Azure Proactive Resiliency Library v2

networkSecurityGroups

Summary

Recommendation | Impact | Category | Automation Available | In Azure Advisor
Configure Diagnostic Settings for all network security groups | Medium | Monitoring and Alerting | No | No
Monitor changes in Network Security Groups with Azure Monitor | Low | Monitoring and Alerting | Yes | No

Details


Configure Diagnostic Settings for all network security groups

Impact: Medium
Category: Monitoring and Alerting

APRL GUID:  d2976d3e-294b-4b49-a1f0-c42566a3758f

Description:

Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.

Potential Benefits:

Enhanced monitoring and security insights

Learn More:

Diagnostic settings in Azure Monitor

ARG Query:


// under-development



Monitor changes in Network Security Groups with Azure Monitor

Impact: Low
Category: Monitoring and Alerting

APRL GUID:  8bb4a57b-55e4-d24e-9c19-2679d8bc779f

Description:

Create Alerts with Azure Monitor for operations like creating or updating Network Security Group rules to catch unauthorized/undesired changes to resources and spot attempts to bypass firewalls or access resources from the outside.

Potential Benefits:

Enhanced security and change monitoring

Learn More:

Azure Monitor activity log

ARG Query:


// Azure Resource Graph Query
// Find all Network Security Groups without alerts for modification configured.
resources
| where type =~ "Microsoft.Network/networkSecurityGroups"
| project name, id, tags, lowerCaseNsgId = tolower(id)
| join kind = leftouter (
    resources
    | where type =~ "Microsoft.Insights/activityLogAlerts" and properties.enabled == true
    | mv-expand scope = properties.scopes
    | where scope has "Microsoft.Network/networkSecurityGroups"
    | project alertName = name, conditionJson = dynamic_to_json(properties.condition.allOf), scope
    | where conditionJson has '"Administrative"' and (
        // Create or Update Network Security Group
        (conditionJson has '"Microsoft.Network/networkSecurityGroups/write"') or
        // All administrative operations
        (conditionJson !has '"Microsoft.Network/networkSecurityGroups/write"' and conditionJson !has '"Microsoft.Network/networkSecurityGroups/delete"' and conditionJson !has '"Microsoft.Network/networkSecurityGroups/join/action"')
        )
    | project lowerCaseNsgIdOfScope = tolower(scope)
    )
    on $left.lowerCaseNsgId == $right.lowerCaseNsgIdOfScope
| where isempty(lowerCaseNsgIdOfScope)
| project recommendationId = "8bb4a57b-55e4-d24e-9c19-2679d8bc779f", name, id, tags, param1 = "ModificationAlert: Not configured/Disabled"
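The same coverage check as the query above, re-implemented in Python over a constructed resource inventory so it can be run offline (added example, not APRL's own code; the NSG names, alert names and subscription id are placeholders). It reproduces the query's condition test (enabled alert, Administrative category, NSG write operation named or no NSG-specific operation named), the case-insensitive join on NSG id, and the finding shape of the final project.

```python
import json

NSG_TYPE = "microsoft.network/networksecuritygroups"
ALERT_TYPE = "microsoft.insights/activitylogalerts"
WRITE_OP = "Microsoft.Network/networkSecurityGroups/write"
OTHER_NSG_OPS = ("Microsoft.Network/networkSecurityGroups/delete",
                 "Microsoft.Network/networkSecurityGroups/join/action")
RECOMMENDATION_ID = "8bb4a57b-55e4-d24e-9c19-2679d8bc779f"

def alert_covers_nsg_modification(alert):
    """Query's test: enabled, Administrative, and the NSG write op is named or
    no NSG-specific op is (substring matches stand in for KQL 'has')."""
    props = alert.get("properties", {})
    cond = json.dumps(props.get("condition", {}).get("allOf", []))
    if props.get("enabled") is not True or '"Administrative"' not in cond:
        return False
    return (f'"{WRITE_OP}"' in cond
            or all(f'"{op}"' not in cond for op in OTHER_NSG_OPS))

def nsgs_without_modification_alert(resources):
    """One finding per NSG in scope of no qualifying alert (left-outer join, isempty)."""
    covered = set()
    for r in resources:
        if r["type"].lower() == ALERT_TYPE and alert_covers_nsg_modification(r):
            covered.update(s.lower() for s in r["properties"].get("scopes", [])
                           if NSG_TYPE in s.lower())
    return [{"recommendationId": RECOMMENDATION_ID, "name": r["name"], "id": r["id"],
             "tags": r.get("tags", {}),
             "param1": "ModificationAlert: Not configured/Disabled"}
            for r in resources
            if r["type"].lower() == NSG_TYPE and r["id"].lower() not in covered]

def sample_resources():
    """Constructed inventory (not real data): three NSGs and four alerts."""
    base = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
    def nsg(n):
        return {"type": "Microsoft.Network/networkSecurityGroups", "name": n,
                "id": f"{base}/providers/Microsoft.Network/networkSecurityGroups/{n}"}
    def alert(name, scope, ops, enabled=True):
        allof = [{"field": "category", "equals": "Administrative"}]
        allof += [{"field": "operationName", "equals": op} for op in ops]
        return {"type": "Microsoft.Insights/activityLogAlerts", "name": name,
                "properties": {"enabled": enabled, "scopes": [scope],
                               "condition": {"allOf": allof}}}
    web, db, mgmt = nsg("nsg-web"), nsg("nsg-db"), nsg("nsg-mgmt")
    return [web, db, mgmt,
            alert("web-write", web["id"].upper(), [WRITE_OP]),        # covers nsg-web
            alert("db-delete-only", db["id"], [OTHER_NSG_OPS[0]]),   # delete only: no
            alert("db-write-disabled", db["id"], [WRITE_OP], False),  # disabled: no
            alert("mgmt-all-admin", mgmt["id"], [])]                  # all admin ops: yes
```

As in the query, an alert scoped to a subscription or resource group rather than to the NSG's own resource id is not counted as coverage, so NSGs protected only by broader-scoped alerts still appear in the findings.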