
Description

Create an activity log alert for the Delete Policy Assignment event.

Rationale

Monitoring for Delete Policy Assignment events gives insight into changes made to Azure Policy assignments and can reduce the time it takes to detect unsolicited changes.

Audit

This policy evaluates Azure Subscriptions for the presence of an Azure Activity Log Alert that captures Delete Policy Assignment events. A subscription is marked as INCOMPLIANT if it does not have an Activity Log Alert whose Condition JSON filters on the Microsoft.Authorization/policyAssignments/delete operation.
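The check described above, written out as an added example (not the benchmark's own audit code): it walks the alert list in the shape returned by the activityLogAlerts list-by-subscription API and applies the same rule, plus the two practical caveats that the alert must be enabled and scoped to the subscription being evaluated. The alert list and subscription GUID are constructed sample data.

```python
"""Evaluate a subscription's activity log alerts for the Delete Policy Assignment check."""

TARGET_OP = "microsoft.authorization/policyassignments/delete"

# Constructed sample in the shape of the activityLogAlerts list response,
# trimmed to the fields the check needs; the subscription GUID is a placeholder.
SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE_ALERTS = {"value": [
    {"name": "policy-assignment-delete", "properties": {
        "scopes": [f"/subscriptions/{SAMPLE_SUB}"], "enabled": True,
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName",
             "equals": "Microsoft.Authorization/policyAssignments/delete"}]}}},
    {"name": "disabled-duplicate", "properties": {
        "scopes": [f"/subscriptions/{SAMPLE_SUB}"], "enabled": False,
        "condition": {"allOf": [
            {"field": "operationName",
             "equals": "Microsoft.Authorization/policyAssignments/delete"}]}}},
]}


def alert_covers(alert: dict, subscription_id: str) -> bool:
    """True if the alert is enabled, scoped to the subscription and its
    condition JSON filters on the policyAssignments/delete operation."""
    props = alert.get("properties", {})
    if not props.get("enabled", False):
        return False  # a disabled alert fires nothing
    scope = f"/subscriptions/{subscription_id}".lower()
    if scope not in (s.lower() for s in props.get("scopes", [])):
        return False  # scoped elsewhere (another subscription or a resource group)
    for clause in props.get("condition", {}).get("allOf", []):
        if (clause.get("field", "").lower() == "operationname"
                and clause.get("equals", "").lower() == TARGET_OP):
            return True
    return False


def evaluate_subscription(alerts: dict, subscription_id: str) -> str:
    """Mirror the Audit wording: COMPLIANT when at least one alert covers the event."""
    if any(alert_covers(a, subscription_id) for a in alerts.get("value", [])):
        return "COMPLIANT"
    return "INCOMPLIANT"


if __name__ == "__main__":
    print(evaluate_subscription(SAMPLE_ALERTS, SAMPLE_SUB))  # COMPLIANT
```

Feeding the real list response (reference 3) into evaluate_subscription gives the same verdict the benchmark check produces for that subscription.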

Default Value

By default, no monitoring alerts are created.

References

  1. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
  2. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
  3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
  4. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation
  5. https://azure.microsoft.com/en-us/services/blueprints/

Additional Information

This log alert also applies to Azure Blueprints.