Control: 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
Description
Create an activity log alert for the Create Policy Assignment event.
Monitoring for create policy assignment events gives insight into changes done in "azure policy - assignments" and can reduce the time it takes to detect unsolicited changes. By default, no monitoring alerts are created.
Remediation
From Console
- Login to
Azure Monitor
console - Select
Alerts
- Click On New Alert Rule
- Under Scope, click Select resource
- Select the appropriate subscription under Filter by
subscription
- Select
Policy Assignment
under Filter by resource type - Select
All
for Filter by location - Click on the
subscription resource
from the entries populated underResource
- Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name
- Click Done
- Under
Condition
section click Add Condition - Select
Create policy assignment
under signal name - Click Done
- Under
Action group
inActions
section, select Add action groups and complete creation process or select appropriate action group - Under
Alert rule details
, enterAlert rule name
andDescription
- Select appropriate
resource group
to save the alert to - Check
Enable alert rule
upon creation checkbox - Click Create alert rule
From Command Line
Use the below command to create an Activity Log Alert for Create policy assignment
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" \--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H \"Content-Type:application/json" \https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_ToCreate_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01 -d@"input.json"'
Where input.json contains the Request body JSON data as mentioned below.
{ "location":"Global", "tags":{
}, "properties":{ "scopes":[ "/subscriptions/<Subscription_ID>" ], "enabled":true, "condition":{ "allOf":[ { "containsAny":null, "equals":"Administrative", "field":"category" }, { "containsAny":null, "equals":"Microsoft.Authorization/policyAssignments/write", "field":"operationName" } ] }, "actions":{ "actionGroups":[ { "actionGroupId":"/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>", "webhookProperties":null } ] } }}
Configurable Parameters for command line:
<Resource_Group_To Create_Alert_In> <Unique_Alert_Name>
Configurable Parameters for input.json:
<Subscription_ID> in scopes<Subscription_ID> in actionGroupId<Resource_Group_For_Alert_Group> in actionGroupId<Alert_Group> in actionGroupId
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v140_5_2_2
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v140_5_2_2 --share
SQL
This control uses a named query:
monitor_log_alert_delete_policy_assignment