I created an alert on the activity log as described in this link.

There is an option to set the Event initiated by filter to any email id or "All users and services". Is there a way to set it to "All users only" (and not any service/service principal)? Basically, I want to trigger an alert if any user changes a setting, and not a service principal.

Garima
  • Can you add some steps on how you create the alert? – Ivan Glasenberg Jul 08 '20 at 08:52
  • @IvanYang done. I have added a screenshot and the highlighted part is where I am looking to select all users (not services) – Garima Jul 08 '20 at 09:08
  • Are the users in this format like xxx@xxx.com? If yes, I think it's easy to do that via custom log query, I will take a look next day :) – Ivan Glasenberg Jul 08 '20 at 09:55
  • @IvanYang yes they are of type xxx@xx.com – Garima Jul 13 '20 at 07:29
  • If that's the case, you can go to Azure Monitor in the Azure portal -> Logs -> in Logs, make sure to select the proper scope -> then write a query like the one below: `AzureActivity | where Caller contains "@"`, then run the query -> click `New alert rule`. Then you can create this kind of alert :) – Ivan Glasenberg Jul 13 '20 at 09:28
  • Thanks, will try this! – Garima Jul 29 '20 at 08:47

1 Answer

Unfortunately, this isn't supported in Activity Log Alerts. Activity Log Alerts does a string compare on the values of the rule and the event, so it needs explicit (or no) values.

Possible workaround: if you have the list of all users' emails, you can create an alert rule with containsAny via an ARM template. Otherwise, Log Search Alerts should work.

Tami Ruas