Description

Create an activity log alert for the Delete Security Solution event.

Rationale

Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.

Audit

From Azure Console

Navigate to the Monitor blade.
Click on Alerts.
In the Alerts window, click on Alert rules.
Ensure an alert rule exists where the Condition column contains Operation name=Microsoft.Security/securitySolutions/delete.
Click on the Alert Name associated with the previous step.
Ensure the Condition panel displays the text Whenever the Activity Log has an event with Category='Administrative', Operation name='Delete Security Solutions' and does not filter on Level, Status or Caller.
Ensure the Actions panel displays an Action group is assigned to notify the appropriate personnel in your organization.

From Azure CLI

az monitor activity-log alert list --subscription <subscription Id> --query "[].{Name:name,Enabled:enabled,check:condition.allOf,Actions:actions}"

Look for Microsoft.Security/securitySolutions/delete in the output.

From PowerShell

Get-AzActivityLogAlert -SubscriptionId <subscription ID>|where-object {$_.ConditionAllOf.Equal -match "Microsoft.Security/securitySolutions/delete"}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf

From Azure Policy

If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.

Policy ID: b954148f-4c11-4c38-8221-be76711e194a - Name: An activity log alert should exist for specific Administrative operations

Default Value

By default, no monitoring alerts are created.

Rationale​

Audit​

From Azure Console​

From Azure CLI​

From PowerShell​

From Azure Policy​

Default Value​

References​