Account should have a activity log alert configured for deallocating virtual machines

Description

Create an activity log alert for the Deallocate Virtual Machine event.

Rationale

By implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.

Remediation

From the console

  1. Using the Azure Portal search bar, search for Monitor.
  2. Select Alerts from the left-hand panel.
  3. Click Create and from the drop down select Alert rule.
  4. Under Scope, click Select scope.
  5. Select the appropriate subscription under Filter by subscription.
  6. Select Virtual machines under Filter by resource type.
  7. Select All for Filter by location.
  8. Click on the subscription resource from the entries populated under Resource.
  9. Click Done.
  10. Verify that Selection preview shows your selected Virtual Machine(s) and subscription name.
  11. Under Condition, click Add Condition.
  12. Select Deallocate Virtual Machine signal name.
  13. Navigate to Actions.
  14. Under Action group, select Add action groups and either complete the creation process, or select the appropriate action group.
  15. Navigate to Details and select the appropriate resource group to save the alert to.
  16. Enter Alert rule name and Alert rule description.
  17. Under the Advanced options drop-down menu, click on the Enable alert rule upon creation checkbox.
  18. Click Review + create and verify all of the alert settings are correct.
  19. Click Create.

From the command line

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "AuthorizationBearer $1" -H "Content-Typeapplication/json" https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_To Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01 -d@"input.json"'

input.json contains the request body JSON data mentioned below.

{
  "location": "Global",
  "tags": {},
  "properties": {
    "scopes": [
      "/subscriptions/<Subscription_ID>"
    ],
    "enabled": true,
    "condition": {
      "allOf": [
        {
          "containsAny": null,
          "equals": "Administrative",
          "field": "category"
        },
        {
          "containsAny": null,
          "equals": "Microsoft.Compute/virtualMachines/deallocate",
          "field": "operationName"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
"webhookProperties": null
        }
      ]
    },
  }
}

Using PowerShell AZ cmdlets:

$ComplianceName = 'Deallocatete Virtual Machine'
$Signal = 'Microsoft.Compute/virtualMachines/deallocate'
$Category = 'Administrative'
$ResourceGroupName = 'MyResourceGroup'
$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)
$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)
$Subscription = (Get-AzContext).Subscription
$location = 'Global'
$scope = "/subscriptions/$($Subscription.Id)"
$alertName = "$($Subscription.Name) - $($ComplianceName)"
$conditions = @(
  New-AzActivityLogAlertCondition -Field 'category' -Equal $Category
  New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal
)
Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions

References

  1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview
  2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
  3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
  4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
  5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources