Description

Create an activity log alert for the Delete Policy Assignment event.

Rationale

Monitoring for delete policy assignment events gives insight into changes done in "azure policy - assignments" and can reduce the time it takes to detect unsolicited changes.

Audit

This policy evaluates Azure Subscriptions for the presence of an Azure Activity Log Alert that captures Delete Policy Assignment events. A subscription is marked as INCOMPLIANT if it does not have an Activity Log Alert whose Condition JSON filters on the Microsoft.Authorization/policyAssignments/delete operation.

Default Value

By default, no monitoring alerts are created.

References

https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation
https://azure.microsoft.com/en-us/services/blueprints/

Additional Information

This log alert also applies for Azure Blueprints.

Rationale​

Audit​

Default Value​

References​

Additional Information​

Rationale

Audit

Default Value

References

Additional Information