Skip to main content

More Info:

Monitoring for ‘Delete Network Security Group Rule’ events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

CISAZURE, CBP, SOC2, ISO27001, HIPAA

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Network Security Group Rule” for Azure using Azure console, follow the below steps:
  1. Log in to the Azure portal (https://portal.azure.com/).
  2. Select the subscription for which you want to remediate the misconfiguration.
  3. Click on the “Activity log alerts” option from the left-hand side menu.
  4. Click on the ”+ Add activity log alert” button to create a new alert.
  5. In the “Basics” tab, provide a name for the alert, select the subscription, and resource group for which you want to create the alert.
  6. In the “Condition” tab, select the “Delete Network Security Group Rule” option from the “Event name” dropdown.
  7. In the “Actions” tab, select the action you want to take when the alert is triggered. You can choose to send an email, a webhook, or a SMS message.
  8. In the “Review + create” tab, review the alert configuration and click on the “Create” button to create the alert.
Once the alert is created, it will trigger whenever a network security group rule is deleted, and you will receive a notification based on the action you have configured. This will help you to identify and prevent accidental or unauthorized deletion of network security group rules.

To remediate the misconfiguration of missing Activity Log Alert for Delete Network Security Group Rule in AZURE using AZURE CLI, follow the below steps:Step 1: Open the AZURE CLI on your local machine or use the AZURE Cloud Shell.Step 2: Check if the Activity Log Alert exists for Delete Network Security Group Rule by running the following command:
az monitor activity-log alert list --query "[?contains(details.action, 'Microsoft.Network/networkSecurityGroups/securityRules/delete')]"
This command will list all the Activity Log Alerts that exist for the Delete Network Security Group Rule.Step 3: If the Activity Log Alert does not exist, create a new one by running the following command:
az monitor activity-log alert create --name <alert-name> --resource-group <resource-group-name> --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/securityRules/delete --action-group <action-group-id>
Replace <alert-name> with the name you want to give to the new Activity Log Alert, <resource-group-name> with the name of the resource group where the security group is located, and <action-group-id> with the ID of the action group that should be notified when the Activity Log Alert is triggered.Step 4: Verify if the Activity Log Alert is created successfully by running the following command:
az monitor activity-log alert list --query "[?contains(details.action, 'Microsoft.Network/networkSecurityGroups/securityRules/delete')]"
This command will list all the Activity Log Alerts that exist for the Delete Network Security Group Rule, and the newly created Activity Log Alert should be listed.By following these steps, you can remediate the misconfiguration of missing Activity Log Alert for Delete Network Security Group Rule in AZURE using AZURE CLI.
To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Network Security Group Rule” in Azure using Python, you can follow the below steps:Step 1: Install the Azure Python SDK using the following command:
pip install azure-mgmt-monitor
Step 2: Authenticate to Azure using the Azure CLI or using a Service Principal.Step 3: Use the following Python code to create an Activity Log alert for the Delete Network Security Group Rule:
from azure.mgmt.monitor import MonitorManagementClient
from azure.mgmt.monitor.models import *

# Replace <Subscription_Id> with your Subscription Id
subscription_id = '<Subscription_Id>'

# Replace <Resource_Group_Name> with the name of the Resource Group where the Network Security Group is located
resource_group_name = '<Resource_Group_Name>'

# Replace <Network_Security_Group_Name> with the name of the Network Security Group
network_security_group_name = '<Network_Security_Group_Name>'

# Replace <Activity_Log_Alert_Name> with the name of the Activity Log Alert
activity_log_alert_name = '<Activity_Log_Alert_Name>'

# Create a Monitor Management Client
monitor_client = MonitorManagementClient(
    credential=credentials,
    subscription_id=subscription_id
)

# Create a condition for the Activity Log Alert
condition = ManagementEventRuleCondition(
    all_of=[
        ManagementEventAggregationCondition(
            field='category',
            equals='Administrative'
        ),
        ManagementEventAggregationCondition(
            field='resourceId',
            equals=f'/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Network/networkSecurityGroups/{network_security_group_name}'
        ),
        ManagementEventAggregationCondition(
            field='operationName',
            equals='Microsoft.Network/networkSecurityGroups/securityRules/delete'
        )
    ]
)

# Create an Action Group for the Activity Log Alert
action_group = ActionGroup(
    group_short_name='Email Action Group',
    email_receivers=[
        ActionGroupReceiver(
            name='Email Receiver',
            email_address='[email protected]'
        )
    ]
)

# Create the Activity Log Alert
monitor_client.alert_rules.create_or_update(
    resource_group_name=resource_group_name,
    rule_name=activity_log_alert_name,
    parameters=ActivityLogAlert(
        location='global',
        enabled=True,
        condition=condition,
        actions=[action_group]
    )
)
In the above code, replace the placeholders <Subscription_Id>, <Resource_Group_Name>, <Network_Security_Group_Name> and <Activity_Log_Alert_Name> with the appropriate values.This code will create an Activity Log Alert for the Delete Network Security Group Rule in Azure. When this rule is triggered, an email will be sent to the specified email address.

Additional Reading: