Description:

Create an activity log alert for the Delete Policy Assignment event.


Rationale:

Monitoring for delete policy assignment events gives insight into changes made to Azure Policy assignments and can reduce the time it takes to detect unsolicited changes.


Default Value:

By default, no monitoring alerts are created.


Audit:

From Azure Console

  1. Navigate to Monitor / Alerts

  2. Select Manage alert rules

  3. Click on the Alert Name where Condition contains operationName equals Microsoft.Security/policyAssignments/delete

  4. Hover a mouse over Condition to ensure it is set to Whenever the Administrative Activity Log "Delete policy assignment (policyAssignments)" has "any" level with "any" status and event is initiated by "any"


Using Azure Command Line Interface

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv |
  xargs -L1 bash -c 'curl -s -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/microsoft.insights/activityLogAlerts?api-version=2017-04-01"' |
  jq '.value[] | {location: .location, scopes: .properties.scopes, condition: (.properties.condition.allOf[] | select(.field=="operationName" and .equals=="microsoft.authorization/policyassignments/delete")), enabled: .properties.enabled}'

Ensure that an alert exists where:

  • location is set to Global

  • Scopes is set to the entire subscription, that is, /subscriptions/<Subscription_ID>

  • Enabled is set to True

  • Condition Matches:

    {
      "location": "Global",
      "scopes": [
        "/subscriptions/<Subscription_ID>"
      ],
      "condition": {
        "field": "operationName",
        "equals": "microsoft.authorization/policyassignments/delete",
        "containsAny": null
      },
      "enabled": true
    }


Remediation:

From Azure Console

  1. Go to Monitor

  2. Select Alerts

  3. Click On New Alert Rule

  4. Under Scope, click Select resource

  5. Select the appropriate subscription under Filter by subscription

  6. Select Policy Assignment under Filter by resource type

  7. Select All for Filter by location

  8. Click on the subscription from the entries populated under Resource

  9. Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name

  10. Click Done

  11. Under Condition, click Add Condition

  12. Select Delete policy assignment signal

  13. Click Done

  14. Under Action group, select Add action groups and complete creation process or select appropriate action group

  15. Under Alert rule details, enter Alert rule name and Description

  16. Select appropriate resource group to save the alert to

  17. Check Enable alert rule upon creation checkbox

  18. Click Create alert rule


Using Azure Command Line Interface

Use the below command to create an Activity Log Alert for Delete policy assignment

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv |
  xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_To_Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01" -d@"input.json"'

Where input.json contains the Request body JSON data as mentioned below.

{
  "location": "Global",
  "tags": {},
  "properties": {
    "scopes": [
      "/subscriptions/<Subscription_ID>"
    ],
    "enabled": true,
    "condition": {
      "allOf": [
        {
          "containsAny": null,
          "equals": "Administrative",
          "field": "category"
        },
        {
          "containsAny": null,
          "equals": "Microsoft.Authorization/policyAssignments/delete",
          "field": "operationName"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
          "webhookProperties": null
        }
      ]
    }
  }
}

Configurable Parameters for command line:

<Resource_Group_To_Create_Alert_In>
<Unique_Alert_Name>

Configurable Parameters for input.json:

<Subscription_ID> in scopes
<Subscription_ID> in actionGroupId
<Resource_Group_For_Alert_Group> in actionGroupId
<Alert_Group> in actionGroupId
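The following Python script is an added example and is not part of the CIS benchmark text or of any Azure SDK: it builds the same request body as the input.json above from the configurable parameters, and it applies the four audit conditions (location, subscription-wide scope, enabled, operationName) to a list response of the form returned by the activityLogAlerts REST call. The subscription ID, resource group and action group names, and all function names are assumptions for illustration; the sample list response is constructed inline and contains one compliant alert next to three non-compliant ones (scoped to a resource group, disabled, watching a different operation). The operationName comparison is case-insensitive because the audit's jq filter on this page compares against the lower-case form while the remediation body uses mixed case.

```python
"""Added example (not from the CIS benchmark): build the Delete Policy Assignment
activity log alert body and audit a list of alerts against the benchmark checks."""
import json

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real subscription
SIGNAL = "Microsoft.Authorization/policyAssignments/delete"


def build_alert_body(subscription_id, action_group_rg, action_group_name):
    """Request body for PUT .../activityLogAlerts/<name>?api-version=2017-04-01,
    mirroring the input.json shown in the remediation section."""
    return {
        "location": "Global",
        "tags": {},
        "properties": {
            "scopes": [f"/subscriptions/{subscription_id}"],
            "enabled": True,
            "condition": {
                "allOf": [
                    {"containsAny": None, "equals": "Administrative", "field": "category"},
                    {"containsAny": None, "equals": SIGNAL, "field": "operationName"},
                ]
            },
            "actions": {
                "actionGroups": [
                    {
                        "actionGroupId": f"/subscriptions/{subscription_id}/resourceGroups/"
                        f"{action_group_rg}/providers/microsoft.insights/actionGroups/{action_group_name}",
                        "webhookProperties": None,
                    }
                ]
            },
        },
    }


def _condition_matches(cond):
    """True if an allOf clause is `operationName equals <signal>`. Compared
    case-insensitively, since the page's jq audit uses the lower-case form."""
    return (cond.get("field") == "operationName"
            and (cond.get("equals") or "").lower() == SIGNAL.lower())


def is_compliant(alert, subscription_id):
    """The four checks listed under 'Ensure that an alert exists where'."""
    props = alert.get("properties", {})
    clauses = props.get("condition", {}).get("allOf", [])
    return (alert.get("location") == "Global"
            and props.get("scopes") == [f"/subscriptions/{subscription_id}"]
            and props.get("enabled") is True
            and any(_condition_matches(c) for c in clauses))


def audit(list_response, subscription_id):
    """Given the JSON of GET .../providers/microsoft.insights/activityLogAlerts,
    return the names of the alerts that satisfy the benchmark."""
    return [a["name"] for a in list_response.get("value", [])
            if is_compliant(a, subscription_id)]


def sample_list_response(subscription_id):
    """Constructed sample list response: one compliant alert, one scoped to a
    resource group only, one disabled, one watching a different operation."""
    good = build_alert_body(subscription_id, "rg-alerts", "corenotifications")
    narrow = json.loads(json.dumps(good))  # deep copy via JSON round-trip
    narrow["properties"]["scopes"] = [f"/subscriptions/{subscription_id}/resourceGroups/rg-prod"]
    disabled = json.loads(json.dumps(good))
    disabled["properties"]["enabled"] = False
    other = json.loads(json.dumps(good))
    other["properties"]["condition"]["allOf"][1]["equals"] = "Microsoft.Authorization/policyAssignments/write"
    # Constructed: lower-case the stored value on the compliant alert, as the page's jq filter expects
    good["properties"]["condition"]["allOf"][1]["equals"] = SIGNAL.lower()
    return {"value": [dict(good, name="delete-policy-assignment"),
                      dict(narrow, name="rg-scoped"),
                      dict(disabled, name="disabled"),
                      dict(other, name="write-policy-assignment")]}


if __name__ == "__main__":
    print(json.dumps(build_alert_body(SUBSCRIPTION_ID, "rg-alerts", "corenotifications"), indent=2))
    print("compliant alerts:", audit(sample_list_response(SUBSCRIPTION_ID), SUBSCRIPTION_ID))
```

To audit a real subscription, feed `audit()` the parsed output of the GET command in the Audit section instead of `sample_list_response()`; an empty result means no alert satisfies the benchmark and the remediation body from `build_alert_body()` can be written to input.json for the PUT command.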


Using PowerShell AZ cmdlets

Use the below command to create an Activity Log Alert for Delete policy assignment

$ComplianceName = 'Delete Policy Assignment'
$Signal = 'Microsoft.Authorization/policyAssignments/delete'
$Category = 'Administrative'
$ResourceGroupName = 'MyResourceGroup'
# Existing action group that will receive the notifications
$ActionGroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)
$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)
$Subscription = (Get-AzContext).Subscription
$location = 'Global'
# Scope the alert to the entire subscription
$scope = "/subscriptions/$($Subscription.Id)"
$alertName = "$($Subscription.Name) - $($ComplianceName)"
# Both conditions must match: Administrative category and the delete operation
$conditions = @(
    New-AzActivityLogAlertCondition -Field 'category' -Equal $Category
    New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal
)
Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions


References:

  1. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log

  2. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate

  3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid