Skip to main content

More Info:

Ensure that a Microsoft Azure activity log alert is fired whenever a ‘Power Off Virtual Machine’ event is triggered within your cloud account. An Azure activity log alert fires each time the action event that matches the condition defined in the alert configuration is triggered. The alert condition that this conformity rule checks for is Whenever the Administrative Activity Log 'Power Off Virtual Machine (Microsoft.Compute/virtualMachines)' has 'any' level, with 'any' status and event is initiated by 'any'

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

  • Remediation

Remediation

Using Console

Sure, I can help you with that. Here are the step-by-step instructions to remediate the misconfiguration in Azure:
  1. Open the Azure portal and navigate to the Virtual Machines blade.
  2. Select the virtual machine for which you want to set up alerts.
  3. In the virtual machine’s Overview pane, click on the “Monitoring” option.
  4. In the Monitoring pane, click on the “Alerts” option.
  5. Click on the ”+ New alert rule” button to create a new alert rule.
  6. In the “Create rule” page, under the “Resource” section, select the virtual machine for which you want to set up alerts.
  7. Under the “Condition” section, click on the ”+ Add condition” button.
  8. In the “Add condition” page, select the “Virtual Machine” category and then select the “Power state” metric.
  9. Set the condition to “Power state” equals “VM deallocated”.
  10. Under the “Actions” section, click on the ”+ Add action group” button.
  11. In the “Add action group” page, click on the ”+ Create action group” button.
  12. In the “Create action group” page, enter a name for the action group and fill out the required fields.
  13. Under the “Actions” section, click on the ”+ Add action” button.
  14. In the “Add action” page, select the “Email/SMS/Push/Voice” option.
  15. Fill out the required fields, including the email address or phone number where you want to receive the alerts.
  16. Click on the “OK” button to save the action.
  17. Click on the “OK” button to save the action group.
  18. Click on the “OK” button to save the alert rule.
That’s it! You have successfully set up alerts for Power Off Virtual Machine Events in Azure. Now, whenever the virtual machine is deallocated, you will receive an email or SMS notification.

To remediate the misconfiguration “Setup Alerts for Power Off Virtual Machine Events” in AZURE using AZURE CLI, follow the below steps:Step 1: Open the AZURE CLI on your local machine or use the AZURE Cloud Shell.Step 2: Use the below command to create an action group that will be used to send alerts in case of any virtual machine power off events.
az monitor action-group create --name <action-group-name> --short-name <short-name> --resource-group <resource-group-name> --email <email-address> --sms <phone-number> --action webhook https://<webhook-url>
Here, replace the <action-group-name> with the name of the action group that you want to create, <short-name> with a short name for the action group, <resource-group-name> with the name of the resource group where the virtual machines are located, <email-address> with the email address where you want to receive the alerts, <phone-number> with the phone number where you want to receive the alerts and <webhook-url> with the URL of the webhook that you want to use to send alerts.Step 3: Use the below command to create a metric alert rule that will trigger an alert when a virtual machine is powered off.
az monitor metrics alert create --name <alert-rule-name> --resource-group <resource-group-name> --scopes <virtual-machine-id> --metric "Percentage CPU" --operator LessThan --threshold 1 --time-aggregation Average --action <action-group-name>
Here, replace the <alert-rule-name> with the name of the alert rule that you want to create, <resource-group-name> with the name of the resource group where the virtual machines are located, <virtual-machine-id> with the ID of the virtual machine for which you want to create the alert rule, and <action-group-name> with the name of the action group that you created in step 2.Step 4: Verify that the alert rule has been created successfully by using the below command:
az monitor metrics alert show --name <alert-rule-name> --resource-group <resource-group-name>
Here, replace the <alert-rule-name> with the name of the alert rule that you created in step 3, and <resource-group-name> with the name of the resource group where the virtual machines are located.That’s it! You have successfully remediated the misconfiguration “Setup Alerts for Power Off Virtual Machine Events” in AZURE using AZURE CLI. Now, you will receive alerts whenever a virtual machine is powered off.
To remediate the misconfiguration “Setup Alerts for Power Off Virtual Machine Events” in AZURE using python, you can follow the below steps:Step 1: Install the Azure SDK for Python using the following command:
!pip install azure
Step 2: Authenticate with Azure using the Azure CLI or Azure Active Directory. You can use the following command to authenticate using Azure CLI:
!az login
Step 3: Once you are authenticated, you can create an Azure Monitor Alert Rule using the following code:
from azure.mgmt.monitor import MonitorManagementClient
from azure.mgmt.monitor.models import *

# Replace the values with your own
subscription_id = 'your-subscription-id'
resource_group_name = 'your-resource-group-name'
vm_name = 'your-vm-name'

# Authenticate with Azure
credentials = ServicePrincipalCredentials(
    client_id='your-client-id',
    secret='your-client-secret',
    tenant='your-tenant-id'
)

# Create a Monitor Management Client
monitor_client = MonitorManagementClient(credentials, subscription_id)

# Create an Alert Rule
alert_rule = AlertRule(
    location='global',
    alert_rule_resource_group_id=f'/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}',
    alert_rule_name='power-off-vm-alert',
    description='Alert when a virtual machine is powered off',
    alert_criteria=AlertRuleAllOf(
        dimensions=[
            AlertRuleDimension(
                name='ResourceId',
                operator='Include',
                values=[f'/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Compute/virtualMachines/{vm_name}']
            ),
            AlertRuleDimension(
                name='ResourceType',
                operator='Include',
                values=['Microsoft.Compute/virtualMachines']
            ),
            AlertRuleDimension(
                name='OperationName',
                operator='Include',
                values=['Microsoft.Compute/virtualMachines/deallocate/action']
            )
        ]
    ),
    actions=[
        AlertRuleAction(
            action_group_id='your-action-group-id'
        )
    ]
)

# Create the Alert Rule
monitor_client.alert_rules.create_or_update(
    resource_group_name=resource_group_name,
    rule_name=alert_rule.alert_rule_name,
    parameters=alert_rule
)
In the above code, you need to replace the values for subscription_id, resource_group_name, vm_name, client_id, client_secret, tenant_id, and action_group_id with your own values.This code will create an alert rule that will trigger whenever a virtual machine is powered off and will send an alert to the specified action group.Note: You need to have the necessary permissions to create an alert rule and an action group in Azure.

Additional Reading: