More Info:
Monitoring for ‘Delete Security Policy’ events gives insight into changes to security policy and may reduce the time it takes to detect suspicious activity.
Risk Level
Low
Address
Security, Operational Maturity
Compliance Standards
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Security Policy” in Azure using the Azure console, follow these steps:
- Log in to the Azure portal (https://portal.azure.com/).
- Click on “Resource groups” in the left-hand menu and select the resource group containing the affected security policy.
- Click on the security policy that needs to be remediated.
- In the left-hand menu, click on “Activity log”.
- Click on “Alerts” in the top menu bar.
- Click on the “New alert rule” button.
- In the “Basics” tab, give the alert rule a name and description.
- In the “Condition” tab, select the “Event count” signal type and set the threshold to greater than 0.
- Scroll down to the “Custom log search” section and click on “Edit”.
- In the query editor, paste the following query:
- Click on “Done” to save the query.
- In the “Actions” tab, select the action you want to take when the alert is triggered (e.g. send an email notification).
- Click on “Create alert rule” to save the alert.
Using CLI
To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Security Policy” for Azure using the Azure CLI, follow the steps below:
Step 1: Open the Azure CLI in your terminal or command prompt.
Step 2: Run the following command to check if there is an activity log alert for Delete Security Policy:
If the command returns an empty result, then there is no activity log alert for Delete Security Policy.
Step 3: Run the following command to create an activity log alert for Delete Security Policy:
Replace <ALERT_NAME> with the name of the activity log alert you want to create, <RESOURCE_GROUP_NAME> with the name of the resource group in which the activity log alert will be created, and <ACTION_GROUP_ID> with the ID of the action group to which the alert should send notifications.
Step 4: Run the following command to verify that the activity log alert has been created:
The command should return the details of the activity log alert that you just created.
Step 5: Verify that the activity log alert is working as expected by deleting a network security group and ensuring that a notification is sent to the action group.
By following these steps, you can remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Security Policy” for Azure using the Azure CLI.
Using Python
To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Security Policy” in Azure using Python, you can use the following steps:
- First, you need to authenticate to Azure using Python. You can use the azure.identity and azure.mgmt.monitor packages for this. Here’s an example code snippet to authenticate:
Replace subscription_id with the ID of the Azure subscription you want to work with.
- Next, you need to check if an activity log alert exists for the “Delete Security Policy” event. You can do this using the monitor_client.activity_log_alerts.list_by_subscription() method. Here’s an example code snippet:
- If an activity log alert does not exist, you can create one using the monitor_client.activity_log_alerts.create_or_update() method. Here’s an example code snippet:
Replace resource_group_name with the name of the resource group where you want to create the activity log alert, and replace action_group_name with the name of an existing action group that you want to use for notifications.
By following these steps, you can remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Security Policy” in Azure using Python.
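As an added example (not code from the original page), the check-then-create logic behind the CLI Step 2 and Step 3 and the Python bullets above, written in plain Python over the ARM JSON shape of a Microsoft.Insights/activityLogAlerts rule so it runs offline without SDK calls. The operationName for a security policy deletion is left as a placeholder because the page does not give it, and the subscription and action group IDs are placeholders as well; the checker also treats disabled rules and rules with no action group as not covering the event.

```python
# PLACEHOLDER: the page does not give the Activity Log operationName for a
# security policy deletion; confirm it in your tenant's Activity Log first.
DELETE_SECURITY_POLICY_OP = "<DELETE_SECURITY_POLICY_OPERATION_NAME>"


def build_alert_payload(subscription_id, alert_name, action_group_id,
                        operation_name=DELETE_SECURITY_POLICY_OP):
    """Body for activity_log_alerts.create_or_update(): one Administrative
    event whose operationName equals the delete operation, routed to an action group."""
    return {
        "name": alert_name,
        "location": "Global",  # activity log alert rules are always Global
        "properties": {
            "enabled": True,
            "scopes": [f"/subscriptions/{subscription_id}"],
            "condition": {"allOf": [
                {"field": "category", "equals": "Administrative"},
                {"field": "operationName", "equals": operation_name},
            ]},
            "actions": {"actionGroups": [{"actionGroupId": action_group_id}]},
        },
    }


def covers_operation(alert, operation_name=DELETE_SECURITY_POLICY_OP):
    """True if the rule is enabled, matches the operation and notifies someone."""
    props = alert.get("properties", alert)
    if not props.get("enabled", False):
        return False
    if not props.get("actions", {}).get("actionGroups"):
        return False  # a rule with no action group fires but nobody is told
    conds = {c.get("field", "").lower(): c.get("equals", "")
             for c in props.get("condition", {}).get("allOf", [])}
    # Activity Log field comparisons are case-insensitive.
    return conds.get("operationname", "").lower() == operation_name.lower()


def alert_missing(existing_alerts, operation_name=DELETE_SECURITY_POLICY_OP):
    """The check fails (returns True) when no existing rule covers the operation."""
    return not any(covers_operation(a, operation_name) for a in existing_alerts)


if __name__ == "__main__":
    # Constructed sample: a disabled rule for this operation plus an NSG-delete rule.
    sample = [build_alert_payload("<SUB_ID>", "old-rule", "<AG_ID>"),
              build_alert_payload("<SUB_ID>", "nsg-rule", "<AG_ID>",
                                  "Microsoft.Network/networkSecurityGroups/delete")]
    sample[0]["properties"]["enabled"] = False
    print("alert missing:", alert_missing(sample))  # True: disabled rules do not count
```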