Azure_Monitor_3

Ensure that Activity Log Alert exists for Delete Network Security Group

Description

Create an activity log alert for the Delete Network Security Group event.

Remediation

Azure Command Line Interface 2.0:

Use the command below to create an Activity Log Alert for the Delete Network Security Group operation.

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_To_Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01" -d@"input.json"'

Here input.json contains the request body JSON shown below.

{
  "location": "Global",
  "tags": {},
  "properties": {
    "scopes": ["/subscriptions/<Subscription_ID>"],
    "enabled": true,
    "condition": {
      "allOf": [
        {"containsAny": null, "equals": "Administrative", "field": "category"},
        {"containsAny": null, "equals": "Microsoft.Network/networkSecurityGroups/delete", "field": "operationName"}
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
          "webhookProperties": null
        }
      ]
    }
  }
}

Configurable Parameters for command line:

  1. <Resource_Group_To_Create_Alert_In>
  2. <Unique_Alert_Name>

Configurable Parameters for input.json:

  1. <Subscription_ID> in scopes
  2. <Subscription_ID> in actionGroupId
  3. <Resource_Group_For_Alert_Group> in actionGroupId
  4. <Alert_Group> in actionGroupId
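
To verify that the control is actually met after remediation, the following added example (not part of the original policy text) audits a list of activity log alerts, in the same shape as input.json, for one that is enabled, scoped to the whole subscription, matches the Delete Network Security Group operation and notifies an action group. The function names, the sample alerts and the stricter rule that any extra condition counts as narrowing the alert are assumptions of this example.

```python
import json

NSG_DELETE = "Microsoft.Network/networkSecurityGroups/delete"
EXPECTED = {"category": "administrative", "operationname": NSG_DELETE.lower()}

def leaf_conditions(props):
    """Map each allOf condition's field to its 'equals' value, lower-cased."""
    all_of = (props.get("condition") or {}).get("allOf") or []
    return {str(c.get("field", "")).lower(): str(c.get("equals") or "").lower()
            for c in all_of}

def covers_nsg_delete(alert, subscription_id):
    """True if the alert is enabled, subscription-wide, unfiltered and actionable."""
    props = alert.get("properties") or alert  # REST nests under "properties"; flat fallback
    if props.get("enabled") is not True:
        return False
    scopes = {s.lower().rstrip("/") for s in props.get("scopes") or []}
    if f"/subscriptions/{subscription_id}".lower() not in scopes:
        return False  # e.g. scoped to a single resource group only
    if leaf_conditions(props) != EXPECTED:
        return False  # wrong operation, or extra conditions that narrow the alert
    groups = (props.get("actions") or {}).get("actionGroups") or []
    return any(g.get("actionGroupId") for g in groups)

def audit(alerts_json, subscription_id):
    """Return names of compliant alerts; an empty list means the check fails."""
    data = json.loads(alerts_json)
    alerts = data.get("value", []) if isinstance(data, dict) else data
    return [a.get("name") for a in alerts if covers_nsg_delete(a, subscription_id)]

# Constructed sample data (not real resources), shaped like the page's input.json.
SUB = "00000000-0000-0000-0000-000000000000"

def sample_alert(name, enabled=True, scope=f"/subscriptions/{SUB}", op=NSG_DELETE, group=True):
    ag = {"actionGroupId": f"/subscriptions/{SUB}/resourceGroups/rg-sec"
          "/providers/microsoft.insights/actionGroups/secops", "webhookProperties": None}
    return {"name": name, "location": "Global", "properties": {
        "scopes": [scope], "enabled": enabled,
        "condition": {"allOf": [
            {"containsAny": None, "equals": "Administrative", "field": "category"},
            {"containsAny": None, "equals": op, "field": "operationName"}]},
        "actions": {"actionGroups": [ag] if group else []}}}

SAMPLE = json.dumps({"value": [
    sample_alert("nsg-delete-ok"),
    sample_alert("nsg-delete-disabled", enabled=False),
    sample_alert("nsg-delete-one-rg", scope=f"/subscriptions/{SUB}/resourceGroups/rg-app"),
    sample_alert("nsg-write-only", op="Microsoft.Network/networkSecurityGroups/write"),
    sample_alert("nsg-delete-no-action", group=False)]})
```

Calling audit(SAMPLE, SUB) returns only the first alert; in practice the input would be the JSON returned by the list-by-subscription call in reference 4.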

References:

  1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement
  2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
  3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
  4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid 

Service

Logging and Monitoring

Severity

Medium

Compliance

Mapping
