Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: 5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution

Description

Create an activity log alert for the Create or Update Security Solution event.

Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.

Remediation

From Console

  1. Login to Azure Monitor console
  2. Select Alerts
  3. Click On New Alert Rule
  4. Under Scope, click Select resource
  5. Select the appropriate subscription under Filter by subscription
  6. Select Policy Assignment under Filter by resource type
  7. Select All for Filter by location
  8. Click on the subscription resource from the entries populated under Resource
  9. Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name
  10. Click Done
  11. Under Condition section click Add Condition
  12. Select Create or Update Security Solutions signal
  13. Click Done
  14. Under Action group in Actions section, select Add action groups and complete creation process or select appropriate action group
  15. Under Alert rule details, enter Alert rule name and Description
  16. Select appropriate resource group to save the alert to
  17. Check Enable alert rule upon creation checkbox
  18. Click Create alert rule

From Command Line

Use the below command to create an Activity Log Alert for Create or Update Network Security Groups

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" \
--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H \
"Content-Type:application/json" \
https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_ToCreate_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01 -d@"input.json"'

Where input.json contains the Request body JSON data as mentioned below.

{
  "location":"Global",
  "tags":{


  },
  "properties":{
     "scopes":[
        "/subscriptions/<Subscription_ID>"
     ],
     "enabled":true,
     "condition":{
        "allOf":[
           {
              "containsAny":null,
              "equals":"Administrative",
              "field":"category"
           },
           {
              "containsAny":null,
              "equals":"Microsoft.Security/securitySolutions/write",
              "field":"operationName"
           }
        ]
     },
     "actions":{
        "actionGroups":[
           {
              "actionGroupId":"/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
              "webhookProperties":null
           }
        ]
     }
  }
}

Configurable Parameters for command line:

<Resource_Group_To Create_Alert_In> <Unique_Alert_Name>

Configurable Parameters for input.json:

<Subscription_ID> in scopes
<Subscription_ID> in actionGroupId
<Resource_Group_For_Alert_Group> in actionGroupId
<Alert_Group> in actionGroupId

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v130_5_2_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v130_5_2_7 --share

SQL

This control uses a named query:

with alert_rule as (
  select
    alert.id as alert_id,
    alert.name as alert_name,
    alert.enabled,
    alert.location,
    alert.subscription_id
  from
    azure_log_alert as alert,
    jsonb_array_elements_text(scopes) as sc
  where
    alert.location = 'global'
    and alert.enabled
    and sc = '/subscriptions/' || alert.subscription_id
    and (
      (
        alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]'
        and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}]'
      )
      or
      (
        alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]'
        and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]'
        and jsonb_array_length(alert.condition -> 'allOf') = 2
      )
    )
  limit 1
)
select
  sub.subscription_id as resource,
  case
    when count(a.subscription_id) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when count(a.subscription_id) > 0 then 'Activity log alert exists for create or update Security Solution event.'
    else 'Activity log alert does not exists for create or update Security Solution event.'
  end as reason
  
  , sub.display_name as subscription
from
  azure_subscription sub
  left join alert_rule a on sub.subscription_id = a.subscription_id
group by
  sub._ctx,
  sub.subscription_id,
  sub.display_name;

Tags

category = Compliance
cis = true
cis_item_id = 5.2.7
cis_level = 1
cis_section_id = 5.2
cis_type = automated
cis_version = v1.3.0
plugin = azure
service = Azure/Monitor