Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule

Monitoring for Create or Update Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

Risk Level: Low
Cloud Entity: Azure Alert Rule
CloudGuard Rule ID: D9.AZU.MON.30
Covered by Spectral: Yes
Category: Management Tools

GSL LOGIC

List<ActivityLogAlertRule> should have items with [condition.allOf contain [ field='operationName' and equals='Microsoft.Network/networkSecurityGroups/securityRules/write' ] and enabled=true and not condition.allOf contain [ field='level' ] and not condition.allOf contain [ field='status' ] ]

REMEDIATION

Using Azure Command Line Interface

Use the command below to create an Activity Log Alert for Create or Update Network Security Group Rule events. The first command prints the subscription ID and an access token as one tab-separated line, which xargs passes to bash as $0 and $1.

az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_To_Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01" -d @input.json'

Where input.json contains the request body JSON shown below (double quotes are required; the placeholders in angle brackets must be replaced before sending).

{
	"location": "Global",
	"tags": {},
	"properties": {
		"scopes": [
			"/subscriptions/<Subscription_ID>"
		],
		"enabled": true,
		"condition": {
			"allOf": [
				{
					"containsAny": null,
					"equals": "Administrative",
					"field": "category"
				},
				{
					"containsAny": null,
					"equals": "Microsoft.Network/networkSecurityGroups/securityRules/write",
					"field": "operationName"
				}
			]
		},
		"actions": {
			"actionGroups": [
				{
					"actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
					"webhookProperties": null
				}
			]
		}
	}
}

Configurable Parameters for command line:

<Resource_Group_To_Create_Alert_In>
<Unique_Alert_Name>

Configurable Parameters for input.json:

<Subscription_ID> in scopes
<Subscription_ID> in actionGroupId
<Resource_Group_For_Alert_Group> in actionGroupId
<Alert_Group> in actionGroupId
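
The following Python is an added example, not CloudGuard's or Azure's own code: it evaluates the GSL logic above over activity log alert rules in the REST shape of input.json (or the flattened shape `az monitor activity-log alert list` returns), so an operator can verify the remediation produced a rule the check will accept. The rule names and sample rules are constructed.

```python
"""Added example (not CloudGuard's own code): evaluate the GSL logic for
D9.AZU.MON.30 over alert-rule JSON, e.g. the output of
`az monitor activity-log alert list` or a REST body like input.json.
The sample rules below are constructed for illustration."""
from typing import Any, Dict, List

TARGET_OP = "Microsoft.Network/networkSecurityGroups/securityRules/write"


def _props(rule: Dict[str, Any]) -> Dict[str, Any]:
    # REST responses nest settings under "properties"; the CLI flattens them.
    return rule.get("properties", rule)


def matches_gsl(rule: Dict[str, Any]) -> bool:
    """True when this rule satisfies every clause of the GSL expression:
    allOf has operationName == TARGET_OP, enabled is true, and allOf carries
    no 'level' or 'status' clause (either would filter events out of the alert)."""
    props = _props(rule)
    all_of = props.get("condition", {}).get("allOf") or []
    fields = {c.get("field") for c in all_of}
    has_op = any(c.get("field") == "operationName" and c.get("equals") == TARGET_OP
                 for c in all_of)
    return has_op and props.get("enabled") is True and not fields & {"level", "status"}


def assess(rules: List[Dict[str, Any]]) -> Dict[str, Any]:
    """The list-level check: 'should have items with [...]' passes if any rule matches."""
    matching = [r.get("name", "<unnamed>") for r in rules if matches_gsl(r)]
    return {"compliant": bool(matching), "matching_rules": matching}


def _rule(name, op, enabled=True, extra=()):
    # Constructed sample in the REST shape used by input.json above.
    clauses = [{"field": "category", "equals": "Administrative"},
               {"field": "operationName", "equals": op}, *extra]
    return {"name": name, "properties": {"enabled": enabled,
                                         "condition": {"allOf": clauses}}}


SAMPLE_RULES = [
    _rule("nsg-rule-write-alert", TARGET_OP),                       # compliant
    _rule("disabled-alert", TARGET_OP, enabled=False),              # enabled=false
    _rule("level-filtered", TARGET_OP, extra=[{"field": "level", "equals": "Error"}]),
    _rule("nsg-delete-alert", "Microsoft.Network/networkSecurityGroups/delete"),
]

if __name__ == "__main__":
    print(assess(SAMPLE_RULES))  # {'compliant': True, 'matching_rules': ['nsg-rule-write-alert']}
```

Only the first sample rule satisfies the check; the disabled rule, the rule narrowed by a level clause, and the rule watching a different operation are all rejected, which is exactly what the GSL logic requires.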


Azure Alert Rule

Alerts proactively notify you when issues are found with your infrastructure or application using your monitoring data in Azure Monitor. They allow you to identify and address issues before the users of your system notice them. Alert rules are separated from alerts and from the actions taken when an alert fires. The alert rule captures the target and the criteria for alerting. An alert rule can be in an enabled or a disabled state; alerts only fire when the rule is enabled.

Compliance Frameworks

  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset