How to create Azure Monitor Alerts based on policy definitions?

  1. First of all, you need a Log Analytics workspace that collects the Activity log (the AzureActivity table must be populated, otherwise the query below returns nothing and the alert never fires):

    More info: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect

  2. Please go to Monitor.
  3. Go to Tab Alerts (You can go to directly to this link: https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/alertsV2)
  4. Press New alert rule
  5. Press Resource
  6. Select the subscription and the Log Analytics workspace that collects the Activity log, like here:


  7. To use a custom query, you should see something like this:

  8. Choose:

  9. Select
  10. Type a query, e.g.: AzureActivity | where TimeGenerated > ago(60d) and OperationNameValue startswith "Microsoft.Authorization/roleDefinitions/write" (use straight quotes and the KQL startswith operator, which is case-insensitive; "starts with" with a space is not valid KQL).
  11. Configure the condition, e.g. Number of results greater than 0, and the Period and Frequency. Note that the alert rule evaluates the query only over the configured Period, so the ago(60d) in the query is effectively bounded by it; a Period shorter than the Frequency leaves gaps in coverage.
  12. Create an action group (who should receive the alerts).
  13. Specify Subject line and Alert rule name
  14. Save Alert
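The following is an added example, not code from the original page: it reproduces the logic of the alert condition from steps 10 and 11 in Python over constructed AzureActivity rows, so you can see exactly which rows the rule would count before saving it. Only the page's prefix Microsoft.Authorization/roleDefinitions/write comes from the original; the roleAssignments and policyDefinitions prefixes, the sample rows, the ActivityStatusValue values and the fixed "now" are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Operation prefixes to alert on. The first is the one in the page's query; the other
# two are assumptions added here as examples of other privilege-relevant writes.
SENSITIVE_PREFIXES = (
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/policyDefinitions/write",
)

# Constructed sample AzureActivity rows (not real log data); only the columns used here.
# The second row is upper-cased on purpose: KQL startswith is case-insensitive.
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-01-15T10:00:00Z",
     "OperationNameValue": "Microsoft.Authorization/roleDefinitions/write",
     "ActivityStatusValue": "Success", "Caller": "alice@example.com"},
    {"TimeGenerated": "2023-12-06T09:30:00Z",
     "OperationNameValue": "MICROSOFT.AUTHORIZATION/ROLEDEFINITIONS/WRITE",
     "ActivityStatusValue": "Success", "Caller": "bob@example.com"},
    {"TimeGenerated": "2024-01-15T11:00:00Z",
     "OperationNameValue": "Microsoft.Compute/virtualMachines/start/action",
     "ActivityStatusValue": "Success", "Caller": "carol@example.com"},
    {"TimeGenerated": "2024-01-15T11:30:00Z",
     "OperationNameValue": "Microsoft.Authorization/policyDefinitions/write",
     "ActivityStatusValue": "Start", "Caller": "alice@example.com"},
]

# Fixed evaluation time so the example is deterministic; the real rule uses the
# time at which Azure Monitor runs the query (that is what ago() is relative to).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def parse_time(value):
    """Parse the ISO-8601 timestamp stored in TimeGenerated (trailing Z = UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matching_rows(rows, now, period, prefixes=SENSITIVE_PREFIXES, status=None):
    """Equivalent of:
       AzureActivity
       | where TimeGenerated > ago(period)
         and OperationNameValue startswith <one of prefixes>
    `period` plays the role of the alert's Period (the window the rule evaluates).
    `status` optionally restricts to one ActivityStatusValue, because a single
    write usually produces more than one row (a start and a success/failure row).
    """
    cutoff = now - period
    lowered = tuple(p.lower() for p in prefixes)
    hits = []
    for row in rows:
        if parse_time(row["TimeGenerated"]) <= cutoff:
            continue
        if not row["OperationNameValue"].lower().startswith(lowered):
            continue
        if status is not None and row["ActivityStatusValue"] != status:
            continue
        hits.append(row)
    return hits


def should_fire(rows, now, period, threshold=0, **kw):
    """Alert condition from step 11: Number of results greater than `threshold`."""
    return len(matching_rows(rows, now, period, **kw)) > threshold


def alert_summary(rows, now, period, **kw):
    """What you would want in the notification: how many hits, who did it, what."""
    hits = matching_rows(rows, now, period, **kw)
    return {
        "count": len(hits),
        "callers": sorted({r["Caller"] for r in hits}),
        "operations": sorted({r["OperationNameValue"].lower() for r in hits}),
    }


if __name__ == "__main__":
    # A 1-day Period: the 40-day-old row is outside the window and is not counted.
    print(alert_summary(SAMPLE_ROWS, NOW, timedelta(days=1)))
    print("fire:", should_fire(SAMPLE_ROWS, NOW, timedelta(days=1)))
```

Filtering on status (for example only the success rows) keeps the count equal to the number of actual changes rather than the number of log rows per change, which matters if you set a threshold higher than 0.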

Reference 1: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect

Reference 2: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-log