Verify that Activity Log Alert exists for Create or Update Network Security Group
Why this matters
Changes to Network Security Groups (NSGs) can expose critical workloads to unwanted traffic. An alert on the creation or update of NSGs helps ensure that such changes are monitored, reducing the risk of misconfigurations or malicious tampering going undetected.
What this check does
This check verifies whether an Activity Log Alert exists that monitors the following:
- Operation name: Microsoft.Network/networkSecurityGroups/write
- Category: Administrative
- Scope: Subscription level
- Action Group assigned: Must notify designated security contacts
Check Logic:
IF ActivityLogAlert EXISTS where:
    category == "Administrative" AND
    operationName == "Microsoft.Network/networkSecurityGroups/write" AND
    actionGroup IS NOT NULL
THEN PASS
ELSE FAIL
It examines alert rules at the subscription level to confirm that changes to NSGs are actively being tracked and actioned via an assigned Action Group.
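The check logic above, as an added example in Python (not the page's own tooling). It evaluates alert-rule objects in the shape returned by `az monitor activity-log alert list` (assumed here: top-level `name`, `enabled`, `scopes`, `condition.allOf[]` with `field`/`equals` leaves or nested `anyOf` groups, and `actions.actionGroups[].actionGroupId`). It goes slightly beyond the pseudocode in two ways that matter in practice: it insists the scope is the whole subscription rather than a resource group, and it treats a disabled rule as non-qualifying. The subscription ID and alert rules are constructed sample data.

```python
"""Evaluate Activity Log Alert rules for the NSG create/update check (added example)."""
from __future__ import annotations

import json
from typing import Any

NSG_WRITE_OPERATION = "Microsoft.Network/networkSecurityGroups/write"


def _leaf_conditions(alert: dict[str, Any]) -> list[dict[str, Any]]:
    """Flatten condition.allOf, expanding anyOf groups into their leaf conditions."""
    leaves: list[dict[str, Any]] = []
    for cond in (alert.get("condition") or {}).get("allOf") or []:
        if cond.get("anyOf"):
            leaves.extend(cond["anyOf"])
        else:
            leaves.append(cond)
    return leaves


def _has_condition(alert: dict[str, Any], field: str, value: str) -> bool:
    """True if some leaf condition is `field equals value` (compared case-insensitively)."""
    return any(
        (leaf.get("field") or "").lower() == field.lower()
        and (leaf.get("equals") or "").lower() == value.lower()
        for leaf in _leaf_conditions(alert)
    )


def _is_subscription_scoped(alert: dict[str, Any], subscription_id: str) -> bool:
    """True only if a scope is exactly the subscription, not a resource group or resource under it."""
    wanted = f"/subscriptions/{subscription_id}".lower()
    return any(str(s).lower().rstrip("/") == wanted for s in alert.get("scopes") or [])


def _has_action_group(alert: dict[str, Any]) -> bool:
    """True if at least one action group is attached to the rule."""
    groups = (alert.get("actions") or {}).get("actionGroups") or []
    return any(g.get("actionGroupId") for g in groups)


def failing_reasons(alert: dict[str, Any], subscription_id: str) -> list[str]:
    """Every reason this rule does NOT satisfy the check; an empty list means it qualifies."""
    reasons: list[str] = []
    if not alert.get("enabled", True):
        reasons.append("rule is disabled")
    if not _is_subscription_scoped(alert, subscription_id):
        reasons.append("scope is not the subscription")
    if not _has_condition(alert, "category", "Administrative"):
        reasons.append("no category == Administrative condition")
    if not _has_condition(alert, "operationName", NSG_WRITE_OPERATION):
        reasons.append(f"no operationName == {NSG_WRITE_OPERATION} condition")
    if not _has_action_group(alert):
        reasons.append("no action group attached")
    return reasons


def evaluate(alerts: list[dict[str, Any]], subscription_id: str) -> dict[str, Any]:
    """PASS if at least one rule satisfies every condition, otherwise FAIL with per-rule reasons."""
    per_rule = {a.get("name", "<unnamed>"): failing_reasons(a, subscription_id) for a in alerts}
    passing = [name for name, reasons in per_rule.items() if not reasons]
    return {"status": "PASS" if passing else "FAIL", "passing_rules": passing, "per_rule": per_rule}


# Constructed sample data: a placeholder subscription ID and two alert rules.
SUB = "00000000-0000-0000-0000-000000000000"
ACTION_GROUP_ID = f"/subscriptions/{SUB}/resourceGroups/rg-sec/providers/microsoft.insights/actionGroups/secops"

SAMPLE_ALERTS: list[dict[str, Any]] = [
    {  # qualifies: subscription scope, both conditions, action group attached
        "name": "nsg-write-alert",
        "enabled": True,
        "scopes": [f"/subscriptions/{SUB}"],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": NSG_WRITE_OPERATION},
        ]},
        "actions": {"actionGroups": [{"actionGroupId": ACTION_GROUP_ID}]},
    },
    {  # right conditions, but scoped to a single resource group and with no action group
        "name": "nsg-rg-only",
        "enabled": True,
        "scopes": [f"/subscriptions/{SUB}/resourceGroups/rg-app"],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"anyOf": [{"field": "operationName", "equals": NSG_WRITE_OPERATION}]},
        ]},
        "actions": {"actionGroups": []},
    },
]

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_ALERTS, SUB), indent=2))
```

To run it against a real subscription, feed `evaluate()` the parsed output of `az monitor activity-log alert list --subscription <subscription ID>`; the per-rule reasons tell you which half-configured rules (wrong scope, missing action group) are giving a false sense of coverage.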
How to fix it
Remediate via Azure Portal
- Go to Monitor → Alerts → Alert rules
- Click Create → Alert rule
- Scope: Select your subscription
- Condition:
  - Click See all signals
  - Select Create or Update Network Security Group
  - Apply filter: Category = Administrative
- Action:
  - Select an existing Action Group or create a new one
- Name and finalize the rule:
  - Provide alert rule name and resource group
  - Click Review + Create → Create
Remediate via Azure CLI
az monitor activity-log alert create \
--resource-group "<resource group name>" \
--name "<alert rule name>" \
--scope "/subscriptions/<subscription ID>" \
--condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/write and level=Verbose \
--action-group "<action group ID>" \
--subscription "<subscription ID>"
Remediate via PowerShell
# Build the alert conditions: Administrative category, the NSG write operation, and level
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Network/networkSecurityGroups/write -Field operationName
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level
# Look up the Action Group that should be notified and wrap it as an alert action
$actionGroup = Get-AzActionGroup -ResourceGroupName "<resource group>" -Name "<action group name>"
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id
# Scope the rule to the whole subscription
$scope = "/subscriptions/<subscription ID>"
# Activity Log Alerts are created in the "global" location; -Enabled:$true works whether the parameter is a switch or a boolean
New-AzActivityLogAlert -Name "<alert rule name>" -ResourceGroupName "<resource group>" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Enabled:$true
Exceptions
None known. All NSG changes should be monitored in production environments.