Skip to main content

lacework-global-558

5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment (Automated)

Profile Applicability

• Level 1

Description

Create an activity log alert for the Create Policy Assignment event.

Rationale

Monitoring for create policy assignment events gives insight into changes done in "Azure policy - assignments" and can reduce the time it takes to detect unsolicited changes.

Audit

From Azure Portal

  1. Navigate to the Monitor blade
  2. Click on Alerts
  3. In the Alerts window, click on Alert rules
  4. Hover mouse over the values in the Condition column to find an alert where Operation name=Microsoft.Authorization/policyAssignments/write
  5. Click on the Alert Name associated with the previous step
  6. Click on the Condition name of Whenever the Activity Log has an event with Category='Administrative', Signal name='Create policy assignment (policyAssignments)
  7. In the Configure signal logic window, ensure the following is configured:
    • Event level: All selected
    • Status: All selected
    • Event initiated by: * (All services an users)
  8. Click Done
  9. Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization.

From Azure CLI

[Azure CLI has been temporarily removed from the Activity Log Alerts section in version 1.5 and will be added back in the next release]

Remediation

From Azure Portal

  1. Navigate to the Monitor blade
  2. Click on Alerts
  3. Click on Create
  4. Click on Alert rule
  5. Under the Scope tab, click Select scope
  6. In the Select a resource window, select the appropriate filters:
    • Filter by subscription: < choose the subscription alerts are needed for >
    • Filter by resource location: Policy assignment (policyAssignments)
    • Filter by location: All
  7. Verify that the selection preview shows All Policy assignment (policyAssignments) and your selected subscription name
  8. Click Done
  9. Under the Condition tab, click Add Condition (the Select a signal window may automatically open without clicking)
  10. In the Select a signal window, under the "Signal Name" heading, click Create policy assignment (Microsoft.Authorization/policyAssignments)
  11. Under the Actions tab, choose appropriately:
    • Select action groups - If you have an existing action group to notify the necessary personnel.
    • Create action group - If you do not have an existing action group or want to create a new one.
  12. Under the Details tab, fill in:
    • Resource group - Select the resource group you want the alert rule to reside in.
    • Alert rule name - Give your alert a recognizable and standardized name.
    • Alert rule description - (Optional)
  13. Click Review + create then verify the summary details
  14. Click Create

From Azure CLI

[Azure CLI has been temporarily removed from the Activity Log Alerts section in version 1.5 and will be added back in the next release]

References

https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement
https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation
https://docs.microsoft.com/en-in/rest/api/policy/policy-assignments
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-log