Account should have a configured activity log alert for deleting policy assignments

Docs > Datadog Security > OOTB Rules > Account should have a configured activity log alert for deleting policy assignments

Warning: This rule will be deprecated 18 December 2023 as part of the update to Azure CIS version 2.0.0

Description

Create an activity log alert for the Delete Policy Assignment event.

Rationale

By monitoring delete policy assignment events, you gain insight into changes in the Policy - Assignments page and reduce the time it takes to detect unsolicited changes.

Remediation

From the console

Navigate to Monitor.
Select Alerts.
Click On New Alert Rule.
Under Scope, click Select resource.
Select the appropriate subscription under Filter by subscription.
Select Policy Assignment under Filter by resource type.
Select All for Filter by location.
Click on the subscription from the entries populated under Resource.
Verify that Selection preview shows All Policy assignments (policyAssignments) and your selected subscription name.
Click Done.
Under Condition, click Add Condition.
Select Delete policy assignment signal.
Click Done.
Under Action group, select Add action groups and either complete the creation process or select the appropriate action group.
Under Alert rule details, enter Alert rule name and Description.
Select the appropriate resource group to save the alert to.
Click on the Enable alert rule upon creation checkbox.
Click Create alert rule.

From the command line

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json"
https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_To_Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01 -d@"input.json"

Where input.json contains the request body JSON data below:

{
	"location": "Global",
	"tags": {},
	"properties": {
		"scopes": [
			"/subscriptions/<Subscription_ID>"
		],
		"enabled": true,
		"condition": {
			"allOf": [{
					"containsAny": null,
					"equals": "Administrative",
					"field": "category"
				},
				{
					"containsAny": null,
					"equals": "Microsoft.Authorization/policyAssignments/delete",
					"field": "operationName"
				}
			]
		},
		"actions": {
			"actionGroups": [{
				"actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
				"webhookProperties": null
			}]
		}
	}
}

Configurable Parameters for command line:

<Resource_Group_To_Create_Alert_In>
<Unique_Alert_Name>

Configurable Parameters for input.json:

<Subscription_ID> in scopes
<Subscription_ID> in actionGroupId
<Resource_Group_For_Alert_Group> in actionGroupId
<Alert_Group> in actionGroupId

Using PowerShell AZ cmdlets:

$ComplianceName = 'Delete Policy Assignment'
$Signal = 'Microsoft.Authorization/policyAssignments/delete'
$Category = 'Administrative'
$ResourceGroupName = 'MyResourceGroup'
$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)
$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)
$Subscription = (Get-AzContext).Subscription
$location = 'Global'
$scope = "/subscriptions/$($Subscription.Id)"
$alertName = "$($Subscription.Name) - $($ComplianceName)"
$conditions = @(
  New-AzActivityLogAlertCondition -Field 'category' -Equal $Category
  New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal
)
Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions

References

Additional Information

This log alert also applies for Azure Blueprints.