Azure Activity Log Event Monitor Reference Guide

Azure Activity Log Event Monitor

Collects and reports on data from your Azure Activity Log.

Overview

The Azure Activity Log Event Monitor keeps track of your Microsoft Azure activity logs. It lets you set alerts based on the initiator, status or category of Azure activity log events.

Use Cases

  • Receiving alerts about activity in your Azure account

Monitoring Options

This event monitor provides the following options:

Authentication

Select an authentication profile of the Microsoft Azure Credentials type or use specific values for Subscription ID, Application (client) ID, Directory (tenant) ID, and Client Secret Value.

Subscription ID

Enter the subscription ID associated with the activity log you want to monitor.

Application (Client) ID

Enter the client ID associated with the activity log you want to monitor.

Directory (Tenant) ID

Enter the tenant ID associated with the activity log you want to monitor.

Client Secret Value

Enter the client secret value associated with the activity log you want to monitor.

Alert with [Info/Warning/Error/Critical] if Microsoft Azure is unreachable

Use this option to alert you if the event monitor is unable to connect to Microsoft Azure. Reasons for a failure to connect include invalid security tokens and loss of external network access.

Alert with [Info/Warning/Error/Critical] when specific events are found

Under this option, you can enter specific events that will trigger an alert of your choosing. Select the event level(s) that will trigger an alert using the check boxes provided.

Under "Event Initiator", you can choose to filter by the event initiator. Enter each event initiator on a new line of the provided text box.

Under "Category", you can choose the categories that will trigger an alert. Enter each new category on a new line of the provided text box.

Show the first [#] matching event logs

This option lets you choose how many matching event logs to display in the event text each time the event monitor runs.
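
The level, initiator and category filters and the "first [#] matching" limit described above, as an added Python example that is not the product's own code. It assumes the field names of Activity Log records returned by the Azure Monitor REST API (`caller`, `level`, `category.value`); the sample records, the `match_events` helper, and the matching rules (criteria combined with AND, case-insensitive exact match, an empty text box means no filter) are assumptions for illustration.

```python
# Added example: constructed records shaped like Azure Activity Log entries
# from the Azure Monitor REST API, trimmed to the fields the filter reads.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-05-01T10:00:00Z", "level": "Informational",
     "caller": "alice@example.com", "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"}},
    {"eventTimestamp": "2024-05-01T10:05:00Z", "level": "Error",
     "caller": "11111111-2222-3333-4444-555555555555",  # constructed app ID
     "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"}},
    {"eventTimestamp": "2024-05-01T10:07:00Z", "level": "Warning",
     "caller": "alice@example.com", "category": {"value": "Policy"},
     "operationName": {"value": "Microsoft.Authorization/policies/audit/action"}},
    {"eventTimestamp": "2024-05-01T10:09:00Z", "level": "Error",
     "caller": "bob@example.com", "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Storage/storageAccounts/delete"}},
    {"eventTimestamp": "2024-05-01T10:12:00Z", "level": "Critical",
     "category": {"value": "ServiceHealth"},  # constructed: no caller present
     "operationName": {"value": "Microsoft.ServiceHealth/incident/action"}},
]


def _norm(lines):
    """Lower-case and trim filter entries, dropping blank lines."""
    return {s.strip().lower() for s in lines if s.strip()}


def match_events(events, levels, initiators_text="", categories_text="", limit=5):
    """Return (shown, total): the first `limit` matches, oldest first, and the match count.

    Assumed semantics (hypothetical, not documented on the page): filters are
    ANDed, compared case-insensitively, and an empty text box disables that filter.
    """
    want_levels = _norm(levels)
    want_callers = _norm(initiators_text.splitlines())   # one initiator per line
    want_cats = _norm(categories_text.splitlines())      # one category per line
    matches = []
    for ev in sorted(events, key=lambda e: e["eventTimestamp"]):
        caller = (ev.get("caller") or "").lower()         # some records have no caller
        category = ((ev.get("category") or {}).get("value") or "").lower()
        if (ev.get("level") or "").lower() not in want_levels:
            continue
        if want_callers and caller not in want_callers:
            continue
        if want_cats and category not in want_cats:
            continue
        matches.append(ev)
    return matches[:limit], len(matches)
```

Under these assumptions, a record without a `caller` never matches once an initiator filter is set, so alerts on such events need the initiator box left empty.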

Authentication and Security

First, you'll need to create an app registration to add to your event monitor's authentication profile. Information on how to do this can be found in our "Creating an Azure Authentication Profile" article.

Your event monitor will also need Reader permissions at the subscription level. To configure this, go to your Azure portal and click Subscriptions > [Your Subscription] > Access Control (IAM) > Add Role Assignment, then search for "Reader". Finally, add your app registration as a member and click "Review and Assign".

Protocols

Data Points

This event monitor does not generate any data points.

Sample Output
