This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

Alert on Vm creation (not deletion)

Question
0

Sign in to vote
Hello,

I have created an Alert based on the "Create or Update Virtual Machine" OperationName, the problem it also alerts on other Vm related activities as Vm deletion.

Is it possible to create an alert only on Vm creation?

Thank you.
- Edited by CloudMe Wednesday, August 21, 2019 12:12 PM
Wednesday, August 21, 2019 12:11 PM

Answers

0

Sign in to vote
Hi CloudMe,

Yes, it is possible.

If you have enabled sending Azure Activity logs to an Azure Log Analytics workspace then query to check only VM's creation would be something like shown below.

AzureActivity| where (OperationNameValue == "Microsoft.Compute/virtualMachines/write") and (ActivitySubstatusValue == "Created")

Similarly, query to check only VM's deletion would be something like shown below.

AzureActivity| where (OperationNameValue == "Microsoft.Compute/virtualMachines/delete") and (ActivitySubstatusValue == "Accepted")

Hope this helps!!
- Proposed as answer by KrishnaG - MSFTMicrosoft employee Wednesday, August 21, 2019 7:34 PM
- Edited by KrishnaG - MSFTMicrosoft employee Wednesday, August 21, 2019 7:34 PM
- Marked as answer by CloudMe Wednesday, August 21, 2019 11:33 PM
Wednesday, August 21, 2019 7:33 PM

All replies

0

Sign in to vote
Hi CloudMe,

Yes, it is possible.

If you have enabled sending Azure Activity logs to an Azure Log Analytics workspace then query to check only VM's creation would be something like shown below.

AzureActivity| where (OperationNameValue == "Microsoft.Compute/virtualMachines/write") and (ActivitySubstatusValue == "Created")

Similarly, query to check only VM's deletion would be something like shown below.

AzureActivity| where (OperationNameValue == "Microsoft.Compute/virtualMachines/delete") and (ActivitySubstatusValue == "Accepted")

Hope this helps!!
- Proposed as answer by KrishnaG - MSFTMicrosoft employee Wednesday, August 21, 2019 7:34 PM
- Edited by KrishnaG - MSFTMicrosoft employee Wednesday, August 21, 2019 7:34 PM
- Marked as answer by CloudMe Wednesday, August 21, 2019 11:33 PM
Wednesday, August 21, 2019 7:33 PM
0

Sign in to vote
Hope this helps!!

Absolutely, Thank you !
- Edited by CloudMe Wednesday, August 21, 2019 11:34 PM
Wednesday, August 21, 2019 11:33 PM