lacework-global-558
5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment (Automated)
Profile Applicability
• Level 1
Description
Create an activity log alert for the Create Policy Assignment event.
Rationale
Monitoring for create policy assignment events gives insight into changes done in "Azure policy - assignments" and can reduce the time it takes to detect unsolicited changes.
Audit
From Azure Portal
- Navigate to the Monitor blade
- Click on Alerts
- In the Alerts window, click on Alert rules
- Hover the mouse over the values in the Condition column to find an alert where Operation name=Microsoft.Authorization/policyAssignments/write
- Click on the Alert Name associated with the previous step
- Click on the Condition name of Whenever the Activity Log has an event with Category='Administrative', Signal name='Create policy assignment (policyAssignments)'
- In the Configure signal logic window, ensure the following is configured:
  - Event level: All selected
  - Status: All selected
  - Event initiated by: * (All services and users)
- Click Done
- Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization.
From Azure CLI
[Azure CLI has been temporarily removed from the Activity Log Alerts section in version 1.5 and will be added back in the next release]
Remediation
From Azure Portal
- Navigate to the Monitor blade
- Click on Alerts
- Click on Create
- Click on Alert rule
- Under the Scope tab, click Select scope
- In the Select a resource window, select the appropriate filters:
  - Filter by subscription: < choose the subscription alerts are needed for >
  - Filter by resource type: Policy assignment (policyAssignments)
  - Filter by location: All
- Verify that the selection preview shows All Policy assignment (policyAssignments) and your selected subscription name
- Click Done
- Under the Condition tab, click Add Condition (the Select a signal window may open automatically without clicking)
- In the Select a signal window, under the "Signal Name" heading, click Create policy assignment (Microsoft.Authorization/policyAssignments)
- Under the Actions tab, choose appropriately:
  - Select action groups - If you have an existing action group to notify the necessary personnel.
  - Create action group - If you do not have an existing action group or want to create a new one.
- Under the Details tab, fill in:
  - Resource group - Select the resource group you want the alert rule to reside in.
  - Alert rule name - Give your alert a recognizable and standardized name.
  - Alert rule description - (Optional)
- Click Review + create, then verify the summary details
- Click Create
From Azure CLI
[Azure CLI has been temporarily removed from the Activity Log Alerts section in version 1.5 and will be added back in the next release]
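Since the benchmark's CLI procedure is absent from this version, the following is an added example (not CIS or Lacework text) that carries out the Audit and Remediation sections above programmatically. It works on the JSON shape of the Microsoft.Insights/activityLogAlerts REST resource referenced below (listBySubscriptionId for audit, createOrUpdate for remediation): the audit function checks that an enabled rule matches category=Administrative and operationName=Microsoft.Authorization/policyAssignments/write, does not narrow level, status or caller, and has an action group assigned; the body function produces the createOrUpdate request that the portal steps build. The sample alert records, the subscription id and the action group id are constructed placeholders, and the `operation` parameter is an assumption that lets the same code serve sibling controls that alert on a different operation name.

```python
"""Audit and remediation helpers for the Create Policy Assignment activity log alert.

Added example. Runs offline on the constructed sample below; in practice the
audit input would be the JSON from the activityLogAlerts listBySubscriptionId
REST call (or `az monitor activity-log alert list -o json`).
"""
import json

# Operation name the benchmark expects the alert condition to match (from the page).
POLICY_ASSIGNMENT_WRITE = "Microsoft.Authorization/policyAssignments/write"


def activity_log_alert_body(subscription_id, action_group_id,
                            operation=POLICY_ASSIGNMENT_WRITE, enabled=True):
    """Request body for the activityLogAlerts createOrUpdate (PUT) call.

    Mirrors the portal remediation: scope = the whole subscription, condition =
    Administrative category + the operation name, one action group to notify.
    No level/status/caller clauses are added, so 'all selected' is preserved.
    """
    return {
        "location": "Global",
        "properties": {
            "enabled": enabled,
            "scopes": [f"/subscriptions/{subscription_id}"],
            "condition": {
                "allOf": [
                    {"field": "category", "equals": "Administrative"},
                    {"field": "operationName", "equals": operation},
                ]
            },
            "actions": {
                "actionGroups": [{"actionGroupId": action_group_id}] if action_group_id else []
            },
            "description": f"Activity log alert for {operation}",
        },
    }


# Constructed sample data (placeholders, not real tenant identifiers).
SUB_ID = "00000000-0000-0000-0000-000000000000"
ACTION_GROUP = (f"/subscriptions/{SUB_ID}/resourceGroups/rg-secops"
                "/providers/microsoft.insights/actionGroups/secops")

SAMPLE_ALERTS = [
    {"name": "policy-assignment-create", **activity_log_alert_body(SUB_ID, ACTION_GROUP)},
    {"name": "nsg-write", **activity_log_alert_body(
        SUB_ID, ACTION_GROUP, "Microsoft.Network/networkSecurityGroups/write")},
    # Matches the operation but notifies nobody: the last audit step catches this.
    {"name": "policy-assignment-no-notify", **activity_log_alert_body(SUB_ID, None)},
]


def condition_fields(alert):
    """Flatten the allOf leaf conditions of one rule into {field (lowercased): equals}."""
    leaves = alert.get("properties", {}).get("condition", {}).get("allOf", [])
    return {leaf["field"].lower(): leaf["equals"]
            for leaf in leaves if "field" in leaf and "equals" in leaf}


def audit_activity_log_alert(alerts, operation=POLICY_ASSIGNMENT_WRITE):
    """Apply the page's audit checks to a list of activity log alert rules.

    Returns (passed, findings). passed is True as soon as one rule for the
    operation is enabled, scoped to Administrative events, does not narrow
    level/status/caller, and has at least one action group assigned.
    """
    findings = []
    for alert in alerts:
        fields = condition_fields(alert)
        if str(fields.get("operationname", "")).lower() != operation.lower():
            continue  # rule for a different operation; not relevant to this control
        name = alert.get("name", "<unnamed>")
        props = alert.get("properties", {})
        problems = []
        if fields.get("category") != "Administrative":
            problems.append("category is not 'Administrative'")
        for narrowed in ("level", "status", "caller"):
            if narrowed in fields:
                problems.append(f"condition narrows '{narrowed}'; benchmark expects all selected")
        if not props.get("enabled", False):
            problems.append("rule is disabled")
        if not props.get("actions", {}).get("actionGroups"):
            problems.append("no action group assigned")
        if not problems:
            return True, [f"{name}: compliant"]
        findings.extend(f"{name}: {p}" for p in problems)
    if not findings:
        findings.append(f"no activity log alert rule matches operationName={operation}")
    return False, findings


if __name__ == "__main__":
    passed, findings = audit_activity_log_alert(SAMPLE_ALERTS)
    print("PASS" if passed else "FAIL", *findings, sep="\n  ")
    # Remediation payload a practitioner would PUT via the REST API.
    print(json.dumps(activity_log_alert_body(SUB_ID, ACTION_GROUP), indent=2))
```

The audit deliberately treats an extra `level`, `status` or `caller` clause as a finding, because the portal checks on the page require all event levels, all statuses and all initiators to be selected; a rule that only fires for one caller would still look correct in the Alert rules list.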
References
https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement
https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation
https://docs.microsoft.com/en-in/rest/api/policy/policy-assignments
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-log