Ensure that an Azure activity log alert is fired whenever "Deallocate Virtual Machine" events are triggered within your Microsoft Azure cloud account. An Azure activity log alert is triggered when a new activity log event that matches the condition specified in the alert configuration occurs. For this conformity rule, the matched condition is `Whenever the Administrative Activity Log "Deallocate Virtual Machine (Microsoft.Compute/virtualMachines)" has "any" Event level, with "any" Status and Event initiated by "any"`.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
When you deallocate a virtual machine (VM), you not only stop the VM's operating system but also release the hardware and network resources (i.e. public and internal IPs) that Microsoft Azure provisioned for it. While the virtual machine is stopped (i.e. deallocated), its service endpoints no longer accept network traffic, so the application workload running on the deallocated VM becomes unavailable. Monitoring your Microsoft Azure account for "Deallocate Virtual Machine" events helps reduce the time it takes to detect and mitigate unauthorized activity at the VM level and improves the availability of your cloud applications.
Audit
To determine if there are any activity log alerts created for "Deallocate Virtual Machine" events in your Microsoft Azure cloud account, perform the following actions:
Remediation / Resolution
To create a Microsoft Azure activity log alert for "Deallocate Virtual Machine (Microsoft.Compute/virtualMachines)" events, perform the following actions:
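The audit and remediation steps above can both be expressed against the Azure CLI referenced at the end of this page. The following is an added example, not part of the Conformity rule text or Trend Micro's tooling: it evaluates the JSON that `az monitor activity-log alert list --output json` returns (here a constructed sample in that shape, not real account data), flags alerts that are disabled, lack an action group, or narrow the rule's "any" event level, status or caller, and builds the `az monitor activity-log alert create` command that satisfies the condition. The operation name `Microsoft.Compute/virtualMachines/deallocate/action` is the activity log operation behind the portal label "Deallocate Virtual Machine"; the resource group, subscription and action group values are caller-supplied placeholders.

```python
"""Audit and remediate 'Deallocate Virtual Machine' activity log alerts.

Added example: SAMPLE_ALERT_LIST is a CONSTRUCTED stand-in shaped like the
output of `az monitor activity-log alert list --output json`; it is not real data.
"""
import json
import shlex

# Activity log operation behind the portal label "Deallocate Virtual Machine".
DEALLOCATE_OP = "Microsoft.Compute/virtualMachines/deallocate/action"

# Leaf-condition fields that would narrow the rule's "any" level / status / caller.
NARROWING_FIELDS = {"level", "status", "caller"}

# Placeholder action group id (constructed, not a real resource).
AG_ID = ("/subscriptions/<subscription-id>/resourceGroups/<rg>"
         "/providers/microsoft.insights/actionGroups/ag-ops")

SAMPLE_ALERT_LIST = json.dumps([
    {   # Matches deallocate but only when the operation succeeded: too narrow.
        "name": "vm-deallocate-succeeded-only", "enabled": True,
        "scopes": ["/subscriptions/<subscription-id>"],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": DEALLOCATE_OP},
            {"field": "status", "equals": "Succeeded"}]},
        "actions": {"actionGroups": [{"actionGroupId": AG_ID}]},
    },
    {   # Correct condition, but the alert itself is switched off.
        "name": "vm-deallocate-disabled", "enabled": False,
        "scopes": ["/subscriptions/<subscription-id>"],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": DEALLOCATE_OP}]},
        "actions": {"actionGroups": [{"actionGroupId": AG_ID}]},
    },
    {   # Enabled, any level / status / caller, routed to an action group.
        "name": "vm-deallocate-any", "enabled": True,
        "scopes": ["/subscriptions/<subscription-id>"],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": DEALLOCATE_OP}]},
        "actions": {"actionGroups": [{"actionGroupId": AG_ID}]},
    },
])


def _leaves(alert):
    """Return the leaf conditions of an alert as (lower-cased field, equals) pairs."""
    return [((c.get("field") or "").lower(), c.get("equals"))
            for c in alert.get("condition", {}).get("allOf", [])]


def evaluate_alert(alert):
    """Return the reasons an alert fails the rule; an empty list means it satisfies it."""
    reasons = []
    leaves = _leaves(alert)
    if not alert.get("enabled", False):
        reasons.append("alert is disabled")
    if ("category", "Administrative") not in leaves:
        reasons.append("category condition is not Administrative")
    if ("operationname", DEALLOCATE_OP) not in leaves:
        reasons.append("operationName does not match Deallocate Virtual Machine")
    narrowing = sorted({f for f, _ in leaves} & NARROWING_FIELDS)
    if narrowing:
        reasons.append("condition narrows on %s; the rule requires 'any'" % ", ".join(narrowing))
    if not alert.get("actions", {}).get("actionGroups"):
        reasons.append("no action group attached")
    return reasons


def audit(alert_list_json):
    """Evaluate every alert; compliant when at least one alert fully satisfies the rule."""
    findings = {a["name"]: evaluate_alert(a) for a in json.loads(alert_list_json)}
    return any(not r for r in findings.values()), findings


def remediation_command(name, resource_group, subscription_id, action_group_id):
    """Build the CLI command that creates a compliant alert (FIELD=VALUE condition syntax)."""
    condition = "category=Administrative and operationName=" + DEALLOCATE_OP
    return " ".join([
        "az monitor activity-log alert create",
        "--name", shlex.quote(name),
        "--resource-group", shlex.quote(resource_group),
        "--scope", shlex.quote("/subscriptions/" + subscription_id),
        "--condition", shlex.quote(condition),
        "--action-group", shlex.quote(action_group_id),
    ])


if __name__ == "__main__":
    ok, findings = audit(SAMPLE_ALERT_LIST)
    for alert_name, reasons in findings.items():
        print("%s: %s" % (alert_name, "OK" if not reasons else "; ".join(reasons)))
    print("COMPLIANT" if ok else "NON-COMPLIANT")
    if not ok:
        print(remediation_command("deallocate-vm-alert", "<rg>", "<subscription-id>", AG_ID))
```

In practice, replace `SAMPLE_ALERT_LIST` with the captured CLI output, and check `scopes` against the subscriptions you intend to cover: an alert scoped to a single resource group still passes the condition check here but would miss deallocations elsewhere.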
References
- Azure Official Documentation
  - Create, view, and manage activity log alerts by using Azure Monitor
  - Create, view, and manage log alerts using Azure Monitor
  - Action rules (preview)
- Azure PowerShell Documentation
  - az monitor activity-log alert list
  - az monitor activity-log alert show
  - az monitor activity-log alert create