Azure Introduction
Azure Pricing
Azure Threats
Enable Monitoring of Deprecated Accounts
More Info:
Ensure that monitoring of deprecated accounts within your Azure subscription(s) is enabled.
Risk Level
Medium
Address
Operational Maturity, Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Enable Monitoring of Deprecated Accounts” for AZURE using the AZURE console, you can follow the below steps:
-
Log in to the AZURE portal (https://portal.azure.com/).
-
Click on the “Security Center” option from the left-hand side menu.
-
In the Security Center dashboard, click on the “Security policy” option from the top menu.
-
In the Security policy page, click on the “Edit” button to edit the policy.
-
Scroll down to the “Monitoring of deprecated accounts” policy and ensure that it is set to “Enabled”.
-
If it is not enabled, click on the “Enabled” option to turn it on.
-
Once enabled, click on the “Save” button to save the changes.
-
Verify that the policy is now enabled by checking the “Policy Status” column for the “Monitoring of deprecated accounts” policy. It should show “Compliant”.
By following these steps, you will have successfully remediated the “Enable Monitoring of Deprecated Accounts” misconfiguration for AZURE using the AZURE console.
To remediate the misconfiguration “Enable Monitoring of Deprecated Accounts” for Azure using Azure CLI, you can follow the below steps:
-
Open Azure CLI and login to your Azure account using the command:
az login -
Once you are logged in, you need to select the subscription for which you want to remediate the misconfiguration using the command:
az account set --subscription <subscription-id>Replace
<subscription-id>with the ID of the subscription you want to select. -
After selecting the subscription, you need to enable the monitoring of deprecated accounts by creating an activity log alert. To do this, run the following command:
az monitor activity-log alert create --name <alert-name> --description <alert-description> --condition category=ServiceHealth severity=warning --action email <email-address>Replace
<alert-name>with the name of the alert you want to create,<alert-description>with the description of the alert, and<email-address>with the email address where you want to receive the alert notifications. -
Once the activity log alert is created, you need to enable it using the command:
az monitor activity-log alert update --name <alert-name> --enable trueReplace
<alert-name>with the name of the alert you created in step 3. -
Finally, you can verify that the activity log alert is enabled by running the following command:
az monitor activity-log alert show --name <alert-name>Replace
<alert-name>with the name of the alert you created in step 3.
By following these steps, you can remediate the misconfiguration “Enable Monitoring of Deprecated Accounts” for Azure using Azure CLI.
To remediate the misconfiguration “Enable Monitoring of Deprecated Accounts” for AZURE using Python, you can follow these steps:
- Import the necessary libraries:
from azure.identity import DefaultAzureCredential
from azure.mgmt.monitor import MonitorManagementClient
from azure.mgmt.monitor.models import ActionGroup, ActionGroupPatchBody, ActionGroupResource
- Set the credentials to access the Azure account:
credential = DefaultAzureCredential()
- Instantiate the
MonitorManagementClientobject:
monitor_client = MonitorManagementClient(credential, subscription_id)
- Get the list of action groups:
action_groups = monitor_client.action_groups.list()
- Check if there is an action group named “Deprecated Accounts” in the list. If it does not exist, create it:
action_group_name = "Deprecated Accounts"
action_group_exists = False
for ag in action_groups:
if ag.name == action_group_name:
action_group_exists = True
break
if not action_group_exists:
email_address = "[email protected]"
sms_recipient = "+1234567890"
webhook_url = "https://your_webhook_url.com"
action_group = ActionGroupResource(
enabled=True,
name=action_group_name,
short_name=action_group_name,
email_receivers=[email_address],
sms_receivers=[sms_recipient],
webhook_receivers=[webhook_url]
)
monitor_client.action_groups.create_or_update(resource_group_name, action_group_name, action_group)
- Once the action group is created, you can set up the alert rule to monitor the deprecated accounts:
alert_rule_name = "Deprecated Accounts Alert Rule"
alert_rule_exists = False
for rule in monitor_client.alert_rules.list_by_resource_group(resource_group_name):
if rule.name == alert_rule_name:
alert_rule_exists = True
break
if not alert_rule_exists:
criteria = {
"odata.type": "Microsoft.Azure.Monitor.Query.Models.NumericThresholdCriteria",
"dataSourceId": "/subscriptions/{subscriptionId}/providers/Microsoft.Insights/metrics",
"metricName": "DeprecatedAccounts",
"operator": "GreaterThan",
"threshold": 0,
"timeAggregation": "Average",
"dimensions": [
{
"name": "ResourceId",
"value": "/subscriptions/{subscriptionId}"
}
],
"metricNamespace": "Microsoft.Authorization"
}
action_group_ids = [ag.id for ag in monitor_client.action_groups.list()]
alert_rule = {
"name": alert_rule_name,
"description": "Alert rule to monitor deprecated accounts.",
"isEnabled": True,
"condition": {
"odata.type": "Microsoft.Azure.Management.Monitor.Models.ThresholdRuleCondition",
"dataSource": {
"odata.type": "Microsoft.Azure.Management.Monitor.Models.RuleMetricDataSource",
"resourceUri": "/subscriptions/{subscriptionId}",
"metricNamespace": "Microsoft.Authorization",
"metricName": "DeprecatedAccounts",
"aggregation": {
"odata.type": "Microsoft.Azure.Management.Monitor.Models.RuleMetricDataSourceAggregation",
"metricName": "DeprecatedAccounts",
"function": "Average"
}
},
"operator": {
"odata.type": "Microsoft.Azure.Management.Monitor.Models.ThresholdOperator",
"name": "GreaterThan"
},
"threshold": 0,
"windowSize": "PT5M"
},
"actions": [
{
"odata.type": "Microsoft.Azure.Management.Monitor.Models.RuleEmailAction",
"sendToServiceOwners": False,
"customEmails": []
},
{
"odata.type": "Microsoft.Azure.Management.Monitor.Models.RuleActionGroup",
"actionGroupId": action_group_ids[0]
}
]
}
monitor_client.alert_rules.create_or_update(resource_group_name, alert_rule_name, alert_rule)
- Finally, you can verify that the alert rule is set up correctly by checking the Azure portal or by running the following command:
alert_rules = monitor_client.alert_rules.list_by_resource_group(resource_group_name)
for rule in alert_rules:
if rule.name == alert_rule_name:
print("Alert rule {} is enabled.".format(alert_rule_name))
break
These steps will enable monitoring of deprecated accounts in Azure and send alerts to the specified action group when any deprecated accounts are detected.