Description:

Create an activity log alert for the Create Policy Assignment event.


Rationale:

Monitoring for create policy assignment events gives insight into changes done in"Azure policy - assignments" and can reduce the time it takes to detect unsolicited changes.


Audit:


From Azure Portal

1. Navigate to the Monitor blade

2. Click on Alerts

3. In the Alerts window, click on Alert rules

4. Hover mouse over the values in the Condition column to find an alert where

Operation name=Microsoft.Authorization/policyAssignments/write

5. Click on the Alert Name associated with the previous step

6. Click on the Condition name of Whenever the Activity Log has an event with

Category='Administrative', Signal name='Create policy assignment

(policyAssignments)

7. In the Configure signal logic window, ensure the following is configured:

o Event level: All selected

o Status: All selected

o Event initiated by: * (All services and users)

8. Click Done

9. Back in the < Alert Name > window, review Actions to ensure that an Action

group is assigned to notify the appropriate personnel in your organization.


From Azure CLI

az monitor activity-log alert list --subscription <subscription ID> --query

"[].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions}"

Look for Microsoft.Authorization/policyAssignments/write in the output. If it's

missing, generate a finding.


From PowerShell

Get-AzActivityLogAlert -SubscriptionId <subscription ID>|where-object

{$_.ConditionAllOf.Equal -match

"Microsoft.Authorization/policyAssignments/write"}|select-object

Location,Name,Enabled,ResourceGroupName,ConditionAllOf

If the output is empty, an alert rule for Create Policy Assignments is not configured.


Remediation:


From Azure Portal

1. Navigate to the Monitor blade.

2. Select Alerts.

3. Select Create.

4. Select Alert rule.

5. Under Filter by subscription, choose a subscription.

6. Under Filter by resource type, select Policy assignment (policyAssignments).

7. Under Filter by location, select All.

8. From the results, select the subscription.

9. Select Done.

10.Select the Condition tab.

11.Under Signal name, click Create policy assignment (Microsoft.Authorization/policyAssignments).

12.Select the Actions tab.

13.To use an existing action group, click elect action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection.

14.Select the Details tab.

15.Select a Resource group, provide an Alert rule name and an optional Alert rule description.

16.Click Review + create.

17.Click Create.


From Azure CLI

az monitor activity-log alert create --resource-group "<resource group name>"

--condition category=Administrative and

operationName=Microsoft.Authorization/policyAssignments/write and

level=<verbose | information | warning | error | critical> --scope

"/subscriptions/<subscription ID>" --name "<activity log rule name>" --

subscription <subscription ID> --action-group <action group ID> --location

global


From PowerShell

Create the conditions object.

$conditions = @()

$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -

Equal Administrative -Field category

$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -

Equal Microsoft.Authorization/policyAssignments/write -Field operationName

$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -

Equal Verbose -Field level

Get the Action Group information and store it in a variable, then create a new Action object.

$actionGroup = Get-AzActionGroup -ResourceGroupName <resource group name> -

Name <action group name>

$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id

Create the Scope variable.

$scope = "/subscriptions/<subscription ID>"

Create the Activity Log Alert Rule for Microsoft.Authorization/policyAssignments/write

New-AzActivityLogAlert -Name "<activity alert rule name>" -ResourceGroupName

"<resource group name>" -Condition $conditions -Scope $scope -Location global

-Action $actionObject -Subscription <subscription ID> -Enabled $true


Default Value:

By default, no monitoring alerts are created.


References:

1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement

2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log

3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate

4. https://docs.microsoft.com/enin/rest/api/monitor/activitylogalerts/listbysubscriptionid

5. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3- logging-threat-detection#lt-3-enable-logging-for-security-investigation

6. https://docs.microsoft.com/en-in/rest/api/policy/policy-assignments

7. https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-log