User Profile
Sahins
Copper Contributor
Joined Oct 21, 2020
Recent Discussions
An activity log alert should exist for specific Policy operations : Wrong category in the rules sec
Hi,

I have "CIS Microsoft Azure Foundations Benchmark 1.1.0" assigned to my subscription and the policy "An activity log alert should exist for specific Policy operations" is non-compliant even though I created the necessary alert rules. I noticed that the category for the necessary alert rules (allowed values in the policy definition) is "Administrative" rather than "Policy", which is indicated in the policy rules. When I duplicate the policy and change the category to "Administrative" it becomes compliant, but the built-in policy is not affected by this and the whole initiative stays non-compliant, which also affects my compliance level for industry standards.

What can I do to make this policy and initiative compliant and get compliant with industry standards? Or should it be updated by the relevant team?

{
  "properties": {
    "displayName": "An activity log alert should exist for specific Policy operations",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits specific Policy operations with no activity log alerts configured.",
    "metadata": { "version": "2.0.0", "category": "Monitoring" },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" },
        "allowedValues": [ "AuditIfNotExists", "Disabled" ],
        "defaultValue": "AuditIfNotExists"
      },
      "operationName": {
        "type": "String",
        "metadata": { "displayName": "Operation Name", "description": "Policy Operation name for which activity log alert should exist" },
        "allowedValues": [
          "Microsoft.Authorization/policyAssignments/write",
          "Microsoft.Authorization/policyAssignments/delete"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Resources/subscriptions" }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/ActivityLogAlerts",
          "existenceCondition": {
            "allOf": [
              { "field": "Microsoft.Insights/ActivityLogAlerts/enabled", "equals": "true" },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          { "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field", "equals": "category" },
                          { "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals", "equals": "Policy" }
                        ]
                      },
                      {
                        "allOf": [
                          { "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field", "equals": "operationName" },
                          { "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals", "equals": "[parameters('operationName')]" }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              },
              { "not": { "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field", "equals": "category" } },
              { "not": { "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field", "equals": "operationName" } }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c5447c04-a4d7-4ba8-a263-c9ee321a6858"
}

Kind regards,
Sahin
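The mismatch described in the post, as an added example that is not part of the original post and not Microsoft's code: a simplified Python model of the quoted existenceCondition, run against constructed alert rules. The helper names and sample alerts are assumptions, and the model covers only the count/where clause and the all-members behaviour of a [*] alias used outside count.

```python
# Added example: simplified model of the existenceCondition quoted in the post.
WRITE_OP = "Microsoft.Authorization/policyAssignments/write"

def leaf_count(leaves, category, operation):
    # "count ... where anyOf": members of condition.allOf that are either the
    # expected category leaf or the expected operationName leaf.
    return sum(
        1 for leaf in leaves
        if (leaf.get("field") == "category" and leaf.get("equals") == category)
        or (leaf.get("field") == "operationName" and leaf.get("equals") == operation)
    )

def every_field_is(leaves, name):
    # A [*] alias used outside "count" holds only if every member matches.
    return all(leaf.get("field") == name for leaf in leaves)

def alert_satisfies(alert, operation, category="Policy"):
    # category defaults to "Policy", the value hard-coded in the built-in rule.
    leaves = alert["condition"]["allOf"]
    return bool(
        alert["enabled"]
        and leaf_count(leaves, category, operation) == 2
        and not every_field_is(leaves, "category")
        and not every_field_is(leaves, "operationName")
    )

def subscription_compliant(alerts, operation, category="Policy"):
    # AuditIfNotExists: one alert meeting the existence condition is enough.
    return any(alert_satisfies(a, operation, category) for a in alerts)

def make_alert(category, operation, enabled=True):
    # Constructed sample alert rule, reduced to the properties the policy reads.
    return {"enabled": enabled, "condition": {"allOf": [
        {"field": "category", "equals": category},
        {"field": "operationName", "equals": operation},
    ]}}

ADMIN_ALERT = make_alert("Administrative", WRITE_OP)   # what the post's alert rules use
POLICY_ALERT = make_alert("Policy", WRITE_OP)          # what the built-in rule expects

if __name__ == "__main__":
    print("built-in rule, Administrative alert:",
          subscription_compliant([ADMIN_ALERT], WRITE_OP))
    print("duplicated rule (category=Administrative):",
          subscription_compliant([ADMIN_ALERT], WRITE_OP, category="Administrative"))
    print("built-in rule, Policy alert:",
          subscription_compliant([POLICY_ALERT], WRITE_OP))
```

With the "Administrative" alert only the operationName leaf matches, so the count is 1 instead of the required 2 and the subscription is audited as non-compliant.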