Verify that Activity Log Alert exists for Delete Public IP Address rule

Framework Reference: A.8.20
Integration: Azure Monitor Activity Logs

Why this matters

Public IP addresses are network-facing resources that expose services to the internet. Deleting one can take a service offline or be a sign of malicious tampering (for example, an attacker removing the address behind a bastion host or load balancer). Without an alert, such deletions can go unnoticed, delaying incident detection and response.


What this check does

This Auto Check verifies that an Activity Log Alert is in place for the event:

Operation name = Microsoft.Network/publicIPAddresses/delete

Check Logic:

IF   an Activity Log Alert EXISTS
AND  its Condition includes Operation name = 'Microsoft.Network/publicIPAddresses/delete'
AND  Category = 'Administrative'
AND  there are no filters on Level, Status, or Caller
THEN PASS
ELSE FAIL

The check ensures the alert is enabled and tied to an action group to notify security teams or infrastructure owners.
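The check logic above, written out as a small evaluator. This is an added example, not the article's own implementation of the Auto Check: it works on the JSON shape that Azure Resource Manager returns for Microsoft.Insights/activityLogAlerts resources (properties.enabled, properties.condition.allOf, properties.actions.actionGroups), and the three alert rules it evaluates are constructed sample data, not real subscription output. It treats a nested anyOf on operationName as acceptable as long as the delete operation is one of the listed values, and it treats any filter on level, status or caller (even inside an anyOf) as a failure, which is what the check logic requires.

```python
"""Evaluate Azure Activity Log Alert rules against the Delete Public IP Address check.

Added example. Input is a list of activityLogAlerts resources in the ARM JSON
shape; the SAMPLE_ALERTS below are constructed for illustration only.
"""
import json

REQUIRED_OPERATION = "Microsoft.Network/publicIPAddresses/delete"
REQUIRED_CATEGORY = "Administrative"
# The check demands that the rule carry no filter on these fields.
FORBIDDEN_FILTER_FIELDS = {"level", "status", "caller"}


def _leaf_conditions(condition):
    """Flatten allOf (and any nested anyOf) into (field, equals) pairs.

    Field names are lower-cased because Azure treats them case-insensitively.
    """
    leaves = []
    for item in condition.get("allOf", []):
        subs = item["anyOf"] if "anyOf" in item else [item]
        for sub in subs:
            leaves.append((sub.get("field", "").lower(), sub.get("equals", "")))
    return leaves


def evaluate_alert(alert):
    """Return (passed, reasons) for a single activityLogAlerts resource."""
    props = alert.get("properties", alert)
    leaves = _leaf_conditions(props.get("condition", {}))
    reasons = []

    if not any(f == "category" and v.lower() == REQUIRED_CATEGORY.lower() for f, v in leaves):
        reasons.append("category != Administrative")
    if not any(f == "operationname" and v.lower() == REQUIRED_OPERATION.lower() for f, v in leaves):
        reasons.append("operationName does not include the delete operation")

    extra = sorted({f for f, _ in leaves if f in FORBIDDEN_FILTER_FIELDS})
    if extra:
        reasons.append("filters on " + ", ".join(extra))

    if not props.get("enabled", False):
        reasons.append("rule disabled")
    if not props.get("actions", {}).get("actionGroups"):
        reasons.append("no action group attached")

    return (not reasons, reasons)


def check_subscription(alerts):
    """PASS when at least one rule in the subscription satisfies every condition."""
    results = {a.get("name", "?"): evaluate_alert(a) for a in alerts}
    return any(ok for ok, _ in results.values()), results


# Constructed sample data (hypothetical names and IDs, not a real subscription).
_AG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec/providers/microsoft.insights/actionGroups/ag-secops"
SAMPLE_ALERTS = json.loads(json.dumps([
    {   # compliant: category + operationName, enabled, action group attached
        "name": "alert-delete-public-ip",
        "properties": {
            "enabled": True,
            "condition": {"allOf": [
                {"field": "category", "equals": "Administrative"},
                {"field": "operationName", "equals": REQUIRED_OPERATION},
            ]},
            "actions": {"actionGroups": [{"actionGroupId": _AG}]},
        },
    },
    {   # fails: an extra level filter narrows the rule to a subset of events
        "name": "alert-delete-public-ip-verbose-only",
        "properties": {
            "enabled": True,
            "condition": {"allOf": [
                {"field": "category", "equals": "Administrative"},
                {"field": "operationName", "equals": REQUIRED_OPERATION},
                {"field": "level", "equals": "Verbose"},
            ]},
            "actions": {"actionGroups": [{"actionGroupId": _AG}]},
        },
    },
    {   # fails: right condition, but disabled and nothing is notified
        "name": "alert-delete-public-ip-orphaned",
        "properties": {
            "enabled": False,
            "condition": {"allOf": [
                {"field": "category", "equals": "Administrative"},
                {"field": "operationName", "equals": REQUIRED_OPERATION},
            ]},
            "actions": {"actionGroups": []},
        },
    },
]))


if __name__ == "__main__":
    passed, results = check_subscription(SAMPLE_ALERTS)
    for name, (ok, reasons) in results.items():
        print(f"{name}: {'PASS' if ok else 'FAIL'} {reasons}")
    print("subscription:", "PASS" if passed else "FAIL")
```

To run it against a real subscription, feed `check_subscription` the list returned by `az rest --method get --url "/subscriptions/<subscription ID>/providers/Microsoft.Insights/activityLogAlerts?api-version=2020-10-01"` (the `value` array), which has exactly this shape.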


How to fix it

Remediate via Azure Portal

  1. Go to Monitor > Alerts > Alert rules
  2. Click Create → Alert rule
  3. Choose your Subscription as the scope
  4. Under Condition, click See all signals
  5. Select: Delete Public IP Address (Public IP Address)
  6. Leave Event level, Status and Event initiated by at their defaults (all); adding a filter on any of them makes the rule fail this check
  7. Under Actions, assign an existing Action Group or create a new one
  8. Under Details, provide a name and resource group
  9. Review + create → Create

Remediate via Azure CLI

# Condition is a single string; no level=, status= or caller= clause, because
# the check requires the rule to carry no filter on those fields.
az monitor activity-log alert create \
  --resource-group "<resource group name>" \
  --name "<activity log rule name>" \
  --condition "category=Administrative and operationName=Microsoft.Network/publicIPAddresses/delete" \
  --scope "/subscriptions/<subscription ID>" \
  --action-group "<action group ID>" \
  --subscription "<subscription ID>"

Remediate via PowerShell

# Build the condition from leaf objects: category and operationName only.
# Do not add a level condition; a filter on Level, Status or Caller fails this check.
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Network/publicIPAddresses/delete -Field operationName

# Attach the action group that notifies the security team / resource owners.
$actionGroup  = Get-AzActionGroup -ResourceGroupName "<resource group name>" -Name "<action group name>"
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id

# Scope the rule to the whole subscription so every public IP deletion is covered.
$scope = "/subscriptions/<subscription ID>"

New-AzActivityLogAlert -Name "<activity log alert rule name>" `
  -ResourceGroupName "<resource group name>" `
  -SubscriptionId "<subscription ID>" `
  -Condition $conditions `
  -Scope $scope `
  -Location global `
  -Action $actionObject `
  -Enabled:$true


Exceptions

None. This is a mandatory security logging control.

