Account should have a activity log alert configured for deallocating virtual machines

Docs > Datadog Security > OOTB Rules > Account should have a activity log alert configured for deallocating virtual machines

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Description

Create an activity log alert for the Deallocate Virtual Machine event.

Rationale

By implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.

Remediation

From the console

Using the Azure Portal search bar, search for Monitor.
Select Alerts from the left-hand panel.
Click Create and from the drop down select Alert rule.
Under Scope, click Select scope.
Select the appropriate subscription under Filter by subscription.
Select Virtual machines under Filter by resource type.
Select All for Filter by location.
Click on the subscription resource from the entries populated under Resource.
Click Done.
Verify that Selection preview shows your selected Virtual Machine(s) and subscription name.
Under Condition, click Add Condition.
Select Deallocate Virtual Machine signal name.
Navigate to Actions.
Under Action group, select Add action groups and either complete the creation process, or select the appropriate action group.
Navigate to Details and select the appropriate resource group to save the alert to.
Enter Alert rule name and Alert rule description.
Under the Advanced options drop-down menu, click on the Enable alert rule upon creation checkbox.
Click Review + create and verify all of the alert settings are correct.
Click Create.

From the command line

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "AuthorizationBearer $1" -H "Content-Typeapplication/json" https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_To Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01 -d@"input.json"'

input.json contains the request body JSON data mentioned below.

{
  "location": "Global",
  "tags": {},
  "properties": {
    "scopes": [
      "/subscriptions/<Subscription_ID>"
    ],
    "enabled": true,
    "condition": {
      "allOf": [
        {
          "containsAny": null,
          "equals": "Administrative",
          "field": "category"
        },
        {
          "containsAny": null,
          "equals": "Microsoft.Compute/virtualMachines/deallocate",
          "field": "operationName"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
"webhookProperties": null
        }
      ]
    },
  }
}

Using PowerShell AZ cmdlets:

$ComplianceName = 'Deallocatete Virtual Machine'
$Signal = 'Microsoft.Compute/virtualMachines/deallocate'
$Category = 'Administrative'
$ResourceGroupName = 'MyResourceGroup'
$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)
$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)
$Subscription = (Get-AzContext).Subscription
$location = 'Global'
$scope = "/subscriptions/$($Subscription.Id)"
$alertName = "$($Subscription.Name) - $($ComplianceName)"
$conditions = @(
  New-AzActivityLogAlertCondition -Field 'category' -Equal $Category
  New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal
)
Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions