Create Alert for "Delete Network Security Group Rule" Events

01 Sign in to Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the navigation panel, select Alerts to access all the notification alerts available in your Azure cloud account.

04 On the Alerts page, click on the Manage alert rules button from the dashboard top menu to access the alert rules management page.

05 On the Rules page, select the appropriate subscription from the Subscription filter box and the Enabled option from the Status dropdown list, to return all the active alert rules created in the selected Azure account subscription.

06 Click on the name of the alert rule that you want to examine.

07 On the selected alert rule configuration page, check the condition phrase available in the CONDITION section. If the phrase is different than Whenever the Administrative Activity Log "Delete Security Rule (networkSecurityGroups/securityRules)" has "any" level with "any" status and event is initiated by "any", the selected alert rule is not configured to detect "Delete Network Security Group Rule" events.

08 Repeat step no. 6 and 7 for the rest of the alert rules available within the selected subscription. If none of the verified rules contain the right condition, there are no activity log alerts created for "Delete Network Security Group Rule" events in the selected Azure cloud account subscription.

09 Repeat steps no. 5 – 8 for each subscription created in your Microsoft Azure cloud account.

01 Run monitor activity-log alert list command (Windows/macOS/Linux) using custom query filters to get the IDs of all the active activity log alert rules available within the current Azure subscription:

az monitor activity-log alert list
	--query '[?(enabled==`true`)].id'

02 The command output should return the requested activity log alert rule IDs:

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/Cloud Conformity Create Update NSG Rule Alert",
"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/Cloud Conformity Configuration Change Alert"
]

03 Run monitor activity-log alert show command (Windows/macOS/Linux) using the ID of the alert rule that you want to examine as identifier parameter and custom query filters to list the condition defined for the selected activity log alert rule:

az monitor activity-log alert show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/Cloud Conformity Create Update NSG Rule Alert"
	--query 'condition'

04 The command output should return the selected alert rule condition metadata:

{
  "allOf": [
    {
      "containsAny": null,
      "equals": "Policy",
      "field": "category",
      "odata.type": null
    },
    {
      "containsAny": null,
      "equals": "Microsoft.Network/networkSecurityGroups/securityRules/write",
      "field": "operationName",
      "odata.type": null
    }
  ],
  "odata.type": null
}

05 Repeat step no. 3 and 4 for the rest of the alert rules available in the current subscription. If none of the verified rules contain the right condition, there are no activity log alerts created for "Delete Network Security Group Rule" events in the selected Azure cloud account subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

01 Sign in to Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the navigation panel, select Alerts to access all the notification alerts available in your Azure cloud account.

04 On the Alerts page, click on the Manage alert rules button from the dashboard top menu to access the alert rules management page.

05 On the Rules page, select the Azure account subscription where you want to create the new alert rule from the Subscription filter box.

06 Click New alert rule button from the dashboard top menu to initiate the rule setup process.

07 On the Create rule page, perform the following actions:

1. In the RESOURCE section, click Select and configure the target that you wish to monitor. In this case, select the appropriate Azure account subscription, then click Done to complete this step.
2. In the CONDITION section, click Add to configure the alert rule condition. A condition is represented by a signal and its logic. On Configure signal logic panel, find and select the signal with the name Delete Security Rule (Microsoft.Network/networkSecurityGroups/securityRules). To get the right configuration for the selected condition (i.e. Whenever the Administrative Activity Log "Delete Security Rule (networkSecurityGroups/securityRules)" has "any" level with "any" status and event is initiated by "any"), leave the default settings available for the signal logic unchanged, then click Done.
3. In the ACTIONS section, click Select action group to choose an existing action group to attach to this alert rule or click Create action group button to create a new one. An action group is a collection of alert notification preferences defined for the selected Azure subscription. Azure Monitor alerts use action groups to notify users that an alert has been triggered.
4. In the ALERT DETAILS section, type a unique name for the new alert rule in the Alert rule name box, provide a short description in the Description box, and choose the resource group in which the alert will be created from the Save alert to resource group dropdown list.
5. Make sure that Enable rule upon creation option is set to Yes, then click Create alert rule to finish the rule setup process.

08 Repeat steps no. 5 – 7 for each subscription created in your Microsoft Azure cloud account.

01 Run monitor activity-log alert create command (Windows/macOS/Linux) to create a new Azure activity log alert for detecting "Delete Network Security Group Rule" events within the current Microsoft Azure cloud subscription:

az monitor activity-log alert create
	--name cc-delete-nsg-rule-alert
	--description "Alert triggered by Delete Network Security Group Rule events"
	--resource-group Default-ActivityLogAlerts
	--action-group "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/default-activitylogalerts/providers/microsoft.insights/actiongroups/cloudconformity%20action%20group"
	--condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/securityRules/delete

02 The command output should return the configuration metadata for the newly created alert:

{
  "actions": {
    "actionGroups": [
      {
        "actionGroupId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/default-activitylogalerts/providers/microsoft.insights/actiongroups/cloudconformity%20action%20group",
        "webhookProperties": null
      }
    ]
  },
  "condition": {
    "allOf": [
      {
        "containsAny": null,
        "equals": "Administrative",
        "field": "category",
        "odata.type": null
      },
      {
        "containsAny": null,
        "equals": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "field": "operationName",
        "odata.type": null
      }
    ],
    "odata.type": null
  },
  "description": "Alert triggered by Delete Network Security Group Rule events",
  "enabled": true,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/Default-ActivityLogAlerts/providers/microsoft.insights/activityLogAlerts/cc-delete-nsg-rule-alert",
  "identity": null,
  "kind": null,
  "location": "Global",
  "name": "cc-delete-nsg-rule-alert",
  "resourceGroup": "Default-ActivityLogAlerts",
  "scopes": [
    "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/Default-ActivityLogAlerts"
  ],
  "tags": {},
  "type": "Microsoft.Insights/ActivityLogAlerts"
}

03 Repeat step no. 1 and 2 for each subscription created within your Microsoft Azure cloud account.