Skip to main content

lacework-global-558

Ensure that Activity Log Alert exists for Create Policy Assignment (Automated)

Profile Applicability

• Level 1

Description

Create an activity log alert for the Create Policy Assignment event.

Rationale

Monitoring for create policy assignment events gives insight into changes done in "Azure policy - assignments" and can reduce the time it takes to detect unsolicited changes.

Audit

From Azure Portal

  1. Navigate to the Monitor blade
  2. Click on Alerts
  3. In the Alerts window, click on Alert rules
  4. Hover mouse over the values in the Condition column to find an alert where Operation name=Microsoft.Authorization/policyAssignments/write
  5. Click on the Alert Name associated with the previous step
  6. Click on the Condition name of Whenever the Activity Log has an event with Category='Administrative', Signal name='Create policy assignment (policyAssignments)
  7. In the Configure signal logic window, ensure the following is configured:
    • Event level: All selected
    • Status: All selected
    • Event initiated by: * (All services an users)
  8. Click Done
  9. Back in the Alert Name window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization.

From Azure CLI

[Azure CLI has been temporarily removed from the Activity Log Alerts section in version 1.5 and will be added back in the next release]

Remediation

From Azure Portal

  1. Navigate to the Monitor blade.
  2. Select Alerts.
  3. Select Create.
  4. Select Alert rule.
  5. Choose a subscription.
  6. Select Apply.
  7. Select the Condition tab.
  8. Click See all signals.
  9. Select Create policy assignment (Policy assignment).
  10. Click Apply.
  11. Select the Actions tab.
  12. Click Select action groups to select an existing action group, or Create action group to create a new action group.
  13. Follow the prompts to choose or create an action group.
  14. Select the Details tab.
  15. Select a Resource group, provide an Alert rule name and an optional Alert rule description.
  16. Click Review + create.
  17. Click Create.

From Azure CLI

az monitor activity-log alert create --resource-group "<resource group name>" --condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/write and level=<verbose | information | warning | error | critical> --scope "/subscriptions/<subscription ID>" --name "<activity log rule name>" --subscription <subscription ID> --action-group <action group ID>

References

https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement
https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation
https://docs.microsoft.com/en-in/rest/api/policy/policy-assignments
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-log