Ensure that an activity log alert is created for Delete PostgreSQL Database events

Create an activity log alert specifically for 'Delete PostgreSQL Database' events. This alert will promptly notify you when any deletion activity occurs within your PostgreSQL databases, helping you stay informed about critical changes in your environment. Stay proactive and maintain control over your data with this targeted alert in place.

Risk Level: High
Cloud Entity: Azure Alert Rule
CloudGuard Rule ID: D9.AZU.MON.88
Covered by Spectral: No
Category: Management Tools

GSL LOGIC

ActivityLogAlertRule should have condition.allOf contain [ equals='Microsoft.DBforPostgreSQL/servers/delete' ]

REMEDIATION

From Portal

  1. Go to the 'Monitor' page.
  2. Go to the 'Alerts' section and create a new 'Alert rule'.
  3. In the 'Resource Types' scpoe select 'Azure Database for PostgreSQL server', choose your subscription and click 'Apply'.
  4. In the 'Signal name' select 'Delete PostgreSQL Server' and click 'Apply'.
  5. In the 'Action' tab, select action groups as your needs.
  6. Create the new alert rule.

From TF

resource 'azurerm_monitor_activity_log_alert' 'test' {
	name                = 'delete-postgreSQL-alert'
	resource_group_name = var.test-rg
	scopes              = [var.postgresql_resource_id]
	
	criteria {
		category = 'Administrative'
		condition {
			field     = 'operationName'
			operator  = 'Equals'
			value     = 'Microsoft.DBforPostgreSQL/servers/databases/delete'
		}
	}
	
	action {
		action_group_id = azurerm_monitor_action_group.test.id
	}
}

From Command Line

  1. Run this command to create a new Alert rule.
az monitor activity-log alert create --name NAME --description DESCRIPTION --resource-group RESOURCE_GROUP --action-group ACTION_GROUP --condition category=Administrative and operationName=Microsoft.DBforPostgreSQL/servers/databases/delete

References

  1. https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule?tabs=metric
  2. https://saturncloud.io/blog/creating-an-azure-alert-rule-for-a-webtest-with-terraform-a-comprehensive-guide/

Azure Alert Rule

Alerts proactively notify you when issues are found with your infrastructure or application using your monitoring data in Azure Monitor. They allow you to identify and address issues before the users of your system notice them.Alert rules are separated from alerts and the actions taken when an alert fires. The alert rule captures the target and criteria for alerting. The alert rule can be in an enabled or a disabled state. Alerts only fire when enabled.

Compliance Frameworks

  • CloudGuard Azure All Rules Ruleset