Unable to make the policy "An activity log alert should exist for specific administrative operations" compliance

Fahim Thanawala 0 Reputation points
2025-02-20T18:40:41.2833333+00:00

Hello All,

We have applied the Azure CIS Azure Foundations v2.1.0 Regulatory Compliance initiative to our subscription. Some of the policies in the initiative are not becoming compliant. Below is the initiative for the NSG.


I have created an alert for NSG creation and update and it is compliant, but I am unable to find a solution for the policy "An activity log alert should exist for specific administrative operations".


Need help on this.

Regards,

Fahim


1 answer

  1. Stanislav Zhelyazkov 26,256 Reputation points MVP
    2025-02-21T06:51:57.94+00:00

    Hi,

    That policy has an input parameter named operationName. So you should first check which of these operations the policy was configured to check:

    
        "Microsoft.Sql/servers/firewallRules/write",
        "Microsoft.Sql/servers/firewallRules/delete",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/networkSecurityGroups/delete",
        "Microsoft.ClassicNetwork/networkSecurityGroups/write",
        "Microsoft.ClassicNetwork/networkSecurityGroups/delete",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write",
        "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"
    

    After that you should configure an activity log alert with conditions so that it applies to the Administrative category and an operation name, for example Microsoft.Network/networkSecurityGroups/delete. Note that when you configure the alert via the portal these operation names have display names instead of the raw type; if you hover the mouse over the display name you will see the type. For example, the type Microsoft.Network/networkSecurityGroups/delete has the display name "Delete Network Security Group (Network Security Group)". In case you have one or more policies assigned with different input for operationName you will need to create an alert rule for each operation. Also keep in mind that if the policy is assigned to more than one subscription you should create such an alert rule for each subscription.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
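As an added example (not the poster's code) of the per-operation alert rules the answer describes, this POSIX shell script builds one `az monitor activity-log alert create` call for each operation type in the policy's operationName parameter, scoped to a single subscription. SUBSCRIPTION_ID, RESOURCE_GROUP and ACTION_GROUP_ID are assumed placeholders, and the commands are only printed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original post: one activity log alert rule per operation
# in the policy's operationName parameter, scoped to a single subscription.
# SUBSCRIPTION_ID, RESOURCE_GROUP and ACTION_GROUP_ID are placeholders (assumed values).
set -eu
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-monitoring}"                           # assumed
ACTION_GROUP_ID="${ACTION_GROUP_ID:-ag-secops}"                             # assumed
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the az commands; 0 = run them (needs az login)

# Operation types exactly as listed in the policy parameter quoted in the answer.
OPERATIONS="Microsoft.Sql/servers/firewallRules/write
Microsoft.Sql/servers/firewallRules/delete
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/networkSecurityGroups/delete
Microsoft.ClassicNetwork/networkSecurityGroups/write
Microsoft.ClassicNetwork/networkSecurityGroups/delete
Microsoft.Network/networkSecurityGroups/securityRules/write
Microsoft.Network/networkSecurityGroups/securityRules/delete
Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write
Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"

# The policy looks for an alert condition on the Administrative category plus the raw
# operation type (not the portal display name), so build exactly that string.
build_condition() {
  printf 'category=Administrative and operationName=%s' "$1"
}

# Readable rule name, e.g. Microsoft.Network/networkSecurityGroups/delete
# -> ala-network-networksecuritygroups-delete
alert_name_for() {
  printf 'ala-%s' "${1#Microsoft.}" | tr '/' '-' | tr '[:upper:]' '[:lower:]'
}

create_alert() {
  name=$(alert_name_for "$1")
  cond=$(build_condition "$1")
  if [ "$DRY_RUN" = 1 ]; then
    printf 'az monitor activity-log alert create --name %s --resource-group %s --scope /subscriptions/%s --condition "%s" --action-group %s\n' \
      "$name" "$RESOURCE_GROUP" "$SUBSCRIPTION_ID" "$cond" "$ACTION_GROUP_ID"
  else
    az monitor activity-log alert create --name "$name" --resource-group "$RESOURCE_GROUP" \
      --scope "/subscriptions/$SUBSCRIPTION_ID" --condition "$cond" --action-group "$ACTION_GROUP_ID"
  fi
}

# One rule per operation; rerun with another SUBSCRIPTION_ID for each subscription the policy is assigned to.
printf '%s\n' "$OPERATIONS" | while IFS= read -r op; do
  create_alert "$op"
done
```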