Skip to main content

lacework-global-559

5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment (Automated)

Profile Applicability

• Level 1

Description

Create an activity log alert for the Delete Policy Assignment event.

Rationale

Monitoring for delete policy assignment events gives insight into changes done in "azure policy - assignments" and can reduce the time it takes to detect unsolicited changes.

Audit

From Azure Portal

  1. Navigate to the Monitor blade
  2. Click on Alerts
  3. In the Alerts window, click on Alert rules
  4. Hover mouse over the values in the Condition column to find an alert where Operation name=Microsoft.Authorization/policyAssignments/delete
  5. Click on the Alert Name associated with the previous step
  6. Click on the Condition name of Whenever the Activity Log has an event with Category='Administrative', Signal name='Delete policy assignment (policyAssignments)'
  7. In the Configure signal logic window, ensure the following is configured:
    • Event level: All selected
    • Status: All selected
    • Event initiated by: * (All services an users)
  8. Click Done
  9. Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization.

From Azure CLI

[Azure CLI has been temporarily removed from the Activity Log Alerts section in version 1.5 and will be added back in the next release]

Remediation

From Azure Portal

  1. Navigate to the Monitor blade
  2. Click on Alerts
  3. Click on Create
  4. Click on Alert rule
  5. Under the Scope tab, click Select scope
  6. In the Select a resource window, select the appropriate filters:
    • Filter by subscription: < choose the subscription alerts are needed for >
    • Filter by resource location: Policy assignment (policyAssignments)
    • Filter by location: All
    • Click on the subscription name or resource group to apply the Log Alert Rule to
  7. Verify that the selection preview shows:
    • All Policy assignment (policyAssignments)
    • < Resource Name > - The subscription, group, or resource you selected
  8. Click Done
  9. Under the Condition tab, click Add Condition (the Select a signal window may automatically open without clicking)
  10. In the Select a signal window, under the "Signal Name" heading, click Delete policy assignment (Microsoft.Authorization/policyAssignments)
  11. Under the Actions tab, choose appropriately:
    • Select action groups - If you have an existing action group to notify the necessary personnel.
    • Create action group - If you do not have an existing action group or want to create a new one.
  12. Under the Details tab, fill in:
    • Resource group - Select the resource group you want the alert rule to reside in.
    • Alert rule name - Give your alert a recognizable and standardized name.
    • Alert rule description - (Optional)
  13. Click Review + create then verify the summary details
  14. Click Create

From Azure CLI

[Azure CLI has been temporarily removed from the Activity Log Alerts section in version 1.5 and will be added back in the next release]

References

https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation
https://azure.microsoft.com/en-us/services/blueprints/

Additional Information

This log alert also applies for Azure Blueprints.