
I have created an Activity Log Alert in Azure using the following Terraform code:

// We need to define the action group for Security Alerts
resource "azurerm_monitor_action_group" "monitor_action_group_soc" {
  name                = "sec-alert"
  resource_group_name = data.azurerm_resource_group.tenant-global.name
  short_name          = "sec-alert"

  email_receiver {
    name                    = "sendtoAdmin"
    email_address           = var.email_address
    use_common_alert_schema = true
  }
}

data "azurerm_monitor_action_group" "monitor_action_group_soc" {
  name                = "sec-alert"
  resource_group_name = var.tenant-global-rg

  depends_on = [
    azurerm_monitor_action_group.monitor_action_group_soc
  ]
}

// Monitor Activity Log and Alert
resource "azurerm_monitor_activity_log_alert" "activity_log_alert_cu_security_group" {
  name                = "Activity Log Alert for Create or Update Security Group"
  resource_group_name = data.azurerm_resource_group.ipz12-dat-np-mgmt-rg.name
  scopes              = [data.azurerm_subscription.current.id]
  description         = "Monitoring for Create or Update Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity"

  criteria {
    category       = "Security"
    operation_name = "Microsoft.Network/networkSecurityGroups/write"
  }

  action {
    action_group_id = data.azurerm_monitor_action_group.monitor_action_group_soc.id
  }
}


I have created the Network Security Group, added a rule, deleted the rule and finally deleted the Network Security Group, but I didn't receive any alerts.

One Developer
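An activity log alert only fires when every condition it sets (category, operation_name, and the resource falling under one of its scopes) holds for an activity log event. The following Python is an added example, not code from the question or the answer and not the azurerm provider's own matching logic: it evaluates those three conditions against a constructed sample of activity log events that follow the Activity Log event schema, covering the sequence the question describes (create NSG, add rule, delete rule, delete NSG). Subscription and resource IDs are placeholders, and case-insensitive comparison is this example's assumption. ARM write and delete operations such as networkSecurityGroups/write are recorded under the Administrative category, while the Security category carries Microsoft Defender for Cloud alerts, so the evaluator shows which events each variant of the rule would catch.

```python
"""Offline check of Azure Activity Log alert criteria against sample events.

Added example, not code from the question or the answer. It reproduces the
matching an activity log alert rule performs: category, operationName and
scope must all hold for an event before the action group is invoked.
"""
from dataclasses import dataclass, field
from typing import List

# Placeholder IDs (constructed, not real).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
NSG = SUB + ("/resourceGroups/example-rg/providers/"
             "Microsoft.Network/networkSecurityGroups/example-nsg")

# Constructed events in the order the question describes: create NSG, add a
# rule, delete the rule, delete the NSG. ARM write/delete operations are logged
# under the Administrative category; a Security-category event (a Defender for
# Cloud alert) is included for contrast. Field names follow the Activity Log
# event schema.
SAMPLE_EVENTS = [
    {"category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/write"},
     "resourceId": NSG, "status": {"value": "Succeeded"}},
    {"category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "resourceId": NSG + "/securityRules/allow-ssh", "status": {"value": "Succeeded"}},
    {"category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/delete"},
     "resourceId": NSG + "/securityRules/allow-ssh", "status": {"value": "Succeeded"}},
    {"category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/delete"},
     "resourceId": NSG, "status": {"value": "Succeeded"}},
    {"category": {"value": "Security"},
     "operationName": {"value": "Microsoft.Security/locations/alerts/activate/action"},
     "resourceId": SUB + "/providers/Microsoft.Security/locations/centralus/alerts/placeholder-alert-id",
     "status": {"value": "Active"}},
]


@dataclass
class ActivityLogAlert:
    """The fields of azurerm_monitor_activity_log_alert that decide a match."""
    category: str
    operation_name: str
    scopes: List[str] = field(default_factory=lambda: [SUB])


def in_scope(resource_id: str, scopes: List[str]) -> bool:
    """A scope is a resource-id prefix: a subscription, resource group or single resource."""
    rid = resource_id.lower()
    return any(rid == s.lower() or rid.startswith(s.lower().rstrip("/") + "/") for s in scopes)


def matches(rule: ActivityLogAlert, event: dict) -> bool:
    """All conditions must hold; comparison is case-insensitive (this example's assumption)."""
    category_ok = event["category"]["value"].lower() == rule.category.lower()
    operation_ok = event["operationName"]["value"].lower() == rule.operation_name.lower()
    return category_ok and operation_ok and in_scope(event["resourceId"], rule.scopes)


def fired_operations(rule: ActivityLogAlert, events: List[dict]) -> List[str]:
    """Operation names of the events that would invoke the rule's action group."""
    return [e["operationName"]["value"] for e in events if matches(rule, e)]


# The criteria exactly as written in the question: category "Security".
RULE_AS_POSTED = ActivityLogAlert(
    category="Security",
    operation_name="Microsoft.Network/networkSecurityGroups/write")
# Same operation name, under the category ARM write operations are logged in.
RULE_ADMINISTRATIVE = ActivityLogAlert(
    category="Administrative",
    operation_name="Microsoft.Network/networkSecurityGroups/write")
# Deleting the NSG is a different operation name and needs its own criteria.
RULE_DELETE = ActivityLogAlert(
    category="Administrative",
    operation_name="Microsoft.Network/networkSecurityGroups/delete")

if __name__ == "__main__":
    for label, rule in [("as posted", RULE_AS_POSTED),
                        ("administrative", RULE_ADMINISTRATIVE),
                        ("delete", RULE_DELETE)]:
        print(f"{label:15s} -> {fired_operations(rule, SAMPLE_EVENTS)}")
```

Run it directly to print the matches per rule. A rule whose category differs from the category the event is logged under never fires, whatever its scope, and each distinct operation name (write versus delete, NSG versus its securityRules) needs its own criteria block; scoping to the subscription ID, as the question does, covers every NSG beneath it.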

1 Answer


Azure Activity Log Alerts are not working:

These are the modifications I made to your code to achieve the expected result.

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "<resourcegroup>" {
  name     = "<resourcegroup>"
  location = "Central US"
}

resource "azurerm_monitor_action_group" "<actiongroup>" {
  name                = "sec-alert"
  resource_group_name = "<resourcegroup>"
  short_name          = "sec-alert"

  email_receiver {
    name                    = "xxxxx"
    email_address           = "xxxxxxx@gmail.com"
    use_common_alert_schema = true
  }
}

data "azurerm_monitor_action_group" "<actiongroup>" {
  name                = "sec-alert"
  resource_group_name = "<resourcegroup>"

  depends_on = [
    azurerm_monitor_action_group.<actiongroup>
  ]
}
resource "azurerm_monitor_activity_log_alert" "azurerm_monitor_activity_log_alert_securitygroup" {
  name                = "Activity Log Alert for Create or Update Security Group"
  resource_group_name = "<resourcegroup>"
  scopes              = [data.azurerm_subscription.current.id] #My scope is /subscriptions/<subscriptionID>/resourceGroups/<resourcegroup>/providers/Microsoft.Network/networkSecurityGroups/<NetworkSecurityGroup>
  description         = "Monitoring for Create or Update Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity"

  criteria {
    category       = "Security"
    operation_name = "Microsoft.Network/networkSecurityGroups/write"
  }

  action {
    action_group_id = data.azurerm_monitor_action_group.<actiongroup>.id
  }
}

Created the security alert by running "terraform apply" in Azure CLI.

Received a mail once it was added to the Network Security Group.

Jahnavi
  • Thank you for your time and suggestion. I see that you have updated the scope to a specific NSG; however, I want to alert at the Subscription level. I will give it another try. – One Developer Nov 03 '22 at 13:44
  • We can give scope accordingly for our subscription. – Jahnavi Nov 03 '22 at 13:51