Information
Create an activity log alert for the Delete Policy Assignment event.
Monitoring for Delete Policy Assignment events gives insight into changes made to Azure Policy assignments and can reduce the time it takes to detect unsolicited changes.
Solution
Remediate from Azure Portal
- Navigate to the Monitor blade.
- Select Alerts.
- Select Create.
- Select Alert rule.
- Choose a subscription.
- Select Apply.
- Select the Condition tab.
- Click See all signals.
- Select Delete policy assignment (Policy assignment).
- Click Apply.
- Select the Actions tab.
- Click Select action groups to select an existing action group, or Create action group to create a new action group.
- Follow the prompts to choose or create an action group.
- Select the Details tab.
- Select a Resource group, provide an Alert rule name and an optional Alert rule description.
- Click Review + create.
- Click Create.
Remediate from Azure CLI
az monitor activity-log alert create --resource-group "<resource group name>" --condition "category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete and level=<verbose | information | warning | error | critical>" --scope "/subscriptions/<subscription ID>" --name "<activity log rule name>" --subscription <subscription id> --action-group <action group ID>
Remediate from PowerShell
Create the conditions object. All three conditions must match for the rule to fire (they are combined with AND).
$conditions = @()
# Administrative events only
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category
# The Delete Policy Assignment operation
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Authorization/policyAssignments/delete -Field operationName
# Event level to alert on
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level
Retrieve the Action Group information, store it in a variable, then create the Action object.
$actionGroup = Get-AzActionGroup -ResourceGroupName "<resource group name>" -Name "<action group name>"
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id
Create the Scope variable.
$scope = "/subscriptions/<subscription id>"
Create the Activity Log Alert Rule for Microsoft.Authorization/policyAssignments/delete. Activity log alert rules are always created in the global location.
New-AzActivityLogAlert -Name "<activity log alert rule name>" -ResourceGroupName "<resource group name>" -Condition $conditions -Scope $scope -Location global -Action $actionObject -SubscriptionId "<subscription ID>" -Enabled:$true
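To confirm the remediation took effect, the following added check (not part of the original page) lists every activity log alert rule in the current subscription whose conditions cover the Delete Policy Assignment operation and reports whether it is enabled. It assumes Az.Monitor 4.x, where Get-AzActivityLogAlert exposes the rule's condition entries as ConditionAllOf (with Field and Equal) and its state as Enabled; the function name Test-PolicyAssignmentDeleteAlert is hypothetical.

```powershell
# Added verification check; not code from the original page.
# Assumes Az.Monitor 4.x: Get-AzActivityLogAlert returns rules whose
# condition.allOf entries appear as ConditionAllOf (Field / Equal) and whose
# enablement appears as Enabled. Run after Connect-AzAccount.
function Test-PolicyAssignmentDeleteAlert {
    param(
        [string]$OperationName = "Microsoft.Authorization/policyAssignments/delete"
    )

    $found = foreach ($rule in (Get-AzActivityLogAlert)) {
        # A qualifying rule must match the Administrative category AND the delete operation
        $hasCategory = $rule.ConditionAllOf |
            Where-Object { $_.Field -eq 'category' -and $_.Equal -eq 'Administrative' }
        $hasOperation = $rule.ConditionAllOf |
            Where-Object { $_.Field -eq 'operationName' -and $_.Equal -eq $OperationName }

        if ($hasCategory -and $hasOperation) {
            [pscustomobject]@{
                Name    = $rule.Name
                Enabled = [bool]$rule.Enabled
                Scope   = ($rule.Scope -join ';')
            }
        }
    }

    if (-not $found) {
        Write-Warning "No activity log alert rule covers $OperationName in this subscription."
        return $null
    }

    # Surface rules that exist but are disabled, since those do not alert
    foreach ($r in $found | Where-Object { -not $_.Enabled }) {
        Write-Warning "Rule '$($r.Name)' matches the operation but is disabled."
    }
    return $found
}

Test-PolicyAssignmentDeleteAlert | Format-Table -AutoSize
```

The check intentionally ignores the level condition so that a rule alerting on any level still counts as coverage.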