Ensure Activity Log Alert exists for Create or Update Network Security Group Rule
More Info:
Monitoring for ‘Create’ or ‘Update Network Security Group Rule’ events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.
Risk Level
Low
Address
Security, Operational Maturity
Compliance Standards
SOC2, ISO27001, HIPAA, CISAZURE, CBP
Triage and Remediation
Remediation
Here are the step-by-step instructions to remediate the misconfiguration “Ensure Activity Log Alert exists for Create or Update Network Security Group Rule” in Azure using the Azure console:
- Log in to the Azure portal using your credentials.
- In the Azure portal, click on the “Security Center” icon in the left-hand menu.
- Select “Security policy” from the Security Center menu.
- In the “Security policy” page, click on the “Activity Log Alerts” option.
- On the “Activity Log Alerts” page, click on the “+ Add activity log alert” button.
- In the “Add activity log alert” page, select the “Resource Group” or “Subscription” that you want to create the alert for.
- In the “Condition” section, select “Service” as “Network Security Group Rule” and “Operation” as “Write”.
- In the “Action group” section, select the action group that you want to use for the alert.
- In the “Alert details” section, provide a name and description for the alert.
- Click on the “Create alert rule” button to create the alert.
Once you have completed these steps, the misconfiguration “Ensure Activity Log Alert exists for Create or Update Network Security Group Rule” will be remediated in Azure. The alert will notify you when a network security group rule is created or updated, which helps you identify potential security issues such as an unexpected port being opened.
To remediate the misconfiguration “Ensure Activity Log Alert exists for Create or Update Network Security Group Rule” in Azure using Azure CLI, you can follow the steps below:
- Open the Azure CLI and log in to your Azure account by running the command:
az login
- Once you are logged in, set the subscription where the misconfiguration exists by running the command:
az account set --subscription <subscription_id>
Replace <subscription_id> with the ID of the subscription where the misconfiguration exists.
- Create an Activity Log Alert for Network Security Group Rule creation or update by running the command:
az monitor activity-log alert create --name <alert_name> --resource-group <resource_group> --description "<alert_description>" --condition category=Administrative and resourceType=Microsoft.Network/networkSecurityGroups and operationName=Microsoft.Network/networkSecurityGroups/securityRules/write --action-group <action_group_id>
Replace <alert_name> with a name for the alert, <resource_group> with the resource group that will hold the alert rule, <alert_description> with a description for the alert, and <action_group_id> with the name or ID of an existing action group that will be notified when the alert is triggered. The alert is enabled on creation (pass --disable if you want to create it disabled). Because the operation name is securityRules/write, the condition matches both creation and update of a rule; a write to the network security group resource itself does not match.
- Verify that the Activity Log Alert was created successfully by running the command:
az monitor activity-log alert show --name <alert_name> --resource-group <resource_group>
Replace <alert_name> and <resource_group> with the name and resource group of the alert that you created, and confirm that the output shows the alert as enabled with the expected condition and action group.
- Once the Activity Log Alert is created, it will trigger whenever there is a Create or Update operation on a Network Security Group Rule. The action group that you specified will be notified when the alert is triggered.
By following the above steps, you can remediate the misconfiguration “Ensure Activity Log Alert exists for Create or Update Network Security Group Rule” in Azure using Azure CLI.
To remediate the misconfiguration “Ensure Activity Log Alert exists for Create or Update Network Security Group Rule” for Azure using Python, you can follow these steps:
- Install the necessary Python packages:
pip install azure-mgmt-monitor
pip install azure-identity
- Authenticate to Azure using Python:
from azure.identity import DefaultAzureCredential
from azure.mgmt.monitor import MonitorManagementClient

credential = DefaultAzureCredential()
subscription_id = '<your-subscription-id>'
monitor_client = MonitorManagementClient(credential, subscription_id)
- Create a new activity log alert:
from azure.mgmt.monitor.models import (
    ActivityLogAlertActionGroup,
    ActivityLogAlertActionList,
    ActivityLogAlertAllOfCondition,
    ActivityLogAlertLeafCondition,
    ActivityLogAlertResource,
)

alert_name = '<your-alert-name>'
resource_group_name = '<your-resource-group-name>'
nsg_name = '<your-nsg-name>'
action_group_id = '<your-action-group-resource-id>'

# Match administrative write operations on NSG security rules.
# Creating and updating a rule both surface as .../securityRules/write.
condition = ActivityLogAlertAllOfCondition(
    all_of=[
        ActivityLogAlertLeafCondition(field='category', equals='Administrative'),
        ActivityLogAlertLeafCondition(
            field='resourceType',
            equals='Microsoft.Network/networkSecurityGroups/securityRules'
        ),
        ActivityLogAlertLeafCondition(
            field='operationName',
            equals='Microsoft.Network/networkSecurityGroups/securityRules/write'
        ),
    ]
)

# An alert with an empty action list fires silently, so attach the action
# group that should be notified.
actions = ActivityLogAlertActionList(
    action_groups=[ActivityLogAlertActionGroup(action_group_id=action_group_id)]
)

# Scope: this NSG only. Use f"/subscriptions/{subscription_id}" as the scope
# to cover every NSG in the subscription.
monitor_client.activity_log_alerts.create_or_update(
    resource_group_name=resource_group_name,
    activity_log_alert_name=alert_name,
    activity_log_alert=ActivityLogAlertResource(
        location='Global',  # activity log alerts are always global resources
        scopes=[
            f"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Network/networkSecurityGroups/{nsg_name}"
        ],
        condition=condition,
        actions=actions,
        enabled=True,
    )
)
- Verify that the activity log alert has been created:
alert = monitor_client.activity_log_alerts.get(
    resource_group_name=resource_group_name,
    activity_log_alert_name=alert_name
)
print(alert.name, alert.enabled, alert.scopes)
This should remediate the misconfiguration “Ensure Activity Log Alert exists for Create or Update Network Security Group Rule” for Azure using Python.
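The remediation steps above create the alert; the other half of the control is checking that a suitable alert already exists. The script below is an added example, not code from this page or from the Azure SDK. It audits activity log alert definitions offline, assuming they are in the dict shape that MonitorManagementClient.activity_log_alerts.list_by_subscription_id() yields after .as_dict() (snake_case keys); the alert records, the subscription ID, the action group ID and the activity-log events are constructed for the demonstration, and the function names audit_subscription, alert_covers_nsg_rule_writes and event_matches are this example's own. It goes slightly beyond the page by also evaluating each alert's conditions against two sample events, which shows why the operation name must be securityRules/write rather than a write to the NSG resource itself.

```python
"""Offline audit for 'Ensure Activity Log Alert exists for Create or Update
Network Security Group Rule'. Added example; not code from the page or the
Azure SDK. Alert dicts mimic ActivityLogAlertResource.as_dict(); all
records below are constructed."""

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
RULE_WRITE_OP = "Microsoft.Network/networkSecurityGroups/securityRules/write"
ACTION_GROUP = (f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/secops-rg"
                "/providers/microsoft.insights/actionGroups/secops")  # constructed


def _cond(operation):
    return {"all_of": [{"field": "category", "equals": "Administrative"},
                       {"field": "operationName", "equals": operation}]}


# Constructed alert definitions covering the usual ways this control is missed.
SAMPLE_ALERTS = [
    {   # compliant: subscription-wide, rule writes, enabled, has an action group
        "name": "nsg-rule-write-alert", "enabled": True,
        "scopes": [f"/subscriptions/{SUBSCRIPTION_ID}"],
        "condition": _cond(RULE_WRITE_OP),
        "actions": {"action_groups": [{"action_group_id": ACTION_GROUP}]},
    },
    {   # scoped to a single NSG: rule changes on any other NSG go unnoticed
        "name": "single-nsg-alert", "enabled": True,
        "scopes": [f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/net-rg"
                   "/providers/Microsoft.Network/networkSecurityGroups/web-nsg"],
        "condition": _cond(RULE_WRITE_OP),
        "actions": {"action_groups": [{"action_group_id": ACTION_GROUP}]},
    },
    {   # wrong operation (NSG create/update, not rule changes) and no action group
        "name": "nsg-write-alert", "enabled": True,
        "scopes": [f"/subscriptions/{SUBSCRIPTION_ID}"],
        "condition": _cond("Microsoft.Network/networkSecurityGroups/write"),
        "actions": {"action_groups": []},
    },
]

# Constructed activity-log events: a rule write and a write to the NSG itself.
SAMPLE_EVENTS = [
    {"category": "Administrative", "operationName": RULE_WRITE_OP,
     "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules"},
    {"category": "Administrative",
     "operationName": "Microsoft.Network/networkSecurityGroups/write",
     "resourceType": "Microsoft.Network/networkSecurityGroups"},
]


def _leaf_conditions(alert):
    """Map lower-cased field name -> expected value for every allOf leaf."""
    leaves = (alert.get("condition") or {}).get("all_of", [])
    return {leaf["field"].lower(): leaf.get("equals", "") for leaf in leaves if "field" in leaf}


def alert_covers_nsg_rule_writes(alert, subscription_id):
    """True if one alert satisfies the control: enabled, scoped to the whole
    subscription, Administrative + securityRules/write, and at least one action group."""
    if not alert.get("enabled", True):
        return False
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    if not any(s.rstrip("/").lower() == sub_scope for s in alert.get("scopes", [])):
        return False
    leaves = _leaf_conditions(alert)
    if leaves.get("category", "").lower() != "administrative":
        return False
    if leaves.get("operationname", "").lower() != RULE_WRITE_OP.lower():
        return False
    groups = (alert.get("actions") or {}).get("action_groups", [])
    return any(g.get("action_group_id") for g in groups)


def audit_subscription(alerts, subscription_id):
    """Return (compliant, names of alerts that satisfy the control)."""
    names = [a["name"] for a in alerts if alert_covers_nsg_rule_writes(a, subscription_id)]
    return bool(names), names


def event_matches(alert, event):
    """True if an activity-log event satisfies every allOf leaf of the alert.
    Field names are case-insensitive; scope filtering is done by the service
    and is deliberately not modelled here."""
    for field, expected in _leaf_conditions(alert).items():
        actual = next((v for k, v in event.items() if k.lower() == field), "")
        if str(actual).lower() != str(expected).lower():
            return False
    return True


if __name__ == "__main__":
    compliant, names = audit_subscription(SAMPLE_ALERTS, SUBSCRIPTION_ID)
    print("control satisfied:", compliant, "by", names)
    for alert in SAMPLE_ALERTS:
        print(alert["name"], "fires on [rule write, NSG write]:",
              [event_matches(alert, e) for e in SAMPLE_EVENTS])
```

Run against real data by replacing SAMPLE_ALERTS with [a.as_dict() for a in monitor_client.activity_log_alerts.list_by_subscription_id()]. The scope check is strict on purpose: an alert scoped to one NSG (as in the Python remediation above) is useful for that NSG but does not satisfy the control for the subscription, and the wrong-operation case shows that an alert on networkSecurityGroups/write never sees a rule change.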