Description:
Create an activity log alert for the Create or Update Security Solution event.
Rationale:
Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.
Impact:
Monitoring alerts proactively notify you when issues are found with your infrastructure or application, using your monitoring data in Azure Monitor. They allow you to identify and address issues before the users of your system notice them.
Default Value:
By default, no monitoring alerts are created.
Test Plan:
From Azure Console
Navigate to Monitor / Alerts
Select Manage alert rules
Click on the Alert Name where Condition contains operation name equals Microsoft.Security/securitySolutions/write
Hover the mouse over Condition to ensure it is set to Whenever the Administrative Activity Log "Create or Update Security Solutions (security solutions)" has "any" level with "any" status and an event is initiated by "any"
Using Azure Command Line Interface
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/microsoft.insights/activityLogAlerts?api-version=2017-04-01"' | jq '.|.value[]|{location:.location,scopes:.properties.scopes,"condition":.properties.condition.allOf|.[]|select(.field=="operationName" and .equals=="microsoft.security/securitysolutions/write"),enabled:.properties.enabled}'
Ensure that an alert exists where:
location is set to Global
Scopes is set to the entire subscription, that is /subscriptions/<Subscription_ID>
Enabled set to True
Condition Matches:
{
  "location": "Global",
  "scopes": [
    "/subscriptions/<Subscription_ID>"
  ],
  "condition": {
    "field": "operationName",
    "equals": "microsoft.security/securitysolutions/write",
    "containsAny": null
  },
  "enabled": true
}
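The Test Plan criteria above (location Global, whole-subscription scope, enabled, operationName condition), applied offline to a constructed activityLogAlerts response as an added Python example; this is not code from the original page or from Microsoft, and the sample rules, the placeholder subscription ID and the helper names are assumptions.

```python
import json

TARGET_OP = "microsoft.security/securitysolutions/write"
SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID

def make_rule(name, scopes, enabled, op):
    # Build one activityLogAlerts entry in the shape the REST API returns.
    return {"name": name, "location": "Global", "properties": {
        "scopes": scopes, "enabled": enabled, "condition": {"allOf": [
            {"field": "category", "equals": "Security", "containsAny": None},
            {"field": "operationName", "equals": op, "containsAny": None}]}}}

# Constructed sample GET response (not captured from a real tenant): one rule
# meets every Test Plan criterion, one is scoped to a resource group, one is disabled.
SAMPLE_RESPONSE = json.dumps({"value": [
    make_rule("secsol-write-alert", [f"/subscriptions/{SUB}"], True,
              "Microsoft.Security/securitySolutions/write"),
    make_rule("rg-scoped-alert", [f"/subscriptions/{SUB}/resourceGroups/rg1"], True, TARGET_OP),
    make_rule("disabled-alert", [f"/subscriptions/{SUB}"], False, TARGET_OP),
]})

def rule_failures(alert, subscription_id):
    """Return the Test Plan criteria this rule fails; an empty list means compliant."""
    props = alert.get("properties", {})
    conds = props.get("condition", {}).get("allOf", [])
    # The page's jq filter matches the lower-cased operationName while the
    # remediation body uses mixed case, so compare case-insensitively.
    has_op = any(c.get("field") == "operationName"
                 and (c.get("equals") or "").lower() == TARGET_OP for c in conds)
    failures = []
    if not has_op:
        failures.append("condition does not match operationName")
    if alert.get("location", "").lower() != "global":
        failures.append("location is not Global")
    if props.get("enabled") is not True:
        failures.append("rule is disabled")
    scopes = [s.lower() for s in props.get("scopes", [])]
    if f"/subscriptions/{subscription_id}".lower() not in scopes:
        failures.append("scope is not the whole subscription")
    return failures

def audit(response_text, subscription_id):
    """Map each rule name to its list of failures."""
    alerts = json.loads(response_text).get("value", [])
    return {a["name"]: rule_failures(a, subscription_id) for a in alerts}

def control_passes(response_text, subscription_id):
    """The control passes when at least one rule meets every criterion."""
    return any(not f for f in audit(response_text, subscription_id).values())
```

Run audit(SAMPLE_RESPONSE, SUB) to see per-rule failure reasons; replace SAMPLE_RESPONSE with the body returned by the curl call above to audit a real subscription.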
Remediation:
From Azure Console
Go to Monitor
Select Alerts
Click On New Alert Rule
Under Scope, click Select resource
Select the appropriate subscription under Filter by subscription
Select Security Solutions under Filter by resource type
Select All for Filter by location
Click on the subscription resource from the entries populated under Resource
Click Done
Verify Selection preview shows Security Solutions and your selected subscription name
Under Condition, click Add Condition
Select Create or Update Security Solutions signal
Click Done
Under Action group, select Add action groups and complete the creation process, or select an appropriate existing action group
Under Alert rule details, enter Alert rule name and Description
Select the appropriate resource group to save the alert to
Check Enable alert rule upon creation checkbox
Click Create alert rule
Using Azure Command Line Interface
Use the below command to create an Activity Log Alert for Create or Update Security Solutions
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_To_Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01" -d @input.json'
Where input.json contains the Request body JSON data as mentioned below.
{
  "location": "Global",
  "tags": {},
  "properties": {
    "scopes": [
      "/subscriptions/<Subscription_ID>"
    ],
    "enabled": true,
    "condition": {
      "allOf": [
        {
          "containsAny": null,
          "equals": "Security",
          "field": "category"
        },
        {
          "containsAny": null,
          "equals": "Microsoft.Security/securitySolutions/write",
          "field": "operationName"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
          "webhookProperties": null
        }
      ]
    }
  }
}
Configurable Parameters for the command line:
<Resource_Group_To_Create_Alert_In>
<Unique_Alert_Name>
Configurable Parameters for input.json:
<Subscription_ID> in scopes
<Subscription_ID> in actionGroupId
<Resource_Group_For_Alert_Group> in actionGroupId
<Alert_Group> in actionGroupId
Backout Plan:
Sign in to your Azure account
Go to Monitor
Select Alerts
Select Manage alert rules
Click on the Alert rule
Click on Delete to delete the alert rule
Using Azure Command Line Interface:
Use the below command to delete an Activity Log Alert for Create or Update Security Solutions
az monitor activity-log alert delete --name cc-create-update-security-solution-alert --resource-group Default-ActivityLogAlerts