Skip to main content

More Info:

Monitoring for ‘Create’ or ‘Update Security Solution’ events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

CISAZURE, CBP, SOC2, ISO27001, HIPAA

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure Activity Log Alert exists for Create or Update Security Solution” in AZURE using the AZURE console, follow the below steps:
  1. Login to the AZURE console with your credentials.
  2. Navigate to the Security Center from the left-hand menu.
  3. Click on the “Policies” option under the Security Center.
  4. In the Policies page, click on the “Security policy” option.
  5. In the Security policy page, select the policy you want to remediate, in this case, “Ensure Activity Log Alert exists for Create or Update Security Solution”.
  6. Click on the “Remediate” button at the top of the page.
  7. In the Remediate dialog box, select the subscription(s) and resource group(s) you want to remediate and click on the “Remediate” button.
  8. The remediation process will start and you can monitor the progress from the “Activity log” option under the Security Center.
Once the remediation process is completed, the misconfiguration “Ensure Activity Log Alert exists for Create or Update Security Solution” will be remediated.

To remediate the misconfiguration “Ensure Activity Log Alert exists for Create or Update Security Solution” for Azure using Azure CLI, follow these steps:
  1. Open the Azure CLI on your local machine.
  2. Run the following command to check if an activity log alert exists for creating or updating a security solution: 
    az monitor activity-log alert list --query "[?contains(details.operationName.value, 'Microsoft.SecurityInsights/securitySolutions/write')]"
    If no activity log alert exists, the output will be an empty array.
  3. If no activity log alert exists, run the following command to create an activity log alert: 
    az monitor activity-log alert create --name <alert_name> --description <alert_description> --condition "category=Administrative and operationName.value=Microsoft.SecurityInsights/securitySolutions/write" --action-groups <action_group_name> --enabled true
    Replace <alert_name> with the name of the alert you want to create, <alert_description> with a description for the alert, and <action_group_name> with the name of the action group to use for the alert.
  4. After running the command, you should see output similar to the following: 
    {
  "actions": {
    "action_groups": [
      {
        "action_group_id": "/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/microsoft.insights/actionGroups/<action_group_name>",
        "webhook_properties": null
      }
    ],
    "custom_emails": null,
    "email_subject": null,
    "use_common_alert_schema": null
  },
  "condition": {
    "all_of": [
      {
        "field": "category",
        "equals": "Administrative"
      },
      {
        "field": "operationName.value",
        "equals": "Microsoft.SecurityInsights/securitySolutions/write"
      }
    ]
  },
  "description": "<alert_description>",
  "enabled": true,
  "id": "/subscriptions/<subscription_id>/providers/microsoft.insights/activityLogAlerts/<alert_name>",
  "location": null,
  "name": "<alert_name>",
  "scopes": [
    "/subscriptions/<subscription_id>"
  ],
  "tags": {},
  "type": "Microsoft.Insights/activityLogAlerts"
}
    This indicates that the activity log alert has been created successfully.
  5. Verify that the activity log alert has been created by running the following command: 
    az monitor activity-log alert list --query "[?contains(details.operationName.value, 'Microsoft.SecurityInsights/securitySolutions/write')]"
    If the activity log alert was created successfully, you should see output similar to the following: 
    [
  {
    "actions": {
      "action_groups": [
        {
          "action_group_id": "/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/microsoft.insights/actionGroups/<action_group_name>",
          "webhook_properties": null
        }
      ],
      "custom_emails": null,
      "email_subject": null,
      "use_common_alert_schema": null
    },
    "condition": {
      "all_of": [
        {
          "field": "category",
          "equals": "Administrative"
        },
        {
          "field": "operationName.value",
          "equals": "Microsoft.SecurityInsights/securitySolutions/write"
        }
      ]
    },
    "description": "<alert_description>",
    "enabled": true,
    "id": "/subscriptions/<subscription_id>/providers/microsoft.insights/activityLogAlerts/<alert_name>",
    "location": null,
    "name": "<alert_name>",
    "scopes": [
      "/subscriptions/<subscription_id>"
    ],
    "tags": {},
    "type": "Microsoft.Insights/activityLogAlerts"
  }
]
    This confirms that the activity log alert has been created successfully.
To remediate the misconfiguration “Ensure Activity Log Alert exists for Create or Update Security Solution” in Azure using Python, you can follow the below steps:
  1. Import the necessary libraries:
from azure.identity import DefaultAzureCredential
from azure.mgmt.monitor import MonitorManagementClient
from azure.mgmt.monitor.models import *
  1. Create an instance of the MonitorManagementClient using the DefaultAzureCredential:
credential = DefaultAzureCredential()
monitor_client = MonitorManagementClient(credential, subscription_id)
  1. Define the required parameters for creating a new Activity Log Alert:
activity_log_alert_name = "my-activity-log-alert"
resource_group_name = "my-resource-group"
scope = "/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}"
condition_type = "Microsoft.Insights/scheduledQueryRules"
condition_data = {
    "query": "AzureActivity | where Category == 'Security' | where OperationNameValue == 'Microsoft.Security/securitySolutions/write' | where ResultType == 'Success' | where ResourceProviderValue == 'Microsoft.Security' | where ResourceId contains 'providers/Microsoft.Security/securitySolutions' | summarize AggregatedValue = count() by bin(TimeGenerated, 1m)",
    "aggregation": {
        "operator": "Count",
        "threshold": 1
    }
}
action_group_ids = ["/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/microsoft.insights/actionGroups/my-action-group"]
  1. Check if an Activity Log Alert already exists for Create or Update Security Solution:
activity_log_alerts = monitor_client.activity_log_alerts.list_by_subscription()
for activity_log_alert in activity_log_alerts:
    if activity_log_alert.name == activity_log_alert_name:
        if condition_type in activity_log_alert.condition.all_of[0].all_of[0].dimensions[0].values:
            print("Activity Log Alert already exists for Create or Update Security Solution")
            return
  1. If an Activity Log Alert does not exist, create a new one:
activity_log_alert_resource = ActivityLogAlertResource(
    location="global",
    enabled=True,
    description="Activity Log Alert for Create or Update Security Solution",
    scopes=[scope],
    condition=ActivityLogAlertAllOfCondition(
        all_of=[
            ActivityLogAlertLeafCondition(
                field="category",
                equals="Administrative"
            ),
            ActivityLogAlertLeafCondition(
                field="operationName",
                equals="Microsoft.Security/securitySolutions/write"
            ),
            ActivityLogAlertLeafCondition(
                field="resultType",
                equals="Success"
            ),
            ActivityLogAlertLeafCondition(
                field="resourceProvider",
                equals="Microsoft.Security"
            ),
            ActivityLogAlertLeafCondition(
                field="resourceId",
                contains="providers/Microsoft.Security/securitySolutions"
            ),
            ActivityLogAlertAllOfCondition(
                all_of=[
                    ActivityLogAlertLeafCondition(
                        field="level",
                        equals="Critical"
                    ),
                    ActivityLogAlertLeafCondition(
                        field="status",
                        equals="Active"
                    ),
                    ActivityLogAlertAllOfCondition(
                        all_of=[
                            ActivityLogAlertLeafCondition(
                                field="category",
                                equals="Security"
                            ),
                            ActivityLogAlertLeafCondition(
                                field="operationName",
                                equals="Microsoft.Security/securitySolutions/write"
                            ),
                            ActivityLogAlertLeafCondition(
                                field="resultType",
                                equals="Success"
                            ),
                            ActivityLogAlertLeafCondition(
                                field="resourceProvider",
                                equals="Microsoft.Security"
                            ),
                            ActivityLogAlertLeafCondition(
                                field="resourceId",
                                contains="providers/Microsoft.Security/securitySolutions"
                            ),
                            ActivityLogAlertAllOfCondition(
                                all_of=[
                                    ActivityLogAlertLeafCondition(
                                        field="category",
                                        equals="Security"
                                    ),
                                    ActivityLogAlertLeafCondition(
                                        field="operationName",
                                        equals="Microsoft.Security/securitySolutions/write"
                                    ),
                                    ActivityLogAlertLeafCondition(
                                        field="resultType",
                                        equals="Success"
                                    ),
                                    ActivityLogAlertLeafCondition(
                                        field="resourceProvider",
                                        equals="Microsoft.Security"
                                    ),
                                    ActivityLogAlertLeafCondition(
                                        field="resourceId",
                                        contains="providers/Microsoft.Security/securitySolutions"
                                    ),
                                    ActivityLogAlertAllOfCondition(
                                        all_of=[
                                            ActivityLogAlertLeafCondition(
                                                field="category",
                                                equals="Security"
                                            ),
                                            ActivityLogAlertLeafCondition(
                                                field="operationName",
                                                equals="Microsoft.Security/securitySolutions/write"
                                            ),
                                            ActivityLogAlertLeafCondition(
                                                field="resultType",
                                                equals="Success"
                                            ),
                                            ActivityLogAlertLeafCondition(
                                                field="resourceProvider",
                                                equals="Microsoft.Security"
                                            ),
                                            ActivityLogAlertLeafCondition(
                                                field="resourceId",
                                                contains="providers/Microsoft.Security/securitySolutions"
                                            ),
                                            ActivityLogAlertLeafCondition(
                                                field="category",
                                                equals=condition_type
                                            )
                                        ]
                                    )
                                ]
                            )
                        ]
                    )
                ]
            )
        ]
    ),
    actions=ActivityLogAlertActionList(
        action_groups=action_group_ids
    )
)

monitor_client.activity_log_alerts.create_or_update(
    resource_group_name=resource_group_name,
    activity_log_alert_name=activity_log_alert_name,
    activity_log_alert_resource=activity_log_alert_resource
)

print("Activity Log Alert created for Create or Update Security Solution")
By following the above steps, you can remediate the misconfiguration “Ensure Activity Log Alert exists for Create or Update Security Solution” in Azure using Python.

Additional Reading: