'Create Policy Assignment' activity log alert should be configured

Description

To improve detection of unsolicited changes and gain insight into modifications made in “Azure policy - assignments,” it is recommended to create an activity log alert specifically for the Create Policy Assignment event. This alert will help monitor and track any occurrences of policy assignment creation, reducing the time it takes to identify and respond to any unauthorized changes.

Remediation

From the console

  1. Go to Monitor and select Alerts.
  2. Click New Alert Rule.
  3. Under Scope, click Select Resource.
  4. Under Filter by Subscription, select the appropriate subscription.
  5. Under Filter by Resource Type, select Policy Assignment.
  6. Select All for Filter by Location.
  7. Click the subscription resource from the entries populated under Resource. Verify that the selection preview shows All Policy assignment (policyAssignments) and the selected subscription name.
  8. Click Done.
  9. Under Condition, click Add Condition, then select the Create Policy Assignment signal.
  10. Click Done.
  11. Under Action Group, select Add Action Groups and complete the creation process or select the appropriate action group.
  12. Under Alert Rule Details, enter the Alert Rule Name and Description.
  13. Select the appropriate resource group to save the alert to.
  14. Select the Enable alert rule upon creation checkbox.
  15. Click Create Alert Rule.
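
To verify the outcome of the steps above, this added example (not part of the original page) checks a list of activity log alert rules for one that is enabled, scoped to the whole subscription, has an action group, and matches the Create Policy Assignment operation (`Microsoft.Authorization/policyAssignments/write`). The JSON layout is assumed to match the output of `az monitor activity-log alert list`; the sample rules, the subscription ID and the function names are constructed for illustration.

```python
import json

# Operation logged when a policy assignment is created (compared case-insensitively).
OPERATION = "microsoft.authorization/policyassignments/write"
SUB = "00000000-0000-0000-0000-000000000000"  # constructed placeholder subscription ID

# Constructed sample; layout assumed to match `az monitor activity-log alert list`.
SAMPLE_ALERTS = json.loads("""[
 {"name": "policy-assignment-created", "enabled": true,
  "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
  "condition": {"allOf": [
    {"field": "category", "equals": "Administrative"},
    {"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]},
  "actions": {"actionGroups": [{"actionGroupId": "example-action-group-id"}]}},
 {"name": "disabled-rule", "enabled": false,
  "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
  "condition": {"allOf": [{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]},
  "actions": {"actionGroups": [{"actionGroupId": "example-action-group-id"}]}},
 {"name": "rg-scoped-no-action", "enabled": true,
  "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/app"],
  "condition": {"allOf": [{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]},
  "actions": {"actionGroups": []}}
]""")

def findings(alert, subscription_id):
    """Return the reasons a rule fails the control; an empty list means it passes."""
    problems = []
    conditions = {str(c.get("field", "")).lower(): str(c.get("equals", "")).lower()
                  for c in (alert.get("condition") or {}).get("allOf", [])}
    if conditions.get("operationname") != OPERATION:
        problems.append("condition is not the Create Policy Assignment operation")
    if set(conditions) - {"category", "operationname"}:
        problems.append("extra conditions narrow which events fire the alert")
    scopes = [s.lower().rstrip("/") for s in alert.get("scopes", [])]
    if f"/subscriptions/{subscription_id}".lower() not in scopes:
        problems.append("scope is not the whole subscription")
    if not alert.get("enabled"):
        problems.append("rule is disabled")
    if not (alert.get("actions") or {}).get("actionGroups"):
        problems.append("no action group attached")
    return problems

def compliant_rules(alerts, subscription_id):
    """Names of rules that fully satisfy the control for this subscription."""
    return [a["name"] for a in alerts if not findings(a, subscription_id)]

if __name__ == "__main__":
    print({r["name"]: findings(r, SUB) or "OK" for r in SAMPLE_ALERTS})
```

The control is met for a subscription when `compliant_rules` returns at least one rule name; an empty result means no existing rule would alert on policy assignment creation across the subscription.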