Information
Create an activity log alert for the Delete Policy Assignment event.
Rationale:
Monitoring for Delete Policy Assignment events gives insight into changes made to Azure Policy assignments and can reduce the time it takes to detect unsolicited changes.
Solution
From Azure Console
Go to Monitor
Select Alerts
Click On New Alert Rule
Under Scope, click Select resource
Select the appropriate subscription under Filter by subscription
Select Policy Assignment under Filter by resource type
Select All for Filter by location
Click on the subscription from the entries populated under Resource
Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name
Click Done
Under Condition click Add Condition
Select Delete policy assignment signal
Click Done
Under Action group, select Add action groups and complete creation process or select appropriate action group
Under Alert rule details, enter Alert rule name and Description
Select appropriate resource group to save the alert to
Check Enable alert rule upon creation checkbox
Click Create alert rule
Using Azure Command Line Interface
Use the following command to create an Activity Log Alert for Delete policy assignment. The inner quotes must be double quotes so that the single-quoted bash -c string stays intact and $0/$1 are expanded by the inner shell:
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_To_Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01" -d @input.json'
Where input.json contains the request body JSON shown below (standard JSON: double-quoted keys and strings, no trailing comma after the last property).
{
  "location": "Global",
  "tags": {},
  "properties": {
    "scopes": [
      "/subscriptions/<Subscription_ID>"
    ],
    "enabled": true,
    "condition": {
      "allOf": [
        {
          "containsAny": null,
          "equals": "Administrative",
          "field": "category"
        },
        {
          "containsAny": null,
          "equals": "Microsoft.Authorization/policyAssignments/delete",
          "field": "operationName"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
          "webhookProperties": null
        }
      ]
    }
  }
}
Configurable Parameters for command line:
<Resource_Group_To_Create_Alert_In>
<Unique_Alert_Name>
Configurable Parameters for input.json:
<Subscription_ID> in scopes
<Subscription_ID> in actionGroupId
<Resource_Group_For_Alert_Group> in actionGroupId
<Alert_Group> in actionGroupId
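The following Python is an added example, not part of the benchmark text: it fills the input.json placeholders from parameters and audits a list of existing activity log alert resources (in the same ARM shape as input.json) to confirm one enabled alert covers this exact event for the subscription. The subscription IDs, resource group and action group names are constructed placeholders.

```python
import json

DELETE_POLICY_ASSIGNMENT = "Microsoft.Authorization/policyAssignments/delete"

def build_alert_body(subscription_id, action_group_rg, action_group_name):
    """Fill the page's input.json placeholders; returns the ARM request body as a dict."""
    action_group_id = (f"/subscriptions/{subscription_id}/resourceGroups/{action_group_rg}"
                       f"/providers/microsoft.insights/actionGroups/{action_group_name}")
    return {
        "location": "Global",
        "tags": {},
        "properties": {
            "scopes": [f"/subscriptions/{subscription_id}"],
            "enabled": True,
            "condition": {"allOf": [
                {"containsAny": None, "equals": "Administrative", "field": "category"},
                {"containsAny": None, "equals": DELETE_POLICY_ASSIGNMENT, "field": "operationName"},
            ]},
            "actions": {"actionGroups": [{"actionGroupId": action_group_id, "webhookProperties": None}]},
        },
    }

def covers_delete_policy_assignment(alert, subscription_id):
    """True if an alert (ARM resource shape, as in input.json) is enabled, scoped to the
    subscription, matches Administrative + the delete operation, and notifies an action group."""
    props = alert.get("properties", {})
    if not props.get("enabled") or f"/subscriptions/{subscription_id}" not in props.get("scopes", []):
        return False
    # Azure matches category/operationName case-insensitively, so compare the same way.
    conds = {c.get("field"): str(c.get("equals", "")).lower()
             for c in props.get("condition", {}).get("allOf", [])}
    if conds.get("category") != "administrative" or conds.get("operationName") != DELETE_POLICY_ASSIGNMENT.lower():
        return False
    return bool(props.get("actions", {}).get("actionGroups"))

def audit_alerts(alerts_json, subscription_id):
    """Names of alerts in a JSON array that satisfy this recommendation; an empty list is a finding."""
    return [a.get("name") for a in json.loads(alerts_json)
            if covers_delete_policy_assignment(a, subscription_id)]

# Constructed sample inventory (placeholder IDs, not real data): one compliant alert,
# a disabled copy of it, and one scoped to a different subscription.
SUB = "00000000-0000-0000-0000-000000000000"
OK_ALERT = build_alert_body(SUB, "rg-alerts", "corenotifications")
DISABLED_ALERT = json.loads(json.dumps(OK_ALERT))
DISABLED_ALERT["properties"]["enabled"] = False
OTHER_SUB_ALERT = build_alert_body("11111111-1111-1111-1111-111111111111", "rg-alerts", "corenotifications")
SAMPLE_ALERTS = json.dumps([{"name": "prod - Delete Policy Assignment", **OK_ALERT},
                            {"name": "disabled copy", **DISABLED_ALERT}, {"name": "other-sub alert", **OTHER_SUB_ALERT}])
```

Run audit_alerts over the output of the management API for each subscription; a subscription with no matching name is one where the default (no alert) still applies.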
Using PowerShell AZ cmdlets
Use the following commands to create an Activity Log Alert for Delete policy assignment. Strings containing $(...) subexpressions must be double-quoted, otherwise PowerShell leaves them unexpanded:
$ComplianceName = 'Delete Policy Assignment'
$Signal = 'Microsoft.Authorization/policyAssignments/delete'
$Category = 'Administrative'
$ResourceGroupName = 'MyResourceGroup'
# Look up the existing action group that should be notified and wrap its ID for the alert
$ActionGroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)
$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)
$Subscription = (Get-AzContext).Subscription
$location = 'Global'
# Scope the alert to the whole current subscription
$scope = "/subscriptions/$($Subscription.Id)"
$alertName = "$($Subscription.Name) - $($ComplianceName)"
# Both conditions must match: Administrative category AND the delete operation
$conditions = @(
    New-AzActivityLogAlertCondition -Field 'category' -Equal $Category
    New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal
)
Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions
Default Value:
By default, no monitoring alerts are created.