Verify that Activity Log Alert exists for Delete Security Solution

Framework Reference: 7.1.2.5 Activity Log Monitoring – Security Solutions (Level 1)

Why this matters

Security Solutions in Azure (Microsoft Defender integrations and related configurations) directly affect your security posture.
If a security solution is created, modified, or reconfigured:
Defensive controls may be weakened or disabled
Monitoring scope may change
New integrations may introduce risk
Attackers may attempt to alter security configurations to evade detection
Monitoring the Microsoft.Security/securitySolutions/write operation ensures visibility into changes that impact your security tooling.
Without an alert, these changes can occur silently.

What this check does

This Auto Check verifies that an Azure Activity Log Alert exists for the operation:

Microsoft.Security/securitySolutions/write

Check Logic

Passes if:

An Activity Log Alert rule exists, and
The condition includes:
Category = Administrative
Operation name = Microsoft.Security/securitySolutions/write
The alert is Enabled, and
An Action Group is assigned.

Fails if:

No matching alert rule exists,
The alert is disabled, or
No Action Group is configured.

Applies to:

Azure subscription-level monitoring
Administrative activity in Activity Logs
The check queries Azure Monitor alert rule configurations.

How to fix it

Create an Activity Log Alert for Create or Update Security Solution events.

Azure Portal

Navigate to Monitor.
Select Alerts.
Click Create → Alert rule.
Select the relevant Subscription.
Go to the Condition tab.
Click See all signals.
Select Create or Update Security Solutions (Security Solutions).
Click Apply.
Go to the Actions tab.
Select an existing Action Group or create a new one.
Go to the Details tab.
Provide:
Resource Group
Alert Rule Name
Optional description
Click Review + create.
Click Create.

Azure CLI

az monitor activity-log alert create \ --resource-group "<resource group name>" \ --condition category=Administrative and operationName=Microsoft.Security/securitySolutions/write \ --scope "/subscriptions/<subscription ID>" \ --name "<activity log rule name>" \ --subscription <subscription ID> \ --action-group <action group ID>

PowerShell

Create conditions:

$conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Security/securitySolutions/write -Field operationName

Retrieve action group:

$actionGroup = Get-AzActionGroup -ResourceGroupName <resource group name> -Name <action group name> $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id

Create scope:

$scope = "/subscriptions/<subscription ID>"

Create alert rule:

New-AzActivityLogAlert -Name "<activity log alert rule name>" ` -ResourceGroupName "<resource group name>" ` -Condition $conditions ` -Scope $scope ` -Location global ` -Action $actionObject ` -Subscription <subscription ID> ` -Enabled $true

Default value

By default, no Activity Log Alerts are configured.

Impact

Generates alerts when Security Solutions are created or modified.
Requires an Action Group (email, webhook, SIEM, etc.).
May increase alert volume depending on environment changes.
Proper alert routing and triage processes are required.

Exceptions

No standard exceptions recommended.
If centralized monitoring is handled externally (e.g., SIEM ingestion of Activity Logs):
Document the alternative detection mechanism.
Ensure equivalent alerting for Microsoft.Security/securitySolutions/write.
Validate that alerts are actionable and monitored.