More Info:

Security solution changes have been detected within your Microsoft Azure cloud account.

Risk Level

High

Address

Security

Compliance Standards

HIPAA, CISAZURE, CBP, ISO27001

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the misconfiguration of creating an alert for “Delete Security Solution” events in Azure using the Azure console:
  1. Open the Azure portal and navigate to the Security Center.
  2. Click on “Security policy” from the left-hand menu.
  3. Select the policy that you want to update.
  4. Scroll down to the “Alerts” section and click on “Add alert”.
  5. In the “Create alert rule” window, select the “Activity log” option.
  6. Under “Event types”, select “Service Health” and then select “Service health status changes”.
  7. In the “Service health status changes” section, select “Resolved” and “Dismissed” as the status changes to be alerted for.
  8. Under “Actions”, select “Email/SMS/Push/Voice” and add the email addresses of the people who should be alerted.
  9. Click on “Create alert rule” to save the configuration.
Once you have followed these steps, you should receive an alert whenever a “Delete Security Solution” event is detected in Azure. This will help you to take immediate action to remediate any potential security risks.

To remediate the misconfiguration of not having an alert for “Delete Security Solution” events in Azure using Azure CLI, follow these steps:
  1. Open the Azure CLI on your local machine or Azure Cloud Shell.
  2. Run the following command to create a new activity log alert rule:
az monitor activity-log alert create --name <alert-name> --description <alert-description> --resource-group <resource-group-name> --condition category=Administrative and operationName=Microsoft.Security/securitySolutions/delete --action <action-group-name> --enabled true
Replace the placeholders <alert-name>, <alert-description>, <resource-group-name>, and <action-group-name> with the appropriate values for your environment.
  1. The --condition parameter specifies the condition for the alert rule. In this case, it is set to trigger when an administrative action is taken to delete a security solution. You can modify this condition to suit your specific needs.
  2. The --action parameter specifies the action to take when the alert is triggered. You can specify an action group that contains one or more actions, such as sending an email notification or invoking a webhook.
  3. Once the command completes successfully, the alert rule will be created and enabled.
By following these steps, you will have successfully remediated the misconfiguration of not having an alert for “Delete Security Solution” events in Azure using Azure CLI.
To remediate the misconfiguration of not having an alert for “Delete Security Solution” events in Azure, you can follow these steps using Python:
  1. Install the Azure SDK for Python using the following command:
pip install azure-mgmt-monitor
  1. Import the required modules:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.monitor import MonitorManagementClient
from azure.mgmt.monitor.models import RuleCondition, ManagementEventAggregationCondition, RuleDataSource, RuleMetricDataSourceConfiguration, RuleManagementEventClaimsDataSourceConfiguration, RuleEmailAction, RuleAction
  1. Set up the Azure credentials by creating a Service Principal:
subscription_id = '<your-subscription-id>'
client_id = '<your-client-id>'
client_secret = '<your-client-secret>'
tenant_id = '<your-tenant-id>'

credentials = ServicePrincipalCredentials(client_id=client_id, secret=client_secret, tenant=tenant_id)
  1. Create a MonitorManagementClient object:
monitor_client = MonitorManagementClient(credentials, subscription_id)
  1. Define the alert rule condition:
condition = RuleCondition(
    data_source=RuleDataSource(
        type='Microsoft.Insights/scheduledQueryResults',
        query='SecurityEvent\n| where EventID == "4688"\n| where TimeGenerated > ago(1d)\n| where OperationName == "Microsoft.Compute/virtualMachines/delete"\n| project ResourceId, ResourceGroupName, Computer, Caller, TimeGenerated'
    ),
    window_size='PT5M',
    all_of=[
        ManagementEventAggregationCondition(
            metric_name='count',
            operator='GreaterThan',
            threshold=0,
            metric_namespace='Microsoft.Insights/scheduledQueryResults',
            dimensions=[
                {
                    'name': 'ResourceId',
                    'operator': 'Include',
                    'values': [
                        '*'
                    ]
                }
            ],
            time_aggregation='Average'
        )
    ]
)
  1. Define the alert rule action:
action = RuleAction(
    send_email=RuleEmailAction(
        custom_emails=[
            '<your-email-address>'
        ],
        send_to_service_owners=False,
        send_to_subscription_administrators=False
    )
)
  1. Create the alert rule:
rule_name = 'Delete Security Solution Alert'
resource_group_name = '<your-resource-group-name>'
location = '<your-location>'

data_source_config = RuleMetricDataSourceConfiguration(
    metric_name='count',
    metric_namespace='Microsoft.Insights/scheduledQueryResults',
    resource_uri='/subscriptions/{0}'.format(subscription_id)
)

claims_data_source_config = RuleManagementEventClaimsDataSourceConfiguration()

monitor_client.alert_rules.create_or_update(
    resource_group_name=resource_group_name,
    rule_name=rule_name,
    parameters={
        'location': location,
        'description': 'Alert rule for detecting delete security solution events',
        'is_enabled': True,
        'condition': condition,
        'actions': [action],
        'data_source': data_source_config,
        'claims_data_source': claims_data_source_config
    }
)
This will create an alert rule in Azure that will send an email notification to the specified email address when a “Delete Security Solution” event is detected.