Skip to main content

More Info:

Monitoring for ‘Create’ or ‘Update Security Policy’ events gives insight into changes to security policy and may reduce the time it takes to detect suspicious activity.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure Activity Log Alert exists for Create or Update Security Policy” in Azure using the Azure console, follow the below steps:
  1. Open the Azure Portal and navigate to the resource group that contains the security policy you want to monitor.
  2. Click on “Activity Log” in the left-hand menu.
  3. Click on “Alerts” in the Activity Log blade.
  4. Click on ”+ New alert rule” to create a new alert rule.
  5. In the “Create alert rule” blade, select the “Activity Log” option under “Resource” and select the appropriate subscription from the drop-down menu.
  6. Under “Condition”, select “Signal logic” and then select “Activity log”.
  7. In the “Activity log” blade, select “Event category” and then select “Administrative”.
  8. Under “Event types”, select “Write” and then select “Microsoft.Network/networkSecurityGroups/write”.
  9. Under “Filter”, select “Add filter” and then select “Resource ID”.
  10. Enter the resource ID of the security policy you want to monitor.
  11. Under “Actions”, select “Add action group” and then select “Create action group”.
  12. In the “Create action group” blade, enter a name for the action group and select the appropriate subscription, resource group, and region.
  13. Under “Actions”, select “Add action” and then select “Email/SMS/Push/Voice”.
  14. Enter the email address of the person or group who should receive alerts.
  15. Click on “Create” to create the alert rule.
By following the above steps, you will be able to create an activity log alert for the create or update security policy in Azure.

To remediate the misconfiguration “Ensure Activity Log Alert exists for Create or Update Security Policy” in Azure using Azure CLI, follow the below steps:Step 1: Open Azure CLI and login to your Azure account using the below command:
az login
Step 2: Once you are logged in, set the default subscription where your resources are deployed using the below command:
az account set --subscription <subscription-id>
Step 3: Create an Activity Log Alert using the below command:
az monitor activity-log alert create --name <alert-name> --resource-group <resource-group-name> --condition category=Policy --action-group <action-group-id> --description "Alert for Create or Update Security Policy"
Note: Replace <alert-name>, <resource-group-name> and <action-group-id> with the appropriate values.Step 4: Verify the Activity Log Alert using the below command:
az monitor activity-log alert show --name <alert-name> --resource-group <resource-group-name>
Note: Replace <alert-name> and <resource-group-name> with the appropriate values.Step 5: If the output of the above command shows the details of the Activity Log Alert, then the remediation is successful.By following the above steps, you can remediate the misconfiguration “Ensure Activity Log Alert exists for Create or Update Security Policy” in Azure using Azure CLI.
To remediate the misconfiguration “Ensure Activity Log Alert exists for Create or Update Security Policy” in Azure using Python, you can follow the below steps:
  1. Install the Azure SDK for Python using the following command:
pip install azure-mgmt-monitor
  1. Authenticate to Azure using the Azure SDK for Python. You can use the following code to authenticate using a Service Principal:
from azure.common.credentials import ServicePrincipalCredentials

TENANT_ID = '<your tenant id>'
CLIENT_ID = '<your client id>'
CLIENT_SECRET = '<your client secret>'

credentials = ServicePrincipalCredentials(
    client_id=CLIENT_ID,
    secret=CLIENT_SECRET,
    tenant=TENANT_ID
)
  1. Use the Azure SDK for Python to check if an Activity Log Alert exists for Create or Update Security Policy. You can use the following code to check if the alert exists:
from azure.mgmt.monitor import MonitorManagementClient
from azure.mgmt.monitor.models import AlertRuleResource

SUBSCRIPTION_ID = '<your subscription id>'
RESOURCE_GROUP_NAME = '<your resource group name>'
ALERT_RULE_NAME = '<your alert rule name>'

monitor_client = MonitorManagementClient(credentials, SUBSCRIPTION_ID)

alert_rule = monitor_client.alert_rules.get(
    resource_group_name=RESOURCE_GROUP_NAME,
    rule_name=ALERT_RULE_NAME
)

if isinstance(alert_rule, AlertRuleResource) and alert_rule.condition.all_of[0].field == 'resourceType' and alert_rule.condition.all_of[0].equals == 'Microsoft.Network/networkSecurityGroups' and alert_rule.condition.all_of[1].field == 'operationName' and alert_rule.condition.all_of[1].equals == 'Microsoft.Network/networkSecurityGroups/securityRules/write':
    print('Activity Log Alert exists for Create or Update Security Policy')
else:
    print('Activity Log Alert does not exist for Create or Update Security Policy')
  1. If the alert does not exist, use the Azure SDK for Python to create the Activity Log Alert. You can use the following code to create the alert:
from azure.mgmt.monitor.models import AlertRuleAllOfCondition, AlertRuleAnyOfOrLeafCondition, AlertRuleActionGroup, AlertRuleActionList, AlertRuleEmailAction, AlertRuleResource

ACTION_GROUP_ID = '<your action group id>'
ALERT_RULE_NAME = '<your alert rule name>'

condition = AlertRuleAllOfCondition(
    all_of=[
        AlertRuleAnyOfOrLeafCondition(
            field='resourceType',
            equals='Microsoft.Network/networkSecurityGroups'
        ),
        AlertRuleAnyOfOrLeafCondition(
            field='operationName',
            equals='Microsoft.Network/networkSecurityGroups/securityRules/write'
        )
    ]
)

action_group = AlertRuleActionGroup(
    action_group_id=ACTION_GROUP_ID
)

action_list = AlertRuleActionList(
    email_actions=[
        AlertRuleEmailAction(
            send_to_service_owners=True
        )
    ],
    action_groups=[
        action_group
    ]
)

alert_rule = AlertRuleResource(
    location='global',
    alert_rule_name=ALERT_RULE_NAME,
    description='Activity Log Alert for Create or Update Security Policy',
    condition=condition,
    actions=action_list,
    is_enabled=True
)

monitor_client.alert_rules.create_or_update(
    resource_group_name=RESOURCE_GROUP_NAME,
    rule_name=ALERT_RULE_NAME,
    parameters=alert_rule
)

print('Activity Log Alert created for Create or Update Security Policy')
By following the above steps, you can remediate the misconfiguration “Ensure Activity Log Alert exists for Create or Update Security Policy” in Azure using Python.

Additional Reading: