Ensure that Activity Log Alert exists for Create or Update Network Security Group

MEDIUM

Description

Description:

Create an activity log alert for the Create or Update Network Security Group Rule event.

Rationale:

Monitoring for Create or Update Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

Remediation

From Azure Console

  1. Go to 'Monitor'
  2. Select 'Alerts'
  3. Click on 'New Alert Rule'
  4. Under 'Scope', click 'Select resource'
  5. Select the appropriate subscription under 'Filter by subscription'
  6. Select 'Network Security Group' under 'Filter by resource type'
  7. Select 'All' for 'Filter by location'
  8. Click on the subscription resource from the entries populated under Resource
  9. Click 'Done'
  10. Verify Selection preview shows Network Security Group and your selected subscription name
  11. Under 'Condition' click 'Add Condition'
  12. Select 'Create or Update Network Security Group' signal
  13. Click 'Done'
  14. Under 'Action group', select 'Add action groups' and complete creation process or select appropriate action group
  15. Under 'Alert rule details', enter 'Alert rule name' and 'description'
  16. Select appropriate resource group to save the alert to
  17. Check 'Enable alert rule upon creation' checkbox
  18. Click 'Create alert rule'

Using Azure Command Line Interface

Use the command below to create an Activity Log Alert for 'Create or Update Network Security Groups'. The first part obtains the current subscription ID and an access token; xargs passes them to the inner shell as $0 (subscription ID) and $1 (token). Replace <RESOURCE_GROUP> with the resource group the alert is created in and <ALERT_NAME> with a unique alert name.

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/resourceGroups/<RESOURCE_GROUP>/providers/microsoft.insights/activityLogAlerts/<ALERT_NAME>?api-version=2017-04-01 -d@"input.json"'

Where 'input.json' contains the Request body JSON data as mentioned below.

{
  "location": "Global",
  "tags": {},
  "properties": {
    "scopes": [
      "/subscriptions/<SUBSCRIPTION_ID>"
    ],
    "enabled": true,
    "condition": {
      "allOf": [
        {
          "containsAny": null,
          "equals": "Administrative",
          "field": "category"
        },
        {
          "containsAny": null,
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules/write",
          "field": "operationName"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<ACTION_GROUP_RESOURCE_GROUP>/providers/microsoft.insights/actionGroups/<ACTION_GROUP_NAME>",
          "webhookProperties": null
        }
      ]
    }
  }
}

Configurable Parameters for command line:

<RESOURCE_GROUP> (resource group in which the alert is created)
<ALERT_NAME> (unique name of the activity log alert)

Configurable Parameters for 'input.json':

<SUBSCRIPTION_ID> in scopes
<SUBSCRIPTION_ID> in actionGroupId
<ACTION_GROUP_RESOURCE_GROUP> in actionGroupId
<ACTION_GROUP_NAME> in actionGroupId
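As an added audit check, not part of this policy text or its remediation commands: the Python below evaluates a list of activity log alert resources (the same shape as 'input.json', and as returned by the activityLogAlerts API) and reports whether one of them actually covers the NSG security rule write event. It rejects alerts that are disabled, scoped below the subscription, pinned to a different operation, or missing an action group. The subscription and action-group ids are constructed placeholders.

```python
REQUIRED_OPERATION = "Microsoft.Network/networkSecurityGroups/securityRules/write"
REQUIRED_CATEGORY = "Administrative"

def _leaf_pins(leaf: dict, field: str, value: str) -> bool:
    """True if one allOf leaf fixes `field` to `value` via equals or containsAny."""
    if (leaf.get("field") or "").lower() != field.lower():
        return False
    if (leaf.get("equals") or "").lower() == value.lower():
        return True
    return value.lower() in [v.lower() for v in (leaf.get("containsAny") or [])]

def alert_covers_nsg_rule_writes(alert: dict, subscription_id: str) -> bool:
    """Enabled, scoped to the whole subscription, pinned to category=Administrative
    plus the NSG rule write operation, and wired to at least one action group."""
    props = alert.get("properties", {})
    if not props.get("enabled", False):
        return False
    if f"/subscriptions/{subscription_id}".lower() not in [s.lower() for s in props.get("scopes", [])]:
        return False
    leaves = props.get("condition", {}).get("allOf", [])
    if not any(_leaf_pins(l, "category", REQUIRED_CATEGORY) for l in leaves):
        return False
    if not any(_leaf_pins(l, "operationName", REQUIRED_OPERATION) for l in leaves):
        return False
    return bool(props.get("actions", {}).get("actionGroups"))

def subscription_is_compliant(alerts: list, subscription_id: str) -> bool:
    """The control passes if at least one alert in the subscription covers the event."""
    return any(alert_covers_nsg_rule_writes(a, subscription_id) for a in alerts)

# Constructed sample data: placeholder subscription and action-group ids, not real resources.
SUB = "00000000-0000-0000-0000-000000000000"
AG = f"/subscriptions/{SUB}/resourceGroups/rg-ops/providers/microsoft.insights/actionGroups/ag-sec"

def make_alert(op: str, enabled=True, scopes=None, with_actions=True) -> dict:
    """Build an alert resource in the same shape as the policy's input.json."""
    return {"location": "Global", "properties": {
        "scopes": scopes if scopes is not None else [f"/subscriptions/{SUB}"],
        "enabled": enabled,
        "condition": {"allOf": [
            {"field": "category", "equals": REQUIRED_CATEGORY, "containsAny": None},
            {"field": "operationName", "equals": op, "containsAny": None}]},
        "actions": {"actionGroups":
            [{"actionGroupId": AG, "webhookProperties": None}] if with_actions else []}}}

SAMPLE_ALERTS = [
    make_alert(REQUIRED_OPERATION, enabled=False),               # right event, but disabled
    make_alert("Microsoft.Network/networkSecurityGroups/write"),  # NSG write, not rule write
    make_alert(REQUIRED_OPERATION, with_actions=False),          # nobody would be notified
]
```

None of the three sample alerts satisfies the control; appending `make_alert(REQUIRED_OPERATION)` makes `subscription_is_compliant` return True.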

Policy Details

Rule Reference ID: AC_AZURE_0341
CSP: Azure
Remediation Available: Yes
Resource Category: Logging and Monitoring
Resource Type: Monitor

Frameworks