Ensure that a Microsoft Azure activity log alert is fired whenever a "Power Off Virtual Machine" event is triggered within your cloud account. An Azure activity log alert fires each time an action event that matches the condition defined in the alert configuration is triggered. The alert condition that this conformity rule checks for is `Whenever the Administrative Activity Log "Power Off Virtual Machine (Microsoft.Compute/virtualMachines)" has "any" Event level, with "any" Status and Event initiated by "any"`.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
As opposed to deallocation, powering off a Microsoft Azure virtual machine (VM) releases the hardware but preserves the network resources (internal and public IPs) provisioned for it. Even though the VM's network components are preserved, once the virtual machine is powered off, the cloud application(s) installed on it become unavailable. Monitoring your Microsoft Azure account for "Power Off Virtual Machine (Microsoft.Compute/virtualMachines)" events will help you quickly mitigate the security issue if the VM was accidentally or intentionally powered off, reduce application downtime and improve service availability.
Audit
To determine if there are any activity log alerts created for "Power Off Virtual Machine" events in your Microsoft Azure cloud account, perform the following actions:
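One way to automate this check, as an added example rather than Conformity's own code: the script evaluates the JSON printed by `az monitor activity-log alert list --output json` against the rule's condition. It assumes the event's operation name is `Microsoft.Compute/virtualMachines/powerOff/action` and that each alert exposes `enabled` and `condition.allOf` clauses with `field`/`equals` keys; the function names and the sample data are constructed for illustration.

```python
import json

# Assumed operation name behind "Power Off Virtual Machine (Microsoft.Compute/virtualMachines)".
POWER_OFF_OP = "microsoft.compute/virtualmachines/poweroff/action"
# Filters that would narrow the alert below "any" level / status / initiator.
NARROWING_FIELDS = {"level", "status", "caller"}


def alert_matches_rule(alert):
    """Return True if one activity log alert satisfies the rule's condition."""
    if not alert.get("enabled", False):
        return False  # a disabled alert never fires
    clauses = (alert.get("condition") or {}).get("allOf") or []
    seen = {}
    for clause in clauses:
        field = str(clause.get("field", "")).lower()
        seen[field] = str(clause.get("equals", "")).lower()
    if seen.get("category") != "administrative":
        return False
    if seen.get("operationname") != POWER_OFF_OP:
        return False
    # Any extra filter means some power-off events would not raise the alert.
    return NARROWING_FIELDS.isdisjoint(seen)


def audit(alerts_json):
    """Return the names of compliant alerts found in `alert list` JSON output."""
    return [a.get("name") for a in json.loads(alerts_json) if alert_matches_rule(a)]


# Constructed sample output (not taken from a real subscription).
SAMPLE = json.dumps([
    {"name": "vm-poweroff-any", "enabled": True, "condition": {"allOf": [
        {"field": "category", "equals": "Administrative"},
        {"field": "operationName", "equals": "Microsoft.Compute/virtualMachines/powerOff/action"}]}},
    {"name": "vm-poweroff-failed-only", "enabled": True, "condition": {"allOf": [
        {"field": "category", "equals": "Administrative"},
        {"field": "operationName", "equals": "Microsoft.Compute/virtualMachines/powerOff/action"},
        {"field": "status", "equals": "Failed"}]}},
    {"name": "vm-poweroff-disabled", "enabled": False, "condition": {"allOf": [
        {"field": "category", "equals": "Administrative"},
        {"field": "operationName", "equals": "Microsoft.Compute/virtualMachines/powerOff/action"}]}},
    {"name": "vm-deallocate", "enabled": True, "condition": {"allOf": [
        {"field": "category", "equals": "Administrative"},
        {"field": "operationName", "equals": "Microsoft.Compute/virtualMachines/deallocate/action"}]}},
])

if __name__ == "__main__":
    compliant = audit(SAMPLE)
    print("compliant alerts:", compliant or "none (rule fails)")
```

An empty result means no enabled alert covers every "Power Off Virtual Machine" event, so the audit fails for that subscription.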
Remediation / Resolution
To implement a Microsoft Azure activity log alert for "Power Off Virtual Machine (Microsoft.Compute/virtualMachines)" events, perform the following actions:
References
- Azure Official Documentation
- Create, view, and manage activity log alerts by using Azure Monitor
- Create, view, and manage log alerts using Azure Monitor
- Action rules (preview)
- Azure PowerShell Documentation
- az monitor activity-log alert list
- az monitor activity-log alert show
- az monitor activity-log alert create