Skip to main content

Remediation

From Azure Portal

  1. Navigate to the Monitor blade.
  2. Select Alerts.
  3. Select Create.
  4. Select Alert rule.
  5. Choose a subscription.
  6. Select Apply.
  7. Select the Condition tab.
  8. Click See all signals.
  9. Select Delete Public Ip Address (Public Ip Address).
  10. Click Apply.
  11. Select the Actions tab.
  12. Click Select action groups to select an existing action group, or Create action group to create a new action group.
  13. Follow the prompts to choose or create an action group.
  14. Select the Details tab.
  15. Select a Resource group, provide an Alert rule name and an optional Alert rule description.
  16. Click Review + create.
  17. Click Create.

From Azure CLI

az monitor activity-log alert create /
    --resource-group {{resource-group-name}} /
    --condition category=Administrative and operationName=Microsoft.Network/publicIPAddresses/delete and level={{verbose | information | warning | error | critical}} /
    --scope /subscriptions/{{subscription-id}} /
    --name {{activity-log-rule-name}} /
    --subscription {{subscription-id}} /
    --action-group {{action-group-id}}

From PowerShell

Create the Conditions object:

$conditions = @() 

$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject `
    -Equal Administrative `
    -Field category 

$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject `
    -Equal Microsoft.Network/publicIPAddresses/delete `
    -Field operationName 

$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject `
    -Equal Verbose `
    -Field level

Retrieve the Action Groupinformation and store in a variable, then create the Actions object:

$actionGroup = Get-AzActionGroup `
    -ResourceGroupName {{resource-group-name}} `
    -Name {{action-group-name}} 

$actionObject = New-AzActivityLogAlertActionGroupObject `
    -Id $actionGroup.Id

Create the Scope object:

$scope = /subscriptions/{{subscription-id}}

Create the Activity Log Alert Rule for Microsoft.Network/publicIPAddresses/delete:

New-AzActivityLogAlert `
    -Name {{activity-log-alert-rule-name}} `
    -ResourceGroupName {{resource-group-name}} `
    -Condition $conditions `
    -Scope $scope `
    -Location global `
    -Action $actionObject `
    -Subscription {{subscription-id}} `
    -Enabled $true