Skip to main content

πŸ“ Azure Subscription Activity Log Alert for Delete Policy Assignment does not exist 🟒

  • Contextual name: πŸ“ Activity Log Alert for Delete Policy Assignment does not exist 🟒
  • ID: /ce/ca/azure/subscription/activity-log-alert-for-delete-policy-assignment
  • Located in: πŸ“ Azure Subscription

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-9002886f1

Logic​

Description​

Open File

Description​

Create an activity log alert for the Delete Policy Assignment event.

Rationale​

Monitoring for delete policy assignment events gives insight into changes done in "azure policy - assignments" and can reduce the time it takes to detect unsolicited changes.

Audit​

This policy evaluates Azure Subscriptions for the presence of an Azure Activity Log Alert that captures Delete Policy Assignment events. A subscription is marked asΒ INCOMPLIANTΒ if it does not have an Activity Log Alert whose Condition JSON filters on theΒ Microsoft.Authorization/policyAssignments/deleteΒ operation.

Default Value​

By default, no monitoring alerts are created.

References​

  1. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
  2. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
  3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
  4. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation

... see more

Remediation​

Open File

Remediation​

From Azure Portal​

  1. Navigate to the Monitor blade.
  2. Select Alerts.
  3. Select Create.
  4. Select Alert rule.
  5. Choose a subscription.
  6. Select Apply.
  7. Select the Condition tab.
  8. Click See all signals.
  9. Select Delete policy assignment (Policy assignment).
  10. Click Apply.
  11. Select the Actions tab.
  12. Click Select action groups to select an existing action group, or Create action group to create a new action group.
  13. Follow the prompts to choose or create an action group.
  14. Select the Details tab.
  15. Select a Resource group, provide an Alert rule name and an optional Alert rule description.
  16. Click Review + create.
  17. Click Create.

From Azure CLI​

az monitor activity-log alert create --resource-group "<resource group name>" --condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete and level=<verbose | information | warning | error | critical> --scope "/subscriptions/<subscription ID>" --name "<activity log rule name>" --subscription <subscription id> --action-group <action group ID>

... [see more](remediation.md)

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 16b situational awareness and intelligence;67
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36a change management β€”information security is addressed as part of the change management process and the information asset inventory is updated;78
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 44b deletion or corruption of both production and backup data, either through malicious intent, user error or system malfunction;67
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 67b scanning for unauthorised hardware, software and changes to configurations;78
πŸ’Ό CIS Azure v1.3.0 β†’ πŸ’Ό 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment - Level 1 (Automated)11
πŸ’Ό CIS Azure v1.4.0 β†’ πŸ’Ό 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment - Level 1 (Automated)11
πŸ’Ό CIS Azure v1.5.0 β†’ πŸ’Ό 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment - Level 1 (Automated)11
πŸ’Ό CIS Azure v2.0.0 β†’ πŸ’Ό 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment - Level 1 (Automated)11
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment - Level 1 (Automated)11
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 6.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment (Automated)1
πŸ’Ό CIS Azure v4.0.0 β†’ πŸ’Ό 7.1.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Alerting and Notification26
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(4) Automated Audit Actions (M)(H)16
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(7) Privileged User Accounts (M)(H)67
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)726
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-3(1) Additional Audit Information (M)(H)14
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)62030
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-9 Protection of Audit Information (L)(M)(H)3810
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-11 Audit Record Retention (L)(M)(H)1618
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)265
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-5(1) Automated Access Enforcement and Audit Records (M)(H)78
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4(20) Privileged Users (H)4851
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)24
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-9 Protection of Audit Information (L)(M)(H)10
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-11 Audit Record Retention (L)(M)(H)18
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)65
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(4) Automated Audit Actions (M)(H)16
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(7) Privileged User Accounts (M)(H)7
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)26
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-3(1) Additional Audit Information (M)(H)14
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)230
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-9 Protection of Audit Information (L)(M)(H)110
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-11 Audit Record Retention (L)(M)(H)18
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)65
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-5(1) Automated Access Enforcement and Audit Records (M)(H)8
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.12.4.1 Event logging1518
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.12.4.3 Administrator and operator logs78
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.16.1.2 Reporting information security events910
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.28 Collection of evidence1421
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.15 Logging1834
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-2: Detected events are analyzed to understand attack targets and methods1823
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-3: Event data are collected and correlated from multiple sources and sensors1837
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-1: The network is monitored to detect potential cybersecurity events1841
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events2026
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed1823
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.DP-4: Event detection information is communicated2932
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations1519
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy1632
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό RS.AN-1: Notifications from detection systems are investigated1823
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό RS.CO-2: Incidents are reported consistent with established criteria1922
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό RS.CO-3: Information is shared consistent with response plans1617
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-02: Potentially adverse events are analyzed to better understand associated activities31
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-03: Information is correlated from multiple sources46
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-06: Information on adverse events is provided to authorized staff and tools32
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis37
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events115
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events81
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-06: External service provider activities and services are monitored to find potentially adverse events31
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events134
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship26
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-10: Critical suppliers are assessed prior to acquisition26
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging22
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.CO-02: Internal and external stakeholders are notified of incidents30
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.CO-03: Information is shared with designated internal and external stakeholders18
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.MA-02: Incident reports are triaged and validated24
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-2(4) Account Management _ Automated Audit Actions1416
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-3(1) Content of Audit Records _ Additional Audit Information1314
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-12 Audit Record Generation44765
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2.5 Use of and changes to identification and authentication mechanisms.116
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.5 Audit logs capture all changes to identification and authentication credentials.16
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.5 Audit logs capture all changes to identification and authentication credentials.16
πŸ’Ό SOC 2 β†’ πŸ’Ό CC5.2-3 Establishes Relevant Security Management Process Controls Activities1535