Azure Proactive Resiliency Library v2

networkSecurityGroups

Summary

Recommendation | Impact | Category | Automation Available | PG Verified
Configure Diagnostic Settings for all network security groups | Medium | Monitoring and Alerting | No | Verified
Monitor changes in Network Security Groups with Azure Monitor | Low | Monitoring and Alerting | Yes | Verified
Configure locks for Network Security Groups to avoid accidental changes and/or deletion | Low | Governance | No | Verified
Configure NSG Flow Logs | Medium | Monitoring and Alerting | Yes | Verified
The NSG only has Default Security Rules, make sure to configure the necessary rules | Medium | Security | Yes | Verified

Details


Configure Diagnostic Settings for all network security groups

Impact: Medium | Category: Monitoring and Alerting | PG Verified: Verified

APRL GUID:  d2976d3e-294b-4b49-a1f0-c42566a3758f

Description:

Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.

Potential Benefits:

Enhanced monitoring and security insights

Learn More:

Diagnostic settings in Azure Monitor

ARG Query:


// under-development



Monitor changes in Network Security Groups with Azure Monitor

Impact: Low | Category: Monitoring and Alerting | PG Verified: Verified

APRL GUID:  8bb4a57b-55e4-d24e-9c19-2679d8bc779f

Description:

Create alerts in Azure Monitor for operations such as creating or updating Network Security Group rules, so that unauthorized or undesired changes to resources are caught and attempts to bypass firewalls or reach resources from outside are spotted.

Potential Benefits:

Enhanced security and change monitoring

Learn More:

Azure Monitor activity log

ARG Query:


// Azure Resource Graph Query
// Find all Network Security Groups without alerts for modification configured.
resources
| where type =~ "Microsoft.Network/networkSecurityGroups"
| project name, id, tags, lowerCaseNsgId = tolower(id)
| join kind = leftouter (
    resources
    | where type =~ "Microsoft.Insights/activityLogAlerts" and properties.enabled == true
    | mv-expand scope = properties.scopes
    | where scope has "Microsoft.Network/networkSecurityGroups"
    | project alertName = name, conditionJson = dynamic_to_json(properties.condition.allOf), scope
    | where conditionJson has '"Administrative"' and (
        // Create or Update Network Security Group
        (conditionJson has '"Microsoft.Network/networkSecurityGroups/write"') or
        // All administrative operations
        (conditionJson !has '"Microsoft.Network/networkSecurityGroups/write"' and conditionJson !has '"Microsoft.Network/networkSecurityGroups/delete"' and conditionJson !has '"Microsoft.Network/networkSecurityGroups/join/action"')
        )
    | project lowerCaseNsgIdOfScope = tolower(scope)
    )
    on $left.lowerCaseNsgId == $right.lowerCaseNsgIdOfScope
| where isempty(lowerCaseNsgIdOfScope)
| project recommendationId = "8bb4a57b-55e4-d24e-9c19-2679d8bc779f", name, id, tags, param1 = "ModificationAlert: Not configured/Disabled"



Configure locks for Network Security Groups to avoid accidental changes and/or deletion

Impact: Low | Category: Governance | PG Verified: Verified

APRL GUID:  52ac35e8-9c3e-f84d-8ce8-2fab955333d3

Description:

As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental deletions and modifications. The lock overrides user permissions. Locks can prevent either deletions or modifications and are known as Delete and Read-only in the portal.

Potential Benefits:

Prevents accidental edits/deletions

Learn More:

Lock your resources to protect your infrastructure

ARG Query:


// under-development
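The ARG queries for the diagnostic-settings and lock recommendations above are still under development. As an added example that is not part of APRL, here is an offline evaluator in Python that applies both checks to a constructed inventory and emits rows in the same shape as the page's other ARG queries; the inventory shapes (diagnostic settings as extension resources under the NSG id, locks keyed by scope and level) are assumptions modelled on ARM resource ids, not an official export format.

```python
# Constructed sample inventory; the ids are placeholders, not real resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
NSG = "providers/Microsoft.Network/networkSecurityGroups"
NSGS = [
    f"{SUB}/resourceGroups/rg-web/{NSG}/nsg-web",
    f"{SUB}/resourceGroups/rg-db/{NSG}/nsg-db",
    f"{SUB}/resourceGroups/rg-dev/{NSG}/nsg-dev",
]
# Assumed shape: a diagnostic setting is an extension resource whose id is the
# target id followed by /providers/Microsoft.Insights/diagnosticSettings/<name>.
DIAG_SETTINGS = [
    {"id": NSGS[0] + "/providers/Microsoft.Insights/diagnosticSettings/to-law",
     "logs": [{"category": "NetworkSecurityGroupEvent", "enabled": True}]},
    {"id": NSGS[1] + "/providers/Microsoft.Insights/diagnosticSettings/stale",
     "logs": [{"category": "NetworkSecurityGroupEvent", "enabled": False}]},
]
# Locks sit at subscription, resource-group or resource scope and are
# inherited by everything below that scope (assumed shape: scope + level).
LOCKS = [
    {"scope": f"{SUB}/resourceGroups/rg-web", "level": "CanNotDelete"},
    {"scope": NSGS[1], "level": "ReadOnly"},
]
DIAG_MARKER = "/providers/microsoft.insights/diagnosticsettings/"

def nsgs_without_diagnostics(nsgs, settings):
    """NSGs with no diagnostic setting that has at least one enabled log category."""
    covered = set()
    for s in settings:
        target, _, _ = s["id"].lower().partition(DIAG_MARKER)
        if any(log.get("enabled") for log in s.get("logs", [])):
            covered.add(target)
    return [n for n in nsgs if n.lower() not in covered]

def nsgs_without_lock(nsgs, locks):
    """NSGs under no Delete or Read-only lock; ancestor scopes count (path-prefix match)."""
    scopes = [lk["scope"].lower().rstrip("/") + "/" for lk in locks
              if lk["level"] in ("CanNotDelete", "ReadOnly")]
    return [n for n in nsgs if not any((n.lower() + "/").startswith(s) for s in scopes)]

def findings(nsgs, settings, locks):
    """Rows in the shape the page's ARG queries emit (recommendationId, id, param1)."""
    rows = [{"recommendationId": "d2976d3e-294b-4b49-a1f0-c42566a3758f", "id": n,
             "param1": "DiagnosticSettings: Not configured/Disabled"}
            for n in nsgs_without_diagnostics(nsgs, settings)]
    rows += [{"recommendationId": "52ac35e8-9c3e-f84d-8ce8-2fab955333d3", "id": n,
              "param1": "ResourceLock: Not configured"}
             for n in nsgs_without_lock(nsgs, locks)]
    return rows
```

The trailing slash appended before the prefix comparison keeps a lock on rg-web from being mistaken for cover of an rg-webapp resource group.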



Configure NSG Flow Logs

Impact: Medium | Category: Monitoring and Alerting | PG Verified: Verified

APRL GUID:  da1a3c06-d1d5-a940-9a99-fcc05966fe7c

Description:

Monitoring, managing, and understanding your network is crucial for protection and optimization. You need to know the current state of the network, who is connecting and from where, which ports are open to the internet, what counts as expected versus irregular behavior, and when traffic spikes occur.

Potential Benefits:

Enhances security and optimizes network

Learn More:

Flow logging for network security groups

ARG Query:


// Azure Resource Graph Query
// Find all Network Security Groups without NSG Flow logs configured or disabled.
resources
| where type =~ "Microsoft.Network/networkSecurityGroups"
| project name, id, tags, lowerCaseNsgId = tolower(id)
| join kind = leftouter (
    resources
    | where type == "microsoft.network/networkwatchers/flowlogs" and properties.enabled == true
    | project flowLogName = name, lowerCaseTargetNsgId = tolower(properties.targetResourceId)
    )
    on $left.lowerCaseNsgId == $right.lowerCaseTargetNsgId
| where isempty(lowerCaseTargetNsgId)
| project recommendationId = "da1a3c06-d1d5-a940-9a99-fcc05966fe7c", name, id, tags, param1 = "NSGFlowLog: Not configured/Disabled"



The NSG only has Default Security Rules, make sure to configure the necessary rules

Impact: Medium | Category: Security | PG Verified: Verified

APRL GUID:  8291c1fa-650c-b44b-b008-4deb7465919d

Description:

Azure network security groups filter network traffic between resources in a virtual network, using security rules to allow or deny inbound or outbound traffic based on source, destination, port, and protocol.

Potential Benefits:

Enhanced traffic control and security

Learn More:

Security rules

ARG Query:


// Azure Resource Graph Query
// This query will return all NSGs that have NO custom security rules
// (properties.securityRules holds only user-defined rules; the built-in
// default rules live in properties.defaultSecurityRules and are not counted).
resources
| where type =~ "microsoft.network/networksecuritygroups"
// An empty securityRules array serialises to "[]", i.e. a string size of 2.
| extend sr = string_size(properties.securityRules)
| where sr <= 2 or isnull(properties.securityRules)
| project recommendationId = "8291c1fa-650c-b44b-b008-4deb7465919d", name, id