Help Center
Go back to application
Help Center
Go back to application
Platform Terms GlossarySupport and Bug Reporting
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainingsGuidance
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: GCPAuto Checks: AzureEnabling Auto Checks by Reconfiguring the Azure IntegrationEnabling Auto Checks by Reconfiguring the GCP IntegrationEnabling Auto Checks by Reconfiguring the AWS Integration
AWS Auto Checks Detailed Explanations
Azure Auto Checks Detailed Explanations
Verify that Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database ServerVerify that server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database ServerVerify that server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database ServerVerify that server parameter 'log_connections' is set to 'ON' for PostgreSQL Database ServerVerify that 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database ServerVerify that Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database ServerVerify that Activity Log Alert exists for Create Policy AssignmentVerify that Activity Log Alert exists for Create or Update Public IP Address ruleVerify that Activity Log Alert exists for Delete SQL Server Firewall RuleVerify that Activity Log Alert exists for Create or Update SQL Server Firewall RuleVerify that Activity Log Alert exists for Delete Network Security GroupVerify that the storage account containing the container with activity logs is encrypted with Customer Managed KeyVerify that Activity Log Alert exists for Delete Policy AssignmentVerify that Activity Log Alert exists for Create or Update Network Security GroupVerify that Diagnostic Setting captures appropriate categoriesVerify that Activity Log Alert exists for Create or Update Security SolutionVerify that Activity Log Alert exists for Delete Public IP Address ruleVerify that logging for Azure AppService 'HTTP logs' is enabledVerify that logging for Azure Key Vault is 'Enabled'Verify that the Expiration Date is set for all Keys in RBAC Key VaultsEnable Role Based Access Control for Azure Key VaultVerify that Private Endpoints are Used for Azure Key VaultVerify that the Key Vault is RecoverableVerify that HTTP(S) access from the Internet is evaluated and restricted

Verify that Activity Log Alert exists for Delete Network Security Group

Framework Reference: A.8.15 Integration: Azure – Activity Log Alerts

Why this matters

Network Security Groups (NSGs) define inbound and outbound rules that protect Azure workloads from unauthorized network traffic. Deleting an NSG removes a critical layer of defense and may unintentionally expose services to the internet or other untrusted networks.

Monitoring for Microsoft.Network/networkSecurityGroups/delete operations ensures that any such deletion is logged and triggers an immediate alert. This reduces the time to detect unauthorized or accidental changes to critical security configurations.

What this check does

This Auto Check verifies that an Activity Log Alert exists for the operation:

Microsoft.Network/networkSecurityGroups/delete

Check Logic:
Passes if:

A rule exists with the following configuration:

  • Category: Administrative
  • Operation name: Microsoft.Network/networkSecurityGroups/delete
  • No filters applied to Level, Status, or Caller
  • An Action Group is assigned for notification

Fails if:

  • No enabled rule with the specified conditions is found in the monitored subscription.
  • The check queries Azure Monitor and validates alert rules against these conditions.

How to fix it

Create this alert using the Azure Portal, CLI, or PowerShell.

Azure Portal:

  1. Open Monitor > Alerts > Alert rules.
  2. Click Create > Alert rule.
  3. Set the scope to the relevant subscription.
  4. Under Condition, select:
  5. Signal: Delete Network Security Group
  6. Operation: Microsoft.Network/networkSecurityGroups/delete
  7. Category: Administrative
  8. Under Actions, select or create an Action Group.
  9. Under Details, define a name, description, and resource group.
  10. Click Review + create, then Create.

Azure CLI:

az monitor activity-log alert create \  --name "<activity log rule name>" \  --resource-group "<resource group name>" \  --scope "/subscriptions/<subscription ID>" \  --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/delete \  --action-group <action group ID> \  --enabled true 

PowerShell:

$conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Administrative" -Field "category" $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Microsoft.Network/networkSecurityGroups/delete" -Field "operationName" $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Verbose" -Field "level" $actionGroup = Get-AzActionGroup -ResourceGroupName "<resource group name>" -Name "<action group name>" $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id $scope = "/subscriptions/<subscription ID>" New-AzActivityLogAlert -Name "<activity log alert rule name>" `  -ResourceGroupName "<resource group name>" `  -Condition $conditions `  -Scope $scope `  -Location "global" `  -Action $actionObject `  -Subscription "<subscription ID>" `  -Enabled $true

Exceptions

No exceptions are recommended. NSG deletion events directly impact the network security posture of your cloud infrastructure and must be monitored. If an external SIEM is used, equivalent logic and notifications must be in place and documented.

Further resources

Was this article helpful?

Powered by Product Fruits