Azure activity log alerts monitor deletions of Security Solutions by targeting the operation Microsoft.Security/securitySolutions/delete at subscription scope.
The check identifies whether notifications are configured for security solution removal events.
Risk
Without this alert, unauthorized or accidental deletions of security tooling may go unnoticed, reducing the availability of protections and the integrity of monitoring. Under that reduced visibility, adversaries can evade defenses, prolong dwell time, and exfiltrate data.
prowler azure --checks monitor_alert_delete_security_solution
Recommendation
Configure a dedicated activity log alert for Microsoft.Security/securitySolutions/delete and route it to resilient action groups (email, chat, ticketing, SIEM). Apply least privilege and resource locks to deter tampering. Test alerting routinely and integrate it into defense-in-depth monitoring.
Remediation
az monitor activity-log alert create -g <example_resource_name> -n <example_resource_name> --condition operationName=Microsoft.Security/securitySolutions/delete --scope /subscriptions/<example_resource_id>
- In the Azure portal, go to Monitor > Alerts > + Create > Alert rule
- Scope: Select your subscription and click Apply
- Condition: Click Add condition, search and select "Delete Security Solutions (Microsoft.Security/securitySolutions)", then Add
- Ensure no filters for Level or Status are set
- Details: Enter an Alert rule name and choose a resource group
- Create: Review + create, then Create
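To confirm the result after remediation, the rule list can be evaluated offline. The following is an added example, not Prowler's own implementation. It assumes the rules were exported as JSON in the flattened shape the Azure CLI prints (enabled, scopes, condition.allOf, actions.actionGroups); the subscription id, rule names and action group id are constructed placeholders, and treating a missing action group as a failure is an assumption drawn from the Recommendation above.

```python
TARGET_OP = "microsoft.security/securitysolutions/delete"
SUB = "00000000-0000-0000-0000-000000000000"  # constructed subscription id

def _rule(name, enabled, conditions, groups):
    """Build a constructed rule in the flattened shape assumed for az CLI JSON output."""
    return {"name": name, "enabled": enabled, "scopes": [f"/subscriptions/{SUB}"],
            "condition": {"allOf": [{"field": f, "equals": v} for f, v in conditions]},
            "actions": {"actionGroups": [{"actionGroupId": g} for g in groups]}}

# Constructed sample data, not output from a real tenant.
SAMPLE_ALERTS = [
    _rule("secsol-delete", True,
          [("category", "Administrative"),
           ("operationName", "Microsoft.Security/securitySolutions/delete")],
          ["<action_group_resource_id>"]),
    _rule("secsol-delete-errors-only", True,
          [("category", "Administrative"),
           ("operationName", "Microsoft.Security/securitySolutions/delete"),
           ("level", "Error")],
          ["<action_group_resource_id>"]),
    _rule("policy-write", False,
          [("category", "Administrative"),
           ("operationName", "Microsoft.Security/policies/write")], []),
]

def evaluate_alert(alert, subscription_id):
    """Return a list of problems; an empty list means the rule satisfies the check."""
    problems = []
    if not alert.get("enabled", False):
        problems.append("rule is disabled")
    scopes = [s.lower().rstrip("/") for s in alert.get("scopes") or []]
    if f"/subscriptions/{subscription_id}".lower() not in scopes:
        problems.append("not scoped to the subscription")
    # Field names and operation names are compared case-insensitively.
    conds = {(c.get("field") or "").lower(): (c.get("equals") or "").lower()
             for c in (alert.get("condition") or {}).get("allOf") or []}
    if conds.get("operationname") != TARGET_OP:
        problems.append("operationName does not target securitySolutions/delete")
    # A Level or Status filter narrows the rule so some deletions never fire it.
    narrowed = sorted(f for f in ("level", "status") if f in conds)
    if narrowed:
        problems.append("filtered on " + ", ".join(narrowed))
    if not (alert.get("actions") or {}).get("actionGroups"):
        problems.append("no action group attached")
    return problems

def subscription_is_covered(alerts, subscription_id):
    """True when at least one rule passes every test above."""
    return any(not evaluate_alert(a, subscription_id) for a in alerts)
```

A rule that matches the operation but carries a Level filter is reported as failing, which mirrors the portal step that requires no filters for Level or Status.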
Resource Type
microsoft.insights/activitylogalerts