lacework-global-558
Ensure that Activity Log Alert exists for Create Policy Assignment (Automated)
Profile Applicability
• Level 1
Description
Create an activity log alert for the Create Policy Assignment event.
Rationale
Monitoring for create policy assignment events gives insight into changes done in "Azure policy - assignments" and can reduce the time it takes to detect unsolicited changes.
Audit
From Azure Portal
- Navigate to the
Monitor
blade - Click on
Alerts
- In the Alerts window, click on
Alert rules
- Hover mouse over the values in the Condition column to find an alert where
Operation name=Microsoft.Authorization/policyAssignments/write
- Click on the Alert
Name
associated with the previous step - Click on the Condition name of
Whenever the Activity Log has an event with Category='Administrative', Signal name='Create policy assignment (policyAssignments)
- In the Configure signal logic window, ensure the following is configured:
- Event level:
All selected
- Status:
All selected
- Event initiated by:
* (All services an users)
- Event level:
- Click
Done
- Back in the Alert Name window, review
Actions
to ensure that an Action group is assigned to notify the appropriate personnel in your organization.
From Azure CLI
[Azure CLI has been temporarily removed from the Activity Log Alerts section in version 1.5 and will be added back in the next release]
Remediation
From Azure Portal
- Navigate to the
Monitor
blade. - Select
Alerts
. - Select
Create
. - Select
Alert rule
. - Choose a subscription.
- Select
Apply
. - Select the
Condition
tab. - Click
See all signals
. - Select
Create policy assignment (Policy assignment)
. - Click
Apply
. - Select the
Actions
tab. - Click
Select action groups
to select an existing action group, orCreate action group
to create a new action group. - Follow the prompts to choose or create an action group.
- Select the
Details
tab. - Select a
Resource group
, provide anAlert rule name
and an optionalAlert rule description
. - Click
Review + create
. - Click
Create
.
From Azure CLI
az monitor activity-log alert create --resource-group "<resource group name>" --condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/write and level=<verbose | information | warning | error | critical> --scope "/subscriptions/<subscription ID>" --name "<activity log rule name>" --subscription <subscription ID> --action-group <action group ID>
References
https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement
https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation
https://docs.microsoft.com/en-in/rest/api/policy/policy-assignments
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-log