Verify that Activity Log Alert exists for Create or Update Network Security Group
Last updated: April 9, 2026
Framework Reference: A.8.16
Integration: Azure Monitor Activity Log
Why this matters
Changes to Network Security Groups (NSGs) can expose critical workloads to unwanted traffic. An alert on the creation or update of NSGs helps ensure that such changes are monitored, reducing the risk of misconfigurations or malicious tampering going undetected.
What this check does
This check verifies whether an Activity Log Alert exists that monitors the following:
Operation name: Microsoft.Network/networkSecurityGroups/write
Category: Administrative
Scope: Subscription level
Action Group assigned: Must notify designated security contacts
Check Logic:
IF ActivityLogAlert EXISTS where:
    category == "Administrative"
    AND operationName == "Microsoft.Network/networkSecurityGroups/write"
    AND actionGroup IS NOT NULL
THEN PASS
ELSE FAIL
It examines alert rules at the subscription level to confirm that changes to NSGs are actively tracked and routed to an assigned action group for notification.
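The check logic above, implemented as an added example (not the original check tooling) over alert rules in the ARM shape of Microsoft.Insights/activityLogAlerts. Every rule, subscription ID and action group ID in it is constructed, and it goes one step beyond the stated logic by also requiring the rule to be enabled.

```python
"""Evaluate the page's PASS/FAIL check logic against Activity Log Alert rules.
Added example (not the original check tooling). Rules follow the ARM shape of
Microsoft.Insights/activityLogAlerts; every rule and ID below is constructed."""
from typing import Any

NSG_WRITE_OP = "Microsoft.Network/networkSecurityGroups/write"
SUB = "00000000-0000-0000-0000-000000000000"  # constructed placeholder subscription ID


def leaf_conditions(rule: dict[str, Any]) -> dict[str, str]:
    """Flatten condition.allOf into {field: equals}, lower-cased because Azure
    matches these values case-insensitively. Nested anyOf blocks are not expanded."""
    leaves = rule.get("properties", {}).get("condition", {}).get("allOf", [])
    return {c["field"].lower(): c["equals"].lower() for c in leaves if "equals" in c}


def rule_covers_nsg_write(rule: dict[str, Any], subscription_id: str) -> bool:
    """One rule satisfies the check when it is scoped to the subscription, matches
    category Administrative plus the NSG write operation, and has an action group.
    Requiring enabled=true goes beyond the page's logic: a disabled rule alerts nobody."""
    props = rule.get("properties", {})
    scopes = {s.lower() for s in props.get("scopes", [])}
    leaves = leaf_conditions(rule)
    groups = props.get("actions", {}).get("actionGroups", [])
    return (props.get("enabled", True)
            and f"/subscriptions/{subscription_id}".lower() in scopes
            and leaves.get("category") == "administrative"
            and leaves.get("operationname") == NSG_WRITE_OP.lower()
            and any(g.get("actionGroupId") for g in groups))  # actionGroup IS NOT NULL


def evaluate(rules: list[dict[str, Any]], subscription_id: str) -> str:
    """PASS if any rule in the subscription covers NSG writes, otherwise FAIL."""
    return "PASS" if any(rule_covers_nsg_write(r, subscription_id) for r in rules) else "FAIL"


def make_rule(op: str, action_group_ids: list[str], enabled: bool = True) -> dict[str, Any]:
    """Constructed sample rule in the ARM shape returned by the Azure Monitor API."""
    return {"properties": {
        "enabled": enabled, "scopes": [f"/subscriptions/{SUB}"],
        "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                                {"field": "operationName", "equals": op}]},
        "actions": {"actionGroups": [{"actionGroupId": i} for i in action_group_ids]}}}


AG = f"/subscriptions/{SUB}/resourceGroups/rg-sec/providers/microsoft.insights/actionGroups/secops"
NO_ACTION_GROUP = [make_rule(NSG_WRITE_OP, [])]   # right operation, but nobody gets notified
DISABLED = [make_rule(NSG_WRITE_OP, [AG], enabled=False)]
COMPLIANT = NO_ACTION_GROUP + [make_rule(NSG_WRITE_OP, [AG])]

if __name__ == "__main__":
    for label, rules in (("no action group", NO_ACTION_GROUP), ("disabled", DISABLED), ("compliant", COMPLIANT)):
        print(f"{label}: {evaluate(rules, SUB)}")
```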
How to fix it
Remediate via Azure Portal
Go to Monitor → Alerts → Alert rules
Click Create → Alert rule
Scope: Select your subscription
Condition:
Click See all signals
Select Create or Update Network Security Group
Apply filter: Category = Administrative
Action:
Select an existing Action Group or create a new one
Name and finalize the rule
Provide alert rule name and resource group
Click Review + Create → Create
Remediate via Azure CLI
az monitor activity-log alert create \
  --resource-group "<resource group name>" \
  --name "<alert rule name>" \
  --scope "/subscriptions/<subscription ID>" \
  --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/write and level=Verbose \
  --action-group "<action group ID>" \
  --subscription "<subscription ID>"
Remediate via PowerShell
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Network/networkSecurityGroups/write -Field operationName
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level
$actionGroup = Get-AzActionGroup -ResourceGroupName "<resource group>" -Name "<action group name>"
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id
$scope = "/subscriptions/<subscription ID>"
New-AzActivityLogAlert -Name "<alert rule name>" -ResourceGroupName "<resource group>" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Enabled $true
Exceptions
None known. All NSG changes should be monitored in production environments.