Description:

An Activity Log Alert for Delete Security Solution ensures that any attempt to delete a Security Solution in your Azure environment triggers a notification. Security Solutions in Azure, such as Microsoft Defender or other third-party security services, play a critical role in protecting your resources. Deleting a security solution can expose your environment to security vulnerabilities, making it essential to track and respond to such deletions immediately.

By creating an Activity Log Alert for Delete Security Solution actions, you can ensure that any changes to your security posture are immediately flagged and acted upon to prevent security risks.

Rationale:

By setting up an Activity Log Alert for Delete Security Solution actions, you can:

  • Monitor the deletion of critical security solutions.

  • Track and prevent unauthorized changes to your security configurations.

  • Improve security by notifying security teams when a security solution is removed, ensuring that any accidental or malicious deletions are investigated immediately.

  • Ensure compliance with your organization's security policies and regulatory requirements.

Impact:

Configuring this Activity Log Alert ensures that you are notified promptly when a Security Solution is deleted, allowing you to respond quickly to prevent potential breaches. However, this may generate notifications in cases where security solutions are intentionally removed for maintenance or reconfiguration. Proper alert filtering and handling procedures should be in place to avoid alert fatigue.

Default Value:

By default, there are no Activity Log Alerts configured for Delete Security Solution actions. You need to manually create and configure these alerts to track and respond to such events.

Pre-requisites:

  • Azure subscription.

  • Owner or Contributor role permissions to create Activity Log Alerts.

  • Azure Monitor enabled for logging.

  • Log Analytics workspace (optional, for storing telemetry data).

  • Security solutions such as Microsoft Defender for Cloud or third-party security solutions deployed in your environment.

Audit:

  1. Sign in to Azure portal as an Owner, Contributor, or Monitoring Contributor.

  2. Navigate to Azure Monitor and review the Activity Log Alerts to ensure that alerts for Delete Security Solution actions are configured.

  3. Verify that the configured alert is properly notifying users when a Security Solution is deleted.
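The portal review above can also be scripted. The following is an added example, not part of this recommendation or of any Microsoft tooling: it evaluates the JSON returned by `az monitor activity-log alert list -o json` (the Microsoft.Insights/activityLogAlerts shape) and reports, per alert, why it does or does not satisfy this control. It assumes that the operation the portal displays as "Delete Security Solution" is the resource-provider operation Microsoft.Security/securitySolutions/delete; the subscription ID, alert names and action group ID in the sample are constructed placeholders.

```python
import json

# Assumption: the operation shown in the portal as "Delete Security Solution"
# is this Microsoft.Security resource-provider operation name.
DELETE_SECURITY_SOLUTION_OP = "Microsoft.Security/securitySolutions/delete"

# Constructed sample in the shape of `az monitor activity-log alert list -o json`.
# Subscription, resource group and action group IDs are placeholders.
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
SAMPLE_ALERTS = json.loads(r'''
[
  {
    "name": "DeleteSecuritySolutionAlert",
    "enabled": true,
    "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "condition": {"allOf": [
      {"field": "category", "equals": "Administrative"},
      {"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}
    ]},
    "actions": {"actionGroups": [
      {"actionGroupId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-monitoring/providers/microsoft.insights/actionGroups/SecOps"}
    ]}
  },
  {
    "name": "DeleteSecuritySolutionAlert-old",
    "enabled": false,
    "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "condition": {"allOf": [
      {"field": "category", "equals": "Administrative"},
      {"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}
    ]},
    "actions": {"actionGroups": [
      {"actionGroupId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-monitoring/providers/microsoft.insights/actionGroups/SecOps"}
    ]}
  },
  {
    "name": "NsgDeleteAlert",
    "enabled": true,
    "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-network"],
    "condition": {"allOf": [
      {"field": "category", "equals": "Administrative"},
      {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}
    ]},
    "actions": {"actionGroups": []}
  }
]
''')


def alert_findings(alert, subscription_id):
    """Return the reasons this alert does not satisfy the control; an empty list means it does."""
    problems = []
    if not alert.get("enabled", False):
        problems.append("alert is disabled")
    # condition.allOf is a list of {field, equals} clauses that must all match an event
    clauses = {c.get("field", "").lower(): str(c.get("equals", "")).lower()
               for c in alert.get("condition", {}).get("allOf", [])}
    if clauses.get("category") != "administrative":
        problems.append("category condition is not Administrative")
    if clauses.get("operationname") != DELETE_SECURITY_SOLUTION_OP.lower():
        problems.append(f"operationName condition is not {DELETE_SECURITY_SOLUTION_OP}")
    # An alert with no action group fires silently: nobody is notified.
    if not alert.get("actions", {}).get("actionGroups"):
        problems.append("no action group attached, so nobody is notified")
    # The page allows subscription or resource-group scope; either must sit in the audited subscription.
    prefix = f"/subscriptions/{subscription_id}".lower()
    if not any(s.lower().startswith(prefix) for s in alert.get("scopes", [])):
        problems.append("no scope inside the audited subscription")
    return problems


def audit(alerts, subscription_id):
    """Return (compliant, report): compliant is True when at least one alert has no findings."""
    report = {a.get("name", "<unnamed>"): alert_findings(a, subscription_id) for a in alerts}
    return any(not findings for findings in report.values()), report


if __name__ == "__main__":
    compliant, report = audit(SAMPLE_ALERTS, SAMPLE_SUBSCRIPTION)
    for name, findings in report.items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
    print("CONTROL", "PASS" if compliant else "FAIL")
```

To run it against a real subscription, replace SAMPLE_ALERTS with `json.load()` of the CLI output and SAMPLE_SUBSCRIPTION with the subscription you are auditing; the control passes when at least one alert is enabled, matches the delete operation, has an action group and is scoped inside that subscription.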

Implementation Steps (Automated):

  1. Sign in to Azure portal:

    • Use an account with Owner, Contributor, or Monitoring Contributor permissions.

  2. Navigate to Azure Monitor:

    • In the Azure portal, go to Azure Monitor and select Activity Log under Monitoring.

  3. Create a New Alert for Delete Security Solution:

    • In Activity Log Alerts, click on + New alert rule.

    • Under Scope, select your subscription or resource group.

    • Under Condition, choose Activity Log as the signal type.

    • Set the Event Category to Delete and the Resource Type to Microsoft.Security/solutions or the specific security solution you are using (e.g., Microsoft Defender for Cloud).

    • Filter further by Operation Name: Delete Security Solution.

  4. Example of criteria:

    • Event Category: Delete

    • Operation Name: Delete Security Solution

    • Resource Type: Microsoft.Security/solutions

  5. Set Up Action Group:

    • Under Action Group, either select an existing action group or create a new one to define how the alert will notify you (e.g., via Email, SMS, Webhook).

    • You can send notifications to security teams or administrators whenever a Security Solution is deleted.

  6. Review and Create:

    • Review the configuration and ensure the alert is set to notify you when a Security Solution is deleted.

    • Click Create to save the alert rule.

Automate Alert Creation Using Azure CLI:

To automate the creation of an Activity Log Alert for Delete Security Solution using Azure CLI, run the following command:

# Placeholders in <angle brackets> are values from your environment.
# The condition uses the CLI's FIELD=VALUE[ and FIELD=VALUE] syntax; the operation the
# portal shows as "Delete Security Solution" is Microsoft.Security/securitySolutions/delete.
# Scoping to the subscription catches deletions in any resource group; the rule is enabled
# by default (add --disable true to create it disabled).
az monitor activity-log alert create \
    --name "DeleteSecuritySolutionAlert" \
    --resource-group <Resource-Group-Name> \
    --scope "/subscriptions/<Subscription-ID>" \
    --condition "category=Administrative and operationName=Microsoft.Security/securitySolutions/delete" \
    --action-group <Action-Group-ID> \
    --description "Alert for deletion of Security Solution"

  1. Replace the <angle-bracket> placeholders (resource group, action group ID and any other IDs in the command) with the appropriate values for your environment.

  2. Test the Alert:

    • After configuring the Activity Log Alert, test it by deleting a Security Solution and ensuring that the alert is triggered and the notification is sent to the designated recipients.

  3. Monitor and Review Alerts:

    • Use Azure Monitor to track the alert history and ensure that it is functioning as expected.

    • Review the alert history to verify that Security Solution deletions are being logged.

Backout Plan (Automated):

  1. Sign in to Azure portal:

    • Use an account with Owner, Contributor, or Monitoring Contributor permissions.

  2. Navigate to Azure Monitor:

    • Go to Azure Monitor in the Azure portal.

  3. Delete or Modify the Alert:

    • In Activity Log Alerts, locate the Delete Security Solution alert you created.

    • Select the alert and either delete it or modify its parameters as needed (e.g., change the notification action group, adjust alert criteria).

  4. Verify Alert Removal:

    • After removing or modifying the alert, ensure that it no longer triggers notifications for Delete Security Solution events.

  5. Test the Backout:

    • Test the configuration by deleting a Security Solution to ensure that the alert no longer triggers or functions as expected after the backout.

References: