Skip to main content

🛡️ Azure Subscription Activity Log Alert for Create or Update Network Security Group does not exist🟢

  • Contextual name: 🛡️ Activity Log Alert for Create or Update Network Security Group does not exist🟢
  • ID: /ce/ca/azure/subscription/activity-log-alert-for-create-or-update-nsg
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

RulePoliciesFlags
✉️ dec-x-79579ed71

Description

Open File

Description

Create an Activity Log Alert for the Create or Update Network Security Group event.

Rationale

Monitoring for Create or Update Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

Audit

This policy evaluates Azure Subscriptions for the presence of an Azure Activity Log Alert that captures Create or Update Network Security Group events. A subscription is marked as INCOMPLIANT if it does not have an Activity Log Alert whose Condition JSON filters on the Microsoft.Network/networkSecurityGroups/write operation.

Default Value

By default, no monitoring alerts are created.

References

  1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement
  2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
  3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
  4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid

... see more

Remediation

Open File

Remediation

From Azure Portal

  1. Navigate to the Monitor blade.
  2. Select Alerts.
  3. Select Create.
  4. Select Alert rule.
  5. Choose a subscription.
  6. Select Apply.
  7. Select the Condition tab.
  8. Click See all signals.
  9. Select Create or Update Network Security Group (Network Security Group).
  10. Click Apply.
  11. Select the Actions tab.
  12. Click Select action groups to select an existing action group, or Create action group to create a new action group.
  13. Follow the prompts to choose or create an action group.
  14. Select the Details tab.
  15. Select a Resource group, provide an Alert rule name and an optional Alert rule description.
  16. Click Review + create.
  17. Click Create.

From Azure CLI

az monitor activity-log alert create --resource-group "<resource group name>" --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/write and level=verbose --scope "/subscriptions/<subscription ID>" --name "<activity log rule name>" --subscription <subscription id> --action-group <action group ID>

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 APRA CPG 234 → 💼 16b situational awareness and intelligence;67no data
💼 APRA CPG 234 → 💼 36a change management —information security is addressed as part of the change management process and the information asset inventory is updated;78no data
💼 APRA CPG 234 → 💼 67b scanning for unauthorised hardware, software and changes to configurations;78no data
💼 CIS Azure v1.3.0 → 💼 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group - Level 1 (Automated)11no data
💼 CIS Azure v1.4.0 → 💼 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group - Level 1 (Automated)11no data
💼 CIS Azure v1.5.0 → 💼 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group - Level 1 (Automated)11no data
💼 CIS Azure v2.0.0 → 💼 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group - Level 1 (Automated)11no data
💼 CIS Azure v2.1.0 → 💼 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group - Level 1 (Automated)11no data
💼 CIS Azure v3.0.0 → 💼 6.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group (Automated)1no data
💼 CIS Azure v4.0.0 → 💼 7.1.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group (Automated)1no data
💼 Cloudaware Framework → 💼 Alerting and Notification27no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)726no data
💼 FedRAMP High Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H)14no data
💼 FedRAMP High Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)62032no data
💼 FedRAMP High Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)3811no data
💼 FedRAMP High Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)1618no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)265no data
💼 FedRAMP High Security Controls → 💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H)78no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)4851no data
💼 FedRAMP Low Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)24no data
💼 FedRAMP Low Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)10no data
💼 FedRAMP Low Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)18no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)65no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)26no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H)14no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)232no data
💼 FedRAMP Moderate Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)110no data
💼 FedRAMP Moderate Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)18no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)65no data
💼 FedRAMP Moderate Security Controls → 💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H)8no data
💼 ISO/IEC 27001:2013 → 💼 A.12.4.1 Event logging1518no data
💼 ISO/IEC 27001:2013 → 💼 A.12.4.3 Administrator and operator logs78no data
💼 ISO/IEC 27001:2013 → 💼 A.16.1.2 Reporting information security events910no data
💼 ISO/IEC 27001:2022 → 💼 5.28 Collection of evidence1421no data
💼 ISO/IEC 27001:2022 → 💼 8.15 Logging1834no data
💼 NIST CSF v1.1 → 💼 DE.AE-2: Detected events are analyzed to understand attack targets and methods1824no data
💼 NIST CSF v1.1 → 💼 DE.AE-3: Event data are collected and correlated from multiple sources and sensors1838no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events1863no data
💼 NIST CSF v1.1 → 💼 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events2026no data
💼 NIST CSF v1.1 → 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed1824no data
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated2933no data
💼 NIST CSF v1.1 → 💼 ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations1519no data
💼 NIST CSF v1.1 → 💼 PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy1633no data
💼 NIST CSF v1.1 → 💼 RS.AN-1: Notifications from detection systems are investigated1824no data
💼 NIST CSF v1.1 → 💼 RS.CO-2: Incidents are reported consistent with established criteria1922no data
💼 NIST CSF v1.1 → 💼 RS.CO-3: Information is shared consistent with response plans1618no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities35no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources50no data
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools33no data
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis38no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events145no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events85no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events35no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events142no data
💼 NIST CSF v2.0 → 💼 GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship26no data
💼 NIST CSF v2.0 → 💼 ID.RA-10: Critical suppliers are assessed prior to acquisition26no data
💼 NIST CSF v2.0 → 💼 RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging22no data
💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents31no data
💼 NIST CSF v2.0 → 💼 RS.CO-03: Information is shared with designated internal and external stakeholders19no data
💼 NIST CSF v2.0 → 💼 RS.MA-02: Incident reports are triaged and validated25no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3(1) Content of Audit Records _ Additional Audit Information1314no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation44765no data
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities1536no data