You are an admin to many subscriptions, and for auditing purposes, you need to know when a new Windows VM on any one of your subscriptions has been created by other people. You might have to ask the creators about the type of license they have used on this Windows VM and that’s why you need to know.
This is a very typical scenario. There might be many ways to accomplish this but here are my steps to achieve it:
- Create a central Log Analytics Workspace
- Connect all your Azure Subscriptions Activity Logs to this workspace
- Create an Alert which sends you an email when a specific log pattern is discovered
1. Create a central Log Analytics Workspace
It is easily achievable via the Azure portal. Make sure you use the Free Tier because at least for this scenario, nothing more is needed:
2. Connect all your Azure Subscriptions Activity Logs to this workspace
Open the Log Analytics Workspace you just created. From the left menu, select Azure Activity Log and on the right pane, you should be able to see all your subscriptions:
Select one of them and click Connect. Repeat the same steps for all of them. This way you are sending all Activity Logs from all your subscriptions to this central Log Analytics Workspace:
3. Create an Alert which sends you an email when a specific log pattern is discovered
From the left menu click Logs. In the query space paste the following query:
AzureActivity | where OperationName contains "Create Deployment" and ResourceId contains "Windows" and ActivityStatus contains "Succeeded"
The query above lists the logs generated across all your subscriptions when new Windows VMs were deployed. If you just finished step 2 above, you may need to wait a little bit more before the logs downstream to Log Analytics. Also take note, the logs will appear onwards from the time you connected the subscriptions.
Click Save to save your query. (I don’t really go into the details on how to save it and how to create a query category. I trust you could learn to do it yourself. It is easy enough)
From the left menu on the Workspace click Alerts and then click New alert aule. On the RESOURCE section click Select and choose your Log Analytics workspace:
On the CONDITION section, click ADD CONDITION and then select your saved query and click Done. Under your Alert logic, make sure the threshold is set like below and depending on how often you want your rule to check the logs, select the Period and Frequency:
On the ACTION GROUPS section, click Create New and create a new action group. Select Email/SMS/Push/Voice as the ACTION TYPE and enter the recepient’s email address into the Email field. Also enter an Email subject line. Give your new aler a name and description and click Create alert rule.
You are pretty much done. Now when an Azure user deploys a new VM with Windows, you will receive an alert email with the information you need to know about that VM. Here is a screenshot of one of those emails: