Skip to main content

More Info:

Ensure that a Microsoft Azure activity log alert is fired whenever a ‘Delete Virtual Machine’ event is triggered within your cloud account. An Azure activity log alert fires each time the action event that matches the condition specified in the alert configuration is triggered. The alert condition that this rule searches for is Whenever the Administrative Activity Log 'Delete Virtual Machine (Microsoft.Compute/virtualMachines)' has 'any' level, with 'any' status and event is initiated by 'any'

Risk Level

High

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate misconfiguration of not having alerts set up for delete virtual machine events in Azure:
  1. Login to Azure portal using your credentials.
  2. Navigate to the “Virtual Machines” blade from the left-hand side menu.
  3. Select the virtual machine for which you want to set up alerts for delete events.
  4. Under the “Monitoring” section, select “Alerts” and click on the “New alert rule” button.
  5. In the “New alert rule” page, select the “Signal logic” tab.
  6. In the “Signal logic” tab, select “Virtual machines” from the “Resource type” drop-down menu.
  7. Select “Delete” from the “Signal name” drop-down menu.
  8. Set the “Aggregation type” to “Count”.
  9. Set the “Threshold value” to “1”.
  10. Set the “Evaluation frequency” to “5 minutes”.
  11. In the “Actions” tab, select “Add action group”.
  12. In the “Add action group” page, click on the “Create action group” button.
  13. In the “Create action group” page, provide a name for the action group.
  14. Select “Email/SMS/Push/Voice” as the “Action type”.
  15. Enter the email address or phone number in the “Email/SMS/Push/Voice details” field.
  16. Click on the “OK” button to create the action group.
  17. Select the newly created action group from the “Actions” tab.
  18. Click on the “Create alert rule” button to save the alert rule.
With these steps, you have successfully remediated the misconfiguration of not having alerts set up for delete virtual machine events in Azure. Now, you will receive an email or SMS notification whenever a virtual machine is deleted in your Azure environment.

To remediate the misconfiguration “Setup Alerts for Delete Virtual Machine Events” in AZURE using AZURE CLI, follow these steps:
  1. Open the AZURE CLI on your system.
  2. Run the following command to create a new action group for the alerts: 
    az monitor action-group create --name <action-group-name> --short-name <short-name> --email <email-address> --sms <phone-number>
    Replace <action-group-name> with a name for the action group, <short-name> with a short name for the action group, <email-address> with the email address to receive alerts, and <phone-number> with the phone number to receive alerts.
  3. Run the following command to create a new alert rule: 
    az monitor metrics alert create --name <alert-rule-name> --description <description> --resource <resource-id> --metric "Percentage CPU" --operator GreaterThan --threshold 90 --time-aggregation Average --evaluation-frequency 5 --actions <action-group-name>
    Replace <alert-rule-name> with a name for the alert rule, <description> with a description for the alert rule, <resource-id> with the ID of the resource to monitor (e.g. virtual machine), and <action-group-name> with the name of the action group created in step 2.
  4. Run the following command to verify the alert rule: 
    az monitor metrics alert show --name <alert-rule-name> --resource <resource-id>
    Replace <alert-rule-name> with the name of the alert rule created in step 3 and <resource-id> with the ID of the resource to monitor.
With these steps, you have successfully set up alerts for delete virtual machine events in AZURE using AZURE CLI.
To remediate the misconfiguration of not having alerts set up for delete virtual machine events in Azure, you can follow these steps using Python:
  1. Install the Azure SDK for Python using the following command: 
    pip install azure-mgmt-monitor
  2. Authenticate to your Azure account using the Azure CLI or by providing a Service Principal.
  3. Create a new alert rule using the azure-mgmt-monitor package. The following code snippet demonstrates how to create an alert rule for delete virtual machine events: 
    from azure.mgmt.monitor import MonitorManagementClient
from azure.mgmt.monitor.models import (AlertRuleResource, Condition, 
                                        RuleMetricDataSource, RuleMetricDimension)

# Replace with your own values
RESOURCE_GROUP_NAME = 'my-resource-group'
VM_NAME = 'my-vm'
ALERT_NAME = 'vm-delete-alert'
ACTION_GROUP_ID = '/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/microsoft.insights/actionGroups/<action-group-name>'

# Create the rule condition
condition = Condition(
    metric_name='SuccessfulCalls',
    metric_namespace='Microsoft.Compute/virtualMachines',
    operator='==',
    threshold='0',
    time_aggregation='Total',
    dimensions=[
        RuleMetricDimension(name='ResourceId', value=f"/subscriptions/<subscription-id>/resourceGroups/{RESOURCE_GROUP_NAME}/providers/Microsoft.Compute/virtualMachines/{VM_NAME}")
    ]
)

# Create the rule data source
data_source = RuleMetricDataSource(
    resource_uri=f"/subscriptions/<subscription-id>/resourceGroups/{RESOURCE_GROUP_NAME}/providers/Microsoft.Compute/virtualMachines/{VM_NAME}",
    metric_name='SuccessfulCalls',
    metric_namespace='Microsoft.Compute/virtualMachines'
)

# Create the alert rule
alert_rule = AlertRuleResource(
    name=ALERT_NAME,
    description='Alert for virtual machine delete events',
    is_enabled=True,
    condition=condition,
    actions=[
        {
            'action_group_id': ACTION_GROUP_ID
        }
    ],
    data_source=data_source
)

# Create the MonitorManagementClient and create the alert rule
monitor_client = MonitorManagementClient(credentials, subscription_id)
monitor_client.alert_rules.create_or_update(
    RESOURCE_GROUP_NAME,
    ALERT_NAME,
    alert_rule
)
  4. Replace the placeholders in the code snippet with your own values, such as the resource group name, virtual machine name, alert name, and action group ID.
  5. Run the Python script to create the alert rule.
With these steps, you should have successfully remediated the misconfiguration of not having alerts set up for delete virtual machine events in Azure.

Additional Reading: