Monitor activity log alert does not exist for "Create Policy Assignment" events Affecting Monitor service in Azure

Severity Framework Snyk CCSS

Rule category Monitoring / Policy

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Azure HIPAA ISO-27001 PCI-DSS

Snyk ID SNYK-CC-00678
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Monitoring for "Create Policy Assignment" events may reduce the time it takes to detect unsolicited changes.

How to fix?

Set field operationName to Microsoft.Authorization/policyAssignments/write and set enabled to true.

Example Configuration

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Insights/activityLogAlerts",
            "apiVersion": "2017-04-01",
            "name": "default",
            "location": "global",
            "properties": {
                "scopes": [
                    "[subscription().id]"
                ],
                "condition": {
                    "allOf": [
                        {
                            "field": "category",
                            "equals": "Administrative"
                        },
                        {
                            "field": "operationName",
                            "equals": "Microsoft.Authorization/policyAssignments/Write"
                        }
                    ]
                },
                "actions": {
                    "actionGroups": []
                }
            }
        }
    ]
}

ARM

Microsoft.Insights activityLogAlerts

Terraform

azurerm_monitor_activity_log_alert

References

Activity log alerts