AzPolicyAdvertizer

last sync: 2020-Sep-25 13:37:27 UTC

Azure Policy

An activity log alert should exist for specific Administrative operations

Policy DisplayName An activity log alert should exist for specific Administrative operations

Policy Id b954148f-4c11-4c38-8221-be76711e194a

Policy Category Monitoring

Policy Description This policy audits specific Administrative operations with no activity log alerts configured.

Policy Mode All

Policy Type BuiltIn

Policy in Preview FALSE

Policy Deprecated FALSE

Policy Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)

Roles used none

Policy Changes

Date/Time (UTC ymd) (i)	Change	Change detail
2020-01-29 21:53:30	add: Policy	b954148f-4c11-4c38-8221-be76711e194a

Used in Policy Initiative(s)

Initiative DisplayName	Initiative Id
CIS Microsoft Azure Foundations Benchmark 1.1.0	1a5bb27d-173f-493e-9568-eb56638dde4d
CIS Microsoft Azure Foundations Benchmark 1.1.0	1a5bb27d-173f-493e-9568-eb56638dde4d
CIS Microsoft Azure Foundations Benchmark 1.1.0	1a5bb27d-173f-493e-9568-eb56638dde4d
CIS Microsoft Azure Foundations Benchmark 1.1.0	1a5bb27d-173f-493e-9568-eb56638dde4d
CIS Microsoft Azure Foundations Benchmark 1.1.0	1a5bb27d-173f-493e-9568-eb56638dde4d
CIS Microsoft Azure Foundations Benchmark 1.1.0	1a5bb27d-173f-493e-9568-eb56638dde4d
HITRUST/HIPAA	a169a624-5599-4385-a696-c8d643089fab

Policy Rule

{
  "properties": {
    "displayName": "An activity log alert should exist for specific Administrative operations",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits specific Administrative operations with no activity log alerts configured.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "operationName": {
        "type": "String",
        "metadata": {
          "displayName": "Operation Name",
          "description": "Administrative Operation name for which activity log alert should be configured"
        },
        "allowedValues": [
          "Microsoft.Sql/servers/firewallRules/write",
          "Microsoft.Sql/servers/firewallRules/delete",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/networkSecurityGroups/delete",
          "Microsoft.ClassicNetwork/networkSecurityGroups/write",
          "Microsoft.ClassicNetwork/networkSecurityGroups/delete",
          "Microsoft.Network/networkSecurityGroups/securityRules/write",
          "Microsoft.Network/networkSecurityGroups/securityRules/delete",
          "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write",
          "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/ActivityLogAlerts",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "true"
              },
              {
                "count": {
                "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "Administrative"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "operationName"
                          },
                          {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                          "equals": "[parameters('operationName')]"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              },
              {
                "not": {
                "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                  "equals": "category"
                }
              },
              {
                "not": {
                "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                  "equals": "operationName"
                }
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b954148f-4c11-4c38-8221-be76711e194a"
}

Azure Policy

An activity log alert should exist for specific Administrative operations

Popular