Description:
Create an activity log alert for the Delete Security Solution event.
Rationale:
Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.
From Azure Console
From Azure CLI
az monitor activity-log alert create --resource-group "" --condition category=Administrative and operationName=Microsoft.Security/securitySolutions/delete and level=<verbose | information | warning | error | critical>--scope "/subscriptions/" --name "" --subscription --action-group --location global
From PowerShell
Create the 'Conditions' object.
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Security/securitySolutions/delete -Field operationName
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level
Retrieve the 'Action Group' information and store in a variable, then create the 'Actions' object.
$actionGroup = Get-AzActionGroup -ResourceGroupName -Name
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id
Create the 'Scope' object
$scope = "/subscriptions/"
Create the 'Activity Log Alert Rule' for 'Microsoft.Security/securitySolutions/delete'
New-AzActivityLogAlert -Name "" -ResourceGroupName "" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true