Control: 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
Description
Create an activity log alert for the Create Policy Assignment event.
Monitoring for create policy assignment events gives insight into changes done in "azure policy - assignments" and can reduce the time it takes to detect unsolicited changes. By default, no monitoring alerts are created.
Remediation
From Console
- Login to
Azure Monitorconsole - Select
Alerts - Click On New Alert Rule
- Under Scope, click Select resource
- Select the appropriate subscription under Filter by
subscription - Select
Policy Assignmentunder Filter by resource type - Select
Allfor Filter by location - Click on the
subscription resourcefrom the entries populated underResource - Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name
- Click Done
- Under
Conditionsection click Add Condition - Select
Create policy assignmentunder signal name - Click Done
- Under
Action groupinActionssection, select Add action groups and complete creation process or select appropriate action group - Under
Alert rule details, enterAlert rule nameandDescription - Select appropriate
resource groupto save the alert to - Check
Enable alert ruleupon creation checkbox - Click Create alert rule
From Command Line
Use the below command to create an Activity Log Alert for Create policy assignment
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" \--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H \"Content-Type:application/json" \https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_ToCreate_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01 -d@"input.json"'
Where input.json contains the Request body JSON data as mentioned below.
{ "location":"Global", "tags":{
}, "properties":{ "scopes":[ "/subscriptions/<Subscription_ID>" ], "enabled":true, "condition":{ "allOf":[ { "containsAny":null, "equals":"Administrative", "field":"category" }, { "containsAny":null, "equals":"Microsoft.Authorization/policyAssignments/write", "field":"operationName" } ] }, "actions":{ "actionGroups":[ { "actionGroupId":"/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>", "webhookProperties":null } ] } }}
Configurable Parameters for command line:
<Resource_Group_To Create_Alert_In> <Unique_Alert_Name>
Configurable Parameters for input.json:
<Subscription_ID> in scopes<Subscription_ID> in actionGroupId<Resource_Group_For_Alert_Group> in actionGroupId<Alert_Group> in actionGroupId
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v140_5_2_2Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v140_5_2_2 --shareSQL
This control uses a named query:
with alert_rule as ( select alert.id as alert_id, alert.name as alert_name, alert.enabled, alert.location, alert.subscription_id from azure_log_alert as alert, jsonb_array_elements_text(scopes) as sc where alert.location = 'global' and alert.enabled and sc = '/subscriptions/' || alert.subscription_id and alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]' limit 1)select sub.subscription_id as resource, case when count(a.subscription_id) > 0 then 'ok' else 'alarm' end as status, case when count(a.subscription_id) > 0 then 'Activity log alert exists for delete policy assignment event.' else 'Activity log alert does not exists for delete policy assignment event.' end as reason , sub.display_name as subscriptionfrom azure_subscription sub left join alert_rule a on sub.subscription_id = a.subscription_idgroup by sub._ctx, sub.subscription_id, sub.display_name;