Description:
An Activity Log Alert for the Create or Update Public IP Address operation notifies you whenever a Public IP Address is created or modified in your Azure environment. A Public IP Address is the resource that places a VM, load balancer, NAT gateway or other endpoint on the internet, so an unexpected creation or change (for example, one attached to a service meant to stay internal) directly expands the exposed surface and should be reviewed as soon as it happens.
Creating an Activity Log Alert for these events gives administrators and the security team prompt notice of every such change, so it can be checked against an approved change request rather than discovered later.
Rationale:
By configuring an Activity Log Alert for Create or Update Public IP Address events, you can:
Monitor creation and updates to Public IP Addresses in real-time.
Ensure that any changes to Public IP Addresses are reviewed and approved to prevent misconfigurations.
Improve security by being alerted to changes in the network, which could expose services to unintended access or compromise.
Support compliance by maintaining logs of changes to key resources.
Impact:
This alert ensures that every change to a Public IP Address is logged and that administrators are notified promptly, so unauthorized or unexpected changes can be reviewed and reverted before they cause a disruption or exposure. The cost is alert volume: the write operation fires on every PUT of the resource, including infrastructure-as-code redeployments that change nothing, so dynamic environments may need to route these notifications to a ticketing or SIEM webhook rather than to individual inboxes.
Default Value:
By default, there is no Activity Log Alert for Create or Update Public IP Address actions. You need to manually create and configure this alert to track and respond to these events.
Pre-requisites:
Azure subscription.
Owner, Contributor, or Monitoring Contributor role on the subscription (the rule should be scoped to the subscription so that Public IP changes in every resource group are caught).
Access to Azure Monitor; the Activity Log is collected automatically for every subscription, so no diagnostic setting is needed for the alert rule to fire.
Log Analytics workspace (optional, only if you also export the Activity Log for long-term retention; an Activity Log Alert does not require one).
Audit:
Sign in to Azure portal with an account that can read alert rules (Reader or Monitoring Reader is sufficient; Owner, Contributor, or Monitoring Contributor also work).
Navigate to Azure Monitor, open Alerts and review the Alert rules. Confirm that a rule exists whose condition is Category = Administrative and Operation name = Create or Update Public IP Address (Microsoft.Network/publicIPAddresses/write), that it is enabled, that its scope is the whole subscription and not a single resource group, and that it has at least one action group.
Verify that the action group actually delivers (for example, that the e-mail recipients or webhook endpoint are current) so that the rule does not fire into nothing.
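The same checks can be scripted against the JSON that `az monitor activity-log alert list -o json` returns, which is useful when auditing many subscriptions. The script below is an added example for this page, not code from the benchmark or from Microsoft. The alert rules in it are constructed sample data that mirror the az CLI output shape (rule properties flattened to the top level); the checker also accepts the ARM shape where the same fields sit under "properties". The subscription ID, resource group and action group names are placeholders.

```python
"""Audit Activity Log Alert rules for the Public IP write operation.

Added example for this page (not the benchmark's or Azure's own code). It
applies the Audit-section checks to the output of
`az monitor activity-log alert list -o json`. SAMPLE_RULES is constructed
data; the subscription ID, resource group and action group are placeholders.
"""
import json
import sys

# One write operation covers both creation and update of a Public IP Address.
REQUIRED_OPERATION = "Microsoft.Network/publicIPAddresses/write"
REQUIRED_CATEGORY = "Administrative"

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
_AG = (f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-monitoring"
       "/providers/microsoft.insights/actionGroups/ag-netsec")  # placeholder

SAMPLE_RULES = [  # constructed sample data
    {   # compliant: subscription scope, enabled, correct condition, action group
        "name": "CreateOrUpdatePublicIPAlert",
        "enabled": True,
        "scopes": [f"/subscriptions/{SUBSCRIPTION_ID}"],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": REQUIRED_OPERATION}]},
        "actions": {"actionGroups": [{"actionGroupId": _AG}]},
    },
    {   # ARM shape; right operation but disabled, one resource group, nobody notified
        "name": "PublicIPAlert-rg-only",
        "properties": {
            "enabled": False,
            "scopes": [f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-prod"],
            "condition": {"allOf": [
                {"field": "category", "equals": "Administrative"},
                {"field": "operationName", "equals": REQUIRED_OPERATION}]},
            "actions": {"actionGroups": []},
        },
    },
    {   # unrelated rule; the audit ignores it
        "name": "ServiceHealthAlert",
        "enabled": True,
        "scopes": [f"/subscriptions/{SUBSCRIPTION_ID}"],
        "condition": {"allOf": [{"field": "category", "equals": "ServiceHealth"}]},
        "actions": {"actionGroups": [{"actionGroupId": _AG}]},
    },
]


def _props(rule):
    """Return the rule's properties for both az CLI (flat) and ARM (nested) shapes."""
    return rule.get("properties", rule)


def _conditions(rule):
    """Map lowercased condition field -> lowercased 'equals' value (Azure matches case-insensitively)."""
    all_of = _props(rule).get("condition", {}).get("allOf", [])
    return {str(c.get("field", "")).lower(): str(c.get("equals", "")).lower()
            for c in all_of if "equals" in c}


def check_rule(rule, subscription_id):
    """Return the findings for one rule; an empty list means it satisfies the control."""
    p, cond, findings = _props(rule), _conditions(rule), []
    if cond.get("category") != REQUIRED_CATEGORY.lower():
        findings.append("condition does not require category=Administrative")
    if cond.get("operationname") != REQUIRED_OPERATION.lower():
        findings.append(f"condition does not match operationName={REQUIRED_OPERATION}")
    if not p.get("enabled", False):
        findings.append("rule is disabled")
    if f"/subscriptions/{subscription_id}".lower() not in [s.lower() for s in p.get("scopes", [])]:
        findings.append("scope is narrower than the subscription")
    if not p.get("actions", {}).get("actionGroups"):
        findings.append("no action group attached, so nobody is notified")
    return findings


def audit(rules, subscription_id):
    """Split the rules that target the Public IP write operation into compliant and partial."""
    result = {"compliant": [], "partial": {}}
    for rule in rules:
        if _conditions(rule).get("operationname") != REQUIRED_OPERATION.lower():
            continue  # rule is about some other operation
        findings = check_rule(rule, subscription_id)
        if findings:
            result["partial"][rule["name"]] = findings
        else:
            result["compliant"].append(rule["name"])
    return result


def control_passes(rules, subscription_id):
    """The control is met when at least one rule passes every check."""
    return bool(audit(rules, subscription_id)["compliant"])


if __name__ == "__main__":
    # Usage: az monitor activity-log alert list -o json | python3 audit_pip_alert.py <subscription-id>
    sub = sys.argv[1] if len(sys.argv) > 1 else SUBSCRIPTION_ID
    rules = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RULES
    report = audit(rules, sub)
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["compliant"] else 1)
```

Run with no input and it audits the constructed sample, reporting the first rule as compliant and the second with three findings; pipe the real `az monitor activity-log alert list -o json` output into it with your subscription ID as the argument and the exit code is 0 only when a fully compliant rule exists. The "partial" bucket is the one worth reading: a rule that names the right operation but is disabled or scoped to one resource group looks compliant in a quick portal glance and is exactly what this audit is meant to catch.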
Implementation Steps (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Monitoring Contributor permissions.
Navigate to Azure Monitor:
In the Azure portal, search for Azure Monitor and select it from the search results.
Go to Activity Log Alerts:
In Azure Monitor, go to Activity Log under Monitoring.
Click on Alerts and then select + New alert rule.
Create a New Alert for Create or Update Public IP Address:
Under Scope, select your subscription or resource group.
Under Condition, choose Activity Log as the signal type.
Select the signal named Create or Update Public IP Address (Microsoft.Network/publicIPAddresses). Its category is Administrative, not "Write": the Activity Log has no Write category, and the word write appears only in the operation name.
Creation and update are a single operation, Microsoft.Network/publicIPAddresses/write, so one condition covers both; there are no separate "Create" and "Update" operations to filter on.
Leave Event level, Status and Event initiated by unfiltered (the default) unless you deliberately want to alert only on succeeded operations.
Example of criteria:
Category: Administrative
Operation Name: Create or Update Public IP Address (Microsoft.Network/publicIPAddresses/write)
Resource Type: Microsoft.Network/publicIPAddresses
Set Up Action Group:
Under Action Group, select or create an Action Group to define how the alert will notify you (e.g., via Email, SMS, Webhook).
You can send notifications to specific security teams or network administrators whenever a Public IP Address is created or updated.
Review and Create:
Review the configuration and ensure the alert is set to notify you when a Public IP Address is created or updated.
Click Create to save the alert rule.
Automate Alert Creation Using Azure CLI: To create the same Activity Log Alert with Azure CLI, run:
az monitor activity-log alert create \
  --name "CreateOrUpdatePublicIPAlert" \
  --resource-group <Resource-Group-Name> \
  --scope "/subscriptions/<Subscription-ID>" \
  --condition "category=Administrative and operationName=Microsoft.Network/publicIPAddresses/write" \
  --action-group <Action-Group-ID> \
  --description "Alert for creation or update of Public IP Address"
Replace <Resource-Group-Name>, <Subscription-ID> and <Action-Group-ID> with the values for your environment; --action-group accepts either the action group's name or its full resource ID. The --condition value must use the resource-provider operation name in the FIELD=VALUE [and FIELD=VALUE] syntax; the portal display name "Create or Update Public IP Address" and an "in [...]" list are not accepted. The rule is enabled when created (there is no --enabled flag; pass --disable to create it disabled), and setting --scope to the subscription makes it fire for Public IP Addresses in every resource group rather than only the one that holds the rule.
Test the Alert:
After configuring the Activity Log Alert, test it by creating or updating a Public IP Address and ensuring that the alert is triggered and the notification is sent to the designated recipients.
Monitor and Review Alerts:
Use Azure Monitor to track the alert history and ensure that it is functioning as expected.
Review the alert history to verify that Public IP Address creation or update events are being logged.
Backout Plan (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Monitoring Contributor permissions.
Navigate to Azure Monitor:
Go to Azure Monitor in the Azure portal.
Delete or Modify the Alert:
In Activity Log Alerts, locate the Create or Update Public IP Address alert you created.
Select the alert and either delete it or modify its parameters as needed (e.g., adjust the notification action group, change alert criteria).
Verify Alert Removal:
Confirm in Azure Monitor under Alerts and Alert rules that the rule is gone or, if you modified it, that it shows the new criteria and action group.
Test the Backout:
Create or update a Public IP Address and confirm that no notification arrives if the rule was deleted, or that the modified rule notifies only as intended.