Description:

Azure Network Security Groups control inbound and outbound traffic for resources such as virtual machines, subnets, and NICs. Any creation or update to an NSG may introduce misconfigurations or open unintended access paths. Activity Log Alerts must be created to detect Create or Update NSG operations so that security teams are immediately notified of any network configuration changes. This helps ensure visibility, auditing, and rapid incident response for network-related security events.


Rationale:

This control verifies that an Activity Log Alert exists for operations related to Network Security Group creation or modification. The alert must monitor the operations Microsoft.Network/networkSecurityGroups/write and Microsoft.Network/networkSecurityGroups/securityRules/write. Without this alert, unauthorized NSG changes can occur without visibility, increasing the risk of exposure due to misconfigurations. Monitoring NSG changes is essential for detecting suspicious activity, preventing lateral movement, and maintaining compliance with security frameworks.


Impact:

  • Ensures real-time detection of NSG creation or modification.

  • Enhances Azure security monitoring and supports incident response workflows.

  • Reduces the risk of unauthorised exposure of network resources.

  • Helps meet compliance frameworks requiring network configuration change auditing (e.g., CIS, NIST, PCI).


Default Value:

Azure does not automatically create Activity Log Alerts for NSG operations. Users must create the alert manually in Azure Monitor.


Pre-Requisites:

  • Azure subscription with contributor or monitoring contributor permissions.

  • Ability to create or manage Activity Log Alerts and Action Groups.

  • Read permission on the subscription and its resource groups, and the Microsoft.Network/networkSecurityGroups/read permission.


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com 

  2. Navigate to Monitor

  3. Select Alerts and Open Alert rules

  4. Verify an Activity Log Alert exists for Create or Update Network Security Group (Network Security Group)

  5. Verify the alert scope includes the required subscription

  6. Verify that an Action Group is associated

  7. If the alert does not exist, follow the implementation steps
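The Test Plan checks above can also be run against exported alert rules. The following is an added example, not part of this control's text: it audits rules in the shape returned by `az monitor activity-log alert list -o json` (key names assumed from the Microsoft.Insights/activityLogAlerts schema) and reports which NSG write operation lacks an enabled, subscription-scoped rule with an Action Group attached. The sample rules and IDs are constructed.

```python
import json

# Operations the control requires an Activity Log Alert for (compared case-insensitively).
NSG_OPERATIONS = {
    "microsoft.network/networksecuritygroups/write",
    "microsoft.network/networksecuritygroups/securityrules/write",
}

# Constructed sample in the shape of `az monitor activity-log alert list -o json`
# (key names assumed from the Microsoft.Insights/activityLogAlerts schema). The second
# rule deliberately has no Action Group, so the audit must report a gap for it.
SAMPLE_RULES_JSON = """[
 {"name": "nsg-write-alert", "enabled": true,
  "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
  "condition": {"allOf": [
    {"field": "category", "equals": "Administrative"},
    {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]},
  "actions": {"actionGroups": [{"actionGroupId": "/subscriptions/PLACEHOLDER/actionGroups/secops"}]}},
 {"name": "nsg-rule-alert-no-action", "enabled": true,
  "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
  "condition": {"allOf": [
    {"field": "category", "equals": "Administrative"},
    {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/securityRules/write"}]},
  "actions": {"actionGroups": []}}
]"""

def rule_covers(rule, subscription_id):
    """Return the NSG operation this rule alerts on, or None if it fails a Test Plan check:
    enabled, scoped to the subscription, Administrative category, Action Group attached."""
    scope = f"/subscriptions/{subscription_id}".lower()
    if not rule.get("enabled") or scope not in [s.lower() for s in rule.get("scopes", [])]:
        return None
    if not rule.get("actions", {}).get("actionGroups"):
        return None
    conds = {c.get("field", "").lower(): c.get("equals", "").lower()
             for c in rule.get("condition", {}).get("allOf", [])}
    if conds.get("category") != "administrative":
        return None
    op = conds.get("operationname")
    return op if op in NSG_OPERATIONS else None

def missing_nsg_alerts(rules_json, subscription_id):
    """Return the NSG write operations with no compliant rule; an empty list means the control passes."""
    covered = {rule_covers(r, subscription_id) for r in json.loads(rules_json)}
    return sorted(NSG_OPERATIONS - covered)

if __name__ == "__main__":
    gaps = missing_nsg_alerts(SAMPLE_RULES_JSON, "00000000-0000-0000-0000-000000000000")
    print("PASS" if not gaps else "FAIL, uncovered operations: " + ", ".join(gaps))
```

Against a live subscription, feed the output of `az monitor activity-log alert list -o json` to `missing_nsg_alerts` in place of the constructed sample.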


Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Navigate to Monitor

  3. Select Alerts

  4. Click Create and select Alert rule

  5. Set the Scope to the required subscription

  6. Under Condition, click See all signals, search for Create or Update Network Security Group (Network Security Group), and select the signal.

  7. Associate with an Action Group

  8. Provide an alert rule name

  9. Create the alert rule


Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com 

  2. Navigate to Monitor

  3. Select Alerts and Open Alert rules

  4. Locate the Create or Update Network Security Group alert

  5. Delete the alert rule

  6. Confirm the deletion


Reference: