true,
"scopes": [
"[subscription().id]"
],
"condition": {
"allOf": [
{
"field": "category",
"equals": "[parameters('activityLogCategory')]"
},
{
"field": "operationName",
"equals": "[parameters('activityLogOperationName')]"
}
]
},
"actions": {
"actionGroups": [
{
"actionGroupId": "[parameters('actionGroupResourceId')]"
}
]
}
}
}
]
}
}
}
]
},
"parameters": {
"activityLogAlertName": {
"value": "[trim(parameters('activityLogAlertName'))]"
},
"actionGroupResourceId": {
"value": "[trim(parameters('actionGroupResourceId'))]"
},
"activityLogCategory": {
"value": "[parameters('activityLogCategory')]"
},
"activityLogOperationName": {
"value": "[trim(parameters('activityLogOperationName'))]"
},
"appendSubscriptionNameAsPrefix": {
"value": "[parameters('appendSubscriptionNameAsPrefix')]"
},
"activityLogAlertResourceGroupName": {
"value": "[parameters('activityLogAlertResourceGroupName')]"
},
"activityLogAlertResourceGroupLocation": {
"value": "[parameters('activityLogAlertResourceGroupLocation')]"
}
}
}
}
}
}
}
}
}
Loading
Loading