Azure_Monitor_7

Ensure that Activity Log Alert exists for Delete Security Solution

Description

Create an activity log alert for the Delete Security Solution event.

Remediation

Azure Command Line Interface 2.0:

Use the command below to create an Activity Log Alert for the Delete Security Solution event (it fetches a bearer token with the Azure CLI, then issues a PUT to the Activity Log Alerts REST API):

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_ToCreate_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01" -d @input.json'

where input.json contains the request body shown below (the subscription ID and token printed by `az account get-access-token` become `$0` and `$1` inside the `bash -c` string).

{
  "location": "Global",
  "tags": {},
  "properties": {
    "scopes": [
      "/subscriptions/<Subscription_ID>"
    ],
    "enabled": true,
    "condition": {
      "allOf": [
        {
          "containsAny": null,
          "equals": "Administrative",
          "field": "category"
        },
        {
          "containsAny": null,
          "equals": "Microsoft.Security/securitySolutions/delete",
          "field": "operationName"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
          "webhookProperties": null
        }
      ]
    }
  }
}

Configurable Parameters for command line:

  1. <Resource_Group_ToCreate_Alert_In>
  2. <Unique_Alert_Name>

Configurable Parameters for input.json:

  1. <Subscription_ID> in scopes
  2. <Subscription_ID> in actionGroupId
  3. <Resource_Group_For_Alert_Group> in actionGroupId
  4. <Alert_Group> in actionGroupId
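The remediation above creates the alert, but a practitioner also needs to verify that such an alert exists and is effective. The following is an added example, not part of this rule page or of any vendor tooling: it builds the same request body as input.json from the four configurable parameters, and audits the JSON returned by the listBySubscriptionId call (reference 4, assumed to have the shape `{"value": [ ...alert resources... ]}`) for an alert that is enabled, scoped to the whole subscription, has an action group, and matches both the Administrative category and the Microsoft.Security/securitySolutions/delete operation. The sample list response, the subscription ID and the resource names are constructed for illustration.

```python
import json

# Category and operation that Azure_Monitor_7 expects the alert to match
# (values taken from the rule's input.json above).
TARGET_CATEGORY = "Administrative"
TARGET_OPERATION = "Microsoft.Security/securitySolutions/delete"


def build_alert_body(subscription_id, action_group_rg, action_group_name):
    """Return the PUT request body from the remediation with the
    <Subscription_ID>, <Resource_Group_For_Alert_Group> and <Alert_Group>
    placeholders filled in."""
    action_group_id = (
        f"/subscriptions/{subscription_id}/resourceGroups/{action_group_rg}"
        f"/providers/microsoft.insights/actionGroups/{action_group_name}"
    )
    return {
        "location": "Global",
        "tags": {},
        "properties": {
            "scopes": [f"/subscriptions/{subscription_id}"],
            "enabled": True,
            "condition": {
                "allOf": [
                    {"containsAny": None, "equals": TARGET_CATEGORY, "field": "category"},
                    {"containsAny": None, "equals": TARGET_OPERATION, "field": "operationName"},
                ]
            },
            "actions": {
                "actionGroups": [{"actionGroupId": action_group_id, "webhookProperties": None}]
            },
        },
    }


def _leaf_matches(leaf, field, value):
    """True if one allOf entry pins `field` to `value`, either through `equals`
    or through a `containsAny` list. Azure compares these case-insensitively."""
    if (leaf.get("field") or "").lower() != field.lower():
        return False
    if (leaf.get("equals") or "").lower() == value.lower():
        return True
    return value.lower() in [v.lower() for v in (leaf.get("containsAny") or [])]


def alert_covers_delete_security_solution(alert, subscription_id):
    """Audit one activityLogAlert resource (assumed shape: the body above plus
    id/name/type). It must be enabled, scoped to the whole subscription,
    conditioned on the target category and operation, and wired to an action
    group; an alert that notifies nobody does not satisfy the control."""
    props = alert.get("properties", {})
    if not props.get("enabled", False):
        return False
    wanted_scope = f"/subscriptions/{subscription_id}".lower()
    if wanted_scope not in [s.lower() for s in props.get("scopes", [])]:
        return False
    leaves = props.get("condition", {}).get("allOf", [])
    has_category = any(_leaf_matches(leaf, "category", TARGET_CATEGORY) for leaf in leaves)
    has_operation = any(_leaf_matches(leaf, "operationName", TARGET_OPERATION) for leaf in leaves)
    has_action = bool(props.get("actions", {}).get("actionGroups"))
    return has_category and has_operation and has_action


def compliant_alert_names(list_response_json, subscription_id):
    """Given the JSON text of the listBySubscriptionId response
    ({"value": [...]}, an assumption about the API shape), return the names of
    the alerts that satisfy Azure_Monitor_7. An empty list means a finding."""
    alerts = json.loads(list_response_json).get("value", [])
    return [a.get("name") for a in alerts if alert_covers_delete_security_solution(a, subscription_id)]


# Constructed sample data (not from any real tenant): one compliant alert built from
# the remediation body, a disabled copy of it, and an alert for a different operation.
SUB = "00000000-0000-0000-0000-000000000000"
_good = {"name": "delete-security-solution-alert", **build_alert_body(SUB, "rg-alerts", "ag-secops")}
_disabled = json.loads(json.dumps(_good))
_disabled["name"] = "disabled-copy"
_disabled["properties"]["enabled"] = False
_other = json.loads(json.dumps(_good))
_other["name"] = "policy-assignment-alert"
_other["properties"]["condition"]["allOf"][1]["equals"] = "Microsoft.Authorization/policyAssignments/delete"
SAMPLE_LIST_RESPONSE = json.dumps({"value": [_good, _disabled, _other]})

if __name__ == "__main__":
    names = compliant_alert_names(SAMPLE_LIST_RESPONSE, SUB)
    print("Azure_Monitor_7 satisfied by:", names)  # ['delete-security-solution-alert']
```

To run this against a real subscription, save the response of the listBySubscriptionId GET (obtained with the same token-and-curl pattern as the remediation command) to a file and pass its contents to `compliant_alert_names`; an empty result means the alert is missing, disabled, scoped too narrowly, or has no action group, each of which leaves a Security Solution deletion unnoticed.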

References:

  1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement
  2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
  3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
  4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid

Service

Logging and Monitoring

Severity

Medium

Compliance

Mapping
