last sync: 2020-Jul-03 15:47:34 UTC

Azure Policy

An activity log alert should exist for specific Policy operations

Policy DisplayName An activity log alert should exist for specific Policy operations
Policy Id c5447c04-a4d7-4ba8-a263-c9ee321a6858
Policy Category Monitoring
Policy Description This policy audits specific Policy operations with no activity log alerts configured.
Policy Mode All
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used none
Policy Changes
Date/Time (UTC ymd) (i) Change Change detail
2020-01-29 21:53:30 add: Policy c5447c04-a4d7-4ba8-a263-c9ee321a6858
Used in Policy Initiative(s)
Initiative DisplayName Initiative Id
CIS Microsoft Azure Foundations Benchmark 1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d
Policy Rule
{
  "properties": {
    "displayName": "An activity log alert should exist for specific Policy operations",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits specific Policy operations with no activity log alerts configured.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "operationName": {
        "type": "String",
        "metadata": {
          "displayName": "Operation Name",
          "description": "Policy Operation name for which activity log alert should exist"
        },
        "allowedValues": [
          "Microsoft.Authorization/policyAssignments/write",
          "Microsoft.Authorization/policyAssignments/delete"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/ActivityLogAlerts",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "true"
              },
              {
                "count": {
                "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "Policy"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "operationName"
                          },
                          {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                          "equals": "[parameters('operationName')]"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              },
              {
                "not": {
                "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                  "equals": "category"
                }
              },
              {
                "not": {
                "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                  "equals": "operationName"
                }
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c5447c04-a4d7-4ba8-a263-c9ee321a6858"
}