Ensure that Activity Log alert exists for the Delete Network Security Group Rule

MEDIUM

Description

Description:

Create an activity log alert for the Delete Network Security Group Rule event.

Rationale:

Monitoring for Delete Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

Remediation

From Azure Console

  1. Go to 'Monitor'
  2. Select 'Alerts'
  3. Click on 'New Alert Rule'
  4. Under 'Scope', click 'Select resource'
  5. Select the appropriate subscription under 'Filter by subscription'
  6. Select 'Network Security Group Rules' under 'Filter by resource type'
  7. Select 'All' for 'Filter by location'
  8. Click on the subscription resource from the entries populated under Resource
  9. Click 'Done'
  10. Verify Selection preview shows Network Security Group Rules and your selected subscription name
  11. Under 'Condition' click 'Add Condition'
  12. Select 'Delete Network Security Group Rule' signal
  13. Click 'Done'
  14. Under 'Action group', select 'Add action groups' and complete creation process or select appropriate action group
  15. Under 'Alert rule details', enter 'Alert rule name' and 'description'
  16. Select appropriate resource group to save the alert to
  17. Check 'Enable alert rule upon creation' checkbox
  18. Click 'Create alert rule'

Using Azure Command Line Interface

Use the command below to create an Activity Log Alert for 'Delete Network Security Group Rule':

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@"input.json"'

where 'input.json' contains the request body JSON shown below.

{
  "location": "Global",
  "tags": {},
  "properties": {
    "scopes": [
      "/subscriptions/"
    ],
    "enabled": true,
    "condition": {
      "allOf": [
        {
          "containsAny": null,
          "equals": "Administrative",
          "field": "category"
        },
        {
          "containsAny": null,
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
          "field": "operationName"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/",
          "webhookProperties": null
        }
      ]
    }
  }
}

Configurable Parameters for command line (replace each placeholder with your own value; they correspond to the empty path segments in the command above):

<resourceGroupName> after 'resourceGroups/'
<activityLogAlertName> after 'activityLogAlerts/'

Configurable Parameters for 'input.json' (the empty segments in the JSON above):

<subscriptionId> in scopes
<subscriptionId> in actionGroupId
<resourceGroupName> in actionGroupId
<actionGroupName> in actionGroupId
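Checking whether a subscription already satisfies this control, as an added Python example that is not part of this page or of CIS: it applies the conditions the request body above encodes (Administrative category, the securityRules/delete operation, subscription-wide scope, alert enabled, an action group attached) to alert objects in the shape the Activity Log Alerts API returns. The subscription id, resource group and action group names in the sample data are constructed.

```python
# Added example, not the page's or CIS's own code: the audit counterpart to the
# remediation above. It evaluates alert objects shaped like the page's input.json
# (REST shape; the "properties" wrapper is optional, so flattened CLI output works too).
NSG_RULE_DELETE_OP = "Microsoft.Network/networkSecurityGroups/securityRules/delete"
SUB_ID = "00000000-0000-0000-0000-000000000000"  # constructed sample subscription id

def _has_clause(all_of, field, value):
    """True if an allOf clause sets `field` == `value` (compared case-insensitively)."""
    return any(c.get("field", "").lower() == field.lower()
               and (c.get("equals") or "").lower() == value.lower() for c in all_of)

def nsg_rule_delete_findings(alert, subscription_id):
    """Return why an alert fails the control; an empty list means it passes."""
    props = alert.get("properties", alert)
    findings = []
    if not props.get("enabled", False):
        findings.append("alert is disabled")
    scope = f"/subscriptions/{subscription_id}"
    if not any(s.lower() == scope.lower() for s in props.get("scopes", [])):
        findings.append("scope is narrower than the subscription")
    all_of = props.get("condition", {}).get("allOf", [])
    if not _has_clause(all_of, "category", "Administrative"):
        findings.append("condition lacks category == Administrative")
    if not _has_clause(all_of, "operationName", NSG_RULE_DELETE_OP):
        findings.append(f"condition lacks operationName == {NSG_RULE_DELETE_OP}")
    if not props.get("actions", {}).get("actionGroups"):
        findings.append("no action group attached, so nobody is notified")
    return findings

def subscription_has_control(alerts, subscription_id):
    """True if at least one alert in the subscription fully satisfies the control."""
    return any(not nsg_rule_delete_findings(a, subscription_id) for a in alerts)

def _sample_alert(name, scope, enabled, action_groups):
    """Build a constructed sample alert carrying the page's condition block."""
    return {"name": name, "properties": {
        "scopes": [scope], "enabled": enabled,
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": NSG_RULE_DELETE_OP}]},
        "actions": {"actionGroups": action_groups}}}

# Constructed sample data: one compliant alert, one that looks right but is not
# (disabled, scoped to a single resource group, and with no action group).
SAMPLE_ALERTS = [
    _sample_alert("nsg-rule-delete", f"/subscriptions/{SUB_ID}", True,
                  [{"actionGroupId": f"/subscriptions/{SUB_ID}/resourceGroups/rg-secops"
                                     "/providers/microsoft.insights/actionGroups/secops"}]),
    _sample_alert("nsg-rule-delete-old", f"/subscriptions/{SUB_ID}/resourceGroups/rg-app",
                  False, []),
]
```

Feed it the real alert list (for example the JSON output of the Activity Log Alerts REST API for the subscription) and a subscription fails the control when `subscription_has_control` returns False.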