Description:

Create an activity log alert for the Create or Update Security Solution event.


Rationale:

Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.

Impact:

By using monitoring Alerts, it proactively notifies you when issues are found with your infrastructure or application using your monitoring data in Azure Monitor. They allow you to identify and address issues before the users of your system notice them


Default Value:

By default, no monitoring alerts are created.


Test Plan:

From Azure Console

  1. Navigate to Monitor' / 'Alerts

  2. Select Manage alert rules

  3. Click on the Alert Name where Condition contains operation name equals Microsoft.Security/securitySolutions/write

  4. Hover a mouse over Condition to ensure it is set to Whenever the Administrative Activity Log "Create or Update Security Solutions (security solutions)" has "any" level with "any" status and an event is initiated by "any"


Using Azure Command Line Interface

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/microsoft.insights/ac tivityLogAlerts?api-version=2017-04-01' | jq '.|.value[]|{location:.location,scopes:.properties.scopes,"condition":.proper ties.condition.allOf|.[]|select(.field=="operationName" and
.equals=="microsoft.security/securitysolutions/write"),enabled:.properties.en abled}'


Ensure that an alert exists where:

  • location is set to Global

  • Scopes is set to entire subscription that is /subscriptions/<Subscription_ID>

  • Enabled set to True

  • Condition Matches:

    {
    "location": "Global", "scopes": [
    "/subscriptions/<Subscription_ID>"
    ],
    "condition": {
    "field": "operationName",
    "equals": "microsoft.security/securitysolutions/write", "containsAny": null
    },
    "enabled": true
    }

Remediation:

From Azure Console

  1. Go to Monitor

  2. Select Alerts

  3. Click On New Alert Rule

  4. Under Scope, click Select resource

  5. Select the appropriate subscription under Filter by subscription

  6. Select Security Solutions under Filter by resource type

  7. Select All for Filter by location

  8. Click on the subscription resource from the entries populated under Resource

  9. Click Done

  10. Verify Selection preview shows Security Solutions and your selected subscription name

  11. Under Condition, click Add Condition

  12. Select Create or Update Security Solutions signal

  13. Click Done

  14. Under Action group, select Add action groups and complete creation process or select appropriate action group

  15. Under Alert rule details, enter Alert rule name and Description

  16. Select the appropriate resource group to save the alert to

  17. Check Enable alert rule upon creation checkbox

  18. Click Create alert rule


Using Azure Command Line Interface

Use the below command to create an Activity Log Alert for Create or Update Security Solutions

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_  To Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert
_Name>?api-version=2017-04-01 -d@"input.json"'

Where input.json contains the Request body JSON data as mentioned below.

{
"location": "Global", "tags": {}, "properties": {
"scopes": [ "/subscriptions/<Subscription_ID>"
],
"enabled": true, "condition": {
"allOf": [
{
"containsAny": null, "equals": "Security", "field": "category"
},
{
"containsAny": null,
"equals": "Microsoft.Security/securitySolutions/write", "field": "operationName"
}
]
},
"actions": { "actionGroups": [
{
"actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Gr oup>/providers/microsoft.insights/actionGroups/<Alert_Group>",
"webhookProperties": null
}
]
},
}
}

Configurable Parameters for the command line:

<Resource_Group_To Create_Alert_In>
<Unique_Alert_Name>

Configurable Parameters for input.json:

<Subscription_ID> in scopes
<Subscription_ID> in actionGroupId
<Resource_Group_For_Alert_Group> in actionGroupId
<Alert_Group> in actionGroupId

Backout Plan:

  1. Sign in to your Azure account

  2. Go to Monitor

  3. Select Alerts

  4. Select Manage alert rules

  5. Click on the Alert rule

  6. Click on Delete to delete the alert rule


Using Azure Command Line Interface:

Use the below command to delete an Activity Log Alert for Create or Update Security Solutions 

az monitor activity-log alert delete
  --name cc-create-update-security-solution-alert
  --description "Alert triggered by Create or Update Security Solution events"
  --resource-group Default-ActivityLogAlerts
  --action-group "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourcegroups/default-activitylogalerts/providers/microsoft.insights/actiongroups/cloudconformity%20action%20group"
  --condition category=Administrative and operationName=Microsoft.Security/securitySolutions/write

References:

  1. Classic alerts in Azure Monitor to retire in June 2019 | Azure upda... 

  2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity- log

  3. https://docs.microsoft.com/en- in/rest/api/monitor/activitylogalerts/createorupdate