Test 245: Azure Log Alert for Delete Policy Assignment

Drata validates that an activity log alert for the 'Delete Policy Assignment' event exists in Azure.

Updated over a month ago

Monitoring for "Delete Policy Assignment" events gives insight into changes made to Azure Policy assignments and can reduce the time it takes to detect unsolicited changes.

Note: Available for Azure Management Groups as well.

ASSOCIATED DRATA CONTROL

This test is part of DCF-406, DCF-407, and DCF-86. The Audit Logging control (DCF-406) ensures that audit logs are enabled and active for all system components and sensitive data in accordance with company policies. The System Monitoring control (DCF-86) ensures that production systems and resources are monitored and that automated alerts are sent out to personnel based on pre-configured rules. Events are triaged to determine if they constitute an incident and escalated per policy if necessary.

WHAT TO DO IF A TEST FAILS

If Drata finds that there is no activity log alert for the 'Delete Policy Assignment' event in Azure, the test will fail. Monitoring for delete policy assignment events gives insight into changes made to Azure Policy assignments and can reduce the time it takes to detect unsolicited changes.

STEPS TO REMEDIATE

1. Navigate to the 'Monitor' blade.

2. Select 'Alerts' > 'Create' > 'Alert rule'.

3. Choose a subscription and select 'Apply'.

4. Select the 'Condition' tab and click 'See all signals'.

5. Select 'Delete policy assignment (Policy assignment)' and click 'Apply'.

6. Select the 'Actions' tab and click 'Select action groups' to select an existing action group, or 'Create action group' to create a new action group. Then follow the prompts to choose or create an action group.

7. Select the 'Details' tab.

8. Select a 'Resource group', provide an 'Alert rule name' and an optional 'Alert rule description'.

9. Click 'Review + create' and then click 'Create'.
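
After creating the rule, you can confirm it covers the subscription by checking the JSON from `az monitor activity-log alert list -o json`. The script below is an added example, not Drata's own test logic. It assumes the Azure CLI's field names (`enabled`, `scopes`, `condition.allOf`, `actions.actionGroups`) and treats a rule as sufficient only if it is enabled, scoped to the whole subscription, and has an action group. The rule names and subscription ID are constructed.

```python
# Operation the activity log records when a policy assignment is deleted (lower-cased).
DELETE_OP = "microsoft.authorization/policyassignments/delete"

def leaf_conditions(rule):
    """Return lower-cased (field, equals) pairs from condition.allOf and nested anyOf."""
    pairs = []
    for cond in (rule.get("condition") or {}).get("allOf") or []:
        for leaf in [cond] + (cond.get("anyOf") or []):
            if leaf.get("field") and leaf.get("equals"):
                pairs.append((leaf["field"].lower(), leaf["equals"].lower()))
    return pairs

def rule_gaps(rule, subscription_id):
    """List why this rule falls short for the subscription; an empty list means it covers it."""
    gaps = []
    target = f"/subscriptions/{subscription_id}".lower()
    if not rule.get("enabled"):
        gaps.append("rule is disabled")
    if target not in [s.lower().rstrip("/") for s in rule.get("scopes") or []]:
        gaps.append("not scoped to the whole subscription")
    if not (rule.get("actions") or {}).get("actionGroups"):
        gaps.append("no action group attached")
    return gaps

def audit(rules, subscription_id):
    """Return (passed, report); report maps each candidate rule name to its gaps."""
    report = {}
    for rule in rules:
        if ("operationname", DELETE_OP) in leaf_conditions(rule):
            report[rule.get("name", "<unnamed>")] = rule_gaps(rule, subscription_id)
    return any(not gaps for gaps in report.values()), report

# Constructed sample input (not real tenant data): two rules that both fall short.
SUB = "00000000-0000-0000-0000-000000000000"
OP_COND = {"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}
SAMPLE = [
    {"name": "policy-delete-disabled", "enabled": False,
     "scopes": [f"/subscriptions/{SUB}"],
     "condition": {"allOf": [{"field": "category", "equals": "Administrative"}, OP_COND]},
     "actions": {"actionGroups": [{"actionGroupId": f"/subscriptions/{SUB}/resourceGroups/rg-sec"
                                   "/providers/microsoft.insights/actionGroups/ag-secops"}]}},
    {"name": "policy-delete-rg-only", "enabled": True,
     "scopes": [f"/subscriptions/{SUB}/resourceGroups/rg-app"],
     "condition": {"allOf": [OP_COND]},
     "actions": {"actionGroups": []}},
]

if __name__ == "__main__":
    print(audit(SAMPLE, SUB))
```

A rule that matches the operation but is disabled, scoped too narrowly, or has no action group appears in the report with its gaps listed, which separates "alert missing" from "alert present but ineffective".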

Center for Internet Security (CIS)

This is a test that aligns with the Center for Internet Security’s (CIS) benchmarks for Microsoft Azure, providing prescriptive guidance to establish a secure baseline configuration for Azure environments. These benchmarks are developed through a global, consensus-driven process involving cybersecurity experts to help organizations strengthen their defenses against potential threats in the cloud.
