Description:
Create an activity log alert for the Delete Policy Assignment event.
Rationale:
Monitoring for delete policy assignment events gives insight into changes done in "azure policy - assignments" and can reduce the time it takes to detect unsolicited changes.
Default Value:
By default, no monitoring alerts are created.
Audit:
From Azure Console
Navigate to Monitor' / 'Alerts
Select Manage alert rules
Click on the Alert Name where Condition contains operationName equals Microsoft.Security/policyAssignments/delete
Hover a mouse over Condition to ensure it is set to Whenever the Administrative Activity Log "Delete policy assignment (policyAssignments)" has "any" level with "any" status and event is initiated by "any"
Using Azure Command Line Interface
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/microsoft.insights/ac tivityLogAlerts?api-version=2017-04-01' | jq '.|.value[]|{location:.location,scopes:.properties.scopes,"condition":.proper ties.condition.allOf|.[]|select(.field=="operationName" and
.equals=="microsoft.authorization/policyassignments/delete"),enabled:.propert ies.enabled}'
Ensure that an alert exists where:
location is set to Global
Scopes is set to entire subscription that is /subscriptions/<Subscription_ID>
Enabled set to True
Condition Matches:
{ "location": "Global", "scopes": [ "/subscriptions/<Subscription_ID>" ], "condition": { "field": "operationName", "equals": "microsoft.authorization/policyassignments/delete", "containsAny": null }, "enabled": true }
Remediation:
From Azure Console
Go to Monitor
Select Alerts
Click On New Alert Rule
Under Scope, click Select resource
Select the appropriate subscription under Filter by subscription
Select Policy Assignment under Filter by resource type
Select All for Filter by location
Click on the subscription from the entries populated under Resource
Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name
Click Done
Under Condition, click Add Condition
Select Delete policy assignment signal
Click Done
Under Action group, select Add action groups and complete creation process or select appropriate action group
Under Alert rule details, enter Alert rule name and Description
Select appropriate resource group to save the alert to
Check Enable alert rule upon creation checkbox
Click Create alert rule
Using Azure Command Line Interface
Use the below command to create an Activity Log Alert for Delete policy assignment
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_ To Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert
_Name>?api-version=2017-04-01 -d@"input.json"'
Where input.json contains the Request body JSON data as mentioned below.
{
"location": "Global", "tags": {}, "properties": {
"scopes": [ "/subscriptions/<Subscription_ID>"
],
"enabled": true, "condition": {
"allOf": [
{
"containsAny": null, "equals": "Administrative", "field": "category"
},
{
"containsAny": null,
"equals": "Microsoft.Authorization/policyAssignments/delete", "field": "operationName"
}
]
},
"actions": { "actionGroups": [
{
"actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Gr oup>/providers/microsoft.insights/actionGroups/<Alert_Group>",
"webhookProperties": null
}
]
},
}
}
Configurable Parameters for command line:
<Resource_Group_To Create_Alert_In>
<Unique_Alert_Name>
Configurable Parameters for input.json:
<Subscription_ID> in scopes
<Subscription_ID> in actionGroupId
<Resource_Group_For_Alert_Group> in actionGroupId
<Alert_Group> in actionGroupId
Using PowerShell AZ cmdlets
Use the below command to create an Activity Log Alert for Delete policy assignment
$ComplianceName = 'Delete Policy Assignment'
$Signal = 'Microsoft.Authorization/policyAssignments/delete'
$Category = 'Administrative'
$ResourceGroupName = 'MyResourceGroup'
$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName
$ResourceGroupName)
$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup
$ActionGroup.Id)
$Subscription = (Get-AzContext).Subscription
$location = 'Global'
$scope = "/subscriptions/$($Subscription.Id)"
$alertName = "$($Subscription.Name) - $($ComplianceName)"
$conditions = @(
New-AzActivityLogAlertCondition -Field 'category' -Equal $Category New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal
)
Set-AzActivityLogAlert -Location $location -Name $alertName - ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId - Condition $conditions