Security Alerts
Provisioning of Azure Monitor Activity Log Alert and Action Group.
This documentation describes the configuration and usage of the Terraform resources that create Azure Monitor Activity Log Alerts and the Action Group they notify. Together they monitor and respond to security-relevant events and changes at the subscription level.
The file monitor.tf contains the code that provisions these subscription-level Azure Monitor alerts.
1. Azure Monitor Resources
Action Group (azurerm_monitor_action_group)
The azurerm_monitor_action_group resource defines an Azure Monitor Action Group. This action group is responsible for handling notifications and responses when activity log alerts are triggered. Key attributes include:
- name: The name of the action group.
- short_name: A short display name (12 characters or fewer) that Azure shows in notifications; required.
- resource_group_name: The Azure Resource Group the action group is created in.
- email_receiver: Defines an email notification and the recipient's address.
- tags: Tags associated with the action group.
Activity Log Alerts (azurerm_monitor_activity_log_alert)
There are eight azurerm_monitor_activity_log_alert resources, each defining a different activity log alert. These alerts are used to monitor specific security-related events. Common attributes for these resources include:
- name: A unique name for the alert.
- resource_group_name: The Azure Resource Group the alert is created in.
- scopes: The Azure subscription to monitor.
- description: A brief description of the alert's purpose.
- criteria: The Activity Log category and operation that trigger the alert.
- action: The action group that receives notifications when the alert fires.
2. Resource Configuration
Action Group (azurerm_monitor_action_group)
The azurerm_monitor_action_group resource is configured as follows:
- name: "alert-group-${var.common_tags.project}-${var.tags.environment}"
- short_name: "alert${var.common_tags.project}${var.tags.environment_short}" (must stay within the 12-character limit)
- resource_group_name: [Specify the Azure Resource Group where this action group is created]
- email_receiver:
  - name: "alert-group-${var.common_tags.project}-${var.tags.environment}"
  - email_address: [Specify the email address for receiving notifications]
- tags: [Specify any additional tags you want to associate with the action group]
Activity Log Alerts (azurerm_monitor_activity_log_alert)
Each azurerm_monitor_activity_log_alert resource is configured the same way, varying only in the operation it watches. For example, the "Create or Update Security Group" alert is configured as follows:
- name: "Activity Log Alert for Create or Update Security Group"
- resource_group_name: [Specify the Azure Resource Group]
- scopes: [Specify the Azure subscription ID]
- description: [Provide a brief description of the alert]
- criteria:
  - category: "Administrative" (Resource Manager create, update and delete operations are logged in this category; the "Security" category only carries Microsoft Defender for Cloud alerts, so an ARM operation paired with it never matches)
  - operation_name: "Microsoft.Network/networkSecurityGroups/write"
- action:
  - action_group_id: [Reference the action group's ID]
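Because all eight alerts share the same resource group, scope, category and action group, the per-alert blocks can be generated from one map. The following is an added example and not the project's monitor.tf; the four operations in the map are illustrative control-plane operations chosen for this example, not the project's actual alert set, and it assumes the azurerm_resource_group.main, data.azurerm_subscription.current and azurerm_monitor_action_group.monitor_action_group_soc resources exist with the names used elsewhere on this page.

```hcl
# Added example (not the project's code): generate subscription-level
# activity log alerts from a single map so scope, category and action
# wiring cannot drift between alerts.

data "azurerm_subscription" "current" {}

locals {
  # Map keys become the resource instance keys; operation_name is the ARM
  # operation exactly as it appears in the Activity Log "operationName"
  # field. The entries below are illustrative, not the project's eight.
  activity_log_alerts = {
    nsg_write = {
      display_name   = "Create or Update Security Group"
      operation_name = "Microsoft.Network/networkSecurityGroups/write"
    }
    nsg_delete = {
      display_name   = "Delete Security Group"
      operation_name = "Microsoft.Network/networkSecurityGroups/delete"
    }
    policy_assignment_write = {
      display_name   = "Create Policy Assignment"
      operation_name = "Microsoft.Authorization/policyAssignments/write"
    }
    sql_firewall_rule_write = {
      display_name   = "Create or Update SQL Server Firewall Rule"
      operation_name = "Microsoft.Sql/servers/firewallRules/write"
    }
  }
}

resource "azurerm_monitor_activity_log_alert" "subscription" {
  for_each = local.activity_log_alerts

  name                = "Activity Log Alert for ${each.value.display_name}"
  resource_group_name = azurerm_resource_group.main.name
  # Subscription scope: every matching operation anywhere in the
  # subscription is evaluated, not just those in this resource group.
  scopes      = [data.azurerm_subscription.current.id]
  description = "Fires on ${each.value.operation_name} anywhere in the subscription"
  tags        = merge(var.tags, var.common_tags)

  criteria {
    # Resource Manager create/update/delete operations are logged under the
    # Administrative category. "Security" carries only Defender for Cloud
    # alerts, so pairing it with an ARM operation_name yields an alert that
    # applies cleanly but never fires.
    category       = "Administrative"
    operation_name = each.value.operation_name
  }

  action {
    action_group_id = azurerm_monitor_action_group.monitor_action_group_soc.id
  }
}

# Exposes the alert IDs so a pipeline step can confirm all expected
# alerts were created (for example by comparing against keys(local.activity_log_alerts)).
output "activity_log_alert_ids" {
  value = { for k, a in azurerm_monitor_activity_log_alert.subscription : k => a.id }
}
```

Adding an alert becomes a one-entry change to the map, and a reviewer checking the plan only has to confirm the operation name, since the category and action group are fixed in one place.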
3. Benefits
- Early detection of security incidents and policy violations.
- Reduction in response time to suspicious activities.
- Automation of notifications and response actions.
- Enhanced security monitoring in the Azure environment.
4. Example Usage
Here's an example of how to use these resources in a Terraform configuration:
commons.tfvars:
monitor_action_group_soc_email = "Infra@reg-1.com"
variables.tf:
variable "monitor_action_group_soc_email" {
  description = "Email address to be used on the action group"
  type        = string
}
monitor.tf:
resource "azurerm_monitor_action_group" "monitor_action_group_soc" {
  name                = "alert-group-${var.common_tags.project}-${var.tags.environment}"
  resource_group_name = azurerm_resource_group.main.name
  # Azure limits short_name to 12 characters; keep project and environment_short brief.
  short_name = "alert${var.common_tags.project}${var.tags.environment_short}"
  tags       = merge(var.tags, var.common_tags)

  email_receiver {
    name          = "alert-group-${var.common_tags.project}-${var.tags.environment}"
    email_address = var.monitor_action_group_soc_email
  }
}
resource "azurerm_monitor_activity_log_alert" "activity_log_alert_cu_security_group" {
  name                = "Activity Log Alert for Create or Update Security Group"
  resource_group_name = azurerm_resource_group.main.name
  # Subscription scope: every NSG write in the subscription is evaluated.
  scopes      = [data.azurerm_subscription.current.id]
  description = "Monitoring for Create or Update Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity"
  tags        = merge(var.tags, var.common_tags)

  criteria {
    # Resource Manager create/update/delete operations are logged under the
    # Administrative category. "Security" carries only Defender for Cloud
    # alerts, so category = "Security" with an ARM operation_name never fires.
    category       = "Administrative"
    operation_name = "Microsoft.Network/networkSecurityGroups/write"
  }

  action {
    action_group_id = azurerm_monitor_action_group.monitor_action_group_soc.id
  }
}