Verify that Activity Log Alert exists for Create or Update Public IP Address rule

Framework Reference: A.8.16 Integration: Azure – Activity Log Alerts

Why this matters

Creating or updating Public IP Addresses in Azure directly affects network exposure and access control. These operations may indicate changes to perimeter security, such as the unintentional or unauthorized exposure of internal resources to the internet.

Alerting on Microsoft.Network/publicIPAddresses/write operations notifies your team shortly after a public IP is created or modified, so a misconfiguration or an unauthorized exposure is caught while it can still be reverted rather than discovered in a later review.


What this check does

This Auto Check verifies that an Activity Log Alert exists for the operation:

Microsoft.Network/publicIPAddresses/write

Check Logic:

The check queries Azure Monitor, evaluates every Activity Log Alert rule in the subscription, and confirms both the rule conditions and the notification settings.

Passes if:

At least one enabled Activity Log Alert rule exists with:

  • Category set to Administrative
  • Operation name equal to Microsoft.Network/publicIPAddresses/write
  • No filters on Level, Status, or Caller
  • An Action Group configured to notify the appropriate team

Fails if:

  • No matching alert rule is found in the subscription.
  • Every matching rule is disabled, filters on Level, Status, or Caller, or has no Action Group attached.
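One way to implement the check logic above, as an added example that is not the Auto Check's own code: a Python evaluator that applies the pass criteria to Activity Log Alert rules. It assumes the rules are supplied in the Microsoft.Insights/activityLogAlerts resource shape, either the ARM form (settings under "properties") or the flattened form that `az monitor activity-log alert list -o json` returns. The function names, the sample rules, and the subscription and action group IDs are all constructed for illustration. The script also accepts an operationName supplied through an anyOf list (one rule covering several Microsoft.Network write operations), which goes slightly beyond the single-operation rule the remediation below creates.

```python
"""Evaluate Activity Log Alert rules against the check's pass criteria.

Added example; input shape assumed to be Microsoft.Insights/activityLogAlerts
(ARM form with "properties", or the flattened `az monitor activity-log alert list` form).
"""
import json
import sys

TARGET_OPERATION = "Microsoft.Network/publicIPAddresses/write"
FORBIDDEN_FILTER_FIELDS = {"level", "status", "caller"}  # must not be filtered on


def _props(rule):
    """ARM responses nest settings under "properties"; the az CLI flattens them."""
    return rule.get("properties", rule)


def _conditions_by_field(condition):
    """Flatten condition.allOf into {field (lowercase): [equals values (lowercase)]}.

    A leaf is {"field": ..., "equals": ...}. An {"anyOf": [leaves]} entry on a
    single field (API version 2020-10-01 and later) keeps all of its values.
    """
    by_field = {}
    for item in condition.get("allOf", []):
        leaves = item["anyOf"] if "anyOf" in item else [item]
        fields = {str(leaf.get("field", "")).lower() for leaf in leaves}
        if len(fields) != 1 or "" in fields:
            continue  # malformed or mixed-field entry: ignore rather than guess
        values = [str(leaf.get("equals", "")).lower() for leaf in leaves]
        by_field.setdefault(fields.pop(), []).extend(values)
    return by_field


def rule_matches(rule):
    """Return (passes, reason) for one Activity Log Alert rule."""
    p = _props(rule)
    if not p.get("enabled", False):
        return False, "rule is disabled"
    by_field = _conditions_by_field(p.get("condition", {}))
    if "administrative" not in by_field.get("category", []):
        return False, "category is not Administrative"
    if TARGET_OPERATION.lower() not in by_field.get("operationname", []):
        return False, "operationName does not cover " + TARGET_OPERATION
    extra = FORBIDDEN_FILTER_FIELDS & set(by_field)
    if extra:
        return False, "rule filters on " + ", ".join(sorted(extra))
    groups = p.get("actions", {}).get("actionGroups", [])
    if not any(g.get("actionGroupId") for g in groups):
        return False, "no action group configured"
    return True, "ok"


def evaluate(rules):
    """Pass if at least one rule meets every criterion; also return per-rule findings."""
    findings = {r.get("name", "<unnamed>"): rule_matches(r) for r in rules}
    return any(ok for ok, _ in findings.values()), findings


# Constructed sample input (not real tenant data). Only "public-ip-write" is
# compliant; each of the others misses exactly one criterion.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
AG = SUB + "/resourceGroups/rg-monitoring/providers/microsoft.insights/actionGroups/ag-netops"
ADMIN = {"field": "category", "equals": "Administrative"}
PIP = {"field": "operationName", "equals": TARGET_OPERATION}
NSG = {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}
SAMPLE_RULES = [
    {"name": "public-ip-write", "enabled": True, "scopes": [SUB],
     "condition": {"allOf": [ADMIN, PIP]},
     "actions": {"actionGroups": [{"actionGroupId": AG}]}},
    {"name": "public-ip-write-verbose", "enabled": True, "scopes": [SUB],
     "condition": {"allOf": [ADMIN, PIP, {"field": "level", "equals": "Verbose"}]},
     "actions": {"actionGroups": [{"actionGroupId": AG}]}},
    {"name": "public-ip-write-disabled", "enabled": False, "scopes": [SUB],
     "condition": {"allOf": [ADMIN, PIP]},
     "actions": {"actionGroups": [{"actionGroupId": AG}]}},
    {"name": "network-writes-no-ag", "enabled": True, "scopes": [SUB],
     "condition": {"allOf": [ADMIN, {"anyOf": [PIP, NSG]}]},
     "actions": {"actionGroups": []}},
    {"name": "nsg-write", "properties": {"enabled": True, "scopes": [SUB],  # ARM shape
     "condition": {"allOf": [ADMIN, NSG]},
     "actions": {"actionGroups": [{"actionGroupId": AG}]}}},
]


def main(argv):
    # Pass a file written by `az monitor activity-log alert list -o json` as the
    # first argument to evaluate real rules; with no argument the sample is used.
    rules = SAMPLE_RULES
    if len(argv) > 1:
        with open(argv[1]) as fh:
            rules = json.load(fh)
    ok, findings = evaluate(rules)
    for name, (passes, reason) in findings.items():
        print("%-26s %s  %s" % (name, "PASS" if passes else "FAIL", reason))
    print("Check result:", "PASS" if ok else "FAIL")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample evaluated, or save the output of `az monitor activity-log alert list -o json` to a file and pass its path; the exit code is 0 only when at least one rule satisfies every criterion, which makes it usable as a post-remediation gate in a pipeline.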

How to fix it

Create the Activity Log Alert using Azure Portal, CLI, or PowerShell.

Azure Portal:

  1. Go to Monitor > Alerts > Alert rules.
  2. Click Create > Alert rule.
  3. Select your subscription under Scope.
  4. Under Condition, select:
     • Signal: Create or Update Public IP Address
     • Operation: Microsoft.Network/publicIPAddresses/write
     • Category: Administrative
     Leave the level, status, and initiating-user fields at their default (all) so the rule carries no Level, Status, or Caller filter.
  5. Under Actions, select or create an Action Group for notifications.
  6. Fill in details such as alert name and resource group.
  7. Click Review + create, then Create.

Azure CLI:

# The rule is created enabled unless --disable is passed, so no enable flag is needed.
az monitor activity-log alert create \
  --name "<activity log rule name>" \
  --resource-group "<resource group name>" \
  --scope "/subscriptions/<subscription ID>" \
  --condition "category=Administrative and operationName=Microsoft.Network/publicIPAddresses/write" \
  --action-group "<action group ID>"

PowerShell:

$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Administrative" -Field "category"
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Microsoft.Network/publicIPAddresses/write" -Field "operationName"
# Do not add level, status or caller conditions: the check requires the rule to carry no such filters.
$actionGroup = Get-AzActionGroup -ResourceGroupName "<resource group name>" -Name "<action group name>"
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id
$scope = "/subscriptions/<subscription ID>"
New-AzActivityLogAlert -Name "<activity log alert rule name>" `
  -ResourceGroupName "<resource group name>" `
  -Condition $conditions `
  -Scope $scope `
  -Location "global" `
  -Action $actionObject `
  -Subscription "<subscription ID>" `
  -Enabled $true

Replace all placeholders with your environment-specific values.


Exceptions

No exceptions are recommended. Any changes to public IP configuration must be logged and alerted on. If your organization uses an external monitoring platform, document its integration and ensure equivalent detection coverage.

