Ensure that Activity Log Alert exists for Create or Update Public IP Address rule

From Azure Console

1. Navigate to the Monitor blade.
2. Select Alerts.
3. Select Create.
4. Select Alert Rule.
5. Under Scope, click Select scope.
6. Select your subscription and click Apply.
7. Select the Condition tab.
8. Under Signal name, click Create or Update Public IP Address (Microsoft.Network/publicIPAddresses).
9. Select the Actions tab.
10. To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection.
11. Select the Details tab.
12. Select a Resource Group, provide an Alert rule name and an optional Alert rule description.
13. Click Review + create.
14. Click Create.

Using Azure Command Line Interface

Use the below command to create an Activity Log Alert for Create or Update Public IP Address.

az monitor activity-log alert create --resource-group "<resourceGroupName" --condition category=Administrative and operationName=Microsoft.Network/publicIPAddresses/write and level=verbose --scope "/subscriptions/<subscriptionID>" --name "<activityLogRuleName>" --subscription <subscriptionID> --action-group <actionGroupID> 

Using Azure Powershell

Create the conditions object.

$conditions = @() 
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category 
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Network/publicIPAddresses/write -Field operationName 
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level

Get the Action Group information and store it in a variable, then create a new Action object.

$actionGroup = Get-AzActionGroup -ResourceGroupName <resourceGroupName> -Name <actionGroupName>
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id

Create the scope variable.

$scope = "/subscriptions/<subscriptionID>"

Create the Activity Log Alert Rule for Microsoft.Network/publicIPAddresses/write.

New-AzActivityLogAlert -Name "<activityAlertRuleName>" -ResourceGroupName "<resourceGroupName>" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription “<subscriptionID>” -Enabled $true

Default Value

By default, no monitoring alerts are created.

References

1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement
2. https://learn.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
3. https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
4. https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
5. https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Azure

Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.

Operational rollout

1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
3. Re-scan and track approved exceptions with an owner and expiry date.