Azure Introduction
Azure Pricing
Azure Threats
Ensure Activity Log Alert exists for Create Policy Assignment
More Info:
Monitoring for create policy assignment events gives insight into changes done in ‘azure policy - assignments’ and may reduce the time it takes to detect unsolicited changes.
Risk Level
Low
Address
Security, Operational Maturity
Compliance Standards
CISAZURE, CBP, HIPAA, ISO27001, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the misconfiguration “Ensure Activity Log Alert exists for Create Policy Assignment” in Azure using the Azure console:
- Log in to the Azure portal using your credentials.
- Click on the “Monitor” option from the left-hand side menu.
- Click on the “Activity log alerts” option from the “Monitor” menu.
- Click on the “New alert rule” button to create a new alert rule.
- In the “Basics” tab, provide a name for the alert rule and select the subscription to which it applies.
- In the “Condition” tab, select the “Signal logic” as “Activity log”.
- In the “Target” section, select “Resource Manager” as the “Resource type”.
- In the “Event types” section, select “Policy Assignment Created” as the event type.
- In the “Actions” tab, select the “Action group” that you want to associate with this alert rule.
- In the “Review + create” tab, review the alert rule configuration and click on the “Create” button to create the alert rule.
Once the alert rule is created, you will receive notifications whenever a policy assignment is created in your Azure environment. This will help you to ensure that all policy assignments are being created as per the defined policies and standards.
To remediate the misconfiguration “Ensure Activity Log Alert exists for Create Policy Assignment” in AZURE using AZURE CLI, follow the below steps:
-
Open the AZURE CLI on your local machine or connect to the AZURE CLI in the AZURE portal.
-
Run the following command to check if an activity log alert exists for Create Policy Assignment:
az monitor activity-log alert list --query "[?contains(name, 'Create Policy Assignment')]"
If the command returns an empty array, then there is no activity log alert for Create Policy Assignment.
-
Run the following command to create an activity log alert for Create Policy Assignment:
az monitor activity-log alert create --name "Create Policy Assignment Alert" --description "Alert for Create Policy Assignment" --condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/write --action-group <action-group-id>
Replace
<action-group-id>
with the ID of the action group that you want to use for this alert. -
Run the following command to verify that the activity log alert has been created:
az monitor activity-log alert list --query "[?contains(name, 'Create Policy Assignment')]"
The command should return the details of the newly created activity log alert.
By following these steps, you can remediate the misconfiguration “Ensure Activity Log Alert exists for Create Policy Assignment” in AZURE using AZURE CLI.
To remediate the misconfiguration “Ensure Activity Log Alert exists for Create Policy Assignment” in Azure using Python, you can follow these steps:
- Import the necessary libraries:
from azure.mgmt.monitor import MonitorManagementClient
from azure.identity import ClientSecretCredential
- Set the Azure credentials:
tenant_id = '<your-tenant-id>'
client_id = '<your-client-id>'
client_secret = '<your-client-secret>'
subscription_id = '<your-subscription-id>'
credentials = ClientSecretCredential(
tenant_id=tenant_id,
client_id=client_id,
client_secret=client_secret
)
- Create a MonitorManagementClient:
monitor_client = MonitorManagementClient(
credentials=credentials,
subscription_id=subscription_id
)
- Define the activity log alert properties:
activity_log_alert_properties = {
'name': 'create-policy-assignment-alert',
'description': 'Activity log alert for create policy assignment',
'enabled': True,
'condition': {
'allOf': [
{
'field': 'category',
'equals': 'Policy'
},
{
'field': 'operationName',
'equals': 'Microsoft.Authorization/policyAssignments/write'
},
{
'field': 'resourceType',
'equals': 'Microsoft.Authorization/policyAssignments'
}
]
},
'actions': {
'action_groups': [
{
'action_group_id': '/subscriptions/<your-subscription-id>/resourceGroups/<your-resource-group-name>/providers/microsoft.insights/actionGroups/<your-action-group-name>'
}
]
}
}
- Create the activity log alert:
monitor_client.activity_log_alerts.create_or_update(
resource_group_name='<your-resource-group-name>',
activity_log_alert_name=activity_log_alert_properties['name'],
parameters=activity_log_alert_properties
)
- Verify that the activity log alert has been created successfully:
activity_log_alert = monitor_client.activity_log_alerts.get(
resource_group_name='<your-resource-group-name>',
activity_log_alert_name=activity_log_alert_properties['name']
)
print(activity_log_alert)
These steps will create an activity log alert in Azure that will trigger when a policy assignment is created. You can customize the alert properties as necessary to meet your specific requirements.