Description:
An Activity Log Alert for Create or Update Network Security Group (NSG) ensures that any creation or update of a Network Security Group (NSG) in your Azure environment triggers a notification. NSGs control network traffic to and from Azure resources within a Virtual Network and are essential for maintaining the security of network configurations. Creating or updating an NSG can have significant impacts on the security posture and traffic flow, making it critical to monitor such actions.
By creating an Activity Log Alert for Create or Update NSG actions, you can ensure that changes to your network security settings are tracked, and immediate action can be taken if unauthorized or accidental changes are made.
Rationale:
By configuring an Activity Log Alert for Create or Update NSG actions, you can:
Monitor the creation and updates of Network Security Groups that control network traffic.
Track changes to the NSG rules and ensure they are authorized and aligned with your security policies.
Improve security by notifying administrators when network security settings are modified, helping to prevent potential misconfigurations or unauthorized access.
Ensure compliance by maintaining a record of changes to critical security configurations.
Impact:
Configuring an Activity Log Alert for Create or Update NSG ensures that you are notified immediately when changes are made to your NSG configuration. This helps you react quickly to prevent potential misconfigurations or unauthorized rule modifications. However, this could result in an increased volume of alerts in environments where NSGs are frequently updated, so proper filtering and handling of alerts are necessary.
Default Value:
By default, there are no Activity Log Alerts configured for Create or Update Network Security Group actions. You need to manually create and configure these alerts to track and respond to such events.
Pre-requisites:
Azure subscription.
Owner or Contributor role permissions to create Activity Log Alerts.
Azure Monitor enabled for logging.
Log Analytics workspace (optional, for storing telemetry data).
Network Security Groups deployed in your Azure environment.
Audit:
Sign in to Azure portal as an Owner, Contributor, or Monitoring Contributor.
Navigate to Azure Monitor and review the Activity Log Alerts to ensure that alerts for Create or Update Network Security Group actions are configured.
Verify that the configured alert is properly notifying users when a Network Security Group is created or updated.
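The audit step above can be scripted rather than done by eye. The following added example (not part of the original control text) takes the JSON that `az monitor activity-log alert list -o json` returns, assumed to carry the fields `enabled`, `scopes`, `condition.allOf[{field, equals}]` and `actions.actionGroups`, and checks that at least one enabled rule scoped under the subscription matches the NSG write operation and has an action group attached; the sample records are constructed.

```python
import json

# Activity Log operation behind the portal's "Create or Update Network Security Group".
NSG_WRITE_OP = "Microsoft.Network/networkSecurityGroups/write"
SUB_ID = "00000000-0000-0000-0000-000000000000"  # constructed sample subscription

# Constructed sample in the shape of `az monitor activity-log alert list -o json` (assumed).
SAMPLE_ALERTS = json.loads("""[
 {"name": "CreateOrUpdateNSGAlert", "enabled": true,
  "scopes": ["/subscriptions/%s"],
  "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                          {"field": "operationName", "equals": "%s"}]},
  "actions": {"actionGroups": [{"actionGroupId": "/placeholder/actionGroups/secops"}]}},
 {"name": "DisabledNSGAlert", "enabled": false,
  "scopes": ["/subscriptions/%s"],
  "condition": {"allOf": [{"field": "operationName", "equals": "%s"}]},
  "actions": {"actionGroups": [{"actionGroupId": "/placeholder/actionGroups/secops"}]}},
 {"name": "NoActionNSGAlert", "enabled": true,
  "scopes": ["/subscriptions/%s/resourceGroups/rg-net"],
  "condition": {"allOf": [{"field": "operationName", "equals": "%s"}]},
  "actions": {"actionGroups": []}}
]""" % ((SUB_ID, NSG_WRITE_OP) * 3))


def covers_nsg_write(alert):
    """True when one condition clause matches the NSG write operation (case-insensitive)."""
    return any(c.get("field", "").lower() == "operationname"
               and c.get("equals", "").lower() == NSG_WRITE_OP.lower()
               for c in alert.get("condition", {}).get("allOf", []))


def audit_nsg_alerts(alerts, subscription_id):
    """Return (compliant, findings): compliant when at least one rule is enabled,
    scoped under the subscription, matches NSG writes and notifies an action group."""
    sub_prefix = f"/subscriptions/{subscription_id}".lower()
    findings, compliant = [], False
    for alert in alerts:
        if not covers_nsg_write(alert):
            continue  # unrelated rule, ignore
        problems = []
        if not alert.get("enabled", False):
            problems.append("rule is disabled")
        if not any(s.lower().startswith(sub_prefix) for s in alert.get("scopes", [])):
            problems.append("scope does not fall under the subscription")
        if not alert.get("actions", {}).get("actionGroups"):
            problems.append("no action group attached, so nobody is notified")
        if problems:
            findings.append(f"{alert.get('name', '?')}: " + "; ".join(problems))
        else:
            compliant = True
    if not compliant:
        findings.append("no enabled NSG create/update alert with an action group found")
    return compliant, findings
```

A resource-group-scoped rule only fires for NSGs in that group, so review the scope of each flagged rule rather than just its presence.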
Implementation Steps (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Monitoring Contributor permissions.
Navigate to Azure Monitor:
In the Azure portal, go to Azure Monitor and select Activity Log under Monitoring.
Create a New Alert for Create or Update Network Security Group:
In Activity Log Alerts, click on + New alert rule.
Under Scope, select your subscription or resource group.
Under Condition, choose Activity Log as the signal type.
Set the Event Category to Write and the Resource Type to Microsoft.Network/networkSecurityGroups.
Filter further by Operation Name: Create Network Security Group or Update Network Security Group.
Example of criteria:
Event Category: Write
Operation Name: Create Network Security Group, Update Network Security Group
Resource Type: Microsoft.Network/networkSecurityGroups
Set Up Action Group:
Under Action Group, either select an existing action group or create a new one to define how the alert will notify you (e.g., via Email, SMS, Webhook).
You can send notifications to security teams or network administrators whenever a Network Security Group is created or updated.
Review and Create:
Review the configuration and ensure the alert is set to notify you when a Network Security Group is created or updated.
Click Create to save the alert rule.
Automate Alert Creation Using Azure CLI: To automate the creation of an Activity Log Alert for Create or Update Network Security Group using Azure CLI, run the following command. The --condition value uses the field=value syntax the CLI expects; the operation the portal displays as "Create or Update Network Security Group" is recorded in the Activity Log as Microsoft.Network/networkSecurityGroups/write, and --scope makes the rule cover the whole subscription, matching the Scope step above:
az monitor activity-log alert create \
  --name "CreateOrUpdateNSGAlert" \
  --resource-group <Resource-Group-Name> \
  --scope "/subscriptions/<Subscription-ID>" \
  --condition "category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/write" \
  --action-group <Action-Group-ID> \
  --description "Alert for creation or update of Network Security Group"
Replace <Resource-Group-Name>, <Subscription-ID> and <Action-Group-ID> with the appropriate values for your environment. A newly created rule is enabled by default.
Test the Alert:
After configuring the Activity Log Alert, test it by creating or updating a Network Security Group and ensuring that the alert is triggered and the notification is sent to the designated recipients.
Monitor and Review Alerts:
Use Azure Monitor to track the alert history and ensure that it is functioning as expected.
Review the alert history to verify that Network Security Group creation or update events are being logged.
Backout Plan (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Monitoring Contributor permissions.
Navigate to Azure Monitor:
Go to Azure Monitor in the Azure portal.
Delete or Modify the Alert:
In Activity Log Alerts, locate the Create or Update Network Security Group alert you created.
Select the alert and either delete it or modify its parameters as needed (e.g., change the notification action group, adjust alert criteria).
Verify Alert Removal:
After removing or modifying the alert, ensure that it no longer triggers notifications for Create or Update Network Security Group events.
Test the Backout:
Test the configuration by creating or updating a Network Security Group to confirm that the alert no longer triggers (or, if it was modified rather than deleted, that it behaves as expected) after the backout.