More Info:

Monitoring for ‘Create’ or ‘Update Security Policy’ events gives insight into changes to security policy and may reduce the time it takes to detect suspicious activity.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

Triage and Remediation

Remediation

To remediate the misconfiguration “Ensure Activity Log Alert exists for Create or Update Security Policy” in Azure using the Azure console, follow the steps below:

  1. Open the Azure Portal and navigate to the resource group that contains the security policy you want to monitor.
  2. Click on “Activity Log” in the left-hand menu.
  3. Click on “Alerts” in the Activity Log blade.
  4. Click on “+ New alert rule” to create a new alert rule.
  5. In the “Create alert rule” blade, select the “Activity Log” option under “Resource” and select the appropriate subscription from the drop-down menu.
  6. Under “Condition”, select “Signal logic” and then select “Activity log”.
  7. In the “Activity log” blade, select “Event category” and then select “Administrative”.
  8. Under “Event types”, select “Write” and then select “Microsoft.Network/networkSecurityGroups/write”.
  9. Under “Filter”, select “Add filter” and then select “Resource ID”.
  10. Enter the resource ID of the security policy you want to monitor.
  11. Under “Actions”, select “Add action group” and then select “Create action group”.
  12. In the “Create action group” blade, enter a name for the action group and select the appropriate subscription, resource group, and region.
  13. Under “Actions”, select “Add action” and then select “Email/SMS/Push/Voice”.
  14. Enter the email address of the person or group who should receive alerts.
  15. Click on “Create” to create the alert rule.

By following the above steps, you will have created an activity log alert that fires whenever a security policy is created or updated in Azure.
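To verify that the control is actually satisfied after the portal steps, it helps to audit the subscription's alert rules programmatically. The checker below is an added example, not part of the original page: it takes activity log alert resources in the JSON shape returned by `az monitor activity-log alert list`, flattens each rule's condition, and reports which enabled rules with an action group fire on a given Administrative operation. It defaults to `Microsoft.Security/policies/write`, the operation the CIS "Create or Update Security Policy" control is keyed on, while step 8 above selects the network security group write operation, so the operation is a parameter and both can be checked. The alert list is constructed sample data.

```python
import json
from typing import Any, Dict, List, Set

# Operation name behind the "Create or Update Security Policy" control.
SECURITY_POLICY_WRITE = "Microsoft.Security/policies/write"

# Constructed sample in the shape of `az monitor activity-log alert list`
# (trimmed to the fields that matter); action group ids are placeholders.
SAMPLE_ALERTS: List[Dict[str, Any]] = json.loads("""
[
 {"name": "nsg-write-alert", "properties": {"enabled": true,
   "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
     {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]},
   "actions": {"actionGroups": [{"actionGroupId": "ACTION-GROUP-ID-PLACEHOLDER"}]}}},
 {"name": "secpol-alert-disabled", "properties": {"enabled": false,
   "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
     {"field": "operationName", "equals": "Microsoft.Security/policies/write"}]},
   "actions": {"actionGroups": [{"actionGroupId": "ACTION-GROUP-ID-PLACEHOLDER"}]}}},
 {"name": "secpol-alert", "properties": {"enabled": true,
   "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
     {"field": "operationName", "equals": "microsoft.security/policies/write"}]},
   "actions": {"actionGroups": [{"actionGroupId": "ACTION-GROUP-ID-PLACEHOLDER"}]}}}
]
""")


def _leaves(cond: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten allOf/anyOf nesting into leaf clauses (coverage check only; it does
    not evaluate the boolean structure, just which field/equals pairs appear)."""
    out: List[Dict[str, Any]] = []
    for key in ("allOf", "anyOf"):
        for sub in cond.get(key, []):
            out.extend(_leaves(sub) if ("allOf" in sub or "anyOf" in sub) else [sub])
    return out


def alert_covers(alert: Dict[str, Any], operation: str) -> bool:
    """True if the rule is enabled, routes to an action group, and matches
    `operation` in the Administrative category (Azure compares case-insensitively)."""
    props = alert.get("properties", {})
    if not props.get("enabled", False):
        return False
    if not props.get("actions", {}).get("actionGroups"):
        return False  # a rule with no action group never notifies anyone
    seen: Dict[str, Set[str]] = {}
    for leaf in _leaves(props.get("condition", {})):
        if leaf.get("equals") is not None:
            seen.setdefault(str(leaf.get("field", "")).lower(), set()).add(str(leaf["equals"]).lower())
    return "administrative" in seen.get("category", set()) and operation.lower() in seen.get("operationname", set())


def covering_alerts(alerts: List[Dict[str, Any]], operation: str = SECURITY_POLICY_WRITE) -> List[str]:
    """Names of rules satisfying the control; an empty list means the control fails."""
    return [a.get("name", "?") for a in alerts if alert_covers(a, operation)]
```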

Additional Reading: