Ensure Activity Log Alert exists for Delete Policy Assignment

More Info:

Monitoring for Delete policy assignment events gives insight into changes done in ‘azure policy - assignments’ and may reduce the time it takes to detect unsolicited changes.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

CISAZURE, CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Policy Assignment” in Azure using Azure CLI, you can follow the below steps:Step 1: Open the Azure CLI and login to your Azure account using the command:

az login

Step 2: Check if there is any existing activity log alert for Delete Policy Assignment using the command:

az monitor activity-log alert list --query '[?contains(details.operationName.displayValue, `Microsoft.Authorization/policyAssignments/delete`)]'

If the output of the above command is empty, it means there is no activity log alert for Delete Policy Assignment.Step 3: Create an activity log alert for Delete Policy Assignment using the command:

az monitor activity-log alert create --name <AlertName> --description <Description> --condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete --action-groups <ActionGroupResourceId> --enabled true

Replace <AlertName> with a name for the alert, <Description> with a description for the alert, and <ActionGroupResourceId> with the resource ID of the action group to which the alert should send notifications.Step 4: Verify that the activity log alert for Delete Policy Assignment has been created using the command:

az monitor activity-log alert list --query '[?contains(details.operationName.displayValue, `Microsoft.Authorization/policyAssignments/delete`)]'

The output of the above command should show the newly created activity log alert.By following the above steps, you can remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Policy Assignment” in Azure using Azure CLI.

Using Python

To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Policy Assignment” in Azure using Python, you can follow the below steps:Step 1: Login to Azure using Python SDK.

from azure.identity import DefaultAzureCredential
from azure.mgmt.monitor import MonitorManagementClient
from azure.mgmt.resource import ResourceManagementClient

credential = DefaultAzureCredential()
subscription_id = '<subscription_id>'

resource_client = ResourceManagementClient(credential, subscription_id)
monitor_client = MonitorManagementClient(credential, subscription_id)

Step 2: Check if an Activity Log Alert exists for Delete Policy Assignment.

alert_name = '<alert_name>'
alert_resource_group_name = '<alert_resource_group_name>'

alerts = monitor_client.activity_log_alerts.list_by_resource_group(resource_group_name=alert_resource_group_name)

for alert in alerts:
    if alert_name.lower() in alert.name.lower() and alert.condition.all_of[0].field == "category" and alert.condition.all_of[0].equals == "Policy":
        print("Activity Log Alert exists for Delete Policy Assignment")
        break
else:
    print("Activity Log Alert does not exist for Delete Policy Assignment")

Step 3: Create an Activity Log Alert for Delete Policy Assignment if it does not exist.

if not any(alert_name.lower() in alert.name.lower() for alert in alerts):
    action_group_id = '<action_group_id>'
    scopes = ['/subscriptions/<subscription_id>']
    condition = "category = 'Policy' and operationName.value = 'Microsoft.Authorization/policyAssignments/delete'"
    email_subject = 'Alert: Delete Policy Assignment'
    email_body = 'Delete Policy Assignment occurred in your subscription'
    
    activity_log_alert = {
        "name": alert_name,
        "description": "Activity Log Alert for Delete Policy Assignment",
        "enabled": True,
        "scopes": scopes,
        "condition": {
            "allOf": [
                {
                    "field": "category",
                    "equals": "Policy"
                },
                {
                    "field": "operationName.value",
                    "equals": "Microsoft.Authorization/policyAssignments/delete"
                }
            ]
        },
        "actions": {
            "action_groups": [
                {
                    "action_group_id": action_group_id
                }
            ],
            "custom_emails": {
                "send_to_subscription_administrator": True,
                "custom_email_subject": email_subject,
                "custom_email_body": email_body
            }
        }
    }
    
    activity_log_alert = monitor_client.activity_log_alerts.create_or_update(
        resource_group_name=alert_resource_group_name,
        activity_log_alert_name=alert_name,
        parameters=activity_log_alert
    )
    
    print("Activity Log Alert created for Delete Policy Assignment")

By following these steps, you can remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Policy Assignment” in Azure using Python.

Additional Reading:

https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Ensure Activity Log Alert exists for Delete Policy Assignment

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: