Azure Resource Graph query:
// under-development
Monitor changes in Network Security Groups with Azure Monitor
Impact: Low | Category: Monitoring and Alerting | PG Verified: Verified
APRL GUID: 8bb4a57b-55e4-d24e-9c19-2679d8bc779f
Description:
Create Azure Monitor activity log alerts for administrative operations on Network Security Groups, such as creating, updating or deleting an NSG or its rules, to catch unauthorized or unintended changes and to spot attempts to open a path around the intended filtering (for example a new inbound allow rule from the internet). Route the alert to an action group that reaches the people who own the network, and keep the alert enabled; a disabled alert is not counted by the query below.
Azure Resource Graph query:
// Azure Resource Graph Query
// Find all Network Security Groups without alerts for modification configured.
resources
| where type =~ "Microsoft.Network/networkSecurityGroups"
| project name, id, tags, lowerCaseNsgId = tolower(id)
| join kind=leftouter (
    resources
    | where type =~ "Microsoft.Insights/activityLogAlerts" and properties.enabled == true
    | mv-expand scope = properties.scopes
    | where scope has "Microsoft.Network/networkSecurityGroups"
    | project alertName = name, conditionJson = dynamic_to_json(properties.condition.allOf), scope
    | where conditionJson has '"Administrative"'
        and (
            // Create or Update Network Security Group
            (conditionJson has '"Microsoft.Network/networkSecurityGroups/write"')
            or
            // All administrative operations
            (conditionJson !has '"Microsoft.Network/networkSecurityGroups/write"'
             and conditionJson !has '"Microsoft.Network/networkSecurityGroups/delete"'
             and conditionJson !has '"Microsoft.Network/networkSecurityGroups/join/action"')
        )
    | project lowerCaseNsgIdOfScope = tolower(scope)
) on $left.lowerCaseNsgId == $right.lowerCaseNsgIdOfScope
| where isempty(lowerCaseNsgIdOfScope)
| project recommendationId = "8bb4a57b-55e4-d24e-9c19-2679d8bc779f", name, id, tags, param1 = "ModificationAlert: Not configured/Disabled"
Note on the query: it only considers alerts whose scope contains an NSG resource ID and joins on that exact ID, so an NSG that is covered by an alert scoped at the subscription or resource group level is still reported as "Not configured". Treat a hit as a prompt to verify scope, not as proof that no alert exists.
Configure locks for Network Security Groups to avoid accidental changes and/or deletion
Impact: Low | Category: Governance | PG Verified: Verified
APRL GUID: 52ac35e8-9c3e-f84d-8ce8-2fab955333d3
Description:
As an administrator, you can lock an Azure subscription, resource group, or resource to protect it from accidental deletion and modification. The lock applies regardless of the user's RBAC permissions on the resource. Two levels exist: a Delete lock (CanNotDelete in ARM) blocks deletion but still allows changes, and a Read-only lock (ReadOnly in ARM) blocks both deletion and modification. A Read-only lock on an NSG also blocks legitimate rule changes, so the Delete lock is the usual choice for NSGs. Locks are not an access control: anyone with rights over Microsoft.Authorization/locks/* (Owner, User Access Administrator) can remove the lock first, so pair locks with the modification alerts above.
Azure Resource Graph query:
// under-development
Configure NSG Flow Logs
Impact: Medium | Category: Monitoring and Alerting | PG Verified: Verified
APRL GUID: da1a3c06-d1d5-a940-9a99-fcc05966fe7c
Description:
Monitoring, managing, and understanding your network is crucial for protection and optimization. You need to know the current state, who connects and from where, which internet-facing ports are open, what expected and irregular behavior look like, and when traffic spikes. NSG flow logs record, per flow, the source and destination addresses and ports, the protocol, the direction, whether the NSG allowed or denied it and which rule decided, which is the evidence you need to investigate an incident or to validate that a rule change had the intended effect. Send the logs to a storage account with a retention policy, and consider Traffic Analytics for aggregation. Microsoft has announced the retirement of NSG flow logs in favor of virtual network flow logs; new deployments should evaluate virtual network flow logs, which capture the same flow data at the virtual network level.
Azure Resource Graph query:
// Azure Resource Graph Query
// Find all Network Security Groups without NSG Flow logs configured or disabled.
resources
| where type =~ "Microsoft.Network/networkSecurityGroups"
| project name, id, tags, lowerCaseNsgId = tolower(id)
| join kind=leftouter (
    resources
    | where type == "microsoft.network/networkwatchers/flowlogs" and properties.enabled == true
    | project flowLogName = name, lowerCaseTargetNsgId = tolower(properties.targetResourceId)
) on $left.lowerCaseNsgId == $right.lowerCaseTargetNsgId
| where isempty(lowerCaseTargetNsgId)
| project recommendationId = "da1a3c06-d1d5-a940-9a99-fcc05966fe7c", name, id, tags, param1 = "NSGFlowLog: Not configured/Disabled"
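Both queries on this page (the modification-alert check and the flow-log check) are hard to exercise without a tenant. The Python below is an added example, not APRL code, that reproduces the two checks offline over records shaped like Azure Resource Graph `resources` rows; every resource, ID and alert in it is constructed for the example. It deliberately goes beyond the page's alert query in two ways: an enabled alert scoped to the NSG's resource group or subscription counts as covering the NSG, and `Microsoft.Network/networkSecurityGroups/securityRules/write` (the operation the activity log records when a single rule is created or changed) counts as a modification operation, while an alert on an unrelated operation does not.

```python
"""Offline re-implementation of the two APRL NSG checks on this page over records
shaped like Azure Resource Graph `resources` rows. Nothing here calls Azure; the
sample resources below are constructed for the example (assumed IDs)."""
from __future__ import annotations

NSG_TYPE = "microsoft.network/networksecuritygroups"
ALERT_TYPE = "microsoft.insights/activitylogalerts"
FLOWLOG_TYPE = "microsoft.network/networkwatchers/flowlogs"

# Operations that change an NSG. Rule edits made through the child resource are
# logged as .../securityRules/write, so they are included; the page's ARG query
# only looks for .../networkSecurityGroups/write.
NSG_WRITE_OPS = {
    "microsoft.network/networksecuritygroups/write",
    "microsoft.network/networksecuritygroups/securityrules/write",
}


def _scope_covers(scope: str, resource_id: str) -> bool:
    """True when `scope` is the resource itself or an ancestor (resource group or
    subscription). Azure resource IDs compare case-insensitively."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def _alert_covers_nsg_writes(alert: dict) -> bool:
    """Enabled, category Administrative, and either no operationName filter (all
    administrative operations) or an NSG write operation. Delete-only, join-only
    or unrelated operations do not count."""
    props = alert.get("properties", {})
    if not props.get("enabled"):
        return False
    conds = {c.get("field", "").lower(): str(c.get("equals", "")).lower()
             for c in props.get("condition", {}).get("allOf", [])}
    if conds.get("category") != "administrative":
        return False
    op = conds.get("operationname")
    return op is None or op in NSG_WRITE_OPS


def nsgs_without_modification_alert(resources: list[dict]) -> list[str]:
    """Names of NSGs not covered by any qualifying alert at any scope level."""
    nsgs = [r for r in resources if r["type"].lower() == NSG_TYPE]
    alerts = [r for r in resources
              if r["type"].lower() == ALERT_TYPE and _alert_covers_nsg_writes(r)]
    return [n["name"] for n in nsgs
            if not any(_scope_covers(scope, n["id"])
                       for a in alerts for scope in a["properties"].get("scopes", []))]


def nsgs_without_flow_log(resources: list[dict]) -> list[str]:
    """Names of NSGs with no *enabled* flow log whose targetResourceId is the NSG."""
    nsgs = [r for r in resources if r["type"].lower() == NSG_TYPE]
    targets = {r["properties"]["targetResourceId"].lower() for r in resources
               if r["type"].lower() == FLOWLOG_TYPE and r["properties"].get("enabled")}
    return [n["name"] for n in nsgs if n["id"].lower() not in targets]


# --- constructed sample data (not real resources) ---------------------------
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_A = f"{SUB}/resourceGroups/rg-a"
RG_B = f"{SUB}/resourceGroups/rg-b"
NSG_WEB = f"{RG_A}/providers/Microsoft.Network/networkSecurityGroups/nsg-web"
NSG_DB = f"{RG_B}/providers/Microsoft.Network/networkSecurityGroups/nsg-db"
NSG_DEV = f"{RG_B}/providers/Microsoft.Network/networkSecurityGroups/nsg-dev"
WATCHER = f"{SUB}/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus"


def _alert(name: str, scopes: list[str], enabled: bool = True, operation: str | None = None) -> dict:
    all_of = [{"field": "category", "equals": "Administrative"}]
    if operation:
        all_of.append({"field": "operationName", "equals": operation})
    return {"type": "Microsoft.Insights/activityLogAlerts", "name": name,
            "id": f"{RG_A}/providers/Microsoft.Insights/activityLogAlerts/{name}",
            "properties": {"enabled": enabled, "scopes": scopes, "condition": {"allOf": all_of}}}


def _flow_log(name: str, target: str, enabled: bool) -> dict:
    return {"type": "microsoft.network/networkwatchers/flowlogs", "name": name,
            "id": f"{WATCHER}/flowLogs/{name}",
            "properties": {"enabled": enabled, "targetResourceId": target}}


SAMPLE_RESOURCES = [
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-web", "id": NSG_WEB, "tags": {"env": "prod"}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-db", "id": NSG_DB, "tags": {}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-dev", "id": NSG_DEV, "tags": {}},
    # resource-scoped alert on NSG writes; scope deliberately in a different letter case
    _alert("alert-nsg-web-write", [NSG_WEB.upper()], operation="Microsoft.Network/networkSecurityGroups/write"),
    # resource-group-scoped alert on all administrative operations, but disabled
    _alert("alert-rg-b-admin", [RG_B], enabled=False),
    # delete-only alert on nsg-db: does not catch rule changes
    _alert("alert-nsg-db-delete", [NSG_DB], operation="Microsoft.Network/networkSecurityGroups/delete"),
    # alert on single-rule changes for nsg-dev
    _alert("alert-nsg-dev-rules", [NSG_DEV], operation="Microsoft.Network/networkSecurityGroups/securityRules/write"),
    _flow_log("fl-nsg-web", NSG_WEB, enabled=True),
    _flow_log("fl-nsg-db", NSG_DB, enabled=False),   # present but disabled: does not count
]

if __name__ == "__main__":
    print("No modification alert:", nsgs_without_modification_alert(SAMPLE_RESOURCES))
    print("No flow log:", nsgs_without_flow_log(SAMPLE_RESOURCES))
```

Against the sample data, nsg-db is the only NSG without a qualifying modification alert (its delete-only alert does not count and the resource-group alert is disabled), and nsg-db and nsg-dev lack an enabled flow log. To run this against a real tenant, feed it the rows of `resources | where type in~ (...)` exported from Azure Resource Graph; the three `type` values above are the only fields it depends on.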
The NSG only has default security rules; make sure to configure the necessary rules
Azure network security groups filter network traffic between resources in a virtual network, using security rules to allow or deny inbound or outbound traffic based on source, destination, port, and protocol. An NSG that contains only the default rules allows all traffic within the virtual network and all outbound traffic to the internet while denying inbound traffic from the internet, which is rarely the policy you actually intend for the workload; add explicit rules that express the required traffic and deny the rest.