Create an activity log alert for the Delete Security Solution event.


Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.


From Azure Console

1. Navigate to the Monitor blade

2. Click on Alerts

3. In the Alerts window, click on Alert rules

4. Hover mouse over the values in the Condition column to find an alert where

Operation name=Microsoft.Security/securitySolutions/delete

5. Click on the Alert Name associated with the previous step

6. Click on the Condition name of Whenever the Activity Log has an event with Category='Security', Signal name='Delete Security Solutions (securitySolutions)'

7. In the Configure signal logic window, ensure the following is configured:

o Event level: All selected

o Status: All selected

o Event initiated by: * (All services and users)

8. Click Done

9. Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization.

From Azure CLI

az monitor activity-log alert list --subscription <subscription Id> --query


Look for Microsoft.Security/securitySolutions/delete in the output

From PowerShell

Get-AzActivityLogAlert -SubscriptionId <subscription ID>|where-object

{$_.ConditionAllOf.Equal -match




From Azure Console

1. Navigate to the Monitor blade.

2. Select Alerts.

3. Select Create.

4. Select Alert rule.

5. Under Filter by subscription, choose a subscription.

6. Under Filter by resource type, select Security Solutions


7. Under Filter by location, select All.

8. From the results, select the subscription.

9. Select Done.

10.Select the Condition tab.

11.Under Signal name, click Delete Security Solutions


12.Select the Actions tab.

13.To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection.

14.Select the Details tab.

15.Select a Resource group, provide an Alert rule name and an optional Alert rule description.

16.Click Review + create.

17.Click Create.

From Azure CLI

az monitor activity-log alert create --resource-group "<resource group name>"--condition category=Administrative and

operationName=Microsoft.Security/securitySolutions/delete and level=<verbose

| information | warning | error | critical>--scope

"/subscriptions/<subscription ID>" --name "<activity log rule name>" --

subscription <subscription id> --action-group <action group ID> --location global

From PowerShell

Create the Conditions object.

$conditions = @()

$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category

$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Security/securitySolutions/delete -Field operationName

$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level

Retrieve the Action Group information and store in a variable, then create the Actions


$actionGroup = Get-AzActionGroup -ResourceGroupName <resource group name> -

Name <action group name>

$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id

Create the Scope object

$scope = "/subscriptions/<subscription ID>"

Create the Activity Log Alert Rule for


New-AzActivityLogAlert -Name "<activity log alert rule name>" -

ResourceGroupName "<resource group name>" -Condition $conditions -Scope

$scope -Location global -Action $actionObject -Subscription <subscription ID>

-Enabled $true

Default Value:

By default, no monitoring alerts are created.