- Create Alert for "Delete Public IP Address" Events
Ensure that activity log alerts are used to detect "Delete Public IP Address" events within your Microsoft Azure cloud account. An activity log alert gets activated when a new activity log event that matches the condition specified in the alert occurs.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Monitoring your Azure cloud account for "Delete Public IP Address" events can provide valuable insights into the network access changes performed at the subscription level and can help reduce the time it takes to detect unsolicited changes.
Audit
Using Azure Console
01 Sign in to the Azure Management Console.
02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.
03 In the blade navigation panel, select Alerts to access the notification alerts available in your Azure cloud account.
04 On the Alerts page, choose Alert rules to access the alert rules management page.
05 Select the Azure subscription that you want to examine from the Subscription filter box and the Enabled option from the Status dropdown list, to return all the active alert rules created for the selected subscription.
06 Click on the name (link) of the alert rule that you want to examine.
07 On the alert rule configuration panel, check the condition phrase available in the Condition section. If the condition phrase is different from Whenever the Activity Log has an event with Category='Administrative', Operation name='Delete Public Ip Address', the selected alert rule is not configured to detect "Delete Public IP Address" events. If the condition phrase is set to Whenever the Activity Log has an event with Category='Administrative', Operation name='Delete Public Ip Address', choose Edit, and check the Actions section to ensure that an action group is configured to send notification alerts when the alert rule triggers. If there are no action groups assigned to manage alert notifications, the selected alert rule is not configured to send alerts when "Delete Public IP Address" events are triggered.
08 Repeat steps no. 6 and 7 for the rest of the alert rules available within the selected subscription. If none of the verified rules contain the right condition and configuration, there are no activity log alerts created for "Delete Public IP Address" events in the selected Azure subscription.
09 Repeat steps no. 5 – 8 for each subscription created within your Microsoft Azure cloud account.
Using Azure CLI
01 Run monitor activity-log alert list command (Windows/macOS/Linux) with custom query filters to get the ID of each active activity log alert rule available within the current Azure subscription:
az monitor activity-log alert list --query '[?(enabled==`true`)].id'
02 The command output should return the requested activity log alert rule IDs:
[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/CreateUpdateNetworkSecurityGroup",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/CreatePolicyAssignmentAlert"
]
03 Run monitor activity-log alert show command (Windows/macOS/Linux) using the ID of the activity log alert rule that you want to examine as the identifier parameter to describe the alert rule configuration:
az monitor activity-log alert show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/CreateUpdateNetworkSecurityGroup"
04 The command output should return the configuration available for the selected alert rule:
{
  "actions": {
    "actionGroups": []
  },
  "condition": {
    "allOf": [
      {
        "equals": "Administrative",
        "field": "category"
      },
      {
        "equals": "Microsoft.Network/networkSecurityGroups/write",
        "field": "operationName"
      }
    ]
  },
  "description": "",
  "enabled": true,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/CreateUpdateNetworkSecurityGroup",
  "location": "Global",
  "name": "CreateUpdateNetworkSecurityGroup",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "scopes": [
    "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"
  ],
  "tags": {},
  "type": "Microsoft.Insights/ActivityLogAlerts"
}
Check the monitor activity-log alert show command output for the object with the "field" property set to "operationName". If the object's "equals" property is not set to "Microsoft.Network/publicIPAddresses/delete", the selected alert rule is not configured to detect "Delete Public IP Address" events. If the condition is set to "Microsoft.Network/publicIPAddresses/delete", check the "actions" object to ensure that an action group is configured to send notification alerts when the alert rule triggers. If there are no action groups assigned to manage alert notifications (i.e. "actionGroups": []), the selected alert rule is not configured to send alerts when "Delete Public IP Address" events are detected.
05 Repeat steps no. 3 and 4 for the rest of the alert rules available in the current subscription. If none of the verified rules contain the right condition and an assigned action group, there are no activity log alerts created for "Delete Public IP Address" events in the selected Azure subscription.
06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.
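The following is an added example, not Conformity's or Azure's own code: it applies the step 04 and 05 checks to rule objects shaped like the `az monitor activity-log alert show` output above (the sample rules, subscription and action group IDs are constructed placeholders).

```python
# Added example (not Conformity's or Azure's code): applies the step 04/05 audit
# logic to rule objects shaped like `az monitor activity-log alert show` output.
import json

EXPECTED_CATEGORY = "administrative"
EXPECTED_OPERATION = "microsoft.network/publicipaddresses/delete"

def condition_fields(rule):
    """Flatten the rule's allOf clauses into {field: equals}; Azure compares
    activity log alert field values case-insensitively, so lower-case both."""
    return {c["field"].lower(): (c.get("equals") or "").lower()
            for c in rule["condition"]["allOf"]}

def audit_rule(rule):
    """Classify one rule: 'wrong-condition', 'no-action-group' or 'compliant'."""
    fields = condition_fields(rule)
    if (fields.get("category") != EXPECTED_CATEGORY
            or fields.get("operationname") != EXPECTED_OPERATION):
        return "wrong-condition"
    if not rule.get("actions", {}).get("actionGroups"):
        return "no-action-group"
    return "compliant"

def subscription_is_covered(rules):
    """Step 05: the subscription passes only if an enabled rule is compliant."""
    return any(r.get("enabled") and audit_rule(r) == "compliant" for r in rules)

# Constructed sample rules (subscription and action group IDs are placeholders).
SAMPLE_RULES = json.loads("""[
 {"name": "CreateUpdateNetworkSecurityGroup", "enabled": true,
  "actions": {"actionGroups": []},
  "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
    {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]}},
 {"name": "delete-public-ip-no-actions", "enabled": true,
  "actions": {"actionGroups": []},
  "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
    {"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/delete"}]}},
 {"name": "cc-delete-public-ip-alert", "enabled": true,
  "actions": {"actionGroups": [{"actionGroupId": "/subscriptions/PLACEHOLDER/resourcegroups/rg/providers/microsoft.insights/actiongroups/ag"}]},
  "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
    {"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/delete"}]}}
]""")

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(f"{rule['name']}: {audit_rule(rule)}")
    print("subscription covered:", subscription_is_covered(SAMPLE_RULES))
```

To run it against real data, feed each rule returned by `az monitor activity-log alert show` (as JSON) into `audit_rule`.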
Remediation / Resolution
Using Azure Console
01 Sign in to the Azure Management Console.
02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.
03 In the blade navigation panel, select Alerts to access the notification alerts available in your Azure cloud account.
04 On the Alerts page, choose Alert rules to access the alert rules management page.
05 Select the Azure subscription that you want to access from the Subscription filter box.
06 Choose + Create to create a new Azure Monitor alert rule.
07 On the Create an alert rule page, perform the following actions:
- For Scope, choose Select resource and configure the target that you wish to monitor. In this case, select the appropriate Azure account subscription, then select Done. Choose Next: Condition >.
- For Condition, choose Add condition to configure the alert rule condition (i.e. a signal and its logic). On the Select a signal panel, find and select the signal with the name Delete Public Ip Address (Microsoft.Network/publicIPAddresses). To obtain the right configuration for the condition (i.e. Whenever the Activity Log has an event with Category='Administrative', Signal name='Delete Public Ip Address (Microsoft.Network/publicIPAddresses)'), leave the default settings available for the signal logic unchanged. Choose Next: Actions >.
- For Actions, choose Select action groups to select an existing action group to attach to your new alert rule or choose Create action group to create a new one. Azure Monitor alerts use action groups to notify users that an alert has been triggered. Choose Next: Details >.
- For Details, provide a unique name for the new alert rule in the Alert rule name box, enter a short description in the Alert rule description box, and choose the resource group in which the alert will be created from the Resource group dropdown list. Choose Advanced options and ensure that Enable alert rule upon creation option is selected. Choose Next: Tags >.
- For Tags, provide any required tag sets for the new activity log alert rule. Choose Next: Review + create >.
- Choose Create to complete the alert rule setup process.
08 Repeat steps no. 5 – 7 for each subscription created within your Microsoft Azure cloud account.
Using Azure CLI
01 Run monitor activity-log alert create command (Windows/macOS/Linux) to create a new Azure activity log alert for detecting "Delete Public IP Address" events in the current Microsoft Azure subscription. The condition must use the Administrative category, because that is the category under which the Delete Public IP Address operation is recorded in the activity log:
az monitor activity-log alert create --name cc-delete-public-ip-alert --description "Alert triggered by Delete Public IP Address" --resource-group cloud-shell-storage-westeurope --action-group "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.insights/actiongroups/cloudconformity%20action%20group" --condition category=Administrative and operationName=Microsoft.Network/publicIPAddresses/delete
02 The command output should return the configuration information available for the new alert:
{
  "actions": {
    "actionGroups": [
      {
        "actionGroupId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/default-activitylogalerts/providers/microsoft.insights/actiongroups/cloudconformity%20action%20group",
        "webhookProperties": null
      }
    ]
  },
  "condition": {
    "allOf": [
      {
        "containsAny": null,
        "equals": "Administrative",
        "field": "category",
        "odata.type": null
      },
      {
        "containsAny": null,
        "equals": "Microsoft.Network/publicIPAddresses/delete",
        "field": "operationName",
        "odata.type": null
      }
    ],
    "odata.type": null
  },
  "description": "Alert triggered by Delete Public IP Address",
  "enabled": true,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/Default-ActivityLogAlerts/providers/microsoft.insights/activityLogAlerts/cc-delete-public-ip-alert",
  "identity": null,
  "kind": null,
  "location": "Global",
  "name": "cc-delete-public-ip-alert",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "scopes": [
    "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope"
  ],
  "tags": {},
  "type": "Microsoft.Insights/ActivityLogAlerts"
}
03 Repeat steps no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.
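The following is an added example, not Conformity's or Azure's own code: it evaluates a rule's condition and scopes against constructed activity log events the way the alert would, showing that a rule whose category is not Administrative never fires for a public IP deletion, and that a rule scoped to a single resource group (as in the create output above) misses deletions elsewhere in the subscription. Subscription ID, resource names and events are constructed placeholders.

```python
# Added example (not Conformity's or Azure's code): evaluates an activity log
# alert rule's condition and scopes against sample activity log events.

def clause_matches(clause, event):
    """One allOf clause; Azure compares 'equals'/'containsAny' case-insensitively."""
    value = str(event.get(clause["field"], "")).lower()
    if clause.get("equals") is not None:
        return value == clause["equals"].lower()
    if clause.get("containsAny"):
        return value in [v.lower() for v in clause["containsAny"]]
    return False

def in_scope(rule, event):
    """Scopes are resource ID prefixes; the event must fall under one of them."""
    rid = event.get("resourceId", "").lower()
    return any(rid.startswith(s.lower()) for s in rule["scopes"])

def rule_fires(rule, event):
    """True when an enabled rule would be triggered by this event."""
    return bool(rule.get("enabled")) and in_scope(rule, event) and all(
        clause_matches(c, event) for c in rule["condition"]["allOf"])

def make_rule(category, scope):
    """Build a rule object shaped like `az monitor activity-log alert create` output."""
    return {"enabled": True, "scopes": [scope], "condition": {"allOf": [
        {"field": "category", "equals": category},
        {"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/delete"}]}}

# Constructed sample data; the subscription ID and names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
DELETE_EVENT = {"category": "Administrative",
                "operationName": "Microsoft.Network/publicIPAddresses/delete",
                "resourceId": SUB + "/resourceGroups/prod-rg/providers/Microsoft.Network/publicIPAddresses/web-pip"}
WRITE_EVENT = dict(DELETE_EVENT, operationName="Microsoft.Network/publicIPAddresses/write")

FIXED_RULE = make_rule("Administrative", SUB)   # subscription-wide scope
POLICY_RULE = make_rule("Policy", SUB)          # wrong category: never matches a delete
NARROW_RULE = make_rule("Administrative", SUB + "/resourceGroups/cloud-shell-storage-westeurope")

if __name__ == "__main__":
    for name, rule in [("fixed", FIXED_RULE), ("policy", POLICY_RULE), ("narrow", NARROW_RULE)]:
        print(f"{name}: delete={rule_fires(rule, DELETE_EVENT)} write={rule_fires(rule, WRITE_EVENT)}")
```

Pass `--scope` with the subscription ID to the create command if the alert should cover public IP deletions in every resource group of the subscription.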
References
- Azure Official Documentation
- Create a new alert rule
- Alert processing rules
- Azure Command Line Interface (CLI) Documentation
- az monitor activity-log alert list
- az monitor activity-log alert show
- az monitor activity-log alert create