Create Alert for "Delete Policy Assignment" Events

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: ActivityLog-027

Ensure that an Azure activity log alert is used to detect "Delete Policy Assignment" events within your Microsoft Azure cloud account. Activity log alerts get activated when a new activity log event that matches the condition specified in the alert occurs. In this case, the condition used is 'Whenever the Policy Activity Log "Delete policy assignment (policyAssignments)" has "any" level, with "any" status and event is initiated by "any"'.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Monitoring your Azure cloud account for "Delete Policy Assignment" events can provide insights into the changes done within the "Policy Assignment" policy and can help reduce the time it takes to detect unsolicited changes.


Audit

To determine if there is an activity log alert created for "Delete Policy Assignment" events within your Azure cloud account, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the blade navigation panel, select Alerts to access the notification alerts available in your Azure cloud account.

04 On the Alerts page, choose Manage alert rules to access the alert rules management page.

05 Select the Azure subscription that you want to examine from the Subscription filter box and the Enabled option from the Status dropdown list, to return all the active alert rules created for the selected subscription.

06 Click on the name (link) of the alert rule that you want to examine.

07 On the selected alert rule configuration page, check the condition phrase available in the Condition section. If the condition phrase is different than Whenever the Activity Log has an event with Category='Administrative', Signal name='Delete policy assignment (Microsoft.Authorization/policyAssignments)', the selected alert rule is not configured to detect "Delete Policy Assignment" events.

08 Repeat step no. 6 and 7 for the rest of the alert rules available within the selected subscription. If none of the verified rules contain the right condition, there are no activity log alerts created for "Delete Policy Assignment" events in the selected Azure subscription.

09 Repeat steps no. 5 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor activity-log alert list command (Windows/macOS/Linux) with custom query filters to get the ID of each active activity log alert rule available within the current Azure subscription:

az monitor activity-log alert list
  --query '[?(enabled==`true`)].id'

02 The command output should return the requested activity log alert rule IDs:

[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/Create Policy Assignment Alert",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/Azure Cloud Network Access Alert"
]

03 Run monitor activity-log alert show command (Windows/macOS/Linux) using the ID of the alert rule that you want to examine as the identifier parameter and custom query filters to list the condition defined for the selected activity log alert rule:

az monitor activity-log alert show
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/Create Policy Assignment Alert"
  --query 'condition'

04 The command output should return the selected alert rule condition metadata:

{
  "allOf": [
    {
      "containsAny": null,
      "equals": "Administrative",
      "field": "category",
      "odata.type": null
    },
    {
      "containsAny": null,
      "equals": "Microsoft.Authorization/policyAssignments/write",
      "field": "operationName",
      "odata.type": null
    }
  ],
  "odata.type": null
}

Check the monitor activity-log alert show command output for the object with the "field" property set to "operationName". If the object's "equals" property is not set to "Microsoft.Authorization/policyAssignments/delete", the selected alert rule is not configured to detect "Delete Policy Assignment" events.

05 Repeat step no. 3 and 4 for the rest of the alert rules available in the current subscription. If none of the verified rules contain the right condition, there are no activity log alerts created for "Delete Policy Assignment" events in the selected Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To create a Microsoft Azure activity log alert for detecting "Delete Policy Assignment" events within your Azure cloud account, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the blade navigation panel, select Alerts to access the notification alerts available in your Azure cloud account.

04 On the Alerts page, choose Manage alert rules to access the alert rules management page.

05 Select the Azure subscription that you want to access from the Subscription filter box.

06 Choose + New alert rule to create a new Azure Monitor alert rule.

07 On the Create alert rule page, perform the following operations:

  1. For Scope, choose Select resource and configure the target that you wish to monitor. In this case, select the appropriate Azure account subscription, then click Done.
  2. For Condition, choose Add condition to configure the alert rule condition (i.e. a signal and its logic). On the Select a signal panel, find and select the signal with the name Delete policy assignment (Microsoft.Authorization/policyAssignments). To obtain the right configuration for the condition (i.e. Whenever the Activity Log has an event with Category='Administrative', Signal name='Delete policy assignment (Microsoft.Authorization/policyAssignments)'), leave the default settings available for the signal logic unchanged, then click Done.
  3. For Actions, choose Add action groups to select an existing action group to attach to this alert rule or choose Create action group to create a new one. An action group is a collection of alert notification preferences defined for the selected Azure subscription. Azure Monitor alerts use action groups to notify users that an alert has been triggered.
  4. For Alert rule details, provide a unique name for the new alert rule in the Alert rule name box, enter a short description in the Description box, and choose the resource group in which the alert will be created from the Resource group dropdown list.
  5. Make sure that Enable alert rule upon creation option is selected, then choose Create alert rule to complete the rule setup process. It can take up to 5 minutes for an alert rule to become active.

08 Repeat steps no. 5 – 7 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor activity-log alert create command (Windows/macOS/Linux) to create a new Azure activity log alert for detecting "Delete Policy Assignment" events within the current Microsoft Azure subscription. For example, the following monitor activity-log alert create command request creates an activity log alert rule with the name "cc-delete-policy-assignment-alert", associated with an action group identified by ID "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/default-activitylogalerts/providers/microsoft.insights/actiongroups/cloudconformity%20action%20group", with a condition defined by "category=Policy and operationName=Microsoft.Authorization/policyAssignments/delete":

az monitor activity-log alert create
  --name cc-delete-policy-assignment-alert
  --description "Alert triggered by Delete Policy Assignment events"
  --resource-group Default-ActivityLogAlerts
  --action-group "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/default-activitylogalerts/providers/microsoft.insights/actiongroups/cloudconformity%20action%20group"
  --condition category=Policy and operationName=Microsoft.Authorization/policyAssignments/delete

02 The command output should return the configuration metadata for the newly created alert:

{
  "actions": {
    "actionGroups": [
      {
        "actionGroupId":
        "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/default-activitylogalerts/providers/microsoft.insights/actiongroups/cloudconformity%20action%20group",
        "webhookProperties": null
      }
    ]
  },
  "condition": {
    "allOf": [
      {
        "containsAny": null,
        "equals": "Policy",
        "field": "category",
        "odata.type": null
      },
      {
        "containsAny": null,
        "equals": "Microsoft.Authorization/policyAssignments/delete",
        "field": "operationName",
        "odata.type": null
      }
    ],
    "odata.type": null
  },
  "description": "Alert triggered by Delete Policy Assignment events",
  "enabled": true,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/Default-ActivityLogAlerts/providers/microsoft.insights/activityLogAlerts/cc-delete-policy-assignment-alert",
  "identity": null,
  "kind": null,
  "location": "Global",
  "name": "cc-delete-policy-assignment-alert",
  "resourceGroup": "Default-ActivityLogAlerts",
  "scopes": [
    "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/Default-ActivityLogAlerts"
  ],
  "tags": {},
  "type": "Microsoft.Insights/ActivityLogAlerts"
}

03 Repeat steps no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Oct 23, 2021

Unlock the Remediation Steps


Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Create Alert for "Delete Policy Assignment" Events

Risk level: High