
Create Alert for "Create or Update Public IP Address" Events

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ActivityLog-028

Ensure that activity log alerts are used to detect "Create or Update Public IP Address" events within your Microsoft Azure cloud account. An activity log alert gets activated when a new activity log event that matches the condition specified in the alert occurs.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Monitoring your Azure cloud account for "Create or Update Public IP Address" events can provide valuable insights into the network access changes performed at the subscription level and can help reduce the time it takes to detect unsolicited changes.


Audit

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the blade navigation panel, select Alerts to access the notification alerts available in your Azure cloud account.

04 On the Alerts page, choose Alert rules to access the alert rules management page.

05 Select the Azure subscription that you want to examine from the Subscription filter box and the Enabled option from the Status dropdown list, to return all the active alert rules created for the selected subscription.

06 Click on the name (link) of the alert rule that you want to examine.

07 On the alert rule configuration panel, check the condition phrase available in the Condition section. If the condition phrase is different from Whenever the Activity Log has an event with Category='Administrative', Operation name='Create or Update Public Ip Address', the selected alert rule is not configured to detect "Create or Update Public IP Address" events. If the condition phrase is set to Whenever the Activity Log has an event with Category='Administrative', Operation name='Create or Update Public Ip Address', choose Edit and check the Actions section to ensure that an action group is configured to send notifications when the alert rule triggers. If no action group is assigned to manage alert notifications, the selected alert rule is not configured to send alerts when "Create or Update Public IP Address" events are detected.

08 Repeat steps no. 6 and 7 for the rest of the alert rules available within the selected subscription. If none of the verified rules contain the right condition and configuration, there are no activity log alerts created for "Create or Update Public IP Address" events in the selected Azure subscription.

09 Repeat steps no. 5 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor activity-log alert list command (Windows/macOS/Linux) with custom query filters to get the ID of each active activity log alert rule available within the current Azure subscription:

az monitor activity-log alert list \
  --query '[?(enabled==`true`)].id'

02 The command output should return the requested activity log alert rule IDs:

[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/CreatePolicyAssignmentAlert",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/AzureCloudNetworkAccessAlert"
]

03 Run monitor activity-log alert show command (Windows/macOS/Linux) using the ID of the activity log alert rule that you want to examine as the identifier parameter to describe the alert rule configuration:

az monitor activity-log alert show \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/CreatePolicyAssignmentAlert"

04 The command output should return the configuration available for the selected alert rule:

{
  "actions": {
    "actionGroups": []
  },
  "condition": {
    "allOf": [
      {
        "equals": "Administrative",
        "field": "category"
      },
      {
        "equals": "Microsoft.Authorization/policyAssignments/write",
        "field": "operationName"
      }
    ]
  },
  "description": "",
  "enabled": true,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/CreatePolicyAssignmentAlert",
  "location": "Global",
  "name": "CreatePolicyAssignmentAlert",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "scopes": [
    "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"
  ],
  "tags": {},
  "type": "Microsoft.Insights/ActivityLogAlerts"
}

Check the monitor activity-log alert show command output for the object with the "field" property set to "operationName". If the object's "equals" property is not set to "Microsoft.Network/publicIPAddresses/write", the selected alert rule is not configured to detect "Create or Update Public IP Address" events. If the condition is set to "Microsoft.Network/publicIPAddresses/write", check the "actions" object to ensure that an action group is configured to send notification alerts when the alert rule triggers. If there are no action groups assigned to manage alert notifications (i.e. "actionGroups": []), the selected alert rule is not configured to send alerts when "Create or Update Public IP Address" events are detected.

05 Repeat steps no. 3 and 4 for the rest of the alert rules available in the current subscription. If none of the verified rules contain the right condition and an action group, there are no activity log alerts created for "Create or Update Public IP Address" events in the selected Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the blade navigation panel, select Alerts to access the notification alerts available in your Azure cloud account.

04 On the Alerts page, choose Alert rules to access the alert rules management page.

05 Select the Azure subscription that you want to access from the Subscription filter box.

06 Choose + Create to create a new Azure Monitor alert rule.

07 On the Create an alert rule page, perform the following operations:

  1. For Scope, choose Select resource and configure the target that you wish to monitor. In this case, select the appropriate Azure account subscription, then select Done. Choose Next: Condition >.
  2. For Condition, choose Add condition to configure the alert rule condition (i.e. a signal and its logic). On the Select a signal panel, find and select the signal with the name Create or Update Public Ip Address (Microsoft.Network/publicIPAddresses). To obtain the right configuration for the condition (i.e. Whenever the Activity Log has an event with Category='Administrative', Signal name='Create or Update Public Ip Address (Microsoft.Network/publicIPAddresses)'), leave the default settings available for the signal logic unchanged. Choose Next: Actions >.
  3. For Actions, choose Select action groups to select an existing action group to attach to your new alert rule or choose Create action group to create a new one. An action group is a collection of alert notification preferences defined for the selected Azure subscription. Azure Monitor alerts use action groups to notify users that an alert has been triggered. Choose Next: Details >.
  4. For Details, provide a unique name for the new alert rule in the Alert rule name box, enter a short description in the Alert rule description box, and choose the resource group in which the alert will be created from the Resource group dropdown list. Choose Advanced options and make sure that Enable alert rule upon creation option is selected. Choose Next: Tags >.
  5. For Tags, provide any required tag sets for your new activity log alert rule. Choose Next: Review + create >.
  6. Choose Create to complete the rule setup process. It can take up to 5 minutes for an alert rule to become active.

08 Repeat steps no. 5 – 7 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor activity-log alert create command (Windows/macOS/Linux) to create a new Azure activity log alert for detecting "Create or Update Public IP Address" events within the current Microsoft Azure subscription:

az monitor activity-log alert create \
  --name cc-create-update-public-ip-alert \
  --description "Alert triggered by Create or Update Public IP Address" \
  --resource-group cloud-shell-storage-westeurope \
  --scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd" \
  --action-group "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.insights/actiongroups/cloudconformity%20action%20group" \
  --condition "category=Administrative and operationName=Microsoft.Network/publicIPAddresses/write"

The condition must use the Administrative category (the category in which resource write operations such as Microsoft.Network/publicIPAddresses/write are logged), matching the condition verified in the Audit section; a rule created with category=Policy would never fire for this operation. The --scope parameter sets the alert scope to the whole subscription; without it the rule only covers the resource group it is created in.

02 The command output should return the configuration information available for the newly created alert:

{
  "actions": {
    "actionGroups": [
      {
        "actionGroupId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/default-activitylogalerts/providers/microsoft.insights/actiongroups/cloudconformity%20action%20group",
        "webhookProperties": null
      }
    ]
  },
  "condition": {
    "allOf": [
      {
        "containsAny": null,
        "equals": "Administrative",
        "field": "category",
        "odata.type": null
      },
      {
        "containsAny": null,
        "equals": "Microsoft.Network/publicIPAddresses/write",
        "field": "operationName",
        "odata.type": null
      }
    ],
    "odata.type": null
  },
  "description": "Alert triggered by Create or Update Public IP Address",
  "enabled": true,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/Default-ActivityLogAlerts/providers/microsoft.insights/activityLogAlerts/cc-create-update-public-ip-alert",
  "identity": null,
  "kind": null,
  "location": "Global",
  "name": "cc-create-update-public-ip-alert",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "scopes": [
    "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"
  ],
  "tags": {},
  "type": "Microsoft.Insights/ActivityLogAlerts"
}

03 Repeat steps no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.
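The Audit and Remediation CLI procedures above are repeated per rule and per subscription by hand. The script below is an added example (not Conformity's tooling and not part of the Azure CLI) that applies the same checks programmatically: it evaluates each rule document in the shape printed by az monitor activity-log alert show (enabled, category Administrative, operationName Microsoft.Network/publicIPAddresses/write, at least one action group) and, when no rule in the subscription passes, produces the remediation command argument vector. The live path assumes a logged-in az on PATH; the sample rule documents, the action group ID and the rule names other than those on this page are constructed for the example.

```python
"""Audit and plan remediation for the "Create or Update Public IP Address"
activity log alert. Added example; assumes rule documents have the shape
printed by `az monitor activity-log alert show` and, for the live path,
a logged-in Azure CLI on PATH."""
import json
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

# Values the page's audit step requires in the rule's "allOf" condition.
REQUIRED_OPERATION = "Microsoft.Network/publicIPAddresses/write"
REQUIRED_CATEGORY = "Administrative"


def evaluate_alert_rule(rule: Dict) -> Tuple[bool, str]:
    """Apply the audit checks to one rule: enabled, right operation and
    category, and at least one action group to deliver the notification."""
    if not rule.get("enabled", False):
        return False, "rule is disabled"
    fields = {c.get("field"): c.get("equals")
              for c in rule.get("condition", {}).get("allOf", [])}
    if fields.get("operationName") != REQUIRED_OPERATION:
        return False, "operationName is not " + REQUIRED_OPERATION
    if fields.get("category") != REQUIRED_CATEGORY:
        # A "Policy" category never matches a network write, so such a
        # rule exists but never fires.
        return False, "category is not " + REQUIRED_CATEGORY
    if not rule.get("actions", {}).get("actionGroups"):
        return False, "no action group attached"
    return True, "ok"


def find_covering_rule(rules: List[Dict]) -> Optional[Dict]:
    """First rule in a subscription that passes every audit check, if any."""
    for rule in rules:
        if evaluate_alert_rule(rule)[0]:
            return rule
    return None


def build_create_command(resource_group: str, action_group_id: str, scope: str,
                         name: str = "cc-create-update-public-ip-alert") -> List[str]:
    """argv for the remediation command, with the condition passed as a single
    argument, the Administrative category and a subscription-wide scope."""
    return [
        "az", "monitor", "activity-log", "alert", "create",
        "--name", name,
        "--description", "Alert triggered by Create or Update Public IP Address",
        "--resource-group", resource_group,
        "--scope", scope,
        "--action-group", action_group_id,
        "--condition",
        f"category={REQUIRED_CATEGORY} and operationName={REQUIRED_OPERATION}",
    ]


def plan_remediation(rules: List[Dict], resource_group: str,
                     action_group_id: str, scope: str) -> Optional[List[str]]:
    """None when the subscription is already covered, else the command to run."""
    if find_covering_rule(rules) is not None:
        return None
    return build_create_command(resource_group, action_group_id, scope)


def live_rules() -> List[Dict]:
    """Audit CLI steps 1-3 for the current subscription (requires az)."""
    def az(*args):
        out = subprocess.run(["az", *args, "-o", "json"], check=True,
                             capture_output=True, text=True).stdout
        return json.loads(out)
    ids = az("monitor", "activity-log", "alert", "list",
             "--query", "[?enabled==`true`].id")
    return [az("monitor", "activity-log", "alert", "show", "--ids", i) for i in ids]


# Constructed sample documents: the page's non-matching rule, a rule created
# with category=Policy, and a compliant rule with an action group attached.
SUB = "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"
ACTION_GROUP = SUB + ("/resourcegroups/cloud-shell-storage-westeurope/providers"
                      "/microsoft.insights/actiongroups/example-ag")  # constructed


def _rule(name, category, operation, action_groups, enabled=True):
    return {"name": name, "enabled": enabled, "scopes": [SUB],
            "actions": {"actionGroups": action_groups},
            "condition": {"allOf": [{"field": "category", "equals": category},
                                    {"field": "operationName", "equals": operation}]}}


SAMPLE_RULES = [
    _rule("CreatePolicyAssignmentAlert", "Administrative",
          "Microsoft.Authorization/policyAssignments/write", []),
    _rule("wrong-category", "Policy", REQUIRED_OPERATION,
          [{"actionGroupId": ACTION_GROUP, "webhookProperties": None}]),
    _rule("cc-create-update-public-ip-alert", "Administrative", REQUIRED_OPERATION,
          [{"actionGroupId": ACTION_GROUP, "webhookProperties": None}]),
]

if __name__ == "__main__":
    rules = live_rules() if shutil.which("az") else SAMPLE_RULES
    for r in rules:
        print(r.get("name"), *evaluate_alert_rule(r))
    cmd = plan_remediation(rules, "cloud-shell-storage-westeurope", ACTION_GROUP, SUB)
    print("already covered" if cmd is None else " ".join(cmd))
```

Run it once per subscription after az account set; the evaluation reports why each rule fails, which is the same reasoning the Audit section asks you to apply by eye, and the planned command is only emitted when no existing rule already covers the event.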


Publication date Oct 18, 2022
