Description:

Azure Security Solutions include integrations such as vulnerability scanners, endpoint protection services, SIEM connectors, and third-party tools managed through Microsoft Defender for Cloud. Any creation or modification of these solutions can alter the security posture of an environment. This control ensures that an Activity Log Alert exists to detect Create or Update operations on Security Solutions using the operation Microsoft.Security/securitySolutions/write. This alert provides visibility into security configuration changes and ensures that administrators are notified of relevant updates.


Rationale:

This check verifies whether an Activity Log Alert monitors write operations for Security Solutions. Without this alert, changes to integrated security tools may go undetected, leading to misconfigurations or unauthorized updates. Monitoring these operations supports security governance requirements, incident response processes, and auditing practices, and reduces the risk associated with unapproved or incorrect changes to security controls.


Impact:

  • Ensures rapid detection of changes to security integrations.

  • Helps maintain compliance with regulatory requirements for auditing security control modifications.

  • Detects unauthorized updates or misconfigurations that could weaken security posture.

  • Supports incident response teams in reviewing changes tied to security tools.


Default Value:

Azure does not enable Activity Log Alerts for Create or Update Security Solution operations by default. Administrators must manually configure the alert in Azure Monitor.


Pre-Requisites:

  • Permissions such as Microsoft.Insights/activityLogAlerts/write and Microsoft.Security/securitySolutions/read.

  • Ability to create or manage Action Groups.

  • An Action Group for notifications (email, SMS, webhook, Teams, ITSM, etc.).


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Navigate to Monitor

  3. Select Alerts

  4. Open Alert rules

  5. Verify an Activity Log Alert exists for Create or Update Security Solution

  6. Verify the alert scope includes the required subscription

  7. Verify that an Action Group is associated

  8. If the alert does not exist, follow the implementation steps


Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Navigate to Monitor

  3. Select Alerts

  4. Click Create and select Alert rule


  5. Set the Scope to the appropriate subscription

  6. Under Condition, click See all signals, search for Create or Update Security Solution, and select the signal

  7. Associate with an existing Action Group or create a new one

  8. Provide an alert rule name and resource group

  9. Click Review + Create

  10. Click Create
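The Test Plan above checks four things by hand: the alert targets the Microsoft.Security/securitySolutions/write operation, its scope covers the subscription, an Action Group is attached, and the rule is enabled. The script below automates that check over an exported list of alert rules. It is an added example, not part of the benchmark, and it assumes the ARM resource shape of Microsoft.Insights/activityLogAlerts (properties.scopes, properties.condition.allOf, properties.actions.actionGroups, properties.enabled); the sample rules and subscription id are constructed.

```python
"""Evaluate exported Activity Log Alert rules against the control in
this section. Assumes the ARM resource layout of
Microsoft.Insights/activityLogAlerts; sample data below is constructed."""
import json

REQUIRED_OPERATION = "Microsoft.Security/securitySolutions/write"


def _conditions(rule):
    # Flatten the allOf condition into {field: equals}, case-insensitive on field.
    allof = rule.get("properties", {}).get("condition", {}).get("allOf", [])
    return {c.get("field", "").lower(): c.get("equals", "") for c in allof}


def rule_covers_control(rule, subscription_id):
    """True if this single rule satisfies every item of the Test Plan."""
    props = rule.get("properties", {})
    conds = _conditions(rule)
    if conds.get("category", "").lower() != "administrative":
        return False
    if conds.get("operationname", "").lower() != REQUIRED_OPERATION.lower():
        return False
    # Test Plan step 6: scope must include the whole subscription.
    scope = f"/subscriptions/{subscription_id}".lower()
    if scope not in [s.lower() for s in props.get("scopes", [])]:
        return False
    # Test Plan step 7: an Action Group must be associated.
    if not props.get("actions", {}).get("actionGroups"):
        return False
    # A disabled rule notifies nobody, so treat it as non-compliant.
    return props.get("enabled", True) is True


def evaluate(rules_json, subscription_id):
    """Return names of compliant rules; an empty list is a finding."""
    rules = json.loads(rules_json)
    return [r["name"] for r in rules if rule_covers_control(r, subscription_id)]


# Constructed export: one compliant rule, one with no Action Group attached.
SUB = "00000000-0000-0000-0000-000000000000"
AG = f"/subscriptions/{SUB}/resourceGroups/rg-monitor/providers/microsoft.insights/actionGroups/ag-secops"
COND = {"allOf": [{"field": "category", "equals": "Administrative"},
                  {"field": "operationName", "equals": REQUIRED_OPERATION}]}
SAMPLE = json.dumps([
    {"name": "secsol-write-alert", "properties": {"enabled": True,
     "scopes": [f"/subscriptions/{SUB}"], "condition": COND,
     "actions": {"actionGroups": [{"actionGroupId": AG}]}}},
    {"name": "no-action-group", "properties": {"enabled": True,
     "scopes": [f"/subscriptions/{SUB}"], "condition": COND,
     "actions": {"actionGroups": []}}},
])

if __name__ == "__main__":
    print(evaluate(SAMPLE, SUB))
```

Feed it the JSON from an exported list of activity log alert rules for the subscription under review; a rule scoped to a different subscription or lacking an Action Group is reported as non-compliant.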


Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Navigate to Monitor

  3. Select Alerts

  4. Open Alert rules

  5. Locate the Create or Update Security Solution alert

  6. Disable the alert if temporarily not required

  7. Delete the alert rule if it is no longer needed

  8. Confirm the deletion


Reference: