Create Alert for "Delete Security Solution" Events

More Info:

Security solution changes have been detected within your Microsoft Azure cloud account.

Risk Level

High

Address

Security

Compliance Standards

HIPAA, CISAZURE, CBP, ISO27001

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of not having an alert for “Delete Security Solution” events in Azure using Azure CLI, follow these steps:

Open the Azure CLI on your local machine or Azure Cloud Shell.
Run the following command to create a new activity log alert rule:

az monitor activity-log alert create --name <alert-name> --description <alert-description> --resource-group <resource-group-name> --condition category=Administrative and operationName=Microsoft.Security/securitySolutions/delete --action <action-group-name> --enabled true

Replace the placeholders <alert-name>, <alert-description>, <resource-group-name>, and <action-group-name> with the appropriate values for your environment.

The --condition parameter specifies the condition for the alert rule. In this case, it is set to trigger when an administrative action is taken to delete a security solution. You can modify this condition to suit your specific needs.
The --action parameter specifies the action to take when the alert is triggered. You can specify an action group that contains one or more actions, such as sending an email notification or invoking a webhook.
Once the command completes successfully, the alert rule will be created and enabled.

By following these steps, you will have successfully remediated the misconfiguration of not having an alert for “Delete Security Solution” events in Azure using Azure CLI.

Using Python

To remediate the misconfiguration of not having an alert for “Delete Security Solution” events in Azure, you can follow these steps using Python:

Install the Azure SDK for Python using the following command:

pip install azure-mgmt-monitor

Import the required modules:

from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.monitor import MonitorManagementClient
from azure.mgmt.monitor.models import RuleCondition, ManagementEventAggregationCondition, RuleDataSource, RuleMetricDataSourceConfiguration, RuleManagementEventClaimsDataSourceConfiguration, RuleEmailAction, RuleAction

Set up the Azure credentials by creating a Service Principal:

subscription_id = '<your-subscription-id>'
client_id = '<your-client-id>'
client_secret = '<your-client-secret>'
tenant_id = '<your-tenant-id>'

credentials = ServicePrincipalCredentials(client_id=client_id, secret=client_secret, tenant=tenant_id)

Create a MonitorManagementClient object:

monitor_client = MonitorManagementClient(credentials, subscription_id)

Define the alert rule condition:

condition = RuleCondition(
    data_source=RuleDataSource(
        type='Microsoft.Insights/scheduledQueryResults',
        query='SecurityEvent\n| where EventID == "4688"\n| where TimeGenerated > ago(1d)\n| where OperationName == "Microsoft.Compute/virtualMachines/delete"\n| project ResourceId, ResourceGroupName, Computer, Caller, TimeGenerated'
    ),
    window_size='PT5M',
    all_of=[
        ManagementEventAggregationCondition(
            metric_name='count',
            operator='GreaterThan',
            threshold=0,
            metric_namespace='Microsoft.Insights/scheduledQueryResults',
            dimensions=[
                {
                    'name': 'ResourceId',
                    'operator': 'Include',
                    'values': [
                        '*'
                    ]
                }
            ],
            time_aggregation='Average'
        )
    ]
)

Define the alert rule action:

action = RuleAction(
    send_email=RuleEmailAction(
        custom_emails=[
            '<your-email-address>'
        ],
        send_to_service_owners=False,
        send_to_subscription_administrators=False
    )
)

Create the alert rule:

rule_name = 'Delete Security Solution Alert'
resource_group_name = '<your-resource-group-name>'
location = '<your-location>'

data_source_config = RuleMetricDataSourceConfiguration(
    metric_name='count',
    metric_namespace='Microsoft.Insights/scheduledQueryResults',
    resource_uri='/subscriptions/{0}'.format(subscription_id)
)

claims_data_source_config = RuleManagementEventClaimsDataSourceConfiguration()

monitor_client.alert_rules.create_or_update(
    resource_group_name=resource_group_name,
    rule_name=rule_name,
    parameters={
        'location': location,
        'description': 'Alert rule for detecting delete security solution events',
        'is_enabled': True,
        'condition': condition,
        'actions': [action],
        'data_source': data_source_config,
        'claims_data_source': claims_data_source_config
    }
)

This will create an alert rule in Azure that will send an email notification to the specified email address when a “Delete Security Solution” event is detected.

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Create Alert for "Delete Security Solution" Events

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation