Description

Create an activity log alert for the Delete Public IP Address event.

Rationale

Monitoring for Delete Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

Impact

There will be a substantial increase in log size if there are a large number of administrative actions on a server.

Audit

This policy flags an Azure Subscription as INCOMPLIANT if it does not have an enabled related Azure Activity Log Alert scoped to the subscription whose Condition JSON filters on the Administrative category and the Microsoft.Network/publicIPAddresses/delete operation.

Default Value

By default, no monitoring alerts are created or active.

References

https://azure.microsoft.com/en-us/updates?id=classic-alerting-monitoring-retirement
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-activity-log-alert-rule
https://learn.microsoft.com/en-us/rest/api/monitor/activity-log-alerts/create-or-update
https://learn.microsoft.com/en-us/rest/api/monitor/activity-log-alerts/list-by-subscription-id
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation

Rationale​

Impact​

Audit​

Default Value​

References​

Rationale

Impact

Audit

Default Value

References