daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/cloud/azure/activitylog/azure-vm-create-update-unal...

57 lines
2.2 KiB
YAML
Raw Permalink Blame History

id: azure-vm-create-update-unalerted
info:
name: Azure VM Create/Update Alert Not Configured
author: princechaddha
severity: high
description: |
Ensure that an Azure activity log alert is fired whenever "Create Virtual Machine" or "Update Virtual Machine" events are triggered in your Microsoft Azure cloud account. Activity log alerts get triggered when a new activity log event that matches the condition specified in the alert configuration occurs. This rule is crucial as it monitors for any administrative activity log related to "Create or Update Virtual Machine".
impact: |
Failing to monitor "Create or Update Virtual Machine" events could allow unauthorized or harmful modifications to go unnoticed, increasing security and operational risks.
remediation: |
Configure alert rules to fire on "Create or Update Virtual Machine" events by setting the alert condition to "Microsoft.Compute/virtualMachines/write" and ensuring that notifications are managed through an action group.
reference:
- https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-activity-log
tags: cloud,devops,azure,microsoft,virtual-machines,azure-cloud-config
flow: |
code(1);
for (let AlertData of iterate(template.alertList)) {
set("vm_id", AlertData);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az monitor activity-log alert list --output json --query '[?(enabled==`true`)].id'
extractors:
- type: json
name: alertList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az monitor activity-log alert show --ids "$vm_id" --query 'condition'
matchers-condition: and
matchers:
- type: word
words:
- '"field": "operationName"'
- type: word
words:
- "Microsoft.Compute/virtualMachines/write"
negative: true
extractors:
- type: dsl
dsl:
- 'vm_id + " does not have the correct alert configuration for Create/Update Virtual Machine events"'
# digest: 4b0a00483046022100dfcdc763db362820afe709e6dbca00cf01a1b63a7809ec3089905dfa9ee50c00022100e979c3eef747d5acde32145f669f1c3a93d34a1d5eb7da0cd4fe87850ea9b63f:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink