User should have a 'Create Policy Assignment' activity log alert configured

azure.activity_log

Warning: This rule will be deprecated 18 December 2023 as part of the update to Azure CIS version 2.0.0

Description

Create an activity log alert for the Create Policy Assignment event.

Rationale

Monitoring for create policy assignment events gives insight into changes done in “azure policy - assignments” and can reduce the time it takes to detect unsolicited changes.

Remediation

From the console

  1. Go to Monitor.
  2. Select Alerts.
  3. Click On New Alert Rule.
  4. Under Scope, click Select Resource.
  5. Select the appropriate subscription under Filter by Subscription.
  6. Select Policy Assignment under Filter by Resource Type.
  7. Select All for Filter by Location.
  8. Click on the subscription resource from the entries populated under Resource.
  9. Verify selection preview shows All Policy assignment (policyAssignments) and your selected subscription name.
  10. Click Done.
  11. Under Condition click Add Condition.
  12. Select Create Policy Assignment signal.
  13. Click Done.
  14. Under Action Group, select Add Action Groups and complete creation process or select appropriate action group.
  15. Under Alert Rule Details, enter Alert Rule Name and Description.
  16. Select appropriate resource group to save the alert to.
  17. Check Enable alert rule upon creation checkbox.
  18. Click Create Alert Rule.

From the Azure Command Line Interface

To create an Activity Log Alert for Create policy, use this command:

az account get-access-token --query
"{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1
bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type:
application/json"
https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_
To
Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert
_Name>?api-version=2017-04-01 -d@"input.json"

Where input.json contains the request body JSON data mentioned below:

{
	"location": "Global",
	"tags": {},
	"properties": {
		"scopes": [
			"/subscriptions/<Subscription_ID>"
		],
		"enabled": true,
		"condition": {
			"allOf": [{
					"containsAny": null,
					"equals": "Administrative",
					"field": "category"
				},
				{
					"containsAny": null,
					"equals": "Microsoft.Authorization/policyAssignments/write",
					"field": "operationName"
				}
			]
		},
		"actions": {
			"actionGroups": [{
				"actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
				"webhookProperties": null
			}]
		}
	}
}

Configurable parameters for the command line include the following:

  • <Resource_Group_To Create_Alert_In>
  • <Unique_Alert_Name>

Configurable parameters for input.json include the following:

  • <Subscription_ID> in scopes
  • <Subscription_ID> in actionGroupId
  • <Resource_Group_For_Alert_Group> in actionGroupId
  • <Alert_Group> in actionGroupId

References

  1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement
  2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
  3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
  4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
  5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources