The penetration testing report showed that (page 38):
A number of rules were absent from Azure Monitor that can be enabled to flag upon detection of potentially powerful operations, that may be actioned by an attacker attempting to gain access to hardened resources.
Upon reviewing the alert rules configured for the environment, it was identified that there were missed opportunities to alert upon changes to firewall rules for SQL Servers and Network Security Groups.
The following recommended alert rules according to CIS Microsoft Azure Foundations Benchmark latest version v1.3.0 were missing from the environment.
Create Policy Assignment activity log alert exist
Create or update Network Security Group activity log alert exist
Delete Network Security Group activity log alert exist
Create or update Network Security Group Rule activity log alert exist
Delete Network Security Group Rule activity log alert exist
Create or update Security Solution activity log alert exist
Delete Security Solution activity log alert exist
Create or update or delete SQL Server Firewall Rule activity log alert exist
This is a medium-level risk, but is something we must fix before the next pen-test.
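As an added example (not part of the report or of this ticket), the following POSIX shell script generates the Azure CLI commands that create the missing CIS Azure Foundations Benchmark v1.3.0 section 5.2 activity log alerts at subscription scope, one rule per Administrative operationName. The subscription id, resource group and action group are placeholder values; the operationName values are the ones each CIS alert keys on, and the SQL Server firewall rule alert is split here into a write rule and a delete rule. By default the script only prints the commands (DRY_RUN=1); set DRY_RUN=0 after `az login` to actually create the rules.

```shell
#!/bin/sh
# Added example: generate (and optionally run) the az CLI commands that create the
# CIS Azure Foundations v1.3.0 section 5.2 activity log alerts listed as missing.
# SUBSCRIPTION_ID, RESOURCE_GROUP and ACTION_GROUP below are assumed placeholders.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-monitoring}"                           # assumed name
ACTION_GROUP="${ACTION_GROUP:-ag-security-ops}"                             # assumed name
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only, 0 = execute them

# One alert per line: "<alert rule name>|<Administrative operationName to alert on>"
CIS_ALERTS='cis-policy-assignment-create|Microsoft.Authorization/policyAssignments/write
cis-nsg-create-update|Microsoft.Network/networkSecurityGroups/write
cis-nsg-delete|Microsoft.Network/networkSecurityGroups/delete
cis-nsg-rule-create-update|Microsoft.Network/networkSecurityGroups/securityRules/write
cis-nsg-rule-delete|Microsoft.Network/networkSecurityGroups/securityRules/delete
cis-security-solution-create-update|Microsoft.Security/securitySolutions/write
cis-security-solution-delete|Microsoft.Security/securitySolutions/delete
cis-sql-firewall-rule-create-update|Microsoft.Sql/servers/firewallRules/write
cis-sql-firewall-rule-delete|Microsoft.Sql/servers/firewallRules/delete'

# Build the az command that creates one subscription-scoped activity log alert
# firing on a single Administrative operation and routing to the action group.
alert_cmd() {
  name="$1"
  op="$2"
  printf '%s\n' "az monitor activity-log alert create --name $name --resource-group $RESOURCE_GROUP --scope /subscriptions/$SUBSCRIPTION_ID --condition \"category=Administrative and operationName=$op\" --action-group $ACTION_GROUP --description \"CIS Azure Foundations v1.3.0 5.2 alert on $op\""
}

# Look up the operationName for a given alert rule name (prints nothing if unknown).
operation_for() {
  printf '%s\n' "$CIS_ALERTS" | awk -F'|' -v n="$1" '$1 == n { print $2 }'
}

# Number of alert rules in the table above.
alert_count() {
  printf '%s\n' "$CIS_ALERTS" | wc -l | tr -d ' '
}

# Print (DRY_RUN=1) or execute (DRY_RUN=0) the create command for every rule.
create_all() {
  printf '%s\n' "$CIS_ALERTS" | while IFS='|' read -r rule op; do
    cmd=$(alert_cmd "$rule" "$op")
    if [ "$DRY_RUN" = "1" ]; then
      printf '%s\n' "$cmd"
    else
      eval "$cmd"
    fi
  done
}

create_all
```

Run it once with the defaults to review the generated commands, then with `DRY_RUN=0 SUBSCRIPTION_ID=<id> RESOURCE_GROUP=<rg> ACTION_GROUP=<ag>` to create the rules; the action group must already exist in that resource group, and re-running after the rules exist updates them in place.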