MSTechie-7364 asked SadiqhAhmed-MSFT edited

Alert for disabling soft-delete feature (Capture soft-delete disabled info into Azure Log Analytics workspace. Possible?)

While creating an Azure alert, I don't see an option to create an alert for disabling the soft delete feature for an Azure Recovery Vault.

Can anyone please give me a screenshot of the same? Should I go through a custom log query on the Log Analytics workspace?



Right now, upon disabling soft delete, I get an automatic alert, but I want the alert to go to 3 other recipients as well.


@MSTechie-7364 Azure Backup sends alerts by default when somebody disables soft delete. The customer doesn't need to create an alert rule explicitly. If you want to configure notifications for the same, you can do it. Reference: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-built-in-monitor#azure-monitor-alerts-for-azure-backup-preview


1) Do we have an ARM template to enable these notifications for 3 more recipients?

Or do we have any Azure PowerShell/CLI to accomplish this task?

2) Also, there is no way to move the logs for disabling the soft-delete feature into Log Analytics and then raise alerts based on Log Analytics query results. This is because we have over 500 subscriptions, with a recovery vault in each subscription. So instead of enabling alerts in each individual subscription, we thought of moving the audit logs or any logs from the recovery vault into a centralized Log Analytics workspace, from where we could raise the alerts based on querying the Log Analytics workspace.

3) Also, I think there are no logs for Stop Protection and Delete Backup Data that can be sent to the Log Analytics workspace, since it does not get captured in the audit logs either. Can you please confirm this point as well?


Please help

GeorgeMoise-0315 answered MSTechie-7364 edited

Hi @MSTechie-7364,

I did some tests in my subscriptions and found the following information on this topic:

TESTS

  1. There is no predefined signal name in an Azure Monitor Alert Rule on the Activity Log for catching the disabling of Soft Delete on an Azure Recovery Services Vault (ARSV).

  2. In the Azure Activity Logs on the ARSV / Subscription, for ARSV operations, you don't find something specific to this setting (Soft Delete), but just generic info in the Properties field of the log, containing "message": "Microsoft.RecoveryServices/vaults/backupconfig/write", and I believe that this will catch more operations than just the soft delete disabling.

  3. Also, if you configure the Diagnostic Logs from the ARSV to be sent to a Log Analytics Workspace, in the resulting logs you also don't find any information about disabling the Soft-Delete option.

POSSIBLE SOLUTION

Still, there is good news: in every Azure Recovery Services Vault resource you can find Backup Alerts (in the Monitoring section of the resource), and there you will automatically (out of the box) get an alert when Soft Delete is disabled. From the same page, you can also Configure Notifications so that you receive an email notification when this operation is performed.

I hope this provides you with the answer you were looking for (if so, please remember to mark this as an Answer).

Thank you!
BR,
George


SadiqhAhmed-MSFT answered SadiqhAhmed-MSFT commented

@MSTechie-7364 If you are using Azure Monitor based alerts, it should be possible to configure notifications using any of the programmatic methods. Here is an ARM template sample for the same.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.4.1272.37030",
      "templateHash": "11639040158394753667"
    }
  },
  "parameters": {
    "emailAddress": {
      "type": "array",
      "metadata": {
        "description": "Email addresses to add in action group"
      }
    },
    "actionGroupName": {
      "type": "string",
      "defaultValue": "[format('ActionGroup-{0}', resourceGroup().name)]",
      "metadata": {
        "description": "Unique name (within the Resource Group) for the Action group."
      }
    },
    "actionGroupShortName": {
      "type": "string",
      "defaultValue": "[format('ag-{0}', if(greaterOrEquals(length(resourceGroup().name), 9),substring(resourceGroup().name, 0, 9),resourceGroup().name))]",
      "metadata": {
        "description": "Short name (maximum 12 characters) for the Action group."
      }
    },
    "alertProcessingRuleName": {
      "type": "string",
      "defaultValue": "[format('AlertProcessingRule-{0}', resourceGroup().name)]",
      "metadata": {
        "description": "Unique name for the Alert Processing Rule."
      }
    },
    "alertProcessingRuleDescription": {
      "type": "string",
      "defaultValue": "Sample alert processing rule",
      "metadata": {
        "description": "Description of the alert processing rule"
      }
    },
    "alertProcessingRuleScope": {
      "type": "array",
      "defaultValue": [ "[subscription().id]" ],
      "metadata": {
        "description": "The list of scopes on which the alert processing rule will be enabled."
      }
    }
  },
  "resources": [
    {
      "type": "microsoft.insights/actionGroups",
      "apiVersion": "2019-06-01",
      "name": "[parameters('actionGroupName')]",
      "location": "Global",
      "properties": {
        "copy": [
          {
            "name": "emailReceivers",
            "count": "[length(parameters('emailAddress'))]",
            "input": {
              "name": "[format('emailReceivers-{0}', uniqueString(parameters('emailAddress')[copyIndex('emailReceivers')]))]",
              "emailAddress": "[parameters('emailAddress')[copyIndex('emailReceivers')]]",
              "useCommonAlertSchema": true
            }
          }
        ],
        "groupShortName": "[parameters('actionGroupShortName')]",
        "enabled": true
      }
    },
    {
      "type": "Microsoft.AlertsManagement/actionRules",
      "apiVersion": "2021-08-08",
      "name": "[parameters('alertProcessingRuleName')]",
      "location": "Global",
      "properties": {
        "scopes": "[parameters('alertProcessingRuleScope')]",
        "conditions": [
          {
            "field": "TargetResourceType",
            "operator": "Equals",
            "values": [ "microsoft.recoveryservices/vaults" ]
          }
        ],
        "description": "[parameters('alertProcessingRuleDescription')]",
        "enabled": true,
        "actions": [
          {
            "actionGroupIds": [
              "[resourceId('microsoft.insights/actionGroups', parameters('actionGroupName'))]"
            ],
            "actionType": "AddActionGroups"
          }
        ]
      },
      "dependsOn": [
        "[resourceId('microsoft.insights/actionGroups', parameters('actionGroupName'))]"
      ]
    }
  ],
  "outputs": {
    "actionGroupId": {
      "type": "string",
      "value": "[resourceId('microsoft.insights/actionGroups', parameters('actionGroupName'))]"
    },
    "alertProcessingRuleId": {
      "type": "string",
      "value": "[resourceId('Microsoft.AlertsManagement/actionRules', parameters('alertProcessingRuleName'))]"
    }
  }
}

Hope this helps!


If the response helped, do "Accept Answer" and up-vote it

2) Also, there is no way to move the logs for disabling the soft-delete feature into Log Analytics and then raise alerts based on Log Analytics query results. This is because we have over 500 subscriptions, with a recovery vault in each subscription. So instead of enabling alerts in each individual subscription, we thought of moving the audit logs or any logs from the recovery vault into a centralized Log Analytics workspace, from where we could raise the alerts based on querying the Log Analytics workspace.

3) Also, I think there are no logs for Stop Protection and Delete Backup Data that can be sent to the Log Analytics workspace, since it does not get captured in the audit logs either. Can you please confirm this point as well?

2) It is on the roadmap of the Azure Monitor team to send alerts to Log Analytics.

Currently, as you mentioned, the workaround is to use Activity Logs. One challenge though is that since the Activity Log data for this is generic (e.g. "vault updated"), there might be some additional scripting needed to validate whether it refers to a soft-delete disable operation. When we have alerts being sent to LA, this will be a much simpler process.

3) Since it is a user-triggered operation, this should be available in Activity Logs. In the case of VM backup, this operation also gets recorded in the AddonAzureBackupJobs table in LA, so Activity Logs may not be needed in this scenario.
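Because the Activity Log entry for `Microsoft.RecoveryServices/vaults/backupconfig/write` is generic (George's test 2 and the comment above), one way to validate what actually changed is to read the vault's current Soft Delete state directly. This added example (not from the thread or from Microsoft) walks every enabled subscription the signed-in account can see and reports vaults whose `SoftDeleteFeatureState` is `Disabled`; it assumes the Az.Accounts and Az.RecoveryServices modules and an existing `Connect-AzAccount` session.

```powershell
# Added example: inventory Soft Delete state across all Recovery Services vaults.
# Assumes Az.Accounts + Az.RecoveryServices are installed and Connect-AzAccount has been run.
function Get-VaultsWithSoftDeleteDisabled {
    [CmdletBinding()]
    param(
        # Optional: limit the scan to these subscription IDs; default is every enabled subscription.
        [string[]]$SubscriptionId
    )

    $subs = Get-AzSubscription | Where-Object { $_.State -eq 'Enabled' }
    if ($SubscriptionId) {
        $subs = $subs | Where-Object { $SubscriptionId -contains $_.Id }
    }

    foreach ($sub in $subs) {
        # Switch context per subscription; vault cmdlets operate on the current context.
        $null = Set-AzContext -SubscriptionId $sub.Id

        foreach ($vault in Get-AzRecoveryServicesVault) {
            # SoftDeleteFeatureState is the vault-level property shown under Security Settings.
            $props = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID

            if ($props.SoftDeleteFeatureState -eq 'Disabled') {
                [pscustomobject]@{
                    SubscriptionId         = $sub.Id
                    ResourceGroup          = $vault.ResourceGroupName
                    VaultName              = $vault.Name
                    VaultId                = $vault.ID
                    SoftDeleteFeatureState = $props.SoftDeleteFeatureState
                }
            }
        }
    }
}

# Emit findings as JSON so a scheduled runbook can forward them to a central workspace or ticket queue.
Get-VaultsWithSoftDeleteDisabled | ConvertTo-Json -Depth 3
```

Run it on a schedule (or trigger it from an Activity Log alert on the generic write operation) to turn the ambiguous "vault updated" event into a concrete list of vaults that need attention.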


Disable soft delete is not recorded in Activity Logs.

If this operation is logged in the AddonAzureBackupJobs table, then how do we track it?
