Description:
An Activity Log Alert for the Delete Public IP Address rule ensures that any attempt to delete a Public IP Address in your Azure environment triggers a notification. Public IP Addresses are critical resources in Azure, and deleting them inadvertently can cause disruptions in service, such as breaking access to virtual machines, load balancers, or other services. Configuring an Activity Log Alert for deletions helps track such critical actions and prevents unintended service outages.
This alert provides proactive notifications whenever a Public IP Address is deleted, allowing your team to investigate, restore, or react quickly.
Rationale:
By configuring an Activity Log Alert for the deletion of Public IP Addresses, you can:
Track and monitor deletions of critical networking resources.
Prevent accidental or unauthorized deletions that could disrupt services or business operations.
Improve security by ensuring that any deletions are logged and alerts are sent to the relevant administrators for immediate action.
Impact:
The impact of configuring this alert is that you'll be notified immediately if any Public IP Address is deleted. However, it may increase the volume of alerts, especially if there are frequent changes to your network infrastructure. Configuring the alert appropriately will help balance monitoring without generating unnecessary noise.
Default Value:
By default, there is no Activity Log Alert for Delete Public IP Address actions. It must be manually configured to track and respond to these events.
Pre-requisites:
Azure subscription.
Owner or Contributor permissions to create Activity Log Alerts.
Azure Monitor enabled for logging.
Log Analytics workspace for storing and analyzing logs (optional but recommended).
Audit:
Sign in to Azure portal as an Owner, Contributor, or Monitoring Contributor.
Navigate to Azure Monitor and review the Activity Log Alerts for the deletion of Public IP Addresses.
Ensure that an alert is created for Delete Public IP Address actions.
Implementation Steps (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Monitoring Contributor permissions.
Navigate to Azure Monitor:
In the Azure portal, go to Azure Monitor and select Activity Log under Monitoring.
Create a New Alert for Deleting Public IP Addresses:
In Activity Log Alerts, click on + New alert rule.
Under Scope, select your subscription or resource group.
Under Condition, choose Activity Log as the signal type.
Set the Event Category to Delete and the Resource Type to Microsoft.Network/publicIPAddresses.
This ensures the alert is triggered whenever a Public IP Address is deleted.
You can filter further to capture deletions of Public IP Addresses by using the Operation Name (e.g., "Delete Public IP Address").
Example of Condition:
Event Category: Delete
Operation Name: Delete Public IP Address
Resource Type: Microsoft.Network/publicIPAddresses
Set Up Action Group:
Under Action Group, either select an existing action group or create a new one to define how the alert will notify you (e.g., via Email, SMS, or Webhook).
Set up an action group to notify your security team or network administrators immediately when a Public IP Address deletion occurs.
Example action for email:
Create an Action Group that sends an email to a specific distribution list or sends a webhook to an automation tool.
Review and Create:
Review the configuration and ensure the alert is set to trigger notifications for Delete Public IP Address actions.
Click Create to save the alert rule.
Automate Alert Creation Using Azure CLI: To automate the creation of an Activity Log Alert for Delete Public IP Address using Azure CLI, use the following command:
az monitor activity-log alert create \
  --name "DeletePublicIPAlert" \
  --resource-group <Resource-Group-Name> \
  --condition "category=Administrative and operationName=Microsoft.Network/publicIPAddresses/delete" \
  --action-group <Action-Group-ID> \
  --description "Alert for deletion of Public IP Address"
Replace <Resource-Group-Name> and <Action-Group-ID> with the appropriate names for your environment. The condition uses the operation name as the Activity Log records it (Microsoft.Network/publicIPAddresses/delete), which the portal displays as "Delete Public IP Address"; a rule created this way is enabled by default, so no separate enable flag is needed. Without --scope the rule applies to the resource group only; pass --scope /subscriptions/<Subscription-ID> to cover the whole subscription.
Test the Alert:
After configuring the Activity Log Alert, test it by attempting to delete a Public IP Address in your environment and ensuring that the alert is triggered and the notification is sent to the designated recipients.
Monitor and Review Alerts:
Use Azure Monitor to track the alert history and ensure that it is functioning as expected. Review the alert history to verify that Public IP Address deletions are being logged.
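The audit step above only says "ensure that an alert is created"; the following added example (not part of the original document or of any Microsoft tooling) shows what to actually check in an alert rule's JSON, as returned by az monitor activity-log alert show, and replays constructed Activity Log events against the rule to confirm that only Public IP Address deletions would trigger it. The rule and event dictionaries are constructed sample data shaped like the Microsoft.Insights/activityLogAlerts resource; events are flattened to the field names the alert conditions use.

```python
# Operation name the Activity Log records for a Public IP Address deletion
# (the portal displays it as "Delete Public IP Address").
PUBLIC_IP_DELETE_OP = "Microsoft.Network/publicIPAddresses/delete"

def _conditions(rule):
    """Flatten rule.condition.allOf into {field: equals}, lower-casing field names."""
    return {c["field"].lower(): str(c["equals"]) for c in rule["condition"]["allOf"]}

def rule_covers_public_ip_delete(rule):
    """Audit check: the rule must be enabled, not filter to a category other than
    Administrative, match the delete operation, and notify at least one action group."""
    if not rule.get("enabled", True):
        return False
    conds = _conditions(rule)
    if conds.get("category", "Administrative").lower() != "administrative":
        return False
    if conds.get("operationname", "").lower() != PUBLIC_IP_DELETE_OP.lower():
        return False
    return bool(rule.get("actions", {}).get("actionGroups"))

def event_triggers(rule, event):
    """Would this Activity Log event fire the rule? Every allOf condition must
    match; Azure compares these string fields case-insensitively."""
    if not rule.get("enabled", True):
        return False
    ev = {k.lower(): str(v) for k, v in event.items()}
    return all(ev.get(f, "").lower() == v.lower() for f, v in _conditions(rule).items())

def matching_events(rule, events):
    """Operation names of the events that would trigger the rule."""
    return [e["operationName"] for e in events if event_triggers(rule, e)]

# Constructed rule, trimmed to the fields the CLI returns for the rule created above.
GOOD_RULE = {
    "name": "DeletePublicIPAlert", "enabled": True,
    "scopes": ["/subscriptions/<Subscription-ID>"],
    "condition": {"allOf": [
        {"field": "category", "equals": "Administrative"},
        {"field": "operationName", "equals": PUBLIC_IP_DELETE_OP}]},
    "actions": {"actionGroups": [{"actionGroupId": "<Action-Group-ID>"}]},
}
# Same rule with no action group: it exists, so a naive audit passes, but notifies nobody.
SILENT_RULE = {**GOOD_RULE, "actions": {"actionGroups": []}}

# Constructed Activity Log events: one deletion, one update, one unrelated deletion.
EVENTS = [
    {"category": "Administrative", "operationName": PUBLIC_IP_DELETE_OP},
    {"category": "Administrative", "operationName": "Microsoft.Network/publicIPAddresses/write"},
    {"category": "Administrative", "operationName": "Microsoft.Network/networkSecurityGroups/delete"},
]
```

Run the audit over every rule returned by az monitor activity-log alert list; a subscription passes only if at least one rule returns True, and a disabled rule or one with an empty action group fails.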
Backout Plan (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Monitoring Contributor permissions.
Navigate to Azure Monitor:
Go to Azure Monitor in the Azure portal.
Delete or Modify the Alert:
In Activity Log Alerts, locate the Delete Public IP Address alert you created.
Select the alert and either delete it or modify its parameters as needed (e.g., change the notification action group, adjust alert criteria).
Verify Alert Removal:
After removing or modifying the alert, ensure that it no longer triggers notifications for Delete Public IP Address events.
Test the Backout:
Test the configuration by deleting a Public IP Address and confirming that the alert no longer triggers (if it was removed) or behaves according to its new parameters (if it was modified).