lacework-global-559
5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment (Automated)
Profile Applicability
• Level 1
Description
Create an activity log alert for the Delete Policy Assignment event.
Rationale
Monitoring for delete policy assignment events gives insight into changes done in "azure policy - assignments" and can reduce the time it takes to detect unsolicited changes.
Audit
From Azure Portal
- Navigate to the Monitor blade.
- Click on Alerts.
- In the Alerts window, click on Alert rules.
- Hover the mouse over the values in the Condition column to find an alert where Operation name=Microsoft.Authorization/policyAssignments/delete.
- Click on the Alert Name associated with the previous step.
- Click on the Condition name of Whenever the Activity Log has an event with Category='Administrative', Signal name='Delete policy assignment (policyAssignments)'.
- In the Configure signal logic window, ensure the following is configured:
  - Event level: All selected
  - Status: All selected
  - Event initiated by: * (All services and users)
- Click Done.
- Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization.
From Azure CLI
[Azure CLI has been temporarily removed from the Activity Log Alerts section in version 1.5 and will be added back in the next release]
Remediation
From Azure Portal
- Navigate to the Monitor blade.
- Click on Alerts.
- Click on Create.
- Click on Alert rule.
- Under the Scope tab, click Select scope.
- In the Select a resource window, select the appropriate filters:
  - Filter by subscription: < choose the subscription alerts are needed for >
  - Filter by resource location: Policy assignment (policyAssignments)
  - Filter by location: All
- Click on the subscription name or resource group to apply the Log Alert Rule to.
- Verify that the selection preview shows: All Policy assignment (policyAssignments), < Resource Name > (the subscription, group, or resource you selected).
- Click Done.
- Under the Condition tab, click Add Condition (the Select a signal window may automatically open without clicking).
- In the Select a signal window, under the "Signal Name" heading, click Delete policy assignment (Microsoft.Authorization/policyAssignments).
- Under the Actions tab, choose appropriately:
  - Select action groups - If you have an existing action group to notify the necessary personnel.
  - Create action group - If you do not have an existing action group or want to create a new one.
- Under the Details tab, fill in:
  - Resource group - Select the resource group you want the alert rule to reside in.
  - Alert rule name - Give your alert a recognizable and standardized name.
  - Alert rule description - (Optional)
- Click Review + create, then verify the summary details.
- Click Create.
From Azure CLI
[Azure CLI has been temporarily removed from the Activity Log Alerts section in version 1.5 and will be added back in the next release]
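Because the CLI steps are absent from this version, the following is an added example (not from the benchmark or Lacework) that audits the JSON printed by `az monitor activity-log alert list` for an enabled alert matching this control. The ARM document shape (condition.allOf, scopes, actions.actionGroups) and the sample data are assumptions.

```python
"""Audit helper for 5.2.2: find enabled Activity Log alerts whose condition is
category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete,
scoped inside the target subscription, with at least one action group attached.

Feed it the output of:
    az monitor activity-log alert list --subscription <SUBSCRIPTION_ID> -o json
Remediation, if nothing is returned (identifiers are placeholders):
    az monitor activity-log alert create --name <NAME> --resource-group <RG> \
      --scope /subscriptions/<SUBSCRIPTION_ID> \
      --condition "category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete" \
      --action-group <ACTION_GROUP_ID>
"""
import json

TARGET_OP = "microsoft.authorization/policyassignments/delete"


def _condition_matches(condition: dict) -> bool:
    """True when the allOf clauses pin both the category and the delete operation."""
    clauses = {c.get("field", "").lower(): str(c.get("equals", "")).lower()
               for c in condition.get("allOf", [])}
    return clauses.get("category") == "administrative" and clauses.get("operationname") == TARGET_OP


def find_compliant_alerts(alerts_json: str, subscription_id: str) -> list:
    """Return names of alerts satisfying the control; an empty list is a finding."""
    sub_prefix = f"/subscriptions/{subscription_id}".lower()
    compliant = []
    for alert in json.loads(alerts_json):
        if not alert.get("enabled", False):
            continue  # disabled rules never fire
        if not _condition_matches(alert.get("condition", {})):
            continue
        if not any(s.lower().startswith(sub_prefix) for s in alert.get("scopes", [])):
            continue  # scoped elsewhere (subscription or a resource group within it is accepted)
        if not alert.get("actions", {}).get("actionGroups"):
            continue  # matches but notifies nobody
        compliant.append(alert["name"])
    return compliant


# Constructed sample mimicking CLI output: one compliant rule, one rule that
# watches a different operation, and one matching rule that is disabled.
SAMPLE = json.dumps([
    {"name": "delete-policy-assignment", "enabled": True, "scopes": ["/subscriptions/0000-sub"],
     "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                             {"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]},
     "actions": {"actionGroups": [{"actionGroupId": "/subscriptions/0000-sub/resourceGroups/rg/providers/microsoft.insights/actionGroups/secops"}]}},
    {"name": "create-policy-assignment", "enabled": True, "scopes": ["/subscriptions/0000-sub"],
     "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                             {"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]},
     "actions": {"actionGroups": [{"actionGroupId": "/ag/secops"}]}},
    {"name": "delete-policy-assignment-disabled", "enabled": False, "scopes": ["/subscriptions/0000-sub"],
     "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                             {"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]},
     "actions": {"actionGroups": [{"actionGroupId": "/ag/secops"}]}},
])

if __name__ == "__main__":
    print(find_compliant_alerts(SAMPLE, "0000-sub"))
```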
References
https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation
https://azure.microsoft.com/en-us/services/blueprints/
Additional Information
This log alert also applies for Azure Blueprints.