1

I am trying to create a custom activity log alert rule, but no matter which method I try, it results in errors as below or the ARM template does not create the conditions specified even though its successful and cannot figure out what I need to do:

PowerShell code:

$RG = "Lab"
$location = 'Global'
$alertName = "Test Storage Account Administrative Operations"
$scope = "/subscriptions/[subID]/[RG]/providers/Microsoft.Storage/storageAccounts/staccountname"

$condition1 = New-AzActivityLogAlertCondition -Field 'Category' -Equal 'Administrative'
$condition2 = New-AzActivityLogAlertCondition -Field 'operationName' -Equal 'Microsoft.Storage/storageAccounts/blobServices/containers/write'

$dict = New-Object "System.Collections.Generic.Dictionary``2[System.String,System.String]"
$dict.Add('key1', 'Value1')
$actionGrp1 = New-AzActionGroup -ActionGroupId $actiongroupid -WebhookProperty $dict

set-AzActivityLogAlert -Location $location -Name $alertname -ResourceGroupName $rg -Scope $scope -Action $actionGrp1 -Condition $condition1, $condition2

PowerShell Error:

WARNING: 10:16:40 - *** The namespace for all the model classes will change from Microsoft.Azure.Management.Monitor.Management.Models to Microsoft.Azure.Management.Monitor.Models in future releases.
WARNING: 10:16:40 - *** The namespace for output classes will be uniform for all classes in future releases to make it independent of modifications in the model classes.
Set-AzActivityLogAlert: 
Line |
  12 |  set-AzActivityLogAlert -Location $location -Name $alertname -Resource …
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Exception type: ErrorResponseException, Message: Microsoft.Azure.Management.Monitor.Models.ErrorResponseException: Operation returned an invalid status code 'BadRequest'
   at Microsoft.Azure.Management.Monitor.ActivityLogAlertsOperations.CreateOrUpdateWithHttpMessagesAsync(String resourceGroupName, String activityLogAlertName, ActivityLogAlertResource activityLogAlert, Dictionary`2 customHeaders, CancellationToken cancellationToken)
   at Microsoft.Azure.Management.Monitor.ActivityLogAlertsOperationsExtensions.CreateOrUpdateAsync(IActivityLogAlertsOperations operations, String resourceGroupName, String activityLogAlertName, ActivityLogAlertResource activityLogAlert, CancellationToken cancellationToken)
   at Microsoft.Azure.Management.Monitor.ActivityLogAlertsOperationsExtensions.CreateOrUpdate(IActivityLogAlertsOperations operations, String resourceGroupName, String activityLogAlertName, ActivityLogAlertResource activityLogAlert)     
   at Microsoft.Azure.Commands.Insights.ActivityLogAlert.SetAzureRmActivityLogAlertCommand.ProcessRecordInternal()
   at Microsoft.Azure.Commands.Insights.MonitorCmdletBase.ExecuteCmdlet(), Code: Null, Status code:Null, Reason phrase: Null

