
Create Alert for "Power Off Virtual Machine" Events

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ActivityLog-013

Ensure that a Microsoft Azure activity log alert is fired whenever a "Power Off Virtual Machine" event is triggered within your cloud account. An Azure activity log alert fires each time the action event that matches the condition defined in the alert configuration is triggered. The alert condition that this conformity rule checks for is `Whenever the Administrative Activity Log "Power Off Virtual Machine (Microsoft.Compute/virtualMachines)" has "any" Event level, with "any" Status and Event initiated by "any"`

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

As opposed to deallocation, powering off a Microsoft Azure virtual machine (VM) will release the hardware but it will preserve the network resources (internal and public IPs) provisioned for it. Even though the VM's network components are preserved, once the virtual machine is powered off, the cloud application(s) installed on it become unavailable. Monitoring your Microsoft Azure account for "Power Off Virtual Machine (Microsoft.Compute/virtualMachines)" events helps you respond quickly when a VM is accidentally or intentionally powered off, reducing application downtime and improving service availability.

Audit

To determine if there are any activity log alerts created for "Power Off Virtual Machine" events in your Microsoft Azure cloud account, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the navigation panel, select Alerts to access all the alerts available in your cloud account.

04 On the Alerts page, click on the Manage alert rules button from the dashboard top menu to access the alert rules management page.

05 On the Rules page, select the subscription that you want to examine from the Subscription filter box and the Enabled option from the Status dropdown list, to return all the active alert rules created in the selected subscription.

06 Click on the name of the alert rule that you want to examine.

07 On the selected alert rule configuration page, check the condition expression listed in the CONDITION section. If the expression is different than Whenever the Administrative Activity Log "Power Off Virtual Machine (Microsoft.Compute/virtualMachines)" has "any" Event level, with "any" Status and Event initiated by "any", the selected alert rule is not configured to fire whenever "Power Off Virtual Machine" events are triggered.

08 Repeat steps no. 6 and 7 for the rest of the activity log alert rules available in the selected subscription. If none of the verified rules contain the expected condition, there are no activity log alerts created for "Power Off Virtual Machine" events within the selected Azure cloud account subscription.

09 Repeat steps no. 5 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the monitor activity-log alert list command (Windows/macOS/Linux) using custom query filters to get the identifiers of the active activity log alert rules available in the current Azure subscription:

az monitor activity-log alert list \
    --query '[?(enabled==`true`)].id'

02 The command output should return the requested activity log alert rule identifiers (IDs):

[
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/cc-delete-virtual-machine-alert",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/cc-delete-nsg-rule-alert",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/cc-delete-key-vault-alert"
]

03 Run the monitor activity-log alert show command (Windows/macOS/Linux) using the ID of the alert rule that you want to examine as the identifier parameter and custom query filters to list the condition(s) defined for the selected alert rule:

az monitor activity-log alert show \
    --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/cc-delete-virtual-machine-alert" \
    --query 'condition'

04 The command output should return the condition metadata for the selected alert rule:

{
  "allOf": [
    {
      "containsAny": null,
      "equals": "Policy",
      "field": "category",
      "odata.type": null
    },
    {
      "containsAny": null,
      "equals": "Microsoft.Compute/virtualMachines/delete",
      "field": "operationName",
      "odata.type": null
    }
  ],
  "odata.type": null
}

Verify the command output for the JSON object whose "field" property is set to "operationName". If that object's "equals" property is not set to "Microsoft.Compute/virtualMachines/powerOff/action", the selected activity log alert rule is not configured to fire whenever "Power Off Virtual Machine" events get triggered.

05 Repeat steps no. 3 and 4 for the rest of the alert rules available in the current subscription. If none of the verified rules contain the expected condition, there are no activity log alerts created for "Power Off Virtual Machine" events within the selected Azure account subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.
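Steps 01 to 05 above can be automated by running the same check over the JSON that `az monitor activity-log alert list` prints for a subscription. The script below is an added example, not code from the Conformity page or from Trend Micro: it flattens each rule's `condition.allOf` clauses, checks them against the expected category and operationName, and also reports rules that are disabled, narrowed by extra clauses (the rule expects "any" event level, status and caller) or scoped to less than the whole subscription. The sample rules embedded in it are constructed for illustration (the subscription id is the page's placeholder; rule names other than the page's own are made up), and the audit reads real CLI output from stdin when it is piped in.

```python
"""Audit Azure activity log alert rules against Conformity rule ActivityLog-013.

Added example; not code from the Conformity page or from Trend Micro. It reads the
JSON that `az monitor activity-log alert list` prints for one subscription (stdin),
or falls back to the constructed sample below, and reports why each rule does or
does not satisfy the expected "Power Off Virtual Machine" condition.
"""
import json
import sys

# Condition the rule expects; values taken from the page's remediation output.
EXPECTED_CATEGORY = "Administrative"
POWER_OFF_OPERATION = "Microsoft.Compute/virtualMachines/powerOff/action"

# Constructed sample (not real output), trimmed to the fields the audit uses. The
# subscription id is the page's placeholder; rule names are illustrative.
SUB = "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd"
RG = SUB + "/resourceGroups/Default-ActivityLogAlerts"
ALERT_PREFIX = RG + "/providers/microsoft.insights/activityLogAlerts/"


def _alert(name, enabled, scopes, clauses):
    """Build one sample rule in the shape the az CLI returns (hypothetical helper)."""
    return {"id": ALERT_PREFIX + name, "enabled": enabled, "scopes": scopes,
            "condition": {"allOf": [{"field": f, "equals": v} for f, v in clauses]}}


SAMPLE_ALERTS = [
    # Fires on VM deletion, not power-off (like cc-delete-virtual-machine-alert on the page).
    _alert("cc-delete-virtual-machine-alert", True, [SUB],
           [("category", "Administrative"), ("operationName", "Microsoft.Compute/virtualMachines/delete")]),
    # Right condition, but scoped to a resource group, as in the page's remediation output.
    _alert("cc-power-off-rg-scoped-alert", True, [RG],
           [("category", "Administrative"), ("operationName", POWER_OFF_OPERATION)]),
    # Right condition, but disabled.
    _alert("cc-power-off-disabled-alert", False, [SUB],
           [("category", "Administrative"), ("operationName", POWER_OFF_OPERATION)]),
    # Extra "level" clause narrows the rule beyond the expected "any" event level.
    _alert("cc-power-off-errors-only-alert", True, [SUB],
           [("category", "Administrative"), ("operationName", POWER_OFF_OPERATION), ("level", "Error")]),
    # Satisfies the rule.
    _alert("cc-power-off-virtual-machine-alert", True, [SUB],
           [("category", "Administrative"), ("operationName", POWER_OFF_OPERATION)]),
]


def subscription_of(resource_id):
    """Return the subscription id embedded in an ARM resource id, or None."""
    parts = resource_id.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1]
    return None


def check_alert(alert):
    """Return the reasons this rule fails ActivityLog-013 (an empty list means it satisfies it)."""
    reasons = []
    if not alert.get("enabled", False):
        reasons.append("rule is disabled")
    # Flatten condition.allOf into {field: equals}; field names are compared case-insensitively.
    clauses = {c.get("field", "").lower(): c.get("equals")
               for c in (alert.get("condition") or {}).get("allOf", [])}
    if clauses.get("category") != EXPECTED_CATEGORY:
        reasons.append(f"category is {clauses.get('category')!r}, expected {EXPECTED_CATEGORY!r}")
    if clauses.get("operationname") != POWER_OFF_OPERATION:
        reasons.append(f"operationName is {clauses.get('operationname')!r}, expected {POWER_OFF_OPERATION!r}")
    extra = sorted(set(clauses) - {"category", "operationname"})
    if extra:  # the rule expects "any" level, status and caller, so extra clauses narrow it
        reasons.append("condition narrowed by extra clause(s): " + ", ".join(extra))
    # Activity log alert scopes are resource-id prefixes; to cover every VM the scope must be the subscription.
    sub = subscription_of(alert.get("id", ""))
    scopes = [s.rstrip("/").lower() for s in alert.get("scopes", [])]
    if sub and f"/subscriptions/{sub}".lower() not in scopes:
        reasons.append("scope does not cover the whole subscription")
    return reasons


def audit(alerts):
    """Map each rule id to its list of findings."""
    return {a["id"]: check_alert(a) for a in alerts}


def is_compliant(alerts):
    """The subscription passes when at least one rule has no findings."""
    return any(not reasons for reasons in audit(alerts).values())


if __name__ == "__main__":
    alerts = SAMPLE_ALERTS if sys.stdin.isatty() else json.load(sys.stdin)
    for rule_id, reasons in audit(alerts).items():
        print(("OK   " if not reasons else "FAIL ") + rule_id.rsplit("/", 1)[-1])
        for r in reasons:
            print("       - " + r)
    print("compliant" if is_compliant(alerts) else "non-compliant")
```

To audit a real subscription, select it first (`az account set --subscription <subscription-id>`) and pipe the listing in: `az monitor activity-log alert list | python3 audit_activitylog013.py`, repeating per subscription as step 06 requires. The scope check is worth keeping even though the Conformity condition text does not mention it: in the page's remediation output the `scopes` array holds the resource group path, and an activity log alert only fires for events whose resource id starts with one of its scopes, so a rule with the right condition can still miss VMs outside that resource group.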

Remediation / Resolution

To implement a Microsoft Azure activity log alert for "Power Off Virtual Machine (Microsoft.Compute/virtualMachines)" events, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the navigation panel, select Alerts to access the alerts available in your Azure cloud account.

04 On the Alerts page, click on the Manage alert rules button from the dashboard top menu to access the alert rules management page.

05 On the Rules page, select the Azure account subscription where you want to create the new alert rule, from the Subscription filter box.

06 Click New alert rule button from the dashboard top menu to initiate the alert rule setup process.

07 On the Create rule page, perform the following actions:

  1. In the Scope section, click Select and configure the target subscription that you wish to monitor. Once the right Azure subscription is selected, click Done.
  2. In the Condition section, click Add to configure the alert rule condition. On Configure signal logic panel, find and select the signal with the name Power Off Virtual Machine (Microsoft.Compute/virtualMachines). Leave the signal default settings unchanged to generate the right condition, i.e. Whenever the Administrative Activity Log "Power Off Virtual Machine (Microsoft.Compute/virtualMachines)" has "any" Event level, with "any" Status and Event initiated by "any", then click Done to save the changes.
  3. In the Action group section, click Select action group to choose an existing action group to attach to the new alert rule or click Create action group button to create a new one. An action group is a collection of alert notification preferences defined for the selected Azure subscription. The Monitor service uses action groups to notify admin users when Azure activity log alerts are triggered.
  4. In the Alert rule details section, provide a unique name for the new rule in the Alert rule name box, type a short description in the Description box, and choose the resource group in which the new alert will be placed, from the Save alert to resource group dropdown list.
  5. Ensure that the Enable alert rule upon creation option is checked, then click Create alert rule to finish the alert rule setup process.

08 Repeat steps no. 5 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the monitor activity-log alert create command (Windows/macOS/Linux) to create a new Azure activity log alert that fires whenever a "Power Off Virtual Machine" event is triggered in the current Microsoft Azure cloud subscription:

az monitor activity-log alert create \
    --name cc-power-off-virtual-machine-alert \
    --description "Alert triggered by Power Off Virtual Machine events" \
    --resource-group Default-ActivityLogAlerts \
    --action-group "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourcegroups/default-activitylogalerts/providers/microsoft.insights/actiongroups/cloudconformity%20action%20group" \
    --condition category=Administrative and operationName=Microsoft.Compute/virtualMachines/powerOff/action

02 The command output should return the configuration metadata for the new activity log alert:

{
  "actions": {
    "actionGroups": [
      {
        "actionGroupId": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourcegroups/default-activitylogalerts/providers/microsoft.insights/actiongroups/cloudconformity%20action%20group",
        "webhookProperties": null
      }
    ]
  },
  "condition": {
    "allOf": [
      {
        "containsAny": null,
        "equals": "Administrative",
        "field": "category",
        "odata.type": null
      },
      {
        "containsAny": null,
        "equals": "Microsoft.Compute/virtualMachines/powerOff/action",
        "field": "operationName",
        "odata.type": null
      }
    ],
    "odata.type": null
  },
  "description": "Alert triggered by Power Off Virtual Machine events",
  "enabled": true,
  "id": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/Default-ActivityLogAlerts/providers/microsoft.insights/activityLogAlerts/cc-power-off-virtual-machine-alert",
  "identity": null,
  "kind": null,
  "location": "Global",
  "name": "cc-power-off-virtual-machine-alert",
  "resourceGroup": "Default-ActivityLogAlerts",
  "scopes": [
    "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/Default-ActivityLogAlerts"
  ],
  "tags": {},
  "type": "Microsoft.Insights/ActivityLogAlerts"
}

03 Repeat steps no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.

Publication date Nov 28, 2019