Verify that Activity Log Alert exists for Create or Update Public IP Address rule
Why this matters
Creating or updating Public IP Addresses in Azure directly affects network exposure and access control. These operations may indicate changes to perimeter security, such as the unintentional or unauthorized exposure of internal resources to the internet.
Monitoring for Microsoft.Network/publicIPAddresses/write operations ensures your team is alerted in real time when public IPs are added or modified. This is critical for detecting security misconfigurations and reducing the response time to network-related threats.
What this check does
This Auto Check verifies that an Activity Log Alert exists for the operation Microsoft.Network/publicIPAddresses/write.
Check Logic:
Passes if:
At least one enabled Activity Log Alert rule exists with:
- Category set to Administrative
- Operation name equal to Microsoft.Network/publicIPAddresses/write
- No filters on Level, Status, or Caller
- An Action Group configured to notify the appropriate team
Fails if:
- No matching alert rule is found in the subscription.
The check queries Azure Monitor to evaluate all alert rules and confirms correct conditions and notification settings.
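The pass/fail logic above, applied to alert-rule JSON, as an added example that is not the Auto Check's own code. The fixture is constructed in the shape of `az monitor activity-log alert list -o json` output with placeholder IDs; the second rule carries a level=Verbose filter and shows why such a rule fails the check.

```python
import json
REQUIRED_OPERATION = "Microsoft.Network/publicIPAddresses/write"
DISALLOWED_FILTERS = {"level", "status", "caller"}  # the check requires no filter on these
# Constructed sample in the shape of `az monitor activity-log alert list -o json`
# (properties flattened); IDs are placeholders, not real tenant data.
SAMPLE_RULES_JSON = """[
  {"name": "public-ip-write-alert", "enabled": true, "scopes": ["/subscriptions/<subscription ID>"],
   "condition": {"allOf": [
     {"field": "category", "equals": "Administrative"},
     {"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/write"}]},
   "actions": {"actionGroups": [{"actionGroupId": "<action group ID>"}]}},
  {"name": "public-ip-write-verbose-only", "enabled": true, "scopes": ["/subscriptions/<subscription ID>"],
   "condition": {"allOf": [
     {"field": "category", "equals": "Administrative"},
     {"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/write"},
     {"field": "level", "equals": "Verbose"}]},
   "actions": {"actionGroups": [{"actionGroupId": "<action group ID>"}]}}
]"""

def condition_fields(condition):
    """Map each condition field (lower-cased) to the values it matches; handles anyOf/containsAny."""
    fields = {}
    for entry in condition.get("allOf", []):
        for leaf in entry.get("anyOf", [entry]):
            values = fields.setdefault(leaf.get("field", "").lower(), set())
            if "equals" in leaf:
                values.add(leaf["equals"])
            values.update(leaf.get("containsAny") or [])
    return fields

def evaluate_rule(rule):
    """Apply the page's pass conditions to one rule; return (passes, reasons)."""
    reasons = []
    fields = condition_fields(rule.get("condition", {}))
    if not rule.get("enabled", False):
        reasons.append("rule is disabled")
    if "Administrative" not in fields.get("category", set()):
        reasons.append("category is not Administrative")
    if REQUIRED_OPERATION not in fields.get("operationname", set()):
        reasons.append("operationName is not " + REQUIRED_OPERATION)
    for field in sorted(DISALLOWED_FILTERS & fields.keys()):
        reasons.append("filters on " + field)  # a level=Verbose filter would miss most write events
    if not rule.get("actions", {}).get("actionGroups"):
        reasons.append("no action group attached")
    return not reasons, reasons

def check_subscription(rules_json):
    """Passes when at least one rule satisfies every condition; returns (passed, per-rule results)."""
    results = {rule["name"]: evaluate_rule(rule) for rule in json.loads(rules_json)}
    return any(ok for ok, _ in results.values()), results
```

Feed it the real `az monitor activity-log alert list -o json` output for a subscription to reproduce the check locally.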
How to fix it
Create the Activity Log Alert using Azure Portal, CLI, or PowerShell.
Azure Portal:
- Go to Monitor > Alerts > Alert rules.
- Click Create > Alert rule.
- Select your subscription under Scope.
- Under Condition, select:
- Signal: Create or Update Public IP Address
- Operation: Microsoft.Network/publicIPAddresses/write
- Category: Administrative
- Under Actions, select or create an Action Group for notifications.
- Fill in details such as alert name and resource group.
- Click Review + create, then Create.
Azure CLI:
# The condition is quoted so the shell passes it as one argument. A new rule is enabled
# by default; --enabled is not an option of this command (use --disable true to create it disabled).
az monitor activity-log alert create \
  --name "<activity log rule name>" \
  --resource-group "<resource group name>" \
  --scope "/subscriptions/<subscription ID>" \
  --condition "category=Administrative and operationName=Microsoft.Network/publicIPAddresses/write" \
  --action-group "<action group ID>"
PowerShell:
# Conditions: category and operation name only. Do not add a "level" condition: the check
# requires no filter on Level, and a level=Verbose condition would suppress the Informational-level
# events that public IP writes normally produce, so the alert would never fire.
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Administrative" -Field "category"
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Microsoft.Network/publicIPAddresses/write" -Field "operationName"
# Attach the Action Group that notifies the responsible team.
$actionGroup = Get-AzActionGroup -ResourceGroupName "<resource group name>" -Name "<action group name>"
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id
$scope = "/subscriptions/<subscription ID>"
New-AzActivityLogAlert -Name "<activity log alert rule name>" `
    -ResourceGroupName "<resource group name>" `
    -Condition $conditions `
    -Scope $scope `
    -Location "global" `
    -Action $actionObject `
    -SubscriptionId "<subscription ID>" `
    -Enabled:$true
Replace all placeholders with your environment-specific values.
Exceptions
No exceptions are recommended. Any changes to public IP configuration must be logged and alerted on. If your organization uses an external monitoring platform, document its integration and ensure equivalent detection coverage.