Verify that Activity Log Alert exists for Delete Network Security Group
Why this matters
Network Security Groups (NSGs) define inbound and outbound rules that protect Azure workloads from unauthorized network traffic. Deleting an NSG removes a critical layer of defense and may unintentionally expose services to the internet or other untrusted networks.
Monitoring for Microsoft.Network/networkSecurityGroups/delete operations ensures that any such deletion is logged and triggers an immediate alert. This reduces the time to detect unauthorized or accidental changes to critical security configurations.
What this check does
This Auto Check verifies that an Activity Log Alert exists for the operation:
Microsoft.Network/networkSecurityGroups/delete
Check Logic:
Passes if:
A rule exists with the following configuration:
- Category: Administrative
- Operation name: Microsoft.Network/networkSecurityGroups/delete
- No filters applied to Level, Status, or Caller
- An Action Group is assigned for notification
Fails if:
- No enabled rule with the specified conditions is found in the monitored subscription.
The check queries Azure Monitor and validates the alert rules in the monitored subscription against these conditions.
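The pass/fail logic above, written out as an added example (not the check's own implementation) over the ARM JSON shape of a Microsoft.Insights/activityLogAlerts resource (properties.enabled, properties.condition.allOf[], properties.actions.actionGroups[]); the sample rules and their subscription and Action Group IDs are constructed placeholders. It also shows why a remediation that adds a level filter fails the check.

```python
from collections import defaultdict

NSG_DELETE_OP = "microsoft.network/networksecuritygroups/delete"
FORBIDDEN_FILTER_FIELDS = {"level", "status", "caller"}


def collect_filters(condition: dict) -> dict:
    """Map each filtered field (lower-cased) to the set of values it accepts."""
    filters = defaultdict(set)
    for leaf in condition.get("allOf", []):
        # A leaf is {field, equals} or {field, containsAny}; anyOf groups hold several leaves.
        for sub in leaf.get("anyOf", [leaf]):
            values = sub.get("containsAny") or [sub.get("equals")]
            filters[sub.get("field", "").lower()].update(v.lower() for v in values if v)
    return dict(filters)


def evaluate_nsg_delete_alert(rule: dict) -> list:
    """Return failure reasons for one alert rule; an empty list means the check passes."""
    props = rule.get("properties", {})
    reasons = []
    if not props.get("enabled", False):
        reasons.append("rule is disabled")
    filters = collect_filters(props.get("condition", {}))
    if "administrative" not in filters.get("category", set()):
        reasons.append("category is not Administrative")
    if NSG_DELETE_OP not in filters.get("operationname", set()):
        reasons.append("operationName is not " + NSG_DELETE_OP)
    narrowed = FORBIDDEN_FILTER_FIELDS & set(filters)
    if narrowed:
        reasons.append("filter applied to " + ", ".join(sorted(narrowed)))
    if not props.get("actions", {}).get("actionGroups"):
        reasons.append("no Action Group assigned")
    return reasons


def make_rule(leaves: list, enabled: bool = True, action_groups=None) -> dict:
    """Build a constructed rule with placeholder IDs; not a real Azure resource."""
    if action_groups is None:
        action_groups = [{"actionGroupId": "/subscriptions/<sub>/providers/microsoft.insights/actionGroups/<ag>"}]
    return {"properties": {"enabled": enabled, "scopes": ["/subscriptions/<sub>"],
                           "condition": {"allOf": leaves},
                           "actions": {"actionGroups": action_groups}}}


BASE_LEAVES = [{"field": "category", "equals": "Administrative"},
               {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]
COMPLIANT_RULE = make_rule(BASE_LEAVES)
# Adding a level filter (as some remediation scripts do) narrows the rule and fails the check.
LEVEL_FILTERED_RULE = make_rule(BASE_LEAVES + [{"field": "level", "equals": "Verbose"}])
```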
How to fix it
Create this alert using the Azure Portal, CLI, or PowerShell.
Azure Portal:
- Open Monitor > Alerts > Alert rules.
- Click Create > Alert rule.
- Set the scope to the relevant subscription.
- Under Condition, select:
  - Signal: Delete Network Security Group
  - Operation: Microsoft.Network/networkSecurityGroups/delete
  - Category: Administrative
- Under Actions, select or create an Action Group.
- Under Details, define a name, description, and resource group.
- Click Review + create, then Create.
Azure CLI:
az monitor activity-log alert create \
  --name "<activity log rule name>" \
  --resource-group "<resource group name>" \
  --scope "/subscriptions/<subscription ID>" \
  --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/delete \
  --action-group <action group ID> \
  --enabled true
PowerShell:
# Only the category and operation name are filtered; the check fails if an
# additional filter on level, status or caller is added.
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Administrative" -Field "category"
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Microsoft.Network/networkSecurityGroups/delete" -Field "operationName"

# Resolve the existing Action Group that receives the notification
$actionGroup = Get-AzActionGroup -ResourceGroupName "<resource group name>" -Name "<action group name>"
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id

# Scope the rule to the whole subscription
$scope = "/subscriptions/<subscription ID>"
New-AzActivityLogAlert -Name "<activity log alert rule name>" `
  -ResourceGroupName "<resource group name>" `
  -Condition $conditions `
  -Scope $scope `
  -Location "global" `
  -Action $actionObject `
  -Subscription "<subscription ID>" `
  -Enabled $true
Exceptions
No exceptions are recommended. NSG deletion events directly impact the network security posture of your cloud infrastructure and must be monitored. If an external SIEM is used, equivalent logic and notifications must be in place and documented.