More Info:

Monitoring for Delete policy assignment events gives insight into changes done in ‘azure policy - assignments’ and may reduce the time it takes to detect unsolicited changes.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

CISAZURE, CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Policy Assignment” in Azure using the Azure console, please follow the below steps:
  1. Log in to the Azure portal using your credentials.
  2. Navigate to the “Activity Log Alerts” page.
  3. Click on the “Add” button to create a new activity log alert.
  4. In the “Basics” tab, provide a name and description for the alert.
  5. In the “Condition” tab, select the “Delete Policy Assignment” option from the “Event name” dropdown list.
  6. In the “Actions” tab, select the action that you want to perform when the alert is triggered. For example, you can send an email notification to the concerned team.
  7. In the “Review + create” tab, review the alert configuration and click on the “Create” button to create the alert.
Once the activity log alert is created, it will trigger whenever a policy assignment is deleted in your Azure environment, and you will be notified via the configured action. This will help you to detect and remediate any unauthorized policy assignment deletions and ensure the security of your Azure resources.

To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Policy Assignment” in Azure using Azure CLI, you can follow the below steps:Step 1: Open the Azure CLI and login to your Azure account using the command:
az login
Step 2: Check if there is any existing activity log alert for Delete Policy Assignment using the command:
az monitor activity-log alert list --query '[?contains(details.operationName.displayValue, `Microsoft.Authorization/policyAssignments/delete`)]'
If the output of the above command is empty, it means there is no activity log alert for Delete Policy Assignment.Step 3: Create an activity log alert for Delete Policy Assignment using the command:
az monitor activity-log alert create --name <AlertName> --description <Description> --condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete --action-groups <ActionGroupResourceId> --enabled true
Replace <AlertName> with a name for the alert, <Description> with a description for the alert, and <ActionGroupResourceId> with the resource ID of the action group to which the alert should send notifications.Step 4: Verify that the activity log alert for Delete Policy Assignment has been created using the command:
az monitor activity-log alert list --query '[?contains(details.operationName.displayValue, `Microsoft.Authorization/policyAssignments/delete`)]'
The output of the above command should show the newly created activity log alert.By following the above steps, you can remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Policy Assignment” in Azure using Azure CLI.
To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Policy Assignment” in Azure using Python, you can follow the below steps:Step 1: Login to Azure using Python SDK.
from azure.identity import DefaultAzureCredential
from azure.mgmt.monitor import MonitorManagementClient
from azure.mgmt.resource import ResourceManagementClient

credential = DefaultAzureCredential()
subscription_id = '<subscription_id>'

resource_client = ResourceManagementClient(credential, subscription_id)
monitor_client = MonitorManagementClient(credential, subscription_id)
Step 2: Check if an Activity Log Alert exists for Delete Policy Assignment.
alert_name = '<alert_name>'
alert_resource_group_name = '<alert_resource_group_name>'

alerts = monitor_client.activity_log_alerts.list_by_resource_group(resource_group_name=alert_resource_group_name)

for alert in alerts:
    if alert_name.lower() in alert.name.lower() and alert.condition.all_of[0].field == "category" and alert.condition.all_of[0].equals == "Policy":
        print("Activity Log Alert exists for Delete Policy Assignment")
        break
else:
    print("Activity Log Alert does not exist for Delete Policy Assignment")
Step 3: Create an Activity Log Alert for Delete Policy Assignment if it does not exist.
if not any(alert_name.lower() in alert.name.lower() for alert in alerts):
    action_group_id = '<action_group_id>'
    scopes = ['/subscriptions/<subscription_id>']
    condition = "category = 'Policy' and operationName.value = 'Microsoft.Authorization/policyAssignments/delete'"
    email_subject = 'Alert: Delete Policy Assignment'
    email_body = 'Delete Policy Assignment occurred in your subscription'
    
    activity_log_alert = {
        "name": alert_name,
        "description": "Activity Log Alert for Delete Policy Assignment",
        "enabled": True,
        "scopes": scopes,
        "condition": {
            "allOf": [
                {
                    "field": "category",
                    "equals": "Policy"
                },
                {
                    "field": "operationName.value",
                    "equals": "Microsoft.Authorization/policyAssignments/delete"
                }
            ]
        },
        "actions": {
            "action_groups": [
                {
                    "action_group_id": action_group_id
                }
            ],
            "custom_emails": {
                "send_to_subscription_administrator": True,
                "custom_email_subject": email_subject,
                "custom_email_body": email_body
            }
        }
    }
    
    activity_log_alert = monitor_client.activity_log_alerts.create_or_update(
        resource_group_name=alert_resource_group_name,
        activity_log_alert_name=alert_name,
        parameters=activity_log_alert
    )
    
    print("Activity Log Alert created for Delete Policy Assignment")
By following these steps, you can remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Policy Assignment” in Azure using Python.

Additional Reading: