Azure Proactive Resiliency Library v2

networkSecurityGroups

Summary

Recommendation | Impact | Category | Automation Available | In Azure Advisor
Configure Diagnostic Settings for all network security groups | Medium | Monitoring and Alerting | No | No
Monitor changes in Network Security Groups with Azure Monitor | Low | Monitoring and Alerting | Yes | No
Configure locks for Network Security Groups to avoid accidental changes and/or deletion | Low | Governance | No | No
The NSG only has Default Security Rules, make sure to configure the necessary rules | Medium | Security | Yes | No

Details


Configure Diagnostic Settings for all network security groups

Impact: Medium | Category: Monitoring and Alerting

APRL GUID: d2976d3e-294b-4b49-a1f0-c42566a3758f

Description:

Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.

Potential Benefits:

Enhanced monitoring and security insights

Learn More:

Diagnostic settings in Azure Monitor

ARG Query:


// under-development
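The following script enables the NSG resource logs for every NSG in a subscription with the Azure CLI. It is an added example and not part of the APRL page or its tooling. It assumes the Azure CLI is installed and signed in; the setting name nsg-diag, the DRY_RUN switch and the placeholder resource IDs are this example's own choices, and NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter are the two resource log categories an NSG exposes.

```shell
#!/bin/sh
# Added example, not APRL code: route NSG resource logs to a Log Analytics workspace.
# Assumes the Azure CLI is installed and signed in. Set DRY_RUN=1 to print the
# az commands instead of executing them (useful for review before rollout).

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Create (or overwrite) a diagnostic setting on one NSG. Both NSG log categories are
# enabled: NetworkSecurityGroupEvent (which rules were applied) and
# NetworkSecurityGroupRuleCounter (per-rule hit counters). Without such a setting
# the logs are never collected.
enable_nsg_diagnostics() {
  nsg_id="$1"        # full resource ID of the NSG
  workspace_id="$2"  # full resource ID of the Log Analytics workspace
  run az monitor diagnostic-settings create \
    --name "nsg-diag" \
    --resource "$nsg_id" \
    --workspace "$workspace_id" \
    --logs '[{"category":"NetworkSecurityGroupEvent","enabled":true},{"category":"NetworkSecurityGroupRuleCounter","enabled":true}]'
}

# Apply the setting to every NSG visible in the current subscription.
enable_nsg_diagnostics_all() {
  workspace_id="$1"
  az network nsg list --query "[].id" -o tsv | while read -r nsg_id; do
    enable_nsg_diagnostics "$nsg_id" "$workspace_id"
  done
}

# Usage (placeholder IDs; substitute real ones):
#   enable_nsg_diagnostics_all "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>"
```

Run it once with DRY_RUN=1 to review the generated commands; the create call is a PUT, so re-running it simply overwrites the setting named nsg-diag rather than creating duplicates.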



Monitor changes in Network Security Groups with Azure Monitor

Impact: Low | Category: Monitoring and Alerting

APRL GUID: 8bb4a57b-55e4-d24e-9c19-2679d8bc779f

Description:

Create alerts in Azure Monitor for operations such as creating or updating Network Security Group rules, so that unauthorized or undesired changes to resources are caught and attempts to bypass firewalls or reach resources from the outside are spotted.

Potential Benefits:

Enhanced security and change monitoring

Learn More:

Azure Monitor activity log

ARG Query:


// Azure Resource Graph Query
// Find all Network Security Groups without alerts for modification configured.
resources
| where type =~ "Microsoft.Network/networkSecurityGroups"
| project name, id, tags, lowerCaseNsgId = tolower(id)
| join kind = leftouter (
    resources
    | where type =~ "Microsoft.Insights/activityLogAlerts" and properties.enabled == true
    | mv-expand scope = properties.scopes
    | where scope has "Microsoft.Network/networkSecurityGroups"
    | project alertName = name, conditionJson = dynamic_to_json(properties.condition.allOf), scope
    | where conditionJson has '"Administrative"' and (
        // Create or Update Network Security Group
        (conditionJson has '"Microsoft.Network/networkSecurityGroups/write"') or
        // All administrative operations
        (conditionJson !has '"Microsoft.Network/networkSecurityGroups/write"' and conditionJson !has '"Microsoft.Network/networkSecurityGroups/delete"' and conditionJson !has '"Microsoft.Network/networkSecurityGroups/join/action"')
        )
    | project lowerCaseNsgIdOfScope = tolower(scope)
    )
    on $left.lowerCaseNsgId == $right.lowerCaseNsgIdOfScope
| where isempty(lowerCaseNsgIdOfScope)
| project recommendationId = "8bb4a57b-55e4-d24e-9c19-2679d8bc779f", name, id, tags, param1 = "ModificationAlert: Not configured/Disabled"
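An activity log alert that satisfies this check, created with the Azure CLI, as an added example that is not part of the APRL page or its tooling. It assumes the Azure CLI is installed and signed in; the alert name nsg-change-alert, the DRY_RUN switch and the resource group, NSG and action group IDs are placeholders. The alert is scoped to the NSG resource ID, because the query above joins on the alert scope and would not match an alert scoped to the whole subscription.

```shell
#!/bin/sh
# Added example, not APRL code: create an Azure Monitor activity log alert for
# changes to one NSG. Assumes the Azure CLI is installed and signed in; the alert
# name and all resource IDs are placeholders. Set DRY_RUN=1 to print the az
# commands instead of executing them.

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Alert on every Administrative operation whose resource ID falls under the NSG's ID.
# Activity log alert scopes are prefix matches, so rule changes
# (Microsoft.Network/networkSecurityGroups/securityRules/write) are covered as well as
# writes and deletes of the NSG itself; a condition restricted to
# networkSecurityGroups/write alone would miss rule edits.
create_nsg_change_alert() {
  resource_group="$1"   # resource group that will hold the alert resource
  nsg_id="$2"           # full resource ID of the NSG to watch
  action_group_id="$3"  # full resource ID of the action group to notify
  run az monitor activity-log alert create \
    --name "nsg-change-alert" \
    --resource-group "$resource_group" \
    --scope "$nsg_id" \
    --condition "category=Administrative" \
    --action-group "$action_group_id" \
    --description "Administrative operation on NSG: create, update, delete or rule change"
}

# Verification: print the alert's scopes so a reviewer can confirm it targets the NSG.
show_nsg_change_alert_scopes() {
  resource_group="$1"
  run az monitor activity-log alert show \
    --name "nsg-change-alert" --resource-group "$resource_group" --query "scopes" -o json
}

# Usage (placeholder IDs; substitute real ones):
#   create_nsg_change_alert rg-network "/subscriptions/<sub-id>/resourceGroups/rg-network/providers/Microsoft.Network/networkSecurityGroups/<nsg>" "/subscriptions/<sub-id>/resourceGroups/rg-ops/providers/microsoft.insights/actionGroups/<action-group>"
```

The Administrative category covers create, update, delete and action operations but not reads, so the alert reports changes only. An action group must already exist; the alert itself does nothing unless it routes to one.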



Configure locks for Network Security Groups to avoid accidental changes and/or deletion

Impact: Low | Category: Governance

APRL GUID: 52ac35e8-9c3e-f84d-8ce8-2fab955333d3

Description:

As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental deletions and modifications. The lock overrides user permissions. Locks can prevent either deletions or modifications and are known as Delete and Read-only in the portal.

Potential Benefits:

Prevents accidental edits/deletions

Learn More:

Lock your resources to protect your infrastructure

ARG Query:


// under-development
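Applying a management lock to an NSG with the Azure CLI, as an added example that is not part of the APRL page or its tooling. It assumes the Azure CLI is installed and signed in; the lock name, the DRY_RUN switch and the NSG resource ID are placeholders. The lock type is validated before anything is sent, because CanNotDelete (portal: Delete) still permits rule edits while ReadOnly (portal: Read-only) also blocks them, and picking the wrong one silently breaks routine rule maintenance.

```shell
#!/bin/sh
# Added example, not APRL code: put a management lock on an NSG with the Azure CLI.
# Assumes the Azure CLI is installed and signed in; the lock name and NSG ID are
# placeholders. Set DRY_RUN=1 to print the az commands instead of executing them.

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Lock one NSG. CanNotDelete still allows rule edits and is the usual choice;
# ReadOnly also blocks rule changes, so reserve it for NSGs that are meant to be frozen.
lock_nsg() {
  nsg_id="$1"                    # full resource ID of the NSG
  lock_type="${2:-CanNotDelete}" # CanNotDelete or ReadOnly
  case "$lock_type" in
    CanNotDelete|ReadOnly) ;;
    *)
      printf 'lock type must be CanNotDelete or ReadOnly, got: %s\n' "$lock_type" >&2
      return 2
      ;;
  esac
  run az lock create \
    --name "nsg-lock-$lock_type" \
    --lock-type "$lock_type" \
    --resource "$nsg_id" \
    --notes "Protects the NSG from accidental deletion; remove the lock deliberately before decommissioning"
}

# List the locks that apply to an NSG, for verification.
list_nsg_locks() {
  nsg_id="$1"
  run az lock list --resource "$nsg_id" -o table
}

# Usage (placeholder ID; substitute a real one):
#   lock_nsg "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/networkSecurityGroups/<nsg>"
#   lock_nsg "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/networkSecurityGroups/<nsg>" ReadOnly
```

A lock applies regardless of the caller's role assignments, so a decommissioning pipeline needs a deliberate `az lock delete` step before it can remove the NSG; that friction is the point.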



The NSG only has Default Security Rules, make sure to configure the necessary rules

Impact: Medium | Category: Security

APRL GUID: 8291c1fa-650c-b44b-b008-4deb7465919d

Description:

Azure network security groups filter network traffic between resources in a virtual network, using security rules to allow or deny inbound or outbound traffic based on source, destination, port, and protocol.

Potential Benefits:

Enhanced traffic control and security

Learn More:

Security rules

ARG Query:


// Azure Resource Graph Query
// Return all NSGs that have no custom security rules, i.e. only the default rules apply.
resources
| where type =~ "microsoft.network/networksecuritygroups"
// securityRules serialises to "[]" (2 characters) when no custom rule exists
| extend sr = string_size(properties.securityRules)
| where sr <=2 or isnull(properties.securityRules)
| project recommendationId = "8291c1fa-650c-b44b-b008-4deb7465919d", name, id
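Checking and populating the custom rules of an NSG with the Azure CLI, as an added example that is not part of the APRL page or its tooling. It assumes the Azure CLI is installed and signed in; the resource group, NSG and rule names, the priorities, the address range and the DRY_RUN switch are placeholders, and the two rules shown are illustrations only: the rules a workload actually needs depend on that workload. The count function mirrors the query above, since the six default rules are not part of securityRules and a count of 0 is exactly the condition the query flags.

```shell
#!/bin/sh
# Added example, not APRL code: inspect and populate the custom rules of an NSG with
# the Azure CLI. Assumes the Azure CLI is installed and signed in; names, priorities
# and address ranges are placeholders, and the rules are illustrations only.
# Set DRY_RUN=1 to print the az commands instead of executing them.

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Number of custom rules on the NSG. The default rules live under
# defaultSecurityRules, not securityRules, so 0 means "default rules only".
custom_rule_count() {
  resource_group="$1"; nsg_name="$2"
  run az network nsg show --resource-group "$resource_group" --name "$nsg_name" \
    --query "length(securityRules)" -o tsv
}

# Allow one TCP port inbound from a specific source range. Custom priorities must be
# 100-4096; lower numbers are evaluated first, so validate before calling az.
add_inbound_allow_rule() {
  resource_group="$1"; nsg_name="$2"; rule_name="$3"; priority="$4"; source_prefix="$5"; dest_port="$6"
  case "$priority" in
    ''|*[!0-9]*) echo "priority must be numeric, got: $priority" >&2; return 2 ;;
  esac
  if [ "$priority" -lt 100 ] || [ "$priority" -gt 4096 ]; then
    echo "priority must be between 100 and 4096, got: $priority" >&2; return 2
  fi
  run az network nsg rule create \
    --resource-group "$resource_group" --nsg-name "$nsg_name" --name "$rule_name" \
    --priority "$priority" --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$source_prefix" --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges "$dest_port"
}

# Explicit deny of all inbound traffic from the Internet service tag at priority 4000.
# The default DenyAllInBound rule (65500) would deny it anyway; the explicit rule makes
# the intent visible in the rule list, and because rules are evaluated in ascending
# priority, any later allow for Internet traffic only works if placed below 4000,
# which turns such an exposure into a deliberate choice.
add_deny_internet_inbound_rule() {
  resource_group="$1"; nsg_name="$2"
  run az network nsg rule create \
    --resource-group "$resource_group" --nsg-name "$nsg_name" --name "deny-inbound-internet" \
    --priority 4000 --direction Inbound --access Deny --protocol '*' \
    --source-address-prefixes Internet --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges '*'
}

# Usage (placeholders; the 203.0.113.0/24 range is a documentation example address block):
#   custom_rule_count rg-network nsg-web
#   add_inbound_allow_rule rg-network nsg-web allow-https-from-office 300 203.0.113.0/24 443
#   add_deny_internet_inbound_rule rg-network nsg-web
```

Keep allow rules narrow (a named source range and a single destination port rather than `*`), and re-run custom_rule_count afterwards: a result of 0 means the NSG would still be reported by the query above.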