Description

Create an activity log alert for the Delete Public IP Address rule.

Rationale

Monitoring for Delete Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

Impact

There will be a substantial increase in log size if there are a large number of administrative actions on a server.

Audit

From Azure Portal

Navigate to the Monitor blade.
Click on Alerts.
In the Alerts window, click on Alert rules.
Ensure an alert rule exists where the Condition column contains Operation name=Microsoft.Network/publicIPAddresses/delete.
Click on the Alert Name associated with the previous step.
Ensure the Condition panel displays the text Whenever the Activity Log has an event with Category='Administrative', Operation name='Delete Public Ip Address' and does not filter on Level, Status or Caller.
Ensure the Actions panel displays an Action group is assigned to notify the appropriate personnel in your organization.

From Azure CLI

az monitor activity-log alert list --subscription <subscription Id> --query "[].{Name:name,Enabled:enabled,check:condition.allOf,Actions:actions}"

Look for Microsoft.Network/publicIPAddresses/delete in the output.

From PowerShell

Get-AzActivityLogAlert -SubscriptionId <subscription ID>|where-object {$_.ConditionAllOf.Equal -match "Microsoft.Network/publicIPAddresses/delete"}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf

From Azure Policy

If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.

Policy ID: 1513498c-3091-461a-b321-e9b433218d28 - Name: Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics

Default Value

By default, no monitoring alerts are created or active.

Rationale​

Impact​

Audit​

From Azure Portal​

From Azure CLI​

From PowerShell​

From Azure Policy​

Default Value​

References​