Forum Discussion
hemanthselva
Microsoft
Jan 13, 2025
How to Monitor New Management Group Creation and Deletion
I am writing this post to show how to monitor new management group creation and deletion using Azure Activity Logs and trigger an incident in Microsoft Sentinel. You can also use the same steps to monitor subscription creation.
By default, the diagnostic settings at the management group level are not enabled. They cannot be enabled using Azure Policy or from the portal interface. Use the article below to enable the "Management Group Diagnostic Settings":
Management Group Diagnostic Settings - Create Or Update - REST API (Azure Monitor) | Microsoft Learn
Below is the screenshot of the message body to use if you would like to forward the logs only to the Log Analytics workspace where Sentinel is enabled. Also make sure you enable the diagnostic settings at the tenant root management group level to track all changes in your tenant.
{
  "properties": {
    "workspaceId": "<< replace with workspace resource ID>>",
    "logs": [
      {
        "category": "Administrative",
        "enabled": true
      },
      {
        "category": "Policy",
        "enabled": true
      }
    ]
  }
}
Once you have enabled the diagnostic settings, you can use the KQL queries below to monitor new management group creation and deletion using Azure Activity Logs.
// KQL query to identify whether a management group was deleted
AzureActivity
| where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE"
| where ActivityStatusValue == "Success"
| extend mg = split(tostring(Properties_d.entity), "/")   // entity is the MG resource path; element 4 is the MG name
| project TimeGenerated,
          activityStatusValue_ = tostring(Properties_d.activityStatusValue),
          Managementgroup = mg[4],
          message_ = tostring(parse_json(Properties).message),
          caller_ = tostring(Properties_d.caller)
// KQL query to identify whether a management group was created
AzureActivity
| where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE"
| where ActivityStatusValue == "Success"
| extend mg = split(tostring(Properties_d.entity), "/")   // entity is the MG resource path; element 4 is the MG name
| project TimeGenerated,
          activityStatusValue_ = tostring(Properties_d.activityStatusValue),
          Managementgroup = mg[4],
          message_ = tostring(parse_json(Properties).message),
          caller_ = tostring(Properties_d.caller)
This log can also be used to monitor new subscription creation, using the query below:
AzureActivity
| where OperationNameValue == "Microsoft.Management" and ActivityStatusValue == "Succeeded" and isnotempty(SubscriptionId)
If you need to trigger an incident in Sentinel, use the above query in a custom scheduled analytics rule and create an alert.
Note: enabling this API on the management group diagnostic logs will also be inherited by the subscriptions downstream for the specific category.
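The enable-then-query procedure described in the post, as an added shell example that is not part of the original post. It assumes the Azure CLI is installed and signed in with rights on the tenant root management group, that the `log-analytics` CLI extension is available for the query step, and it uses placeholders for the workspace resource ID, the workspace (customer) ID and the setting name `mg-to-sentinel`. The REST path, api-version and JSON body are those of the linked API reference and the post; the tenant root management group ID is taken to equal the tenant ID.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): enable management group diagnostic
# settings through the REST API the post links to, read them back, then run the
# post's detection KQL against the Sentinel workspace with the Azure CLI.
# Assumptions: "az" is installed and logged in; the "log-analytics" extension is
# installed for the query step; WORKSPACE_RESOURCE_ID and WORKSPACE_CUSTOMER_ID
# are placeholders you must export; the setting name "mg-to-sentinel" is arbitrary.
set -eu

API_VERSION="2020-01-01-preview"   # api-version of the Management Group Diagnostic Settings API

# Build the REST URL for one diagnostic setting on one management group.
mg_diag_url() {
  local mg_id="$1" setting_name="$2"
  printf 'https://management.azure.com/providers/microsoft.management/managementGroups/%s/providers/microsoft.insights/diagnosticSettings/%s?api-version=%s' \
    "$mg_id" "$setting_name" "$API_VERSION"
}

# Build the request body from the post: Administrative + Policy categories to one workspace.
diag_body() {
  local workspace_id="$1"
  cat <<EOF
{"properties":{"workspaceId":"$workspace_id","logs":[{"category":"Administrative","enabled":true},{"category":"Policy","enabled":true}]}}
EOF
}

# PUT the setting. az rest attaches a bearer token for management.azure.com itself.
enable_mg_diagnostics() {
  local mg_id="$1" setting_name="$2" workspace_id="$3"
  az rest --method put \
    --url "$(mg_diag_url "$mg_id" "$setting_name")" \
    --body "$(diag_body "$workspace_id")"
}

# Read the settings back and show which categories are actually enabled.
verify_mg_diagnostics() {
  local mg_id="$1"
  az rest --method get \
    --url "https://management.azure.com/providers/microsoft.management/managementGroups/${mg_id}/providers/microsoft.insights/diagnosticSettings?api-version=${API_VERSION}" \
    --query "value[].{name:name,workspace:properties.workspaceId,enabledLogs:properties.logs[?enabled].category}" \
    -o json
}

# The post's create/delete queries folded into one, so a single rule or ad-hoc run covers both.
MG_CHANGES_KQL='AzureActivity
| where OperationNameValue in ("MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE", "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE")
| where ActivityStatusValue == "Success"
| extend mg = split(tostring(Properties_d.entity), "/")
| project TimeGenerated, OperationNameValue, ManagementGroup = tostring(mg[4]), Caller = tostring(Properties_d.caller)'

# Run the KQL over the workspace; -w takes the workspace (customer) GUID, not the resource ID.
query_mg_changes() {
  local workspace_customer_id="$1" timespan="${2:-P1D}"
  az monitor log-analytics query -w "$workspace_customer_id" \
    --analytics-query "$MG_CHANGES_KQL" -t "$timespan" -o table
}

main() {
  local tenant_id
  tenant_id="$(az account show --query tenantId -o tsv)"   # tenant root MG ID == tenant ID
  enable_mg_diagnostics "$tenant_id" "mg-to-sentinel" "$WORKSPACE_RESOURCE_ID"
  verify_mg_diagnostics "$tenant_id"
  query_mg_changes "$WORKSPACE_CUSTOMER_ID"
}

# Only talk to Azure when both placeholders are exported, e.g.
#   WORKSPACE_RESOURCE_ID=/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>
#   WORKSPACE_CUSTOMER_ID=<workspace GUID>
if [ -n "${WORKSPACE_RESOURCE_ID:-}" ] && [ -n "${WORKSPACE_CUSTOMER_ID:-}" ]; then
  main
fi
```

`mg_diag_url` and `diag_body` are pure string builders, so the request can be inspected before anything is sent; only `enable_mg_diagnostics`, `verify_mg_diagnostics` and `query_mg_changes` call Azure. Export the two placeholders and run the script to apply the setting on the tenant root management group, confirm it reads back with both categories enabled, and pull the last day of management group writes and deletes from the workspace.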
Adeelaziz (Brass Contributor)
I strongly believe this is an important component of one's overall Cloud governance and security strategy. Regardless of how simple or complex your Azure Management Group hierarchy is, you may have Azure Policies, IAM permissions, or other controls in place at varying levels of the Management Group hierarchy. You don't want a relatively simple activity like moving a subscription from one Management Group to another to impact the governance and security controls you have in place.