Check provider logo

Azure subscription has an Activity Log alert for public IP address deletion

monitor_alert_delete_public_ip_address_rule

Severitymedium
Servicemonitor
by Prowler
logging

Azure Monitor activity log alert exists for the Delete Public IP Address operation (Microsoft.Network/publicIPAddresses/delete), capturing subscription-wide events when Public IP resources are removed.

Risk

Unmonitored deletion of Public IPs can abruptly sever ingress/egress, break DNS and allowlists, and take services offline (availability). Attackers or misconfigurations can delete IPs to cause DoS or evade controls, and delayed visibility hinders incident response and forensics.

Run this check with Prowler CLI

prowler azure --checks monitor_alert_delete_public_ip_address_rule

Run in Prowler Cloud

Recommendation

Implement an activity log alert for Microsoft.Network/publicIPAddresses/delete and route it to an action group for rapid response.

  • Apply least privilege and change approval for IP deletions
  • Use resource locks on critical IPs
  • Centralize alerts in your SIEM and define runbooks for containment

Remediation

CLI

az monitor activity-log alert create --name <activity_log_rule_name> --resource-group <resource_group_name> --location global --scopes /subscriptions/<subscription_id> --condition category=Administrative and operationName=Microsoft.Network/publicIPAddresses/delete

Native IaC
Terraform
Other
  1. In the Azure portal, go to Monitor > Alerts > + Create > Alert rule
  2. Scope: Select your subscription and click Apply
  3. Condition: Choose Activity log, then set Category = Administrative and Operation name = Microsoft.Network/publicIPAddresses/delete; click Apply
  4. Actions: Skip (no action group required to pass)
  5. Details: Enter an alert name, set Region to Global, ensure Enable alert rule upon creation is checked
  6. Review + create > Create

Source Code

Resource Type

microsoft.insights/activitylogalerts

References