Ensure that Activity Log Alert exists for Create Policy Assignment

Monitoring for policy assignment creation events gives insight into changes made to Azure Policy assignments and can reduce the time it takes to detect unsolicited changes. The operation name that the alert keys on, Microsoft.Authorization/policyAssignments/write, is logged for both creating and updating an assignment, so an alert on it also surfaces modifications to existing assignments.

Risk Level: Low
Cloud Entity: Azure Alert Rule
CloudGuard Rule ID: D9.AZU.MON.26
Covered by Spectral: Yes
Category: Management Tools

GSL LOGIC

List<ActivityLogAlertRule> should have items with [condition.allOf contain [ field='operationName' and equals='Microsoft.Authorization/policyAssignments/write' ] and enabled=true and not condition.allOf contain [ field='level' ] and not condition.allOf contain [ field='status' ] ]

REMEDIATION

From Portal
1. Navigate to the Monitor blade.
2. Click on Alerts.
3. Select Create, then select Alert rule.
4. In the 'Select a resource' section, configure the target that you wish to monitor. In this case, select the subscription to be monitored, then click Apply.
5. In the Condition tab, open the 'Signal name' dropdown and list all signals. Select the signal called 'Create policy assignment (Policy assignment)' and click Apply. Do not add a level or status filter to the condition: the rule logic above fails an alert rule that filters on either field.
6. Select the Actions tab. To use an existing action group, click Select action groups.
7. To create a new action group, click Create action group and fill in the appropriate details.
8. Select the Details tab.
9. Select a Resource group, provide an Alert rule name and an optional Alert rule description.
10. Click Review + create, then click Create.

From Command Line
Run the following, replacing the upper-case placeholders (the scope is the full subscription resource ID):

az monitor activity-log alert create --resource-group RESOURCEGROUP --condition "category=Administrative and operationName=Microsoft.Authorization/policyAssignments/write" --scope /subscriptions/SUBSCRIPTIONID --name ACTIVITYRULENAME --subscription SUBSCRIPTIONID --action-group ACTIONGROUPID --location global

Do not append a level=... or status=... clause to --condition. The rule logic above rejects any alert rule whose condition contains a level or status field, because such a filter narrows the rule: a rule restricted to level=Error, for example, never fires for a successful assignment write, which is logged at the Informational level.
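The GSL logic above and the CLI remediation both describe the same predicate: an enabled activity log alert rule whose condition.allOf contains operationName equals Microsoft.Authorization/policyAssignments/write and contains no level or status clause. The script below is an added example (not CloudGuard's or Microsoft's code) that applies that predicate to the JSON returned by `az monitor activity-log alert list -o json`, so you can verify a subscription after remediation without waiting for the next CloudGuard assessment. The three alert-rule objects embedded in it are constructed by hand in the shape of the ARM ActivityLogAlertResource (condition.allOf[] entries with field and equals, plus a top-level enabled flag, as the CLI returns after flattening properties); they are not rules from a real subscription, and the file name audit_policy_alert.py in the usage comment is assumed.

```python
"""Audit activity log alert rules against the GSL logic on this page.

Added example, not CloudGuard's own code. The alert-rule objects below are
constructed by hand in the shape of the ARM ActivityLogAlertResource that
`az monitor activity-log alert list -o json` returns (condition.allOf[]
with field/equals, plus enabled); they are not rules from a real subscription.
"""
import json
import sys

TARGET_OPERATION = "Microsoft.Authorization/policyAssignments/write"

# Constructed sample: one compliant rule, one disabled rule, and one that
# was created with a level= clause in its condition.
SAMPLE_ALERTS_JSON = json.dumps([
    {"name": "policy-assignment-create", "enabled": True,
     "condition": {"allOf": [
         {"field": "category", "equals": "Administrative"},
         {"field": "operationName", "equals": TARGET_OPERATION}]}},
    {"name": "policy-assignment-create-disabled", "enabled": False,
     "condition": {"allOf": [
         {"field": "category", "equals": "Administrative"},
         {"field": "operationName", "equals": TARGET_OPERATION}]}},
    {"name": "policy-assignment-create-errors-only", "enabled": True,
     "condition": {"allOf": [
         {"field": "category", "equals": "Administrative"},
         {"field": "operationName", "equals": TARGET_OPERATION},
         {"field": "level", "equals": "Error"}]}},
])


def failure_reason(alert, operation=TARGET_OPERATION):
    """Apply the GSL predicate to one rule. Returns None when the rule
    passes, otherwise a short reason naming the clause that failed."""
    if not alert.get("enabled", False):
        return "disabled"
    clauses = (alert.get("condition") or {}).get("allOf") or []
    fields = {c.get("field") for c in clauses}
    # A level or status filter narrows the rule: successful writes are logged
    # at Informational level, so a rule restricted to level=Error would never
    # fire for a successfully created or modified assignment.
    if "level" in fields:
        return "filters on level"
    if "status" in fields:
        return "filters on status"
    if not any(c.get("field") == "operationName" and c.get("equals") == operation
               for c in clauses):
        return "no operationName clause for " + operation
    return None


def evaluate(alerts_json, operation=TARGET_OPERATION):
    """Parse CLI output and report per rule; the subscription complies when
    at least one enabled, unfiltered rule targets the operation."""
    alerts = json.loads(alerts_json)
    passing, failing = [], {}
    for alert in alerts:
        reason = failure_reason(alert, operation)
        if reason is None:
            passing.append(alert["name"])
        else:
            failing[alert["name"]] = reason
    return {"compliant": bool(passing), "passing": passing, "failing": failing}


if __name__ == "__main__":
    # Pipe real output in with:
    #   az monitor activity-log alert list -o json | python3 audit_policy_alert.py
    # With nothing on stdin the constructed sample is evaluated instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ALERTS_JSON
    print(json.dumps(evaluate(data), indent=2))
```

Run without input to see the sample verdict (one passing rule, two failing with reasons); pipe the real CLI listing in to check a subscription. The per-rule reason is deliberately aligned with the GSL clauses so a failing rule can be mapped straight back to the part of the condition that needs changing.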

References

  1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement
  2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
  3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
  4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
  5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources

Azure Alert Rule

Alerts proactively notify you when issues are found with your infrastructure or application using your monitoring data in Azure Monitor. They allow you to identify and address issues before the users of your system notice them. Alert rules are separated from alerts and the actions taken when an alert fires. The alert rule captures the target and criteria for alerting. The alert rule can be in an enabled or a disabled state. Alerts only fire when enabled.

Compliance Frameworks

  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset