User has 'Delete Policy Assignment' activity log alert configured
Set up the azure.activity_log integration.
Description
Create an activity log alert for the Delete Policy Assignment event.
Rationale
By monitoring delete policy assignment events, you gain insight into changes in the Policy - Assignments page and reduce the time it takes to detect unsolicited changes.
From the console
- Navigate to Monitor.
- Select Alerts.
- Click on New Alert Rule.
- Under Scope, click Select resource.
- Select the appropriate subscription under Filter by subscription.
- Select Policy Assignment under Filter by resource type.
- Select All for Filter by location.
- Click on the subscription from the entries populated under Resource.
- Verify that Selection preview shows All Policy assignments (policyAssignments) and your selected subscription name.
- Click Done.
- Under Condition, click Add Condition.
- Select Delete policy assignment signal.
- Click Done.
- Under Action group, select Add action groups and either complete the creation process or select the appropriate action group.
- Under Alert rule details, enter Alert rule name and Description.
- Select the appropriate resource group to save the alert to.
- Click on the Enable alert rule upon creation checkbox.
- Click Create alert rule.
From the command line
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_To_Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01" -d @input.json'
Where input.json contains the request body JSON data below:
{
  "location": "Global",
  "tags": {},
  "properties": {
    "scopes": [
      "/subscriptions/<Subscription_ID>"
    ],
    "enabled": true,
    "condition": {
      "allOf": [
        {
          "containsAny": null,
          "equals": "Administrative",
          "field": "category"
        },
        {
          "containsAny": null,
          "equals": "Microsoft.Authorization/policyAssignments/delete",
          "field": "operationName"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
          "webhookProperties": null
        }
      ]
    }
  }
}
Configurable Parameters for command line:
- <Resource_Group_To_Create_Alert_In>
- <Unique_Alert_Name>
Configurable Parameters for input.json:
- <Subscription_ID> in scopes
- <Subscription_ID> in actionGroupId
- <Resource_Group_For_Alert_Group> in actionGroupId
- <Alert_Group> in actionGroupId
Using PowerShell AZ cmdlets:
# Signal and category that identify a policy assignment deletion in the activity log
$ComplianceName = 'Delete Policy Assignment'
$Signal = 'Microsoft.Authorization/policyAssignments/delete'
$Category = 'Administrative'
# Replace 'MyResourceGroup' and 'corenotifications' with your resource group and existing action group
$ResourceGroupName = 'MyResourceGroup'
$ActionGroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)
$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)
# Scope the alert to the whole current subscription
$Subscription = (Get-AzContext).Subscription
$location = 'Global'
$scope = "/subscriptions/$($Subscription.Id)"
$alertName = "$($Subscription.Name) - $($ComplianceName)"
# Both conditions must hold (allOf): Administrative category and the delete operation name
$conditions = @(
New-AzActivityLogAlertCondition -Field 'category' -Equal $Category
New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal
)
Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions
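The rule's pass/fail decision can be checked offline against the alert definitions returned by the activitylogalerts list API referenced below. The following is an added example, not part of this rule page or any Azure SDK: it assumes each alert carries the same "properties" shape as the request body above, and the sample alerts and subscription id are constructed.

```python
"""Offline audit: does a subscription have an enabled activity log alert
for Delete Policy Assignment? Input mirrors the 'properties' shape of the
activityLogAlerts REST resource shown above (assumed, constructed samples)."""

SIGNAL = "microsoft.authorization/policyassignments/delete"
CATEGORY = "administrative"


def _condition_matches(cond, field, value):
    """True if one allOf entry pins `field` to `value`. Comparison is
    case-insensitive, as Azure operation names vary in casing by source."""
    if (cond.get("field") or "").lower() != field:
        return False
    equals = cond.get("equals")
    if equals is not None:
        return equals.lower() == value
    return value in [v.lower() for v in cond.get("containsAny") or []]


def alert_covers_delete_policy_assignment(alert, subscription_id):
    """One alert counts only if it is enabled, scoped to the whole subscription,
    and its allOf conditions require category=Administrative plus the signal."""
    props = alert.get("properties", {})
    if not props.get("enabled", False):
        return False
    scope = f"/subscriptions/{subscription_id}".lower()
    if scope not in [s.lower() for s in props.get("scopes", [])]:
        return False
    conds = props.get("condition", {}).get("allOf", [])
    has_category = any(_condition_matches(c, "category", CATEGORY) for c in conds)
    has_signal = any(_condition_matches(c, "operationname", SIGNAL) for c in conds)
    return has_category and has_signal


def subscription_is_compliant(alerts, subscription_id):
    """Rule passes when at least one alert in the subscription qualifies."""
    return any(alert_covers_delete_policy_assignment(a, subscription_id) for a in alerts)


def _alert(op_name, enabled=True, scope="/subscriptions/00000000-0000-0000-0000-000000000000"):
    """Constructed sample alert in the request-body shape from the page."""
    return {"properties": {"scopes": [scope], "enabled": enabled, "condition": {"allOf": [
        {"field": "category", "equals": "Administrative"},
        {"field": "operationName", "equals": op_name}]}}}


SUB = "00000000-0000-0000-0000-000000000000"  # constructed subscription id
SAMPLE_ALERTS = [
    _alert("Microsoft.Authorization/policyAssignments/write"),                 # wrong signal
    _alert("Microsoft.Authorization/policyAssignments/delete", enabled=False),  # disabled
]

if __name__ == "__main__":
    print("compliant:", subscription_is_compliant(SAMPLE_ALERTS, SUB))
```

A disabled alert or one scoped below the subscription fails the check, which is exactly what the console and REST steps above are meant to avoid.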
This log alert also applies to Azure Blueprints.
References
- https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
- https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
- https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
- https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources
- https://azure.microsoft.com/en-us/services/blueprints/