[Feature Request]: Provide baseline activity log alerts for compliance with HITRUST/HIPAA built-in initiative

[SvenAelterman]

Check for previous/existing GitHub issues

• I have checked for previous/existing GitHub issues

Description

For compliance with the built-in HITRUST/HIPAA initiative, each covered subscription must have a few Activity Log alerts created.

Specifically, these are the Activity Log events for which alerts must exist:

• "Microsoft.Sql/servers/firewallRules/write"

• "Microsoft.Sql/servers/firewallRules/delete",

• "Microsoft.Network/networkSecurityGroups/write",

• "Microsoft.Network/networkSecurityGroups/delete",

• "Microsoft.Network/networkSecurityGroups/securityRules/write",

• "Microsoft.Network/networkSecurityGroups/securityRules/delete",

• "Microsoft.ClassicNetwork/networkSecurityGroups/write",

• "Microsoft.ClassicNetwork/networkSecurityGroups/delete",

• "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write",

• "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"

This is a great use case for AMBA, as there don't appear to be any existing ways to deploy these without having to repeat the same steps.

[JoeyBarnes]

@SvenAelterman - Thanks for the feedback. Are you looking for this functionality within the ALZ pattern or more general?

[SvenAelterman]

@JoeyBarnes I think it should be outside of the ALZ pattern, because not everyone (especially globally) would care about HITRUST/HIPAA compliance.

Perhaps a new set of "compliance" patterns can be created that could be extensible to include alerts required by other policy initiatives?

[SvenAelterman]

In the meantime, if anyone is looking for this for HITRUST/HIPAA compliance, this repository contains the necessary Bicep templates: https://github.com/SvenAelterman/AzHITRUSTHIPAAActivityLogAlerts

[JoeyBarnes]

Thanks @SvenAelterman - This would make a good pattern / scenario to add to AMBA and has been tagged as a feature request for future development.