Remediation

From Azure Portal

1. Navigate to the Monitor blade.
2. Select Alerts.
3. Select Create.
4. Select Alert rule.
5. Choose a subscription.
6. Select Apply.
7. Select the Condition tab.
8. Click See all signals.
9. Select Create or Update Security Solutions (Security Solutions).
10. Click Apply.
11. Select the Actions tab.
12. Click Select action groups to select an existing action group, or Create action group to create a new action group.
13. Follow the prompts to choose or create an action group.
14. Select the Details tab.
15. Select a Resource group, provide an Alert rule name and an optional Alert rule description.
16. Click Review + create.
17. Click Create.

From Azure CLI

az monitor activity-log alert create --resource-group "<resource group name>" --condition category=Administrative and operationName=Microsoft.Security/securitySolutions/write and level=<verbose | information | warning | error | critical> --scope "/subscriptions/<subscription ID>" --name "<activity log rule name>" --subscription <subscription id> --action-group <action group ID>

From PowerShell

Create the Conditions object:

$conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Security/securitySolutions/write -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level

Retrieve the Action Group information and store in a variable, then create the Actions object:

$actionGroup = Get-AzActionGroup -ResourceGroupName <resource group name> -Name <action group name> $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id

Create the Scope object:

$scope = "/subscriptions/<subscription ID>"

Create the Activity Log Alert Rule for Microsoft.Security/securitySolutions/write:

New-AzActivityLogAlert -Name "<activity log alert rule name>" -ResourceGroupName "<resource group name>" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription <subscription ID> -Enabled $true