Guidance needed to comply with Defender activity log alert policy.

Ashutosh Jadhav 0 Reputation points
2025-10-20T12:12:52.3666667+00:00

I am implementing the Azure Defender compliance policy: “An activity log alert should exist for specific Security operations.”

It requires an activity log alert for the following security operations:

Microsoft.Security/policies/write

Microsoft.Security/securitySolutions/write

Microsoft.Security/securitySolutions/delete

However, there appears to be a mismatch in the policy definition. The policy type is Security, but when creating an Activity Log alert in Azure Monitor, the signal type only allows the category to be Administrative for the above-mentioned security operations. I have attached the created log alert below for reference along with the policy.

I would like guidance on the recommended way to configure alerts so that the Defender compliance policy is fully satisfied. My goal is to ensure full compliance with this Defender security policy.


Thanks,

Ashutosh


1 answer

    Siva shunmugam Nadessin 2,075 Reputation points Microsoft External Staff Moderator
    2025-10-22T11:45:24.09+00:00

    Hello Ashutosh Jadhav,

    Why the mismatch occurs

    • Azure Activity Log categorizes most resource-level operations (including Microsoft.Security resource provider actions) under Administrative, not Security.
    • The policy definition uses "equals": "Security" for the category field, which does not match the real signal type in alerts.

    How to resolve

    You have two options:

    Option 1: Modify the Policy Definition

    • Clone the built-in policy and create a custom policy.
    • In the definition, change:

    "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
    "equals": "Security"

    to

    "equals": "Administrative"

    Assign your custom policy instead of the built-in one.


    Option 2: Accept Built-in Limitation

    • Keep the alerts with category = Administrative (correct for compliance in practice).
    • Document the deviation and mark the policy as not applicable or override compliance in Defender for Cloud.

    As a best practice, always verify the actual Activity Log category for the operations using the Azure Activity Log schema; for Microsoft.Security operations like policies/write or securitySolutions/delete, the category is Administrative.

    Thanks.

    Kindly check and let us know if you have further questions.

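The following is an added example, not code from the question or the answer above: an offline model of how the policy's existence check lines up against an Activity Log alert's condition tree. It shows why alerts whose category is Administrative fail a rule that expects Security for every one of the three required operations, and why they pass once the rule is cloned and the expected category changed, as Option 1 describes. The policy rule is reduced to the single field/equals leaf quoted in the answer (the real built-in definition has more structure), and the alert bodies, subscription id and alert names are constructed placeholders.

```python
"""Model of the Defender "activity log alert should exist" check (added example).

Assumptions: the policy rule is a minimal dict carrying only the
"field"/"equals" leaf quoted in the answer; alerts are constructed
Microsoft.Insights/activityLogAlerts resource bodies, not exported from Azure.
"""
import copy
import json

# Operations the policy requires alerts for (listed in the question).
REQUIRED_OPERATIONS = [
    "Microsoft.Security/policies/write",
    "Microsoft.Security/securitySolutions/write",
    "Microsoft.Security/securitySolutions/delete",
]

# Minimal model of the relevant part of the built-in rule (assumption: only the
# category leaf shown in the answer is modelled).
BUILTIN_RULE = {
    "categoryCondition": {
        "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
        "equals": "Security",
    },
    "operations": REQUIRED_OPERATIONS,
}


def build_alert_condition(operation_name, category="Administrative"):
    """Condition block of an Activity Log alert for one operation.

    Azure Monitor records Microsoft.Security resource-provider actions under the
    Administrative category, hence the default.
    """
    return {
        "allOf": [
            {"field": "category", "equals": category},
            {"field": "operationName", "equals": operation_name},
        ]
    }


def make_alert(name, operation_name, category="Administrative"):
    """Constructed activityLogAlerts resource body (placeholder subscription id)."""
    return {
        "type": "Microsoft.Insights/activityLogAlerts",
        "name": name,
        "properties": {
            "enabled": True,
            "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
            "condition": build_alert_condition(operation_name, category),
        },
    }


def _leaf_value(alert, field):
    """Return the 'equals' value of the named leaf in the alert's allOf list."""
    for leaf in alert["properties"]["condition"]["allOf"]:
        if leaf.get("field") == field:
            return leaf.get("equals")
    return None


def alert_satisfies_rule(alert, rule):
    """True if the alert is enabled, carries the category the rule demands and
    names one of the required operations."""
    if not alert["properties"].get("enabled", False):
        return False
    category_ok = _leaf_value(alert, "category") == rule["categoryCondition"]["equals"]
    operation_ok = _leaf_value(alert, "operationName") in rule["operations"]
    return category_ok and operation_ok


def missing_operations(alerts, rule):
    """Required operations with no compliant alert, i.e. what the policy would
    flag as non-compliant."""
    covered = {_leaf_value(a, "operationName") for a in alerts if alert_satisfies_rule(a, rule)}
    return [op for op in rule["operations"] if op not in covered]


def clone_rule_with_category(rule, category):
    """Option 1 from the answer: copy the definition and change the expected
    category; the built-in rule object is left untouched."""
    custom = copy.deepcopy(rule)
    custom["categoryCondition"]["equals"] = category
    return custom


if __name__ == "__main__":
    alerts = [make_alert("alert-%d" % i, op) for i, op in enumerate(REQUIRED_OPERATIONS)]
    print("built-in rule, missing:", missing_operations(alerts, BUILTIN_RULE))
    custom = clone_rule_with_category(BUILTIN_RULE, "Administrative")
    print("custom rule, missing:", missing_operations(alerts, custom))
    print(json.dumps(alerts[0], indent=2))
```

Running it shows all three operations reported missing under the built-in rule even though an enabled Administrative alert exists for each, and none missing under the cloned rule; the same helper also reports gaps when an alert is disabled or one operation has no alert, which is the check worth repeating after assigning the custom policy.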
