Description:
Create an activity log alert for the Delete Network Security Group event.
Rationale:
Monitoring for "Delete Network Security Group" events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.
From Azure Portal
From Azure CLI
az monitor activity-log alert create --resource-group "<resource group name>" --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/delete and level=<verbose | information | warning | error | critical> --scope "/subscriptions/<subscription ID>" --name "<activity log alert rule name>" --subscription <subscription ID> --action-group <action group ID> --location global
From PowerShell
Create the 'Conditions' object.
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Network/networkSecurityGroups/delete -Field operationName
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level
Retrieve the 'Action Group' information and store in a variable, then create the 'Actions' object.
$actionGroup = Get-AzActionGroup -ResourceGroupName <resource group name> -Name <action group name>
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id
Create the 'Scope' object.
$scope = "/subscriptions/<subscription ID>"
Create the 'Activity Log Alert Rule' for 'Microsoft.Network/networkSecurityGroups/delete'.
New-AzActivityLogAlert -Name "<activity log alert rule name>" -ResourceGroupName "<resource group name>" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription <subscription ID> -Enabled $true
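Added example, not part of the original recommendation: a Python audit that checks whether any existing rule actually covers the Delete Network Security Group event, and reports why a rule that looks right does not (disabled, scoped below the subscription, wrong operation, or no action group). It assumes the field names (name, enabled, scopes, condition.allOf, actions.actionGroups) of the JSON returned by az monitor activity-log alert list; the subscription ID, action group ID, sample records and function names are constructed for illustration.

```python
"""Audit activity log alert rules for an effective 'Delete Network Security Group' alert."""

SUB = "00000000-0000-0000-0000-000000000000"  # constructed subscription ID
NSG_DELETE = "Microsoft.Network/networkSecurityGroups/delete"
# Constructed action group resource ID
AG_ID = f"/subscriptions/{SUB}/resourceGroups/rg-sec/providers/microsoft.insights/actionGroups/secops"

def make_alert(name, op=NSG_DELETE, enabled=True, scope=f"/subscriptions/{SUB}", groups=(AG_ID,)):
    """Build one constructed record in the assumed shape of the CLI's JSON output."""
    return {
        "name": name, "enabled": enabled, "scopes": [scope],
        "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                                {"field": "operationName", "equals": op}]},
        "actions": {"actionGroups": [{"actionGroupId": g} for g in groups]},
    }

# Constructed sample: one effective rule and four that look right but are not.
SAMPLE = [
    make_alert("nsg-delete-ok"),
    make_alert("nsg-delete-disabled", enabled=False),
    make_alert("nsg-delete-rg-only", scope=f"/subscriptions/{SUB}/resourceGroups/rg-app"),
    make_alert("nsg-write", op="Microsoft.Network/networkSecurityGroups/write"),
    make_alert("nsg-delete-no-action", groups=()),
]

def findings(alert, subscription_id):
    """Return the reasons a rule does not satisfy the control (empty list means it does)."""
    leaves = (alert.get("condition") or {}).get("allOf") or []
    cond = {str(c.get("field", "")).lower(): str(c.get("equals", "")).lower() for c in leaves}
    want_scope = f"/subscriptions/{subscription_id}".lower()
    scopes = [s.lower().rstrip("/") for s in alert.get("scopes") or []]
    problems = []
    if cond.get("category") != "administrative":
        problems.append("category is not Administrative")
    if cond.get("operationname") != NSG_DELETE.lower():
        problems.append("operationName is not the NSG delete operation")
    if alert.get("enabled") is not True:
        problems.append("rule is disabled")
    if want_scope not in scopes:
        problems.append("not scoped to the whole subscription")
    if not (alert.get("actions") or {}).get("actionGroups"):
        problems.append("no action group attached")
    return problems

def effective_rules(alerts, subscription_id):
    """Names of the rules that fully cover NSG deletion for the subscription."""
    return [a["name"] for a in alerts if not findings(a, subscription_id)]

if __name__ == "__main__":
    for alert in SAMPLE:
        print(f"{alert['name']}: {', '.join(findings(alert, SUB)) or 'OK'}")
```

To audit a real subscription, load the saved JSON output of az monitor activity-log alert list with json.load and pass it to effective_rules in place of SAMPLE; an empty result means the control is not met.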