last sync: 2020-Sep-25 13:37:27 UTC

Azure Policy

An activity log alert should exist for specific Administrative operations

Policy DisplayName An activity log alert should exist for specific Administrative operations
Policy Id b954148f-4c11-4c38-8221-be76711e194a
Policy Category Monitoring
Policy Description This policy audits specific Administrative operations with no activity log alerts configured.
Policy Mode All
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used none
Policy Changes
Date/Time (UTC ymd) (i) Change Change detail
2020-01-29 21:53:30 add: Policy b954148f-4c11-4c38-8221-be76711e194a
Used in Policy Initiative(s)
Initiative DisplayName Initiative Id
CIS Microsoft Azure Foundations Benchmark 1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d
CIS Microsoft Azure Foundations Benchmark 1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d
CIS Microsoft Azure Foundations Benchmark 1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d
CIS Microsoft Azure Foundations Benchmark 1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d
CIS Microsoft Azure Foundations Benchmark 1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d
CIS Microsoft Azure Foundations Benchmark 1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab
Policy Rule
{
  "properties": {
    "displayName": "An activity log alert should exist for specific Administrative operations",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits specific Administrative operations with no activity log alerts configured.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "operationName": {
        "type": "String",
        "metadata": {
          "displayName": "Operation Name",
          "description": "Administrative Operation name for which activity log alert should be configured"
        },
        "allowedValues": [
          "Microsoft.Sql/servers/firewallRules/write",
          "Microsoft.Sql/servers/firewallRules/delete",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/networkSecurityGroups/delete",
          "Microsoft.ClassicNetwork/networkSecurityGroups/write",
          "Microsoft.ClassicNetwork/networkSecurityGroups/delete",
          "Microsoft.Network/networkSecurityGroups/securityRules/write",
          "Microsoft.Network/networkSecurityGroups/securityRules/delete",
          "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write",
          "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/ActivityLogAlerts",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "true"
              },
              {
                "count": {
                "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "Administrative"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "operationName"
                          },
                          {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                          "equals": "[parameters('operationName')]"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              },
              {
                "not": {
                "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                  "equals": "category"
                }
              },
              {
                "not": {
                "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                  "equals": "operationName"
                }
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b954148f-4c11-4c38-8221-be76711e194a"
}