More Info:

Monitoring for ‘Delete Security Solution’ events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

CISAZURE, CBP, SOC2, ISO27001, HIPAA

Triage and Remediation

Remediation

To remediate this misconfiguration by creating an Activity Log Alert for Delete Security Solution using the Azure console, follow the steps below:

  1. Log in to the Azure portal (https://portal.azure.com/).

  2. In the left-hand side menu, click on the “Monitor” option.

  3. Under the “Monitor” menu, click on “Activity log”.

  4. In the “Activity log” page, click on “Alerts” in the left-hand side menu.

  5. Click on the “+ New alert rule” button to create a new alert rule.

  6. In the “Create alert rule” page, provide a name for the alert rule.

  7. In the “Condition” section, select “Activity log” in the “Signal type” dropdown menu.

  8. In the “Filter” section, select “Resource type” in the first dropdown menu and type “Microsoft.Security/solutions” in the second dropdown menu.

  9. In the “Actions” section, select “Email/SMS/Push/Voice” in the “Action group” dropdown menu and select the appropriate action group.

  10. In the “Alert rule details” section, set the “Severity” level to “Critical”.

  11. Click on the “Create alert rule” button to create the alert rule.

After following these steps, an Activity Log Alert will be created for Delete Security Solution in Azure.
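
To confirm the result, the exported alert rules can be checked offline. The script below is an added example, not part of the original page: it audits JSON shaped like the output of `az monitor activity-log alert list` and reports why a rule would not actually fire for this event. The operation name `Microsoft.Security/securitySolutions/delete` (as used by the CIS Azure benchmark), the rule names, and the subscription ID are assumptions or constructed sample values.

```python
import json

# Assumption: operation name for "Delete Security Solution" as used by the CIS Azure benchmark.
DELETE_OP = "microsoft.security/securitysolutions/delete"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder

# Constructed sample, shaped like `az monitor activity-log alert list -o json` output.
SAMPLE_RULES = json.loads("""[
 {"name": "sec-solution-write", "enabled": true, "scopes": ["SUB"],
  "condition": {"allOf": [{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}]},
  "actions": {"actionGroups": [{"actionGroupId": "SUB/resourceGroups/ops/providers/microsoft.insights/actionGroups/soc"}]}},
 {"name": "delete-disabled", "enabled": false, "scopes": ["SUB"],
  "condition": {"allOf": [{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]},
  "actions": {"actionGroups": [{"actionGroupId": "SUB/resourceGroups/ops/providers/microsoft.insights/actionGroups/soc"}]}},
 {"name": "delete-rg-only", "enabled": true, "scopes": ["SUB/resourceGroups/app-rg"],
  "condition": {"allOf": [{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]},
  "actions": {"actionGroups": []}},
 {"name": "sec-solution-delete", "enabled": true, "scopes": ["SUB"],
  "condition": {"allOf": [{"field": "category", "equals": "Security"},
                          {"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]},
  "actions": {"actionGroups": [{"actionGroupId": "SUB/resourceGroups/ops/providers/microsoft.insights/actionGroups/soc"}]}}
]""".replace("SUB", SUB))

def gaps(rule, subscription_scope):
    """Return why a rule does not satisfy the check (empty list = compliant)."""
    conds = (rule.get("condition") or {}).get("allOf") or []
    ops = {str(c.get("equals", "")).lower() for c in conds
           if str(c.get("field", "")).lower() == "operationname"}
    if DELETE_OP not in ops:
        return ["does not match the delete operation"]
    found = []
    if not rule.get("enabled"):
        found.append("rule is disabled")
    if subscription_scope.lower() not in (s.lower() for s in rule.get("scopes") or []):
        found.append("scope does not cover the whole subscription")
    if not (rule.get("actions") or {}).get("actionGroups"):
        found.append("no action group attached")
    return found

def audit(rules, subscription_scope):
    """Map rule name -> list of gaps; the check passes if any rule has none."""
    report = {r["name"]: gaps(r, subscription_scope) for r in rules}
    return report, any(not g for g in report.values())

if __name__ == "__main__":
    report, ok = audit(SAMPLE_RULES, SUB)
    for name, g in report.items():
        print(f"{name}: {'OK' if not g else '; '.join(g)}")
    print("PASS" if ok else "FAIL")
```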

Additional Reading: