Verify that Activity Log Alert exists for Create or Update Security Solution
Why this matters
Security solutions (the Microsoft.Security/securitySolutions resource type) are part of the security baseline of a cloud environment. If they are created or updated without oversight, misconfigurations or malicious changes can go undetected. This alert ensures that every create or update of a security solution is surfaced immediately for review.
What this check does
This Auto Check verifies that an Activity Log Alert is configured for the event:
Operation name = Microsoft.Security/securitySolutions/write
Check Logic:
IF Activity Log Alert EXISTS AND
Condition includes Operation name = 'Microsoft.Security/securitySolutions/write' AND
Category = 'Administrative' AND
No filters on Level, Status, or Caller
THEN PASS
ELSE FAIL
Beyond the condition itself, the alert rule must be enabled and linked to an action group; a rule with no action group fires but notifies no one. Note that the check fails any rule that narrows the condition on Level, Status or Caller, so remediation should add only the category and operation name conditions.
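The check logic above, written out as a script that evaluates exported alert rules. This is an added example, not the Auto Check's own implementation: it assumes each rule is the JSON object that `az monitor activity-log alert list -o json` returns (keys `enabled`, `condition.allOf[].field` / `equals`, `actions.actionGroups[].actionGroupId`), applies the PASS/FAIL logic together with the enabled and action-group requirements, and runs over three constructed rules, one of which carries the level filter the check rejects.

```python
import json
import sys

# Conditions the rule must carry (field -> required value), per the check logic.
REQUIRED = {
    "category": "Administrative",
    "operationName": "Microsoft.Security/securitySolutions/write",
}
# Fields the rule must not constrain at all, or the check fails.
FORBIDDEN_FILTERS = {"level", "status", "caller"}


def evaluate_rule(rule):
    """Apply the check logic to one alert rule; return (passed, reasons)."""
    reasons = []
    leaves = (rule.get("condition") or {}).get("allOf") or []
    # Collect every value each field is constrained to. A leaf without a
    # field name (containsAny / anyOf forms) is ignored here.
    constrained = {}
    for leaf in leaves:
        field = (leaf.get("field") or "").strip().lower()
        if field:
            constrained.setdefault(field, []).append(leaf.get("equals"))
    for field, want in REQUIRED.items():
        values = constrained.get(field.lower(), [])
        if not any((v or "").lower() == want.lower() for v in values):
            reasons.append(f"missing condition {field} = {want}")
    # Any constraint on level/status/caller counts as a filter, whatever its form.
    for field in sorted(FORBIDDEN_FILTERS & set(constrained)):
        reasons.append(f"unexpected filter on {field} = {constrained[field]}")
    if not rule.get("enabled", False):
        reasons.append("rule is disabled")
    groups = (rule.get("actions") or {}).get("actionGroups") or []
    if not any(g.get("actionGroupId") for g in groups):
        reasons.append("no action group attached")
    return (not reasons, reasons)


def evaluate_subscription(rules):
    """PASS if at least one rule passes evaluate_rule, otherwise FAIL."""
    results = {r.get("name", "<unnamed>"): evaluate_rule(r) for r in rules}
    verdict = "PASS" if any(ok for ok, _ in results.values()) else "FAIL"
    return verdict, results


# Constructed sample (assumed shape of `az monitor activity-log alert list -o json`,
# trimmed to the keys the check reads). Subscription and action group IDs are placeholders.
SAMPLE_RULES = json.loads(r"""
[
  {
    "name": "secsol-write-compliant",
    "enabled": true,
    "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "condition": {"allOf": [
      {"field": "category", "equals": "Administrative"},
      {"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}
    ]},
    "actions": {"actionGroups": [{"actionGroupId":
      "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-monitoring/providers/microsoft.insights/actionGroups/secops-oncall"}]}
  },
  {
    "name": "secsol-write-level-filtered",
    "enabled": true,
    "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "condition": {"allOf": [
      {"field": "category", "equals": "Administrative"},
      {"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"},
      {"field": "level", "equals": "Verbose"}
    ]},
    "actions": {"actionGroups": [{"actionGroupId":
      "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-monitoring/providers/microsoft.insights/actionGroups/secops-oncall"}]}
  },
  {
    "name": "secsol-write-no-actions",
    "enabled": false,
    "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "condition": {"allOf": [
      {"field": "category", "equals": "Administrative"},
      {"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}
    ]},
    "actions": {"actionGroups": []}
  }
]
""")


if __name__ == "__main__":
    # Pipe real output in (az monitor activity-log alert list -o json | python3 check.py)
    # or run with no input to evaluate the constructed sample.
    rules = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RULES
    verdict, results = evaluate_subscription(rules)
    for name, (ok, reasons) in results.items():
        print(f"{name}: {'PASS' if ok else 'FAIL'} {'; '.join(reasons)}")
    print("Subscription verdict:", verdict)
```

The subscription verdict is PASS only because the first rule is compliant; the second rule is rejected solely for its level filter, and the third for being disabled and having no action group, which is why those two requirements are worth checking alongside the condition itself.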
How to fix it
Remediate via Azure Portal
- Go to Monitor > Alerts > Alert rules
- Click Create > Alert rule
- Select your Subscription as the scope
- Under Condition, click See all signals
- Select: Create or Update Security Solutions (Security Solutions)
- Leave the Event level, Status and Event initiated by filters unset, so the rule matches every occurrence of the operation
- Under Actions, assign an existing Action Group or create a new one
- Under Details, provide a name and resource group
- Review + Create > Create
Remediate via Azure CLI
# Only category and operationName are set as conditions. No level, status or
# caller condition is added: the check fails a rule that filters on those
# fields, and a level filter would also drop events logged at any other level.
az monitor activity-log alert create \
  --resource-group "<resource group name>" \
  --name "<activity log rule name>" \
  --condition category=Administrative and \
    operationName=Microsoft.Security/securitySolutions/write \
  --scope "/subscriptions/<subscription ID>" \
  --action-group <action group ID> \
  --subscription <subscription ID>
Remediate via PowerShell
# Build the allOf condition: category and operationName only. Do not add a
# level, status or caller condition; the check fails any rule that filters on them.
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Security/securitySolutions/write -Field operationName
# Resolve the action group that will receive the notification.
$actionGroup = Get-AzActionGroup -ResourceGroupName <resource group name> -Name <action group name>
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id
# Scope the rule to the whole subscription.
$scope = "/subscriptions/<subscription ID>"
New-AzActivityLogAlert -Name "<activity log alert rule name>" `
  -ResourceGroupName "<resource group name>" `
  -Condition $conditions `
  -Scope $scope `
  -Location global `
  -Action $actionObject `
  -SubscriptionId <subscription ID> `
  -Enabled $true
Exceptions
None. This is a critical control for ensuring auditability of all changes to active security solutions.