Monitor activity log alert is not configured for "Delete Policy Assignment" events Affecting Monitor service in Azure

Snyk CCSS

Monitoring / Policy

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Azure

Snyk ID SNYK-CC-00693
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Monitoring for "Delete Policy Assignment" events reduces the time for users to detect any unwanted changes to policy assignments.

How to fix?

Set field operationName to Microsoft.Authorization/policyAssignments/delete and set enabled to true.

Example Configuration

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
  {
    "type": "Microsoft.Insights/activityLogAlerts",
    "apiVersion": "2017-04-01",
    "name": "allowed1",
    "location": "global",
    "properties": {
      "scopes": [
        "[subscription().id]"
      ],
      "condition": {
        "allOf": [
          {
            "field": "category",
            "equals": "Administrative"
          },
          {
            "field": "operationName",
            "equals": "Microsoft.Authorization/policyAssignments/delete"
          }
        ]
      },
      "actions": {
        "actionGroups": []
      },
      "enabled": true
    }
  }
]
}

ARM

Microsoft.Insights activityLogAlerts

Terraform

azurerm_monitor_activity_log_alert

References

Activity log alerts