nuclei-templates/cloud/azure/activitylog/azure-public-ip-update-unal...

id: azure-public-ip-update-unalerted
info:
  name: Azure Public IP Create/Update Alert Not Configured
  author: princechaddha
  severity: high
  description: |
    Ensure that activity log alerts are used to detect "Create or Update Public IP Address" events within your Microsoft Azure cloud account. An activity log alert gets activated when a new activity log event that matches the condition specified in the alert occurs.
  impact: |
    Without proper alert rules configured for monitoring "Create or Update Public IP Address" events, unauthorized or unwanted changes might go unnoticed, leading to potential security risks.
  remediation: |
    Ensure alert rules are properly configured to monitor and notify on "Create or Update Public IP Address" events by setting the alert condition to "Microsoft.Network/publicIPAddresses/write" and ensuring that an action group is attached to manage notifications.
  reference:
    - https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-activity-log
  tags: cloud,devops,azure,microsoft,public-ip,azure-cloud-config

flow: |
  code(1);
  for (let AlertData of iterate(template.alertList)) {
    set("id", AlertData);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az monitor activity-log alert list --output json --query '[?(enabled==`true`)].id'

    extractors:
      - type: json
        name: alertList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az monitor activity-log alert show --ids "$id"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"field": "operationName"'

      - type: word
        words:
          - "Microsoft.Network/publicIPAddresses/write"
        negative: true

    extractors:
      - type: dsl
        dsl:
          - 'id + " does not have the correct alert configuration for Create/Update Public IP Address events"'
# digest: 4a0a0047304502202be5a4a2bfa611b69fc79517df7164c88db74f9f14d264ec39f7d9cca5b7e6e5022100dd1eedf832d9786e3077c4d98c92da7f0c58dab10314f9689772a46f2ec809b0:922c64590222798bb761d5b6d8e72950
added activitylog templates 2024-07-25 13:03:55 +00:00			`id: azure-public-ip-update-unalerted`
			`info:`
			`name: Azure Public IP Create/Update Alert Not Configured`
			`author: princechaddha`
			`severity: high`
			`description: \|`
			`Ensure that activity log alerts are used to detect "Create or Update Public IP Address" events within your Microsoft Azure cloud account. An activity log alert gets activated when a new activity log event that matches the condition specified in the alert occurs.`
			`impact: \|`
			`Without proper alert rules configured for monitoring "Create or Update Public IP Address" events, unauthorized or unwanted changes might go unnoticed, leading to potential security risks.`
			`remediation: \|`
			`Ensure alert rules are properly configured to monitor and notify on "Create or Update Public IP Address" events by setting the alert condition to "Microsoft.Network/publicIPAddresses/write" and ensuring that an action group is attached to manage notifications.`
			`reference:`
			`- https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-activity-log`
			`tags: cloud,devops,azure,microsoft,public-ip,azure-cloud-config`

			`flow: \|`
			`code(1);`
			`for (let AlertData of iterate(template.alertList)) {`
			`set("id", AlertData);`
			`code(2);`
			`}`

			`self-contained: true`
			`code:`
			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			az monitor activity-log alert list --output json --query '[?(enabled==`true`)].id'

			`extractors:`
			`- type: json`
			`name: alertList`
			`internal: true`
			`json:`
			`- '.[]'`

			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`az monitor activity-log alert show --ids "$id"`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- '"field": "operationName"'`

			`- type: word`
			`words:`
			`- "Microsoft.Network/publicIPAddresses/write"`
			`negative: true`

			`extractors:`
			`- type: dsl`
			`dsl:`
			`- 'id + " does not have the correct alert configuration for Create/Update Public IP Address events"'`
chore: sign templates 🤖 2024-09-12 05:59:14 +00:00			`# digest: 4a0a0047304502202be5a4a2bfa611b69fc79517df7164c88db74f9f14d264ec39f7d9cca5b7e6e5022100dd1eedf832d9786e3077c4d98c92da7f0c58dab10314f9689772a46f2ec809b0:922c64590222798bb761d5b6d8e72950`