More Info:

Monitoring for ‘Delete Security Policy’ events gives insight into changes to security policy and may reduce the time it takes to detect suspicious activity.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Security Policy” in Azure using the Azure console, follow these steps:
  1. Log in to the Azure portal (https://portal.azure.com/).
  2. Click on “Resource groups” in the left-hand menu and select the resource group containing the affected security policy.
  3. Click on the security policy that needs to be remediated.
  4. In the left-hand menu, click on “Activity log”.
  5. Click on “Alerts” in the top menu bar.
  6. Click on the “New alert rule” button.
  7. In the “Basics” tab, give the alert rule a name and description.
  8. In the “Condition” tab, select the “Event count” signal type and set the threshold to greater than 0.
  9. Scroll down to the “Custom log search” section and click on “Edit”.
  10. In the query editor, paste the following query:
ResourceType=Microsoft.Network/networkSecurityGroups
OperationName=Microsoft.Network/networkSecurityGroups/delete
  1. Click on “Done” to save the query.
  2. In the “Actions” tab, select the action you want to take when the alert is triggered (e.g. send an email notification).
  3. Click on “Create alert rule” to save the alert.
Once the alert rule is created, you will receive a notification whenever the specified security policy is deleted, allowing you to take appropriate action to remediate the issue.

To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Security Policy” for AZURE using AZURE CLI, follow the below steps:Step 1: Open the Azure CLI in your terminal or command prompt.Step 2: Run the following command to check if there is an activity log alert for Delete Security Policy:
az monitor activity-log alert list --query "[?contains(details.operationName.value, 'Microsoft.Network/networkSecurityGroups/delete')]"
If the command returns an empty result, then there is no activity log alert for Delete Security Policy.Step 3: Run the following command to create an activity log alert for Delete Security Policy:
az monitor activity-log alert create --name <ALERT_NAME> --resource-group <RESOURCE_GROUP_NAME> --condition category=Administrative and operationName.value=Microsoft.Network/networkSecurityGroups/delete --action-group <ACTION_GROUP_ID>
Replace <ALERT_NAME> with the name of the activity log alert you want to create, <RESOURCE_GROUP_NAME> with the name of the resource group in which the activity log alert will be created, and <ACTION_GROUP_ID> with the ID of the action group to which the alert should send notifications.Step 4: Run the following command to verify that the activity log alert has been created:
az monitor activity-log alert list --query "[?contains(details.operationName.value, 'Microsoft.Network/networkSecurityGroups/delete')]"
The command should return the details of the activity log alert that you just created.Step 5: Verify that the activity log alert is working as expected by deleting a network security group and ensuring that a notification is sent to the action group.By following these steps, you can remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Security Policy” for AZURE using AZURE CLI.
To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Security Policy” in Azure using Python, you can use the following steps:
  1. First, you need to authenticate to Azure using Python. You can use the azure.identity and azure.mgmt.monitor packages for this. Here’s an example code snippet to authenticate:
from azure.identity import DefaultAzureCredential
from azure.mgmt.monitor import MonitorManagementClient

credential = DefaultAzureCredential()
monitor_client = MonitorManagementClient(credential, subscription_id)
Replace subscription_id with the ID of the Azure subscription you want to work with.
  1. Next, you need to check if an activity log alert exists for the “Delete Security Policy” event. You can do this using the monitor_client.activity_log_alerts.list_by_subscription() method. Here’s an example code snippet:
alerts = monitor_client.activity_log_alerts.list_by_subscription()

for alert in alerts:
    if alert.condition.all_of[0].field == "category" and alert.condition.all_of[0].equals == "Policy":
        if alert.condition.all_of[1].field == "operationName" and alert.condition.all_of[1].equals == "Microsoft.Network/networkSecurityGroups/delete":
            print("Activity log alert exists for Delete Security Policy")
            break
else:
    print("Activity log alert does not exist for Delete Security Policy")
  1. If an activity log alert does not exist, you can create one using the monitor_client.activity_log_alerts.create_or_update() method. Here’s an example code snippet:
from azure.mgmt.monitor.models import *

condition = AlertRuleAllOfCondition(
    field="category",
    equals="Policy"
) & AlertRuleAllOfCondition(
    field="operationName",
    equals="Microsoft.Network/networkSecurityGroups/delete"
)

action_group = ActionGroup(
    action_group_id="/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Insights/actionGroups/{action_group_name}"
)

alert = ActivityLogAlert(
    name="Delete Security Policy Alert",
    description="Alert for when a network security group is deleted",
    enabled=True,
    condition=condition,
    actions=[action_group]
)

monitor_client.activity_log_alerts.create_or_update(
    resource_group_name,
    "Delete Security Policy Alert",
    alert
)
Replace resource_group_name with the name of the resource group where you want to create the activity log alert, and replace action_group_name with the name of an existing action group that you want to use for notifications.By following these steps, you can remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Security Policy” in Azure using Python.

Additional Reading: