User has 'Create Policy Assignment' activity log alert configured
Set up the azure.activity_log integration.
Description
Create an activity log alert for the Create Policy Assignment event.
Rationale
Monitoring for Create Policy Assignment events gives insight into changes made to Azure Policy assignments and can reduce the time it takes to detect unsolicited changes.
From the console
- Go to Monitor.
- Select Alerts.
- Click New Alert Rule.
- Under Scope, click Select Resource.
- Select the appropriate subscription under Filter by Subscription.
- Select Policy Assignment under Filter by Resource Type.
- Select All for Filter by Location.
- Click on the subscription resource from the entries populated under Resource.
- Verify selection preview shows All Policy assignment (policyAssignments) and your selected subscription name.
- Click Done.
- Under Condition click Add Condition.
- Select Create Policy Assignment signal.
- Click Done.
- Under Action Group, select Add Action Groups and complete the creation process, or select an appropriate existing action group.
- Under Alert Rule Details, enter the Alert Rule Name and Description.
- Select the appropriate resource group to save the alert to.
- Check the Enable alert rule upon creation checkbox.
- Click Create Alert Rule.
From the Azure Command Line Interface
To create an Activity Log Alert for Create Policy Assignment, use this command (the access token and subscription ID returned by az account get-access-token are passed to the bash script as $1 and $0 respectively):
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_To_Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01" -d@"input.json"'
Where input.json contains the request body JSON data mentioned below:
{
  "location": "Global",
  "tags": {},
  "properties": {
    "scopes": [
      "/subscriptions/<Subscription_ID>"
    ],
    "enabled": true,
    "condition": {
      "allOf": [
        {
          "containsAny": null,
          "equals": "Administrative",
          "field": "category"
        },
        {
          "containsAny": null,
          "equals": "Microsoft.Authorization/policyAssignments/write",
          "field": "operationName"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
          "webhookProperties": null
        }
      ]
    }
  }
}
Configurable parameters for the command line include the following:
- <Resource_Group_To_Create_Alert_In>
- <Unique_Alert_Name>
Configurable parameters for input.json include the following:
- <Subscription_ID> in scopes
- <Subscription_ID> in actionGroupId
- <Resource_Group_For_Alert_Group> in actionGroupId
- <Alert_Group> in actionGroupId
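To verify the rule rather than only configure it, the following added example (not code from this page or from Azure) evaluates a list response of activity log alerts, assumed to have the {"value": [...]} shape returned by the listBySubscriptionId API referenced below, and reports whether an enabled alert scoped to the subscription matches the Administrative category and the policyAssignments/write operation. The sample response is constructed.

```python
import json

# Operation the rule requires to be monitored (taken from the page's input.json).
POLICY_ASSIGNMENT_WRITE = "Microsoft.Authorization/policyAssignments/write"


def alert_satisfies_rule(alert: dict, subscription_id: str) -> bool:
    """True if this activity log alert is enabled, scoped to the subscription,
    and its allOf condition requires category=Administrative together with
    operationName=policyAssignments/write (compared case-insensitively)."""
    props = alert.get("properties", {})
    if not props.get("enabled", False):
        return False
    scopes = {s.lower() for s in props.get("scopes", [])}
    if f"/subscriptions/{subscription_id}".lower() not in scopes:
        return False
    # Collapse the allOf leaves into field -> expected value (2017-04-01 shape).
    wanted = {}
    for leaf in props.get("condition", {}).get("allOf", []):
        wanted[str(leaf.get("field", "")).lower()] = str(leaf.get("equals") or "").lower()
    return (wanted.get("category") == "administrative"
            and wanted.get("operationname") == POLICY_ASSIGNMENT_WRITE.lower())


def subscription_has_alert(list_response: str, subscription_id: str) -> bool:
    """Evaluate the rule over a listBySubscriptionId-style JSON response."""
    alerts = json.loads(list_response).get("value", [])
    return any(alert_satisfies_rule(a, subscription_id) for a in alerts)


# Constructed sample response (not real data): one disabled alert with the right
# condition, which must not count, and one enabled alert that satisfies the rule.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"name": "policy-alert-off", "properties": {"enabled": False,
        "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": POLICY_ASSIGNMENT_WRITE}]}}},
    {"name": "policy-alert", "properties": {"enabled": True,
        "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
        "condition": {"allOf": [
            {"field": "category", "equals": "administrative"},
            {"field": "operationName", "equals": POLICY_ASSIGNMENT_WRITE}]}}},
]})

if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"
    print("rule satisfied:", subscription_has_alert(SAMPLE_RESPONSE, sub))
```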
References
- https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement
- https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
- https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
- https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
- https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources