Verify that Activity Log Alert exists for Create or Update Network Security Group

Framework Reference: A.8.16
Integration: Azure Monitor Activity Log

Why this matters

Changes to Network Security Groups (NSGs) can expose critical workloads to unwanted traffic: a single edited or newly created NSG can open a path that the network design never intended. Alerting on the creation or update of NSGs ensures that every such change is seen by a security contact shortly after it happens, reducing the risk that a misconfiguration or malicious tampering goes undetected.


What this check does

This check verifies whether an Activity Log Alert exists that monitors the following:

Operation name: Microsoft.Network/networkSecurityGroups/write

Category: Administrative

Scope: Subscription level

Action Group assigned: Must notify designated security contacts

Check Logic:

IF ActivityLogAlert EXISTS where:
    scope == "/subscriptions/<subscription ID>" AND
    category == "Administrative" AND
    operationName == "Microsoft.Network/networkSecurityGroups/write" AND
    actionGroup IS NOT NULL
THEN PASS
ELSE FAIL

It examines alert rules at the subscription level to confirm that changes to NSGs are actively tracked and routed to someone via an assigned action group. A rule that matches the right operation but has no action group is a silent alert and fails the check.
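The check logic above, worked through as an added example (this is not code from the original page or from any particular scanner): a Python script that evaluates exported alert rules against the requirements listed in this section. It expects the JSON printed by `az monitor activity-log alert list --subscription <id> -o json`; the field names used (`condition.allOf[].field`/`equals`/`containsAny`, `actions.actionGroups`, `scopes`, `enabled`) follow the Microsoft.Insights/activityLogAlerts schema, which is an assumption about the export format that you should confirm against your own output. Beyond the page's logic it also requires the rule to be enabled, since a disabled rule monitors nothing. The three sample rules are constructed: one compliant, one with no action group, and one that watches security rule writes inside an NSG rather than creation or update of the NSG itself.

```python
"""Evaluate exported Azure Activity Log Alert rules against the NSG write check.

Feed it the output of:  az monitor activity-log alert list --subscription <id> -o json
"""
import json

REQUIRED_CATEGORY = "administrative"
REQUIRED_OPERATION = "microsoft.network/networksecuritygroups/write"

# Constructed sample input (not real tenant data). The shape follows the
# Microsoft.Insights/activityLogAlerts schema as printed by the az command above;
# the GUID, resource group and rule names are placeholders.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
ACTION_GROUP_ID = (
    f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-security"
    "/providers/microsoft.insights/actionGroups/ag-secops"
)
SAMPLE_ALERTS_JSON = json.dumps([
    {   # compliant: right category, right operation, subscription scope, action group
        "name": "alert-nsg-write",
        "enabled": True,
        "scopes": [f"/subscriptions/{SUBSCRIPTION_ID}"],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"},
        ]},
        "actions": {"actionGroups": [{"actionGroupId": ACTION_GROUP_ID}]},
    },
    {   # looks right but notifies nobody: no action group assigned
        "name": "alert-nsg-write-silent",
        "enabled": True,
        "scopes": [f"/subscriptions/{SUBSCRIPTION_ID}"],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"},
        ]},
        "actions": {"actionGroups": []},
    },
    {   # near miss: watches rule changes inside an NSG, not the NSG resource itself
        "name": "alert-nsg-rule-write",
        "enabled": True,
        "scopes": [f"/subscriptions/{SUBSCRIPTION_ID}"],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName",
             "equals": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
        ]},
        "actions": {"actionGroups": [{"actionGroupId": ACTION_GROUP_ID}]},
    },
])


def _leaf_values(leaf):
    """Field name and accepted values (lower-cased) of one leaf condition.
    A leaf carries either 'equals' (one value) or 'containsAny' (a list)."""
    field = str(leaf.get("field") or "").lower()
    if leaf.get("equals") is not None:
        return field, {str(leaf["equals"]).lower()}
    return field, {str(v).lower() for v in leaf.get("containsAny") or []}


def _condition_matches(condition, field, value):
    """True if the rule's allOf contains a condition on `field` that accepts `value`.
    An allOf entry may itself be an anyOf group of leaves."""
    for entry in condition.get("allOf") or []:
        for leaf in entry.get("anyOf") or [entry]:
            leaf_field, values = _leaf_values(leaf)
            if leaf_field == field and value in values:
                return True
    return False


def evaluate_alert(alert, subscription_id):
    """Per-requirement findings for one alert rule (all True means compliant).
    Comparisons are case-insensitive, as Azure treats operation names and scopes."""
    condition = alert.get("condition") or {}
    scopes = [s.lower() for s in alert.get("scopes") or []]
    return {
        "enabled": bool(alert.get("enabled")),
        "subscription_scope": f"/subscriptions/{subscription_id}".lower() in scopes,
        "category_administrative": _condition_matches(condition, "category", REQUIRED_CATEGORY),
        "operation_nsg_write": _condition_matches(condition, "operationname", REQUIRED_OPERATION),
        "action_group_assigned": bool((alert.get("actions") or {}).get("actionGroups")),
    }


def check_nsg_write_alert(alerts_json, subscription_id):
    """Apply the check: PASS if at least one rule meets every requirement."""
    report = {a.get("name"): evaluate_alert(a, subscription_id) for a in json.loads(alerts_json)}
    passing = [name for name, findings in report.items() if all(findings.values())]
    return ("PASS" if passing else "FAIL"), passing, report


if __name__ == "__main__":
    status, passing, report = check_nsg_write_alert(SAMPLE_ALERTS_JSON, SUBSCRIPTION_ID)
    print(f"{status}: compliant rules = {passing}")
    for name, findings in report.items():
        failed = [k for k, ok in findings.items() if not ok]
        print(f"  {name}: {'ok' if not failed else 'missing ' + ', '.join(failed)}")
```

To run it against a real subscription, replace SAMPLE_ALERTS_JSON with the contents of the exported file and SUBSCRIPTION_ID with the subscription being assessed. The per-rule report is more useful than the single PASS/FAIL verdict when remediating, because it tells you which requirement a near-miss rule is lacking.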


How to fix it

Remediate via Azure Portal

  1. Go to Monitor → Alerts → Alert rules
  2. Click Create → Alert rule
  3. Scope: select your subscription
  4. Condition:
     a. Click See all signals
     b. Select Create or Update Network Security Group
     c. Apply filter: Category = Administrative
  5. Action: select an existing Action Group or create a new one
  6. Details: provide the alert rule name and the resource group the rule will live in
  7. Click Review + Create → Create

Remediate via Azure CLI

az monitor activity-log alert create \
  --resource-group "<resource group name>" \
  --name "<alert rule name>" \
  --scope "/subscriptions/<subscription ID>" \
  --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/write and level=Verbose \
  --action-group "<action group ID>" \
  --subscription "<subscription ID>"

The level=Verbose condition is not required by the check, which tests only category and operationName. Like any additional condition it narrows the set of events that fire the alert, so after creating the rule make a controlled test change to a non-production NSG and confirm that the action group is actually notified.

Remediate via PowerShell

# Build the three leaf conditions of the rule
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Network/networkSecurityGroups/write -Field operationName
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level

# Resolve the action group that will receive the notification
$actionGroup  = Get-AzActionGroup -ResourceGroupName "<resource group>" -Name "<action group name>"
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id

# Create the rule at subscription scope (activity log alerts always use the global location)
$scope = "/subscriptions/<subscription ID>"
New-AzActivityLogAlert -Name "<alert rule name>" `
  -ResourceGroupName "<resource group>" `
  -Condition $conditions `
  -Scope $scope `
  -Location global `
  -Action $actionObject `
  -Enabled:$true

The same caveat as for the CLI applies to the level condition: it is not part of the check and only restricts which events match, so verify the rule fires with a controlled test change.


Exceptions

None known. All NSG changes should be monitored in production environments.


Further resources