ARM template code:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "activityLogAlertName": {
            "defaultValue": "Test1",
            "type": "String",
            "metadata": {
                "description": "Unique name (within the Resource Group) for the Activity log alert."
            }
        },
        "activityLogAlertEnabled": {
            "defaultValue": true,
            "type": "Bool",
            "metadata": {
                "description": "Indicates whether or not the alert is enabled."
            }
        },
        "actionGroupResourceId": {
            "defaultValue": "/subscriptions/[subID]]/resourceGroups/FLab/providers/microsoft.insights/actionGroups/actiongroup2",
            "type": "String",
            "metadata": {
                "description": "Resource Id for the Action group."
            }
        },
        "condition1": {
            "defaultValue": "Administrative",
            "type": "String",
            "metadata": {
                "description": "condition value"
            }
        },
        "condition2": {
            "defaultValue": "Microsoft.Storage/storageAccounts/blobServices/containers/write",
            "type": "String",
            "metadata": {
                "description": "condition value"
            }
        },
        "condition3": {
            "defaultValue": "Microsoft.Storage/storageAccounts/blobServices/containers",
            "type": "String",
            "metadata": {
                "description": "condition value"
            }
        },
        "condition4": {
            "defaultValue": "Succeeded",
            "type": "String",
            "metadata": {
                "description": "condition value"
            }
        },
        "condition5": {
            "defaultValue": "Created",
            "type": "String",
            "metadata": {
                "description": "condition value"
            }
        }
    },
    "resources": [
        {
            "type": "Microsoft.Insights/activityLogAlerts",
            "apiVersion": "2017-04-01",
            "name": "[parameters('activityLogAlertName')]",
            "location": "Global",
            "properties": {
                "enabled": "[parameters('activityLogAlertEnabled')]",
                "scopes": [
                    "[subscription().id]"
                ],
                "condition": {
                    "allOf": [
                        {
                            "field": "Category",
                            "equals": "[parameters('condition1')]"
                        },
                        {
                            "field": "operationName",
                            "equals": "[parameters('condition2')]"
                        },
                        {
                            "field": "resourceType",
                            "equals": "[parameters('condition3')]"
                        },
                        {
                            "field": "Status",
                            "equals": "[parameters('condition4')]"
                        },
                        {
                            "field": "subStatus",
                            "equals": "[parameters('condition5')]"
                        }
                    ]
                },
                "actions": {
                    "actionGroups": [
                        {
                            "actionGroupId": "[parameters('actionGroupResourceId')]"
                        }
                    ]
                }
            }
        }
    ]
}

ARM template result: enter image description here

Automation account runbook:

$RG = "Lab"
$location = 'Global'
$alertName = "Test Storage Account Administrative Operations"
$scope = "/subscriptions/[subID]/[RG]/providers/Microsoft.Storage/storageAccounts/staccountname"

$condition1 = New-AzActivityLogAlertCondition -Field 'Category' -Equal 'Administrative'
$condition2 = New-AzActivityLogAlertCondition -Field 'operationName' -Equal 'Microsoft.Storage/storageAccounts/blobServices/containers/write'

$dict = New-Object "System.Collections.Generic.Dictionary``2[System.String,System.String]"
$dict.Add('key1', 'Value1')
$actionGrp1 = New-AzActionGroup -ActionGroupId $actiongroupid -WebhookProperty $dict

set-AzActivityLogAlert -Location $location -Name $alertname -ResourceGroupName $rg -Scope $scope -Action $actionGrp1 -Condition $condition1, $condition2

Automation Account error:

10:27:45 AM - *** The namespace for all the model classes will change from 
Microsoft.Azure.Management.Monitor.Management.Models to Microsoft.Azure.Management.Monitor.Models in future releases.
10:27:45 AM - *** The namespace for output classes will be uniform for all classes in future releases to make it 
independent of modifications in the model classes.
set-AzActivityLogAlert : Exception type: MissingMethodException, Message: System.MissingMethodException: Method not 
found: 'System.String 
Microsoft.WindowsAzure.Commands.Utilities.Common.GeneralUtilities.GetLog(System.Net.Http.HttpRequestMessage)'.
   at Microsoft.Azure.Commands.ResourceManager.Common.ServiceClientTracingInterceptor.SendRequest(String invocationId, 
HttpRequestMessage request)
   at Microsoft.Rest.ServiceClientTracing.SendRequest(String invocationId, HttpRequestMessage request)
   at 
Microsoft.Azure.Management.Monitor.ActivityLogAlertsOperations.<CreateOrUpdateWithHttpMessagesAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.Management.Monitor.ActivityLogAlertsOperationsExtensions.<CreateOrUpdateAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at 
Microsoft.Azure.Management.Monitor.ActivityLogAlertsOperationsExtensions.CreateOrUpdate(IActivityLogAlertsOperations 
operations, String resourceGroupName, String activityLogAlertName, ActivityLogAlertResource activityLogAlert)
   at Microsoft.Azure.Commands.Insights.ActivityLogAlert.SetAzureRmActivityLogAlertCommand.ProcessRecordInternal()
   at Microsoft.Azure.Commands.Insights.MonitorCmdletBase.ExecuteCmdlet(), Code: Null, Status code:Null, Reason phrase: 
Null
At line:24 char:1
+ set-AzActivityLogAlert -Location $location -Name $alertname -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzActivityLogAlert], PSInvalidOperationException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Insights.ActivityLogAlert.SetAzureRmActivityLogAlertCommand

References:

set-azactivitylogalert method -

https://docs.microsoft.com/en-us/powershell/module/az.monitor/set-azactivitylogalert?view=azps-5.4.0

ARM template method -

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-activity-log#azure-resource-manager-template

Any help on this would be great!

i2D
  • 21
  • 3

1 Answers1

0

OK I managed to figure out how to create this rule, only option that works is a JSON template deployment, my example below:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "activityLogAlertName": {
            "defaultValue": "Test rule name",
            "type": "String",
            "metadata": {
                "description": "Unique name (within the Resource Group) for the Activity log alert."
            }
        },
        "activityLogAlertEnabled": {
            "defaultValue": true,
            "type": "Bool",
            "metadata": {
                "description": "Indicates whether or not the alert is enabled."
            }
        },
        "actionGroupResourceId": {
            "defaultValue": "/subscriptions/{SUBID}/resourceGroups/{RG}/providers/microsoft.insights/actionGroups/actiongroup1",
            "type": "String",
            "metadata": {
                "description": "Resource Id for the Action group."
            }
        },
        "Category": {
            "defaultValue": "Administrative",
            "type": "String",
            "metadata": {
                "description": "category value"
            }
        },
        "Level": {
            "defaultValue": "Informational",
            "type": "String",
            "metadata": {
                "description": "level value"
            }
        },
        "operationName": {
            "defaultValue": "Microsoft.Storage/storageAccounts/blobServices/containers/write",
            "type": "String",
            "metadata": {
                "description": "operationName value"
            }
        },
        "Status": {
            "defaultValue": "Succeeded",
            "type": "String",
            "metadata": {
                "description": "Status value"
            }
        },
        "subStatus": {
            "defaultValue": "Created",
            "type": "String",
            "metadata": {
                "description": "subStatus value"
            }
        },
        "resourceType": {
            "defaultValue": "Microsoft.Storage/storageAccounts/blobServices/containers",
            "type": "String",
            "metadata": {
                "description": "resourceType value"
            }
        }
    },
    "resources": [
        {
            "type": "Microsoft.Insights/activityLogAlerts",
            "apiVersion": "2017-04-01",
            "name": "[parameters('activityLogAlertName')]",
            "location": "Global",
            "properties": {
                "enabled": "[parameters('activityLogAlertEnabled')]",
                "scopes": [
                    "/subscriptions/{SUBID}/resourceGroups/{RG}/providers/Microsoft.Storage/storageAccounts/STAccountName"
                ],
                "condition": {
                    "allOf": [
                        {
                            "field": "Category",
                            "equals": "[parameters('Category')]"
                        },
                        {
                            "field": "Level",
                            "equals": "[parameters('Level')]"
                        },
                        {
                            "field": "operationName",
                            "equals": "[parameters('operationName')]"
                        },
                        {
                            "field": "Status",
                            "equals": "[parameters('Status')]"
                        },
                        {
                            "field": "subStatus",
                            "equals": "[parameters('subStatus')]"
                        }
                    ]
                },
                "actions": {
                    "actionGroups": [
                        {
                            "actionGroupId": "[parameters('actionGroupResourceId')]"
                        }
                    ]
                }
            }
        }
    ]
}
i2D
  • 21
  • 3