Skip to main content

More Info:

Monitoring for ‘Delete Security Solution’ events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

CISAZURE, CBP, SOC2, ISO27001, HIPAA

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of ensuring Activity Log Alert exists for Delete Security Solution in Azure using the Azure console, follow the below steps:
  1. Log in to the Azure portal (https://portal.azure.com/).
  2. In the left-hand side menu, click on the “Monitor” option.
  3. Under the “Monitor” menu, click on “Activity log”.
  4. In the “Activity log” page, click on “Alerts” in the left-hand side menu.
  5. Click on the ”+ New alert rule” button to create a new alert rule.
  6. In the “Create alert rule” page, provide a name for the alert rule.
  7. In the “Condition” section, select “Activity log” in the “Signal type” dropdown menu.
  8. In the “Filter” section, select “Resource type” in the first dropdown menu and type “Microsoft.Security/solutions” in the second dropdown menu.
  9. In the “Actions” section, select “Email/SMS/Push/Voice” in the “Action group” dropdown menu and select the appropriate action group.
  10. In the “Alert rule details” section, set the “Severity” level to “Critical”.
  11. Click on the “Create alert rule” button to create the alert rule.
After following these steps, an Activity Log Alert will be created for Delete Security Solution in Azure.

To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Security Solution” in Azure using Azure CLI, you can follow the below steps:Step 1: Open the Azure CLI and log in to your Azure account using the command below:
az login
Step 2: Check if there is an existing Activity Log Alert for Delete Security Solution by running the command below:
az monitor activity-log alert list --query "[?contains(name, 'Delete Security Solution')]"
If there is an existing Activity Log Alert for Delete Security Solution, you can skip to Step 5. If there is no existing Activity Log Alert, proceed to the next step.Step 3: Create an Activity Log Alert for Delete Security Solution using the command below:
az monitor activity-log alert create --name "Delete Security Solution Alert" --description "Alert for Delete Security Solution" --condition category=Administrative and operationName=Microsoft.SecurityInsights/alertSolutions/delete --action-group "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Insights/actionGroups/{actionGroupName}" --enabled true
Note: Replace , , and with the appropriate values.Step 4: Verify that the Activity Log Alert has been created successfully by running the command below:
az monitor activity-log alert list --query "[?contains(name, 'Delete Security Solution')]"
Step 5: Verify that the Activity Log Alert is enabled by running the command below:
az monitor activity-log alert show --name "Delete Security Solution Alert" --query "enabled"
If the output is “true”, the Activity Log Alert is enabled. If the output is “false”, you can enable it using the command below:
az monitor activity-log alert update --name "Delete Security Solution Alert" --set enabled=true
That’s it! You have successfully remediated the misconfiguration “Ensure Activity Log Alert exists for Delete Security Solution” in Azure using Azure CLI.
To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Security Solution” in Azure using Python, you can follow the below steps:Step 1: Import the required libraries
from azure.mgmt.monitor import MonitorManagementClient
from azure.common.credentials import ServicePrincipalCredentials
Step 2: Authenticate with Azure using Service Principal credentials
credentials = ServicePrincipalCredentials(
    client_id='<client_id>',
    secret='<client_secret>',
    tenant='<tenant_id>'
)
Step 3: Create a MonitorManagementClient object
subscription_id = '<subscription_id>'
monitor_client = MonitorManagementClient(credentials, subscription_id)
Step 4: Define the required parameters for the Activity Log Alert
resource_group_name = '<resource_group_name>'
alert_rule_name = '<alert_rule_name>'
alert_description = '<alert_description>'
Step 5: Check if the Activity Log Alert already exists
alert_exists = False
for alert in monitor_client.activity_log_alerts.list_by_resource_group(resource_group_name):
    if alert.name == alert_rule_name:
        alert_exists = True
        break
Step 6: Create the Activity Log Alert if it does not exist
if not alert_exists:
    condition = {
        'allOf': [
            {
                'field': 'category',
                'equals': 'Administrative'
            },
            {
                'field': 'operationName',
                'equals': 'Microsoft.Security/securitySolutions/delete'
            }
        ]
    }
    action_group_id = '<action_group_id>'
    monitor_client.activity_log_alerts.create_or_update(
        resource_group_name,
        alert_rule_name,
        {
            'name': alert_rule_name,
            'description': alert_description,
            'condition': condition,
            'actions': {
                'action_groups': [{
                    'action_group_id': action_group_id
                }]
            }
        }
    )
Once you run the above code, it will create an Activity Log Alert for the misconfiguration “Ensure Activity Log Alert exists for Delete Security Solution” in Azure.

Additional Reading: